Prerequisites
Common Prerequisites
Before you can perform client side encryption:
Make sure you have a stable release of Google Chrome or Microsoft Edge installed and running.
Make sure your access to KACLS is not blocked by web filters, for example, Zscaler.
Make sure you have the CCKM Admins rights to perform Google Workspace CSE operations on the CipherTrust Manager.
Make sure that an identity provider system is set up correctly. For this, the identity provider admin uses either of the following methods:
Using .well-known File Configuration
Host the cse-configuration JSON file on a Web server. A sample JSON file looks like this:
{
  "name": "CSE IDP",
  "client_id": "<authenticationAud>",
  "discovery_uri": "<openidConfigurationURL>",
  "audience": "cse-test"
}
Here, <authenticationAud> is the ID of the third-party identity provider. For example, for Auth0, it is represented by the Client ID. <openidConfigurationURL> is the identity provider configuration URL. For example, for Auth0, it can be https://demo.auth0.com/.well-known/openid-configuration.
Create a sub-domain on the Google domain portal for the hosted Web server. Navigate to the Google domain > DNS > Custom resource records and add the IP address of the Web server with the name cse.
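As an added example that is not part of this documentation, the following Python checks a cse-configuration document offline before it is hosted: the required keys, template placeholders left unreplaced, an https discovery_uri ending in /.well-known/openid-configuration, and whether the issuer in the OIDC discovery document (fetched separately) matches that URI. The sample Client ID is a constructed value.

```python
import json
from urllib.parse import urlsplit

# Constructed sample (not from the page): a cse-configuration document with
# the template placeholders replaced by illustrative values.
SAMPLE_CSE_CONFIGURATION = json.dumps({
    "name": "CSE IDP",
    "client_id": "aBcDeFgHiJ0123456789",  # illustrative IdP Client ID
    "discovery_uri": "https://demo.auth0.com/.well-known/openid-configuration",
    "audience": "cse-test",
})

REQUIRED_KEYS = ("name", "client_id", "discovery_uri", "audience")
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def validate_cse_configuration(text: str) -> list:
    """Return the problems found in a cse-configuration document (empty list if usable)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at offset {exc.pos}"]
    if not isinstance(doc, dict):
        return ["top-level value must be a JSON object"]
    problems = []
    for key in REQUIRED_KEYS:
        value = doc.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"'{key}' is missing or empty")
        elif value.startswith("<") and value.endswith(">"):
            # <authenticationAud> / <openidConfigurationURL> left in from the template
            problems.append(f"'{key}' still holds the template placeholder {value}")
    uri = doc.get("discovery_uri")
    if isinstance(uri, str) and uri and not uri.startswith("<"):
        parts = urlsplit(uri)
        if parts.scheme != "https" or not parts.netloc:
            problems.append("'discovery_uri' must be an absolute https URL")
        if not parts.path.endswith(DISCOVERY_SUFFIX):
            problems.append(f"'discovery_uri' should end with {DISCOVERY_SUFFIX}")
    return problems


def issuer_matches(discovery_uri: str, discovery_doc: dict) -> bool:
    """Cross-check against the OIDC discovery document fetched from discovery_uri:
    its issuer must equal discovery_uri without the /.well-known suffix."""
    if not discovery_uri.endswith(DISCOVERY_SUFFIX):
        return False
    expected = discovery_uri[: -len(DISCOVERY_SUFFIX)].rstrip("/")
    return str(discovery_doc.get("issuer", "")).rstrip("/") == expected
```

The same four fields (Name, Client ID, Discovery URI, audience) are what the IdP fallback settings in the Google Admin Console ask for, so the checks apply to those values as well.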
Using IdP Fallback Settings
On the Google Admin Console, set identity provider configuration.
Specify the following fields:
Name: Name for the identity provider.
Client ID: The ID of the third-party identity provider. For example, for Auth0 and STA, it is represented by the Client ID.
Discovery URI: The identity provider configuration URL. For example, for Auth0, it can be https://demo.auth0.com/.well-known/openid-configuration, and for STA, it is represented by WELL KNOWN CONFIGURATION URL.
Grant type: Set as Implicit.
Test and save the settings.
(Applicable when a valid public DNS for the CipherTrust Manager is unavailable.) Create a subdomain for Thales key service (KACLS) on Google domain. Refer to Creating a Subdomain on Google Domain.
Create a URL to access the KACLS. This URL is referred to as KACLS Endpoint URL in this document. Refer to Creating a KACLS Endpoint URL below.
Configure Google Workspace connection to KACLS. Refer to Configure Google Workspace Connection to KACLS for details.
Creating a Subdomain on Google Domain
Note
This section is applicable when a valid public DNS for the CipherTrust Manager is unavailable.
Log on to Google domain as a super admin for the user domain.
Navigate to DNS > Custom resource records.
Create a subdomain for the KACLS. Specify a name for your subdomain and the IP address or hostname of the KACLS.
Tip
If you are working in a clustered CipherTrust Manager environment, you need to create a clustered subdomain on Google domain. Refer to Create a clustered subdomain on Google domain for details.
Note
It is recommended to add the Google NTP server to the CipherTrust Manager (Admin Settings > NTPs).
Creating a KACLS Endpoint URL
A KACLS URL is needed to access the Thales key service. Google Workspace administrators use this URL to configure Google Workspace to communicate with the KACLS. Creating a KACLS URL requires an identity provider and a KACLS endpoint.
To create a KACLS endpoint URL:
Create an identity provider.
GUI: Refer to Creating Identity Providers.
API: Refer to Creating Identity Providers.
Create a KACLS endpoint.
GUI: Refer to Creating KACLS Endpoints.
API: Refer to Creating KACLS Endpoints.
Note
Before proceeding, make sure that the KACLS endpoint URL is accessible from the internet and KACLS is running.
Configure Google Workspace Connection to KACLS
To configure the Google Workspace connection to KACLS:
Open the Google Admin console, http://admin.google.com.
Log on as a super admin for the user domain.
Navigate to CSE settings: Security > Client Side Encryption.
Click Add external key service.
Specify Name of external key service. This name will appear in error messages if Google Workspace cannot contact the key service.
Enter URL of external key service. This URL was created in Creating a KACLS Endpoint URL.
Click TEST CONNECTION to test that Google Workspace can communicate with the KACLS.
If the connection fails, correct the KACLS endpoint URL, ensure Internet connectivity, and retry.
Click CONTINUE.
Click SAVE. The Google Workspace connection to KACLS is configured.
Additional Prerequisites for Gmail
Apart from the prerequisites described above, perform these additional steps for Gmail:
Create a test environment and enroll it with Google.
Enable Google Workspace CSE for intended Gmail users (senders and recipients).
Open the Google Admin console, http://admin.google.com.
Log on as a super admin for the user domain.
Navigate to CSE settings: Data > Compliance > Client-Side Encryption.
Scroll down to the Apps section and click the Gmail link.
Select an organizational unit or group for which you want to enable Gmail CSE.
Under User access, select ON.
Save the settings.
Prepare your certificates.
Generate S/MIME certificates. Adhere to the Google-specified certificate chain rules.
Wrap associated private keys using your KACLS endpoint URLs. Refer to Encrypting Private Keys (wrapprivatekey) for details.
Upload the wrapped private keys and certificates to Google.
Using Google Workspace Admin Console: Use this method if you want Google to trust your own root CA.
Open the Google Admin console, http://admin.google.com.
Log on as a super admin for the user domain.
Navigate to CSE settings: Apps > Google Workspace > Gmail.
On the right, click User settings.
Click S/MIME and select Enable S/MIME encryption for sending and receiving emails and Allow users to upload their own certificates.
Click ADD to upload the root certificate. This root CA upload is the certificate chain, that is, the intermediate and root CA certificates.
Save the changes.
Using Gmail API client libraries: Use this method to upload each user's S/MIME certificates and wrapped private keys using the API client libraries provided by Google.
Communication with KACLS
Google Workspace can communicate with KACLS for encryption and decryption of data, as described below.
Google Drive
Google Workspace can communicate with KACLS for encryption and decryption of files on Google Drive. Whenever a new file (Blank encrypted document) is created or updated, its data is encrypted automatically.
Also, when a new file is uploaded (using Drive > File upload > Encrypt and upload), the file is encrypted and uploaded. When an existing encrypted file is opened, its data is decrypted for authenticated end users.
Google Meet
Google Workspace can communicate with KACLS for encryption and decryption of calls over Google Meet (using Meet > New meeting > Video call options > Security > Add encryption).
Whenever an authenticated host initiates an encrypted call, the call data is encrypted automatically. The call data is automatically decrypted for authenticated participants.
Google Calendar
Google Workspace can communicate with KACLS for encryption and decryption of Google Calendar event data such as the description and attachments (using Calendar > Create). Turn on the encryption toggle.
Whenever an authenticated host creates a Calendar event, the event description and attachments are encrypted automatically. The event data is automatically decrypted for authenticated recipients.
While creating the event, you can also add an encrypted Google Meet call by clicking Add Google Meet video conferencing.
Gmail
Google Workspace can communicate with KACLS for encryption and decryption of Gmail messages (using Gmail > Compose). Click the Message security icon and turn on encryption.
Whenever an authenticated user composes an email message, the message details are encrypted automatically. The encrypted Gmail message is automatically decrypted for authenticated recipients.
Note
If a key pair already exists, a new key pair cannot be inserted. To insert a new key pair, the existing key pair must first be deleted. The existing key pair can only be deleted if it is disabled for more than 30 days.
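As an added example (not code from this page or from Thales), the following Python prepares the Gmail upload described under "Using Gmail API client libraries" and applies the key-pair replacement rule from the note above: it builds the users.settings.cse.keypairs.create request body from a PEM-encoded PKCS#7 certificate chain and the blob returned by wrapprivatekey, and decides whether an existing pair has been disabled long enough to be deleted. The KACLS URL, wrapped-key blob and chain are constructed placeholders; the request field names and the enablementState/disableTime attributes are assumed from Google's Gmail CSE API reference.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed placeholders, not values from the page or from a real deployment.
KACLS_ENDPOINT_URL = "https://cse.example.com/kacls"  # your KACLS Endpoint URL
WRAPPED_PRIVATE_KEY = "<opaque blob returned by the KACLS wrapprivatekey call>"
CERT_CHAIN_PKCS7_PEM = "-----BEGIN PKCS7-----\n<base64 user cert + chain>\n-----END PKCS7-----\n"

MIN_DISABLED_DAYS = 30  # page rule: delete only after the pair has been disabled for more than 30 days


def build_keypair_request(pkcs7_pem: str, kacls_uri: str, wrapped_key: str) -> dict:
    """Body for users.settings.cse.keypairs.create. Field names are assumed from the
    Gmail CSE API reference; verify them against the current documentation."""
    if "-----BEGIN PKCS7-----" not in pkcs7_pem:
        raise ValueError("certificate chain must be a PEM-encoded PKCS#7 bundle")
    if not kacls_uri.startswith("https://"):
        raise ValueError("KACLS endpoint URL must be https")
    if not wrapped_key:
        raise ValueError("wrapped private key is empty; run wrapprivatekey first")
    return {
        "pkcs7": pkcs7_pem,
        "privateKeyMetadata": [
            {"kaclsKeyMetadata": {"kaclsUri": kacls_uri, "kaclsData": wrapped_key}}
        ],
    }


def _parse_rfc3339(value: str) -> datetime:
    # Google APIs return timestamps such as 2024-01-01T00:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def keypair_deletable(enablement_state: str, disable_time: Optional[str],
                      now: Optional[str] = None) -> bool:
    """Check the page's rule before replacing a key pair: deletion is allowed only for
    a pair in the 'disabled' state for more than MIN_DISABLED_DAYS days."""
    if enablement_state != "disabled" or not disable_time:
        return False
    current = _parse_rfc3339(now) if now else datetime.now(timezone.utc)
    return current - _parse_rfc3339(disable_time) > timedelta(days=MIN_DISABLED_DAYS)


if __name__ == "__main__":
    body = build_keypair_request(CERT_CHAIN_PKCS7_PEM, KACLS_ENDPOINT_URL, WRAPPED_PRIVATE_KEY)
    # With an authorised googleapiclient 'service' the body would be sent as
    #   service.users().settings().cse().keypairs().create(userId="me", body=body).execute()
    # and the returned keyPairId bound to the mailbox via users.settings.cse.identities.create.
    print(body["privateKeyMetadata"][0]["kaclsKeyMetadata"]["kaclsUri"])
    print(keypair_deletable("disabled", "2024-01-01T00:00:00Z", "2024-02-15T00:00:00Z"))
```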