Encrypting Data Encryption Keys
When a user opens a blank encrypted document, initiates an encrypted call, or creates an encrypted Calendar event, a random Data Encryption Key (DEK) is generated and the data is encrypted with it. After the third-party identity provider user authentication is successful, an authentication token (3P JWT) is generated. The user is authenticated using a Google JWT and third-party JWT. KACLS wraps the DEK with the key associated with the KACLS endpoint URL and returns a wrapped key. The encrypted data with its wrapped key is uploaded to the Google Workspace server.
Encrypting Files on Google Drive
To create an encrypted Google Docs document:
Open the Google Drive console, https://drive.google.com.
Log on as an end user.
Click New > Google Docs > Blank encrypted document.
A message prompting to sign in with your identity provider is displayed, as shown below.
Sign in with the configured third-party identity provider's user credentials.
Make your changes and save the document, as shown below.
The document is encrypted. KACLS’ wrap API is called to encrypt the document. The wrap requests are logged at KACLS (under Records > Server Records), as shown below.
{
"reason": "",
"authorization": {
"aud": "cse-authorization",
"exp": 1643373456,
"iat": 1643369856,
"iss": "gsuitecse-tokenissuer-drive@system.gserviceaccount.com",
"role": "writer",
"email": "demo.user@domain.com",
"kacls_url": "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/fb692716-b749-47b5-a233-3e0e06a9ee30",
"perimeter_id": "",
"resource_name": "//googleapis.com/drive/files/1c-5qu5usfHFxeyoOFtlKBNuHHxZHmXan"
},
"authentication": {
"acr": "1",
"aud": "b0ae52b6-c5e1-4931-9091-34d09df11960",
"azp": "b0ae52b6-c5e1-4931-9091-34d09df11960",
"exp": 1643370765,
"iat": 1643369865,
"iss": "https://<IDP>",
"jti": "129cf52c-4394-4bc8-9fb2-d3e8c812d017",
"sub": "6ba78312-6214-3ac5-b2a2-b99d83681091",
"typ": "ID",
"email": "demo.user@domain.com",
"nonce": "fzmCUX-d6R74GQpdyLWvzA:https://docs.google.com",
"s_hash": "hTpM40xvzcDvbGKKzzq9pg",
"auth_time": 1643369865,
"session_state": "95ae9ecc-d20b-4d44-bf4b-a485d8ff6773",
"email_verified": false
}
}
Encrypting Calls Over Google Meet
To initiate an encrypted Google Meet call:
Open the Google Meet console, https://meet.google.com/.
Log on as an end user.
Click New meeting > Video call options > Security.
Select Add encryption.
Create an encrypted call. The options are:
Create a meeting for later
Start an instant meeting
A message prompting to sign in with your identity provider is displayed, as shown below.
Sign in with the configured third-party identity provider's user credentials.
The call data is encrypted automatically with KACLS’ wrap API. The wrap requests are logged at KACLS (under Records > Server Records), as shown below.
{
"reason": "Client-side encryption for Google Meet",
"authorization": {
"aud": "cse-authorization",
"exp": 1646761146,
"iat": 1646757546,
"iss": "gsuitecse-tokenissuer-meet@system.gserviceaccount.com",
"role": "writer",
"email": "demo.user@domain.com",
"kacls_url": "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/07cabf0f-e59d-426f-927e-f41827bacf5b",
"perimeter_id": "",
"resource_name": "//meetings.googleapis.com/MeetingSpace/spaces/tJgsmRfbjDoB"
},
"authentication": {
"acr": "1",
"aud": "6f088e98-d071-4d24-b3f1-8c86c0090f4a",
"azp": "6f088e98-d071-4d24-b3f1-8c86c0090f4a",
"exp": 1646758044,
"iat": 1646757144,
"iss": "https://<IDP>",
"jti": "4c217728-b7f0-4bfe-ae7c-dee238b69929",
"sub": "07c9e65b-bdca-3a2f-a390-4cb1502e6ae8",
"typ": "ID",
"email": "demo.user@domain.com",
"nonce": "evrsDJS1_sc9xQdrDljbnw:https://meet.google.com",
"s_hash": "LcSs9u0M5fuV20HI1ykv9Q",
"auth_time": 1646757144,
"session_state": "1d87d04d-e300-4db2-a1a4-19825aaaf603",
"email_verified": false
}
Encrypting Google Calendar Events
To create an encrypted Google Calendar event:
Open the Google Calendar console, https://calendar.google.com/.
Log on as an end user.
Click Create.
Enable Turn on encryption. After selection, the option looks like the following.
Add event details.
A message prompting to sign in with your identity provider is displayed.
Sign in with the configured third-party identity provider's user credentials.
The event data is encrypted automatically with KACLS’ wrap API. The wrap requests are logged at KACLS (under Records > Server Records), as shown below.
{
"reason": "Encrypting description for calendar demo.user@domain.com, event 73tg8i2jdio57rib0o4s23a2em",
"authorization": {
"aud": "cse-authorization",
"exp": 1647936974,
"iat": 1647933374,
"iss": "gsuitecse-tokenissuer-calendar@system.gserviceaccount.com",
"role": "writer",
"email": "demo.user@domain.com",
"kacls_url": "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/7232123d-3d0d-4d5b-8b14-24c97540708e",
"perimeter_id": "",
"resource_name": "//googleapis.com/calendar/08927975989983541514/eef396266e4b5ca9"
},
"authentication": {
"aud": "ecdUQSQtIVkZ7rYSarnN45nuUZkeLUqL",
"exp": 1647968855,
"iat": 1647932855,
"iss": "https://<IDP>",
"sub": "google-oauth2|110478923717308119755",
"email": "demo.user@domain.com",
"nonce": "asTWdJJLSzWP2hgGTkmTXw:https://krahsc.google.com",
"email_verified": true
}
}
Encrypting Gmail Messages
When a user composes an encrypted Gmail message, the message will be encrypted by using the recipient's public key associated with the wrapped private key and certificates uploaded to Google. These were uploaded while completing the additional prerequisites for Gmail.
After the third-party identity provider user authentication is successful, an authentication token (3P JWT) is generated. The user is authenticated using a Google JWT and third-party JWT. When the sender composes the message, KACLS unwraps the sender's wrapped private key, signs the message digest with this private key, and returns the signed digest. The encrypted Gmail message is uploaded to the Google Workspace server.
To compose an encrypted Gmail message:
Open the Gmail console, https://mail.google.com/.
Log on as an end user.
Click Compose.
Click the Message security icon and Turn on the encryption.
Compose the message.
Click Send.
A message prompting to sign in with your identity provider is displayed.
Sign in with the configured third-party identity provider's user credentials.
The Gmail message is encrypted automatically with KACLS’ privatekeysign API. The privatekeysign requests are logged at KACLS (under Records > Server Records), as shown below.
{
"reason": "sign email",
"authorization": {
"aud": "cse-authorization",
"exp": 1661487920,
"iat": 1661484320,
"iss": "gsuitecse-tokenissuer-gmail@system.gserviceaccount.com",
"role": "signer",
"email": "demo.user@domain.com",
"kacls_url": "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/59e7c24f-4573-472d-8e8c-afb622793154",
"spki_hash": "jFBT+M1baVaQqDRLmQTP1gS3zwrUPXpR/uOtyAnjbkY=",
"message_id": "<CAGb6PCqtvd6d5n20xazMGkFxnezY1b9yBQPYmVgEdkM6O=AmNQ@mail.gmail.com>",
"perimeter_id": "",
"resource_name": "//gmail.googleapis.com/gmail/users/demo.user%40domain.com/settings/cse/keypairs/ANe1BmhsTEntl0K99F0xA5Txc1jJgjUSxAms4RzSmRypRSQzh4nYso55Mq9ktKmmPPNLP0Rgx0FLSQXhj6xdg6_OX-7hIg",
"spki_hash_algorithm": "SHA-256"
},
"authentication": {
"aud": "3kT5KerY3vXrEuzNRrQxVQqaRNvYUAwR",
"exp": 1661485571,
"iat": 1661484371,
"iss": "https://<IDP>",
"sid": "klqAk-BaWczEf_Unf6RoCM8DPwdXL7hU",
"sub": "google-oauth2|110478923717308119755",
"email": "demo.user@domain.com",
"nonce": "LJOJ79acJoMBIqeTW9vHrg:https://krahsc.google.com",
"email_verified": true
}
}
