Prerequisites
Common Prerequisites
Before you can perform client side encryption:
Make sure you have a stable release of Google Chrome or Microsoft Edge installed and running.
Make sure your access to KACLS is not blocked by web filters, for example, Zscaler.
Make sure you have the CCKM Admins rights to perform Google Workspace CSE operations on the CipherTrust Manager.
Make sure that an identity provider system is set up correctly. For this, the identity provider admin uses either of following methods:
Using .well-known File Configuration
Host the
cse-configuration
JSON file on a Web server. A sample JSON file looks like this:{ "name": "CSE IDP", "client_id": "<authenticationAud>", "discovery_uri": "<openidConfigurationURL>", "audience": "cse-test" }
Here,
<authenticationAud>
is the ID of the third-party identity provider. For example, for Auth0, it is represented by theClient ID
.<openidConfigurationURL>
is the identity provider configuration URL. For example, for Auth0, it can behttps://demo.auth0.com/.well-known/openid-configuration
.
Create a sub-domain on the Google domain portal for the hosted Web server. Navigate to the Google domain > DNS > Customer resource records and add the IP address of the Web server with the name
cse
.
Using IdP Fallback Settings
On the Google Admin Console, set identity provider configuration.
Specify the following fields:
Name: Name for the identity provider.
Client ID: The ID of the third-party identity provider. For example, for Auth0 and STA, it is represented by the
Client ID
.Discovery URI: The identity provider configuration URL. For example, for Auth0, it can be
https://demo.auth0.com/.well-known/openid-configuration
, and for STA, it is represented by WELL KNOWN CONFIGURATION URL.Grant type: Set as Implicit.
Test and save the settings.
(Applicable when a valid public DNS for the CipherTrust Manager is unavailable.) Create a subdomain for Thales key service (KACLS) on Google domain. Refer to Creating a Subdomain on Google Domain.
Create a URL to access the KACLS. This URL is referred to as KACLS Endpoint URL in this document. Refer to Creating a KACLS Endpoint URL below.
Configure Google Workspace connection to KACLS. Refer to Configure Google Workspace Connection to KACLS for details.
Creating a Subdomain on Google Domain
Note
This section is applicable when a valid public DNS for the CipherTrust Manager is unavailable.
Log on to Google domain as a super admin for the user domain.
Navigate to DNS > Custom resource records.
Create a subdomain for the KACLS. Specify a name for your subdomain and the IP address or hostname of the KACLS.
Tip
If you are working in a clustered CipherTrust Manager environment, you need to create a clustered subdomain on Google domain. Refer to Create a clustered subdomain on Google domain for details.
Note
It is recommended to add the Google NTP server to the CipherTrust Manager (Admin Settings > NTPs).
Creating a KACLS Endpoint URL
A KACLS URL is needed to access the Thales key service. Google Workspace administrators use this URL to configure Google Workspace to communicate with the KACLS. Creating a KACLS URL requires an identity provider and a KACLS endpoint.
To create a KACLS endpoint URL:
Create an identity provider.
GUI: Refer to Creating Identity Providers.
API: Refer to Creating Identity Providers.
Create a KACLS endpoint.
GUI: Refer to Creating KACLS Endpoints.
API: Refer to Creating KACLS Endpoints.
Note
Before proceeding, make sure that the KACLS endpoint URL is accessible from the internet and KACLS is running.
Configure Google Workspace Connection to KACLS
To configure the Google Workspace connection to KACLS:
Open the Google Admin console, http://admin.google.com.
Log on to the user domain as a super admin.
Navigate to CSE settings: Security > Client Side Encryption.
Click Add external key service.
Specify Name of external key service. This name will appear in error messages if Google Workspace cannot contact the key service.
Enter URL of external key service. This URL was created in Creating a KACLS Endpoint URL.
Click TEST CONNECTION to test that Google Workspace can communicate with the KACLS.
If the connection fails, correct the KACLS endpoint URL, ensure the Internet connectivity, and retry.
Click CONTINUE.
Click SAVE. The Google Workspace connection to KACLS is configured.
Additional Prerequisites for Gmail
Apart from the prerequisites described above, perform these additional steps for Gmail:
Create a test environment and enroll it with Google.
Enable Google Workspace CSE for intended Gmail users (senders and recipients).
Open the Google Admin console, http://admin.google.com.
Log on to the user domain as a super admin.
Navigate to CSE settings: Data > Compliance > Client-Side Encryption.
Scroll down to the Apps section and click the Gmail link.
Select an organizational unit or group for which you want to enable Gmail CSE.
Under User access, select ON.
Save the settings.
Prepare your certificates.
Generate S/MIME certificates. Adhere to the Google-specified certificate chain rules.
Wrap associated private keys using your KACLS endpoint URLs. Refer to Encrypting Private Keys (wrapprivatekey) for details.
Upload the wrapped private keys and certificates to Google.
Using Google Workspace Admin Console: Use this method if you want Google to trust your own root CA.
Open the Google Admin console, http://admin.google.com.
Log on to the user domain as a super admin.
Navigate to CSE settings: Apps > Google Workspace > Gmail.
On the right, click User settings.
Click S/MIME and select Enable S/MIME encryption for sending and receiving emails and Allow users to upload their own certificates.
Click ADD to upload the root certificate. This root CA is the chain of intermediate and root certificates.
Save the changes.
Using Gmail API client libraries: Use this method to upload each user's S/MIME certificates and wrapped private keys using the API client libraries provided by Google.
Additional Prerequisites for Key Migration
Browser Requirement
The latest stable version of Google Chrome is installed and running.
Configure External Key Management (EKM) Service
To configure the external key management service.
Create a sub-domain for KACLS in the Google domain. Refer to Creating a subdomain on Google domain for details.
Create a KACLS Endpoint URL, refer to Creating a KACLS Endpoint URL.
Configure Migration on KACLS
Using the API, you need to update the rewrap and privilegedUnwrap configurations on the following.
Old KACL
New KACL
Refer to the Update a Rewrap Configuration and Update a Privileged Unwrap Configuration APIs.
Configure Google Workspace Connection to KACLS
Refer to Configure Google Workspace Connection to KACLS for details.
Note
To enable the key migration feature, you need to add an EKM service with backup enabled.
You can only have one backup EKM service enabled at a time.
Ensure to turn on the "migration" toggle.