Decrypting Data Encryption Keys
When a user opens an encrypted document, joins an encrypted call, or views an encrypted Calendar event, the Google Workspace client downloads the wrapped DEK and the encrypted data from the Google Workspace server. The Google Workspace CSE library obtains an authorization token (Google JWT) from Google and, once the user has authenticated with the third-party identity provider, an authentication token (3P JWT) from that provider. The client sends the wrapped DEK together with both JWTs to the KACLS unwrap endpoint. KACLS verifies both tokens, checks that they name the same user and that the request is addressed to this KACLS, unwraps the wrapped key with the KEK, and returns the DEK. Google Workspace CSE then decrypts the data with this DEK.
Decrypting Files on Google Drive
To decrypt an encrypted Google Docs document:
1. Open the Google Drive console, https://drive.google.com.
2. Log on as a super admin for the user domain.
3. Try to open the encrypted document (created in Encrypting Data Encryption Keys).
4. Sign in with the configured third-party identity provider user credentials.
KACLS’s unwrap API is called internally to decrypt the document for the user. The unwrap requests are logged at KACLS (under Cloud Key Manager > Records), as shown below.
{
  "reason": "",
  "authorization": {
    "aud": "cse-authorization",
    "exp": 1644323888,
    "iat": 1644320288,
    "iss": "gsuitecse-tokenissuer-drive@system.gserviceaccount.com",
    "role": "writer",
    "email": "demo.user@domain.com",
    "kacls_url": "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/a2feb391-6184-4b66-ad7f-1248d568375d",
    "perimeter_id": "",
    "resource_name": "//googleapis.com/drive/files/1g1rb0wvPRpIhHHJjbchgnZNsVqII4TSp"
  },
  "authentication": {
    "acr": "1",
    "aud": "b0ae52b6-c5e1-4931-9091-34d09df11960",
    "azp": "b0ae52b6-c5e1-4931-9091-34d09df11960",
    "exp": 1644320477,
    "iat": 1644319577,
    "iss": "https://<IDP>",
    "jti": "bf7c35ba-67c7-4762-a945-72aeca382e1b",
    "sub": "6ba78312-6214-3ac5-b2a2-b99d83681091",
    "typ": "ID",
    "email": "demo.user@domain.com",
    "nonce": "LZ2oaPjdCO52dAkY7LNTlw:https://docs.google.com",
    "s_hash": "7UIHrDHqf3sRbIRC-zZHTA",
    "auth_time": 1644319577,
    "session_state": "6b686726-bcc3-4d2d-9429-2ab80aad5eed",
    "email_verified": false
  }
}
These requests are also visible at KACLS (under Records > Server Records).
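The checks a KACLS has to pass before it touches the KEK, replayed against the Drive record logged above, as an added Python example (it is not CipherTrust, CCKM or Google code). It takes the decoded claims of the two JWTs as they appear in the record and returns the reasons the request would be refused; an empty list means unwrap may proceed. It assumes the IdP issuer "https://<IDP>" (the page's placeholder is kept) and the client ID "b0ae52b6-…" exactly as logged, assumes both JWT signatures were already verified against each issuer's JWKS (not shown), and uses a constructed role policy (readers may unwrap, writers may wrap and unwrap). The names check_kacls_request and drive_unwrap_at are this example's own.

```python
"""Claim checks a KACLS applies to an unwrap/wrap request before using the KEK.

Added illustration, not CipherTrust/CCKM or Google code. Signature verification
of both tokens is assumed to have happened already and is not shown.
"""
import re
import time
from typing import Dict, List, Optional

# Google issues the authorization token per product; the issuers logged on this
# page (drive, meet, calendar) all follow this pattern.
GOOGLE_ISSUER_RE = re.compile(r"^gsuitecse-tokenissuer-[a-z]+@system\.gserviceaccount\.com$")
AUTHZ_AUDIENCE = "cse-authorization"

# Constructed policy for the example: readers may only unwrap, writers may wrap and unwrap.
ALLOWED_ROLES = {"unwrap": {"reader", "writer"}, "wrap": {"writer"}}


def _lifetime_ok(claims: Dict, now: int, leeway: int) -> Optional[str]:
    """Return None if now lies inside [iat - leeway, exp + leeway), else a reason."""
    try:
        iat, exp = int(claims["iat"]), int(claims["exp"])
    except (KeyError, TypeError, ValueError):
        return "missing or malformed iat/exp"
    if now < iat - leeway:
        return "token not yet valid"
    if now >= exp + leeway:
        return "token expired"
    return None


def check_kacls_request(record: Dict, operation: str, my_kacls_url: str,
                        idp_issuer: str, idp_client_id: str,
                        now: Optional[int] = None, leeway: int = 0) -> List[str]:
    """Validate the claims of one request; an empty list means it may proceed."""
    now = int(time.time()) if now is None else now
    authz = record.get("authorization", {})
    authn = record.get("authentication", {})
    problems: List[str] = []

    # 1. The Google authorization token must be meant for CSE, come from Google and
    #    name *this* KACLS: a token minted for another KACLS must not be honoured here.
    if authz.get("aud") != AUTHZ_AUDIENCE:
        problems.append("authorization aud is not %r" % AUTHZ_AUDIENCE)
    if not GOOGLE_ISSUER_RE.match(authz.get("iss", "")):
        problems.append("authorization iss is not a Google CSE token issuer")
    if authz.get("kacls_url") != my_kacls_url:
        problems.append("authorization kacls_url does not match this KACLS")
    reason = _lifetime_ok(authz, now, leeway)
    if reason:
        problems.append("authorization token: " + reason)

    # 2. The third-party authentication token must come from the configured IdP and
    #    be issued to the client ID registered for CSE.
    if authn.get("iss") != idp_issuer:
        problems.append("authentication iss is not the configured IdP")
    if authn.get("aud") != idp_client_id:
        problems.append("authentication aud is not the CSE client ID")
    reason = _lifetime_ok(authn, now, leeway)
    if reason:
        problems.append("authentication token: " + reason)

    # 3. Both tokens must describe the same user, otherwise a valid Google token for
    #    one account could be paired with an IdP login for a different one.
    email_z = (authz.get("email") or "").strip().lower()
    email_n = (authn.get("email") or "").strip().lower()
    if not email_z or email_z != email_n:
        problems.append("email claim differs between authorization and authentication tokens")

    # 4. The role Google asserted must permit the operation requested.
    if authz.get("role") not in ALLOWED_ROLES.get(operation, set()):
        problems.append("role %r may not %s" % (authz.get("role"), operation))
    return problems


# Constructed sample: the Drive unwrap record logged above, reduced to the claims used.
DRIVE_RECORD = {
    "authorization": {
        "aud": "cse-authorization", "exp": 1644323888, "iat": 1644320288,
        "iss": "gsuitecse-tokenissuer-drive@system.gserviceaccount.com",
        "role": "writer", "email": "demo.user@domain.com",
        "kacls_url": "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/a2feb391-6184-4b66-ad7f-1248d568375d",
        "perimeter_id": "",
        "resource_name": "//googleapis.com/drive/files/1g1rb0wvPRpIhHHJjbchgnZNsVqII4TSp",
    },
    "authentication": {
        "aud": "b0ae52b6-c5e1-4931-9091-34d09df11960", "exp": 1644320477, "iat": 1644319577,
        "iss": "https://<IDP>", "email": "demo.user@domain.com", "email_verified": False,
    },
}
KACLS_URL = DRIVE_RECORD["authorization"]["kacls_url"]
IDP = "https://<IDP>"                                   # placeholder kept from the page
CLIENT_ID = "b0ae52b6-c5e1-4931-9091-34d09df11960"      # assumed: the client ID registered at the IdP


def drive_unwrap_at(now: int, operation: str = "unwrap", kacls_url: str = KACLS_URL) -> List[str]:
    """Replay the logged Drive request against the checks at a chosen instant."""
    return check_kacls_request(DRIVE_RECORD, operation, kacls_url, IDP, CLIENT_ID, now=now)


if __name__ == "__main__":
    print(drive_unwrap_at(1644320300))   # inside both lifetimes: []
    print(drive_unwrap_at(1644320500))   # authentication token already expired
```

Note that the authentication token in the record above is valid for 15 minutes while the authorization token is valid for an hour, so a replayed request fails on the IdP token first; the kacls_url comparison is what stops a token issued for a different KACLS endpoint from being accepted by this one. The records on this page show email_verified false for two of the IdPs; the example binds the two tokens through the email claim and leaves any email_verified policy to the deployment.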
Decrypting Calls Over Google Meet
To decrypt an encrypted Google Meet call:
1. Open the Google Meet console, https://meet.google.com/.
2. Log on as an end user.
3. Join the call (created in Encrypting Data Encryption Keys).
4. Sign in with the configured third-party identity provider user credentials.
KACLS’s unwrap API is called internally to decrypt the call for the user. The unwrap requests are logged at KACLS (under Cloud Key Manager > Records), as shown below.
{
  "reason": "Client-side encryption for Google Meet",
  "authorization": {
    "aud": "cse-authorization",
    "exp": 1646761418,
    "iat": 1646757818,
    "iss": "gsuitecse-tokenissuer-meet@system.gserviceaccount.com",
    "role": "reader",
    "email": "demo.user@domain.com",
    "kacls_url": "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/07cabf0f-e59d-426f-927e-f41827bacf5b",
    "perimeter_id": "",
    "resource_name": "//meetings.googleapis.com/MeetingSpace/spaces/4Wbij56jcqAB"
  },
  "authentication": {
    "acr": "1",
    "aud": "6f088e98-d071-4d24-b3f1-8c86c0090f4a",
    "azp": "6f088e98-d071-4d24-b3f1-8c86c0090f4a",
    "exp": 1646758044,
    "iat": 1646757144,
    "iss": "https://<IDP>",
    "jti": "4c217728-b7f0-4bfe-ae7c-dee238b69929",
    "sub": "07c9e65b-bdca-3a2f-a390-4cb1502e6ae8",
    "typ": "ID",
    "email": "demo.user@domain.com",
    "nonce": "evrsDJS1_sc9xQdrDljbnw:https://meet.google.com",
    "s_hash": "LcSs9u0M5fuV20HI1ykv9Q",
    "auth_time": 1646757144,
    "session_state": "1d87d04d-e300-4db2-a1a4-19825aaaf603",
    "email_verified": false
  }
}
These requests are also visible at KACLS (under Records > Server Records).
Decrypting Google Calendar Events
To decrypt an encrypted Google Calendar event:
1. Open the Google Calendar console, https://calendar.google.com/.
2. Log on as an end user.
3. View the event (created in Encrypting Data Encryption Keys).
4. Sign in with the configured third-party identity provider user credentials.
KACLS’s unwrap API is called internally to decrypt the event data for the user. The unwrap requests are logged at KACLS (under Cloud Key Manager > Records), as shown below.
{
  "reason": "Decrypting description for calendar demo.user@domain.com, event 2c4nks2odk7nbk6nh0dpdhfn1p",
  "authorization": {
    "aud": "cse-authorization",
    "exp": 1647936814,
    "iat": 1647933214,
    "iss": "gsuitecse-tokenissuer-calendar@system.gserviceaccount.com",
    "role": "reader",
    "email": "demo.user@domain.com",
    "kacls_url": "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/7232123d-3d0d-4d5b-8b14-24c97540708e",
    "perimeter_id": "",
    "resource_name": "//googleapis.com/calendar/08927975989983541514/d05a582bb76c2af"
  },
  "authentication": {
    "aud": "ecdUQSQtIVkZ7rYSarnN45nuUZkeLUqL",
    "exp": 1647968855,
    "iat": 1647932855,
    "iss": "https://<IDP>",
    "sub": "google-oauth2|110478923717308119755",
    "email": "demo.user@domain.com",
    "nonce": "asTWdJJLSzWP2hgGTkmTXw:https://krahsc.google.com",
    "email_verified": true
  }
}
These requests are also visible at KACLS (under Records > Server Records).