Encrypting Data Encryption Keys
When a user opens a blank encrypted document, initiates an encrypted call, or creates an encrypted Calendar event, a random Data Encryption Key (DEK) is generated and the data is encrypted with it. After the user authenticates successfully with the third-party identity provider, an authentication token (3P JWT) is issued. The wrap request sent to KACLS carries two tokens, a Google-issued authorization JWT and the third-party authentication JWT, and the user is authenticated using both. KACLS wraps the DEK with the key associated with the KACLS endpoint URL and returns the wrapped key. The encrypted data, together with its wrapped key, is uploaded to the Google Workspace server.
Encrypting Files on Google Drive
To create an encrypted Google Docs document:
Open the Google Drive console, https://drive.google.com.
Log on as an end user.
Click New > Google Docs > Blank encrypted document.
A message prompting you to sign in with your identity provider is displayed, as shown below.
Sign in with the configured third-party identity provider's user credentials.
Make your changes and save the document, as shown below.
The document is encrypted. KACLS’s wrap API is called to wrap the document's DEK (see Encrypting Data Encryption Keys above). The wrap requests are logged at KACLS (under Cloud Key Manager > Records), as shown below.
{
  "reason": "",
  "authorization": {
    "aud": "cse-authorization",
    "exp": 1643373456,
    "iat": 1643369856,
    "iss": "gsuitecse-tokenissuer-drive@system.gserviceaccount.com",
    "role": "writer",
    "email": "demo.user@domain.com",
    "kacls_url": "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/fb692716-b749-47b5-a233-3e0e06a9ee30",
    "perimeter_id": "",
    "resource_name": "//googleapis.com/drive/files/1c-5qu5usfHFxeyoOFtlKBNuHHxZHmXan"
  },
  "authentication": {
    "acr": "1",
    "aud": "b0ae52b6-c5e1-4931-9091-34d09df11960",
    "azp": "b0ae52b6-c5e1-4931-9091-34d09df11960",
    "exp": 1643370765,
    "iat": 1643369865,
    "iss": "https://<IDP>",
    "jti": "129cf52c-4394-4bc8-9fb2-d3e8c812d017",
    "sub": "6ba78312-6214-3ac5-b2a2-b99d83681091",
    "typ": "ID",
    "email": "demo.user@domain.com",
    "nonce": "fzmCUX-d6R74GQpdyLWvzA:https://docs.google.com",
    "s_hash": "hTpM40xvzcDvbGKKzzq9pg",
    "auth_time": 1643369865,
    "session_state": "95ae9ecc-d20b-4d44-bf4b-a485d8ff6773",
    "email_verified": false
  }
}
These requests are also visible at KACLS (under Records > Server Records).
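The record above shows the two claim sets a KACLS receives with every wrap request: the Google-issued authorization token and the identity provider's authentication token. The following Go program is an added example, not code from this page or from the KACLS product it documents. It shows the checks a KACLS endpoint would apply to those claims before wrapping (audience, issuer, expiry, kacls_url, role, matching email across both tokens) and then wraps a DEK with AES-256-GCM under the endpoint key. It assumes that both JWT signatures were already verified against Google's and the IdP's public keys, that the endpoint key and DEK are constructed test values, that the writer role is required for wrap (every record on this page carries that role), and that resource_name is bound into the wrapped blob as associated data; that binding is a design choice of the example, not something the page states. The claim values in main are copied from the Drive record above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AuthzClaims: fields of the Google-issued authorization JWT checked below.
type AuthzClaims struct {
	Aud, Iss, Role, Email, KaclsURL, ResourceName string
	Exp                                          int64
}

// AuthnClaims: fields of the third-party IdP authentication JWT checked below.
type AuthnClaims struct {
	Aud, Iss, Email string
	Exp             int64
}

// Endpoint is the KACLS endpoint named by kacls_url; Key is the AES-256 key
// associated with that URL (constructed for this example).
type Endpoint struct {
	URL, IdPIssuer, IdPClientID string
	Key                         []byte
}

// ValidateWrapRequest checks claims only; JWT signature verification is assumed done upstream.
func ValidateWrapRequest(ep Endpoint, z AuthzClaims, n AuthnClaims, now time.Time) error {
	switch {
	case z.Aud != "cse-authorization":
		return errors.New("authorization: unexpected aud")
	case !strings.HasPrefix(z.Iss, "gsuitecse-tokenissuer-") || !strings.HasSuffix(z.Iss, "@system.gserviceaccount.com"):
		return errors.New("authorization: issuer is not a Google CSE token issuer")
	case now.Unix() >= z.Exp:
		return errors.New("authorization: token expired")
	case z.KaclsURL != ep.URL:
		return errors.New("authorization: kacls_url does not name this endpoint")
	case z.Role != "writer":
		return errors.New("authorization: wrap requires the writer role")
	case n.Iss != ep.IdPIssuer || n.Aud != ep.IdPClientID:
		return errors.New("authentication: token is not from the configured IdP and client")
	case now.Unix() >= n.Exp:
		return errors.New("authentication: token expired")
	case !strings.EqualFold(z.Email, n.Email):
		return errors.New("email differs between authorization and authentication tokens")
	}
	return nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapDEK encrypts the DEK under the endpoint key with AES-256-GCM. Binding
// resource_name as associated data (a design choice of this example) means
// the blob only unwraps for the resource it was issued for.
func WrapDEK(ep Endpoint, dek []byte, resourceName string) ([]byte, error) {
	gcm, err := gcmFor(ep.Key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, dek, []byte(resourceName)), nil // nonce || ciphertext || tag
}

// UnwrapDEK reverses WrapDEK; it fails if the key, blob or resource_name differ.
func UnwrapDEK(ep Endpoint, wrapped []byte, resourceName string) ([]byte, error) {
	gcm, err := gcmFor(ep.Key)
	if err != nil {
		return nil, err
	}
	if len(wrapped) < gcm.NonceSize() {
		return nil, errors.New("wrapped key too short")
	}
	return gcm.Open(nil, wrapped[:gcm.NonceSize()], wrapped[gcm.NonceSize():], []byte(resourceName))
}

func main() {
	// Claim values are taken from the Drive record on this page; key and DEK are constructed.
	ep := Endpoint{URL: "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/fb692716-b749-47b5-a233-3e0e06a9ee30",
		IdPIssuer: "https://<IDP>", IdPClientID: "b0ae52b6-c5e1-4931-9091-34d09df11960", Key: make([]byte, 32)}
	z := AuthzClaims{Aud: "cse-authorization", Iss: "gsuitecse-tokenissuer-drive@system.gserviceaccount.com", Role: "writer",
		Email: "demo.user@domain.com", KaclsURL: ep.URL, Exp: 1643373456, ResourceName: "//googleapis.com/drive/files/1c-5qu5usfHFxeyoOFtlKBNuHHxZHmXan"}
	n := AuthnClaims{Aud: ep.IdPClientID, Iss: ep.IdPIssuer, Email: "demo.user@domain.com", Exp: 1643370765}
	if err := ValidateWrapRequest(ep, z, n, time.Unix(1643369900, 0)); err != nil {
		panic(err)
	}
	wrapped, _ := WrapDEK(ep, []byte("constructed 32-byte DEK ........"), z.ResourceName)
	fmt.Printf("wrapped DEK: %d bytes\n", len(wrapped))
}
```

The order of the checks matters less than their completeness: an endpoint that verifies signatures but skips the kacls_url or email comparison would wrap keys for requests that were legitimately issued for a different endpoint or a different user.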
Encrypting Calls Over Google Meet
To initiate an encrypted Google Meet call:
Open the Google Meet console, https://meet.google.com/.
Log on as an end user.
Click New meeting > Video call options > Security.
Select Add encryption.
Create an encrypted call. The options are:
Create a meeting for later
Start an instant meeting
A message prompting you to sign in with your identity provider is displayed, as shown below.
Sign in with the configured third-party identity provider's user credentials.
The call data is encrypted automatically, and KACLS’s wrap API is called to wrap its DEK. The wrap requests are logged at KACLS (under Cloud Key Manager > Records), as shown below.
{
  "reason": "Client-side encryption for Google Meet",
  "authorization": {
    "aud": "cse-authorization",
    "exp": 1646761146,
    "iat": 1646757546,
    "iss": "gsuitecse-tokenissuer-meet@system.gserviceaccount.com",
    "role": "writer",
    "email": "demo.user@domain.com",
    "kacls_url": "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/07cabf0f-e59d-426f-927e-f41827bacf5b",
    "perimeter_id": "",
    "resource_name": "//meetings.googleapis.com/MeetingSpace/spaces/tJgsmRfbjDoB"
  },
  "authentication": {
    "acr": "1",
    "aud": "6f088e98-d071-4d24-b3f1-8c86c0090f4a",
    "azp": "6f088e98-d071-4d24-b3f1-8c86c0090f4a",
    "exp": 1646758044,
    "iat": 1646757144,
    "iss": "https://<IDP>",
    "jti": "4c217728-b7f0-4bfe-ae7c-dee238b69929",
    "sub": "07c9e65b-bdca-3a2f-a390-4cb1502e6ae8",
    "typ": "ID",
    "email": "demo.user@domain.com",
    "nonce": "evrsDJS1_sc9xQdrDljbnw:https://meet.google.com",
    "s_hash": "LcSs9u0M5fuV20HI1ykv9Q",
    "auth_time": 1646757144,
    "session_state": "1d87d04d-e300-4db2-a1a4-19825aaaf603",
    "email_verified": false
  }
}
These requests are also visible at KACLS (under Records > Server Records).
Encrypting Google Calendar Events
To create an encrypted Google Calendar event:
Open the Google Calendar console, https://calendar.google.com/.
Log on as an end user.
Click Create.
Enable Turn on encryption. After selection, the option looks like the following.
Add event details.
A message prompting you to sign in with your identity provider is displayed.
Sign in with the configured third-party identity provider's user credentials.
The event data is encrypted automatically, and KACLS’s wrap API is called to wrap its DEK. The wrap requests are logged at KACLS (under Cloud Key Manager > Records), as shown below.
{
  "reason": "Encrypting description for calendar demo.user@domain.com, event 73tg8i2jdio57rib0o4s23a2em",
  "authorization": {
    "aud": "cse-authorization",
    "exp": 1647936974,
    "iat": 1647933374,
    "iss": "gsuitecse-tokenissuer-calendar@system.gserviceaccount.com",
    "role": "writer",
    "email": "demo.user@domain.com",
    "kacls_url": "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/7232123d-3d0d-4d5b-8b14-24c97540708e",
    "perimeter_id": "",
    "resource_name": "//googleapis.com/calendar/08927975989983541514/eef396266e4b5ca9"
  },
  "authentication": {
    "aud": "ecdUQSQtIVkZ7rYSarnN45nuUZkeLUqL",
    "exp": 1647968855,
    "iat": 1647932855,
    "iss": "https://<IDP>",
    "sub": "google-oauth2|110478923717308119755",
    "email": "demo.user@domain.com",
    "nonce": "asTWdJJLSzWP2hgGTkmTXw:https://krahsc.google.com",
    "email_verified": true
  }
}
These requests are also visible at KACLS (under Records > Server Records).