Prerequisites
Before you can perform client-side encryption:
Make sure you have a stable release of Google Chrome or Microsoft Edge installed and running.
Make sure your access to KACLS is not blocked by web filters, for example, Zscaler.
Make sure you have the CCKM Admins rights to perform Google Workspace CSE operations on the CipherTrust Manager.
Make sure that an identity provider system is set up correctly. For this, the identity provider admin uses either of the following methods:
Using .well-known File Configuration
Host the cse-configuration JSON file on a Web server. A sample JSON file looks like this:

    {
      "name": "CSE IDP",
      "client_id": "<authenticationAud>",
      "discovery_uri": "<openidConfigurationURL>",
      "audience": "cse-test"
    }

Here, <authenticationAud> is the client ID registered with the third-party identity provider for this application. For example, for Auth0, it is the application's Client ID. <openidConfigurationURL> is the identity provider's OpenID Connect discovery URL. For example, for Auth0, it can be https://demo.auth0.com/.well-known/openid-configuration.
Create a subdomain on the Google domain portal for the hosted Web server. Navigate to the Google domain > DNS > Custom resource records and add the IP address of the Web server with the name cse.
Using IdP Fallback Settings
On the Google Admin Console, set the identity provider configuration.
Specify the following fields:
Name: Name for the identity provider.
Client ID: The client ID registered with the third-party identity provider. For example, for Auth0 and STA, it is represented by the Client ID.
Discovery URI: The identity provider's OpenID Connect discovery URL. For example, for Auth0, it can be https://demo.auth0.com/.well-known/openid-configuration, and for STA, it is represented by the WELL KNOWN CONFIGURATION URL.
Grant type: Set as Implicit.
Test and save the settings.
(Applicable when a valid public DNS for the CipherTrust Manager is unavailable.) Create a subdomain for Thales key service (KACLS) on Google domain. Refer to Creating a Subdomain on Google Domain.
Create a URL to access the KACLS. This URL is referred to as KACLS Endpoint URL in this document. Refer to Creating a KACLS Endpoint URL below.
Configure Google Workspace connection to KACLS. Refer to Configure Google Workspace Connection to KACLS for details.
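The script below is added here as an example and is not part of the Thales or Google documentation. It checks a cse-configuration document of the form shown above before it is published, and the same three fields (name, client_id, discovery_uri) are what the IdP fallback settings ask for, so the checks apply to either method. It also cross-checks the identity provider's discovery document: the issuer must match the discovery URI, and because the fallback settings use the Implicit grant, the provider must advertise an id_token response type. The sample client ID and the Auth0-style discovery document are constructed for the example; the expectation that discovery_uri ends in /.well-known/openid-configuration follows OpenID Connect Discovery and is not stated on this page.

```python
"""Sanity-check a Google Workspace CSE identity-provider configuration.

Added example, not Thales or Google code. Serves both methods on this page:
the hosted /.well-known/cse-configuration file and the IdP fallback form
carry the same name / client_id / discovery_uri values."""
import json
from urllib.parse import urlparse

REQUIRED = ("name", "client_id", "discovery_uri")
WELL_KNOWN = "/.well-known/openid-configuration"  # OpenID Connect Discovery path (assumed, not from the page)

# Constructed sample: the page's template with placeholders replaced by
# Auth0-style values (demo tenant, made-up client ID).
SAMPLE_CSE_CONFIG = """{
  "name": "CSE IDP",
  "client_id": "aBcD1234exampleClientId",
  "discovery_uri": "https://demo.auth0.com/.well-known/openid-configuration",
  "audience": "cse-test"
}"""

# Constructed subset of an OpenID discovery document; only the keys used below.
SAMPLE_DISCOVERY_DOC = """{
  "issuer": "https://demo.auth0.com/",
  "jwks_uri": "https://demo.auth0.com/.well-known/jwks.json",
  "response_types_supported": ["code", "token", "id_token", "token id_token"]
}"""


def check_cse_config(config_json: str) -> list[str]:
    """Return the problems found in a cse-configuration document (empty = OK)."""
    try:
        cfg = json.loads(config_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["top-level value must be a JSON object"]

    problems = []
    for key in REQUIRED:
        value = cfg.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key}: missing or empty")
        elif value.startswith("<") and value.endswith(">"):
            # Catches template placeholders such as <authenticationAud> left in place.
            problems.append(f"{key}: placeholder {value!r} was never replaced")

    uri = cfg.get("discovery_uri")
    if isinstance(uri, str) and uri:
        parts = urlparse(uri)
        if parts.scheme != "https":
            problems.append("discovery_uri: must use https")
        if not parts.netloc:
            problems.append("discovery_uri: no host")
        if parts.path != WELL_KNOWN:
            problems.append(f"discovery_uri: path should be {WELL_KNOWN}")
    return problems


def check_discovery_doc(config_json: str, discovery_json: str) -> list[str]:
    """Cross-check the IdP's discovery document against the CSE config."""
    cfg = json.loads(config_json)
    doc = json.loads(discovery_json)
    problems = []
    issuer = doc.get("issuer", "")
    uri = cfg.get("discovery_uri", "")
    # The discovery document lives under the issuer, so the issuer must prefix discovery_uri;
    # a mismatch means the config points at a different tenant than the one that signs tokens.
    if not issuer or not uri.startswith(issuer.rstrip("/")):
        problems.append(f"issuer {issuer!r} does not match discovery_uri {uri!r}")
    if not doc.get("jwks_uri", "").startswith("https://"):
        problems.append("jwks_uri missing or not https")
    # The fallback settings use the Implicit grant, so the IdP must be able to
    # return an id_token straight from the authorization endpoint.
    supported = doc.get("response_types_supported", [])
    if not any("id_token" in rt.split() for rt in supported):
        problems.append("IdP advertises no id_token response type; Implicit grant will fail")
    return problems


if __name__ == "__main__":
    found = check_cse_config(SAMPLE_CSE_CONFIG)
    if not found:
        found = check_discovery_doc(SAMPLE_CSE_CONFIG, SAMPLE_DISCOVERY_DOC)
    print("OK" if not found else "\n".join("PROBLEM: " + p for p in found))
```

Run it against the real file and the real discovery document fetched from the provider; the template from this page fails on purpose until both placeholders are replaced.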
Creating a Subdomain on Google Domain
Note
This section is applicable when a valid public DNS for the CipherTrust Manager is unavailable.
Log on to Google domain as a super admin for the user domain.
Navigate to DNS > Custom resource records.
Create a subdomain for the KACLS. Specify a name for your subdomain and the IP address or hostname of the KACLS.
Tip
If you are working in a clustered CipherTrust Manager environment, you need to create a clustered subdomain on Google domain. Refer to Create a clustered subdomain on Google domain for details.
Note
It is recommended to add the Google NTP server to the CipherTrust Manager (Admin Settings > NTPs). The KACLS validates time-limited tokens issued by Google and by the identity provider, so clock skew on the CipherTrust Manager causes otherwise valid requests to be rejected.
Creating a KACLS Endpoint URL
A KACLS URL is needed to access the Thales key service. Google Workspace administrators use this URL to configure Google Workspace to communicate with the KACLS. Creating a KACLS URL requires an identity provider and a KACLS endpoint.
To create a KACLS endpoint URL:
Create an identity provider.
GUI: Refer to Creating Identity Providers.
API: Refer to Creating Identity Providers.
Create a KACLS endpoint.
GUI: Refer to Creating KACLS Endpoints.
API: Refer to Creating KACLS Endpoints.
Note
Before proceeding, make sure that the KACLS endpoint URL is accessible from the internet and KACLS is running.
Configure Google Workspace Connection to KACLS
To configure the Google Workspace connection to KACLS:
Open the Google Admin console, https://admin.google.com.
Log on as a super admin for the user domain.
Navigate to CSE settings: Security > Client Side Encryption.
Click Add external key service.
Specify Name of external key service. This name will appear in error messages if Google Workspace cannot contact the key service.
Enter URL of external key service. This URL was created in Creating a KACLS Endpoint URL.
Click TEST CONNECTION to test that Google Workspace can communicate with the KACLS.
If the connection fails, correct the KACLS endpoint URL, ensure that the KACLS is reachable from the internet, and retry.
Click CONTINUE.
Click SAVE. The Google Workspace connection to KACLS is configured.
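The pre-flight script below is added here as an example and is not Thales or Google code. Run from a machine outside the corporate network, it covers the reasons TEST CONNECTION fails that this page warns about: a URL that is not https, a hostname the internet cannot resolve or that resolves to a private address, a TLS certificate that does not validate, and a KACLS that is not running. The /status method and its server_type field come from Google's KACLS API specification, not from this page; the sample URL, its path, and the sample response body are constructed.

```python
"""Pre-flight check of a KACLS endpoint URL before clicking TEST CONNECTION.

Added example, not Thales or Google code. Assumes Google's KACLS API
exposes GET <endpoint>/status returning JSON with a "server_type" of
"KACLS" (from the Google spec, not from this page)."""
import ipaddress
import json
import socket
import ssl
import sys
from urllib.error import HTTPError, URLError
from urllib.parse import urlparse
from urllib.request import Request, urlopen

SAMPLE_KACLS_URL = "https://kacls.example.com/kacls"  # constructed; path is illustrative
# Constructed /status body in the shape the Google spec describes.
SAMPLE_STATUS_BODY = ('{"server_type": "KACLS", "vendor_id": "Thales", '
                      '"version": "1.0", "name": "CipherTrust Manager"}')


def validate_kacls_url(url: str) -> list[str]:
    """Static checks that need no network access."""
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("scheme must be https; Google only connects to a KACLS over TLS")
    host = parts.hostname
    if not host:
        problems.append("URL has no hostname")
    elif host in ("localhost", "127.0.0.1") or host.endswith((".local", ".internal", ".lan")):
        problems.append(f"hostname {host!r} is not resolvable from the internet")
    if parts.query or parts.fragment:
        problems.append("URL must not contain a query string or fragment")
    return problems


def address_problems(addresses: list[str]) -> list[str]:
    """Flag resolved addresses Google's servers can never reach
    (RFC 1918, loopback, link-local and other non-global ranges)."""
    return [f"{a} is not a globally routable address"
            for a in addresses if not ipaddress.ip_address(a).is_global]


def parse_status(body: str) -> list[str]:
    """Check that a /status response body says a KACLS is answering."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"/status did not return JSON: {exc}"]
    problems = []
    if doc.get("server_type") != "KACLS":
        problems.append(f"server_type is {doc.get('server_type')!r}, expected 'KACLS'")
    for key in ("vendor_id", "version"):
        if not doc.get(key):
            problems.append(f"/status response lacks {key}")
    return problems


def preflight(url: str, timeout: float = 10.0) -> list[str]:
    """Run every check against a live endpoint; returns the problems found."""
    problems = validate_kacls_url(url)
    if problems:
        return problems
    host = urlparse(url).hostname
    try:
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443)})
    except socket.gaierror as exc:
        return [f"DNS lookup for {host} failed: {exc}"]
    problems += address_problems(addrs)
    # The default context verifies the chain and the hostname, as Google will;
    # a private CA or a certificate for another name fails here.
    ctx = ssl.create_default_context()
    status_url = url.rstrip("/") + "/status"
    try:
        with urlopen(Request(status_url), timeout=timeout, context=ctx) as resp:
            problems += parse_status(resp.read().decode("utf-8"))
    except HTTPError as exc:
        problems.append(f"{status_url} returned HTTP {exc.code}; is the KACLS running?")
    except URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            problems.append(f"TLS certificate not trusted: {exc.reason.verify_message}")
        else:
            problems.append(f"could not reach {status_url}: {exc.reason}")
    except OSError as exc:
        problems.append(f"could not reach {status_url}: {exc}")
    return problems


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_KACLS_URL
    found = preflight(target)
    print("OK: KACLS reachable and answering" if not found else "\n".join(found))
```

Pass the KACLS Endpoint URL created earlier as the only argument. An empty problem list from a host outside your network is what the Admin console needs to see; a certificate from a private CA passes in a browser that trusts it but fails here, exactly as it fails for Google.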
Google Workspace can communicate with KACLS for encryption and decryption of files and calls, as described below.
Google Drive
Google Workspace can communicate with KACLS for encryption and decryption of files on Google Drive. Whenever a new file (Blank encrypted document) is created or updated, its data is encrypted automatically.
Also, when a new file is uploaded (using Drive > File upload > Encrypt and upload), the file is encrypted and uploaded. When an existing encrypted file is opened, its data is decrypted for authenticated end users.
Google Meet
Google Workspace can communicate with KACLS for encryption and decryption of calls over Google Meet (using Meet > New meeting > Video call options > Security > Add encryption).
Whenever an authenticated host initiates an encrypted call, the call data is encrypted automatically. The call data is automatically decrypted for authenticated participants.
Google Calendar
Google Workspace can communicate with KACLS for encryption and decryption of Google Calendar event data such as description, attachments, etc. (using Calendar > Create). Turn on the encryption toggle.
Whenever an authenticated host creates a Calendar event, the event description and attachments are encrypted automatically. The event data is automatically decrypted for authenticated recipients.
While creating the event, you can also add an encrypted Google Meet call by clicking Add Google Meet video conferencing.