Decrypting Data Encryption Keys
When a user opens an encrypted document, joins an encrypted call, or views an encrypted Calendar event, the wrapped key and the encrypted data are downloaded from the Google Workspace server. The Google Workspace CSE library generates a Google JWT. After the user authenticates successfully with the third-party identity provider, an authentication token (3P JWT) is generated. The user is authenticated to KACLS with both the Google JWT and the third-party JWT. KACLS unwraps the wrapped key and returns the DEK, and Google Workspace CSE decrypts the data using this DEK.
Decrypting Files on Google Drive
To decrypt an encrypted Google Docs document:
- Open the Google Drive console, https://drive.google.com.
- Log on as a super admin for the user domain.
- Try to open the encrypted document (created in Encrypting Data Encryption Keys).
- Sign in with the configured third-party identity provider user credentials.
KACLS’ unwrap API is called internally to decrypt the document for the user. The unwrap requests are logged at KACLS (under Records > Server Records), as shown below.
{
"reason": "",
"authorization": {
"aud": "cse-authorization",
"exp": 1644323888,
"iat": 1644320288,
"iss": "gsuitecse-tokenissuer-drive@system.gserviceaccount.com",
"role": "writer",
"email": "demo.user@domain.com",
"kacls_url": "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/a2feb391-6184-4b66-ad7f-1248d568375d",
"perimeter_id": "",
"resource_name": "//googleapis.com/drive/files/1g1rb0wvPRpIhHHJjbchgnZNsVqII4TSp"
},
"authentication": {
"acr": "1",
"aud": "b0ae52b6-c5e1-4931-9091-34d09df11960",
"azp": "b0ae52b6-c5e1-4931-9091-34d09df11960",
"exp": 1644320477,
"iat": 1644319577,
"iss": "https://<IDP>",
"jti": "bf7c35ba-67c7-4762-a945-72aeca382e1b",
"sub": "6ba78312-6214-3ac5-b2a2-b99d83681091",
"typ": "ID",
"email": "demo.user@domain.com",
"nonce": "LZ2oaPjdCO52dAkY7LNTlw:https://docs.google.com",
"s_hash": "7UIHrDHqf3sRbIRC-zZHTA",
"auth_time": 1644319577,
"session_state": "6b686726-bcc3-4d2d-9429-2ab80aad5eed",
"email_verified": false
}
}
Decrypting Calls Over Google Meet
To decrypt an encrypted Google Meet call:
- Open the Google Meet console, https://meet.google.com/.
- Log on as an end user.
- Join the call (created in Encrypting Data Encryption Keys).
- Sign in with the configured third-party identity provider user credentials.
KACLS’ unwrap API is called internally to decrypt the call for the user. The unwrap requests are logged at KACLS (under Records > Server Records), as shown below.
{
"reason": "Client-side encryption for Google Meet",
"authorization": {
"aud": "cse-authorization",
"exp": 1646761418,
"iat": 1646757818,
"iss": "gsuitecse-tokenissuer-meet@system.gserviceaccount.com",
"role": "reader",
"email": "demo.user@domain.com",
"kacls_url": "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/07cabf0f-e59d-426f-927e-f41827bacf5b",
"perimeter_id": "",
"resource_name": "//meetings.googleapis.com/MeetingSpace/spaces/4Wbij56jcqAB"
},
"authentication": {
"acr": "1",
"aud": "6f088e98-d071-4d24-b3f1-8c86c0090f4a",
"azp": "6f088e98-d071-4d24-b3f1-8c86c0090f4a",
"exp": 1646758044,
"iat": 1646757144,
"iss": "https://<IDP>",
"jti": "4c217728-b7f0-4bfe-ae7c-dee238b69929",
"sub": "07c9e65b-bdca-3a2f-a390-4cb1502e6ae8",
"typ": "ID",
"email": "demo.user@domain.com",
"nonce": "evrsDJS1_sc9xQdrDljbnw:https://meet.google.com",
"s_hash": "LcSs9u0M5fuV20HI1ykv9Q",
"auth_time": 1646757144,
"session_state": "1d87d04d-e300-4db2-a1a4-19825aaaf603",
"email_verified": false
}
}
Decrypting Google Calendar Events
To decrypt an encrypted Google Calendar event:
- Open the Google Calendar console, https://calendar.google.com/.
- Log on as an end user.
- View the event (created in Encrypting Data Encryption Keys).
- Sign in with the configured third-party identity provider user credentials.
KACLS’ unwrap API is called internally to decrypt the event data for the user. The unwrap requests are logged at KACLS (under Records > Server Records), as shown below.
{
"reason": "Decrypting description for calendar demo.user@domain.com, event 2c4nks2odk7nbk6nh0dpdhfn1p",
"authorization": {
"aud": "cse-authorization",
"exp": 1647936814,
"iat": 1647933214,
"iss": "gsuitecse-tokenissuer-calendar@system.gserviceaccount.com",
"role": "reader",
"email": "demo.user@domain.com",
"kacls_url": "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/7232123d-3d0d-4d5b-8b14-24c97540708e",
"perimeter_id": "",
"resource_name": "//googleapis.com/calendar/08927975989983541514/d05a582bb76c2af"
},
"authentication": {
"aud": "ecdUQSQtIVkZ7rYSarnN45nuUZkeLUqL",
"exp": 1647968855,
"iat": 1647932855,
"iss": "https://<IDP>",
"sub": "google-oauth2|110478923717308119755",
"email": "demo.user@domain.com",
"nonce": "asTWdJJLSzWP2hgGTkmTXw:https://krahsc.google.com",
"email_verified": true
}
}
Decrypting Gmail Messages
When a recipient opens an encrypted Gmail message, the message is decrypted with the recipient's private key, the key whose wrapped form and certificates were uploaded to Google while completing the additional prerequisites for Gmail.
After the user authenticates successfully with the third-party identity provider, an authentication token (3P JWT) is generated. The user is authenticated to KACLS with both the Google JWT and the third-party JWT. When the recipient opens the encrypted message, KACLS unwraps the recipient's wrapped private key, decrypts the encrypted content encryption key (ECEK) with this private key, and returns the message's DEK. Google Workspace CSE decrypts the message using this DEK.
To decrypt an encrypted Gmail message:
- Open the Gmail console, https://mail.google.com/.
- Log on as an end user.
- Try to open the encrypted message.
- Sign in with the configured third-party identity provider user credentials.
KACLS’ privatekeydecrypt API is called internally to decrypt the message for the user. The privatekeydecrypt requests are logged at KACLS (under Records > Server Records), as shown below.
{
"reason": "unpack request",
"authorization": {
"aud": "cse-authorization",
"exp": 1661488112,
"iat": 1661484512,
"iss": "gsuitecse-tokenissuer-gmail@system.gserviceaccount.com",
"role": "decrypter",
"email": "demo.user@domain.com",
"kacls_url": "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/59e7c24f-4573-472d-8e8c-afb622793154",
"spki_hash": "jFBT+M1baVaQqDRLmQTP1gS3zwrUPXpR/uOtyAnjbkY=",
"message_id": "<CAGb6PCqtvd6d5n20xazMGkFxnezY1b9yBQPYmVgEdkM6O=AmNQ@mail.gmail.com>",
"perimeter_id": "",
"resource_name": "//gmail.googleapis.com/gmail/users/demo.user%40domain.com/settings/cse/keypairs/ANe1BmhsTEntl0K99F0xA5Txc1jJgjUSxAms4RzSmRypRSQzh4nYso55Mq9ktKmmPPNLP0Rgx0FLSQXhj6xdg6_OX-7hIg",
"spki_hash_algorithm": "SHA-256"
},
"authentication": {
"aud": "3kT5KerY3vXrEuzNRrQxVQqaRNvYUAwR",
"exp": 1661485571,
"iat": 1661484371,
"iss": "https://<IDP>",
"sid": "klqAk-BaWczEf_Unf6RoCM8DPwdXL7hU",
"sub": "google-oauth2|110478923717308119755",
"email": "demo.user@domain.com",
"nonce": "LJOJ79acJoMBIqeTW9vHrg:https://krahsc.google.com",
"email_verified": true
}
}
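The Server Records above show the two tokens every KACLS request carries: the Google JWT under "authorization" and the identity provider's 3P JWT under "authentication". The example below is added here and is not code from the product or from Google; it shows the cross-claim checks a KACLS applies to such a token pair before it unwraps a DEK (the Drive, Meet and Calendar unwrap requests) or uses a recipient's private key (the Gmail privatekeydecrypt request). It assumes JWT signatures have already been verified, that the endpoint prefix https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/ identifies this KACLS, that reader/writer roles may unwrap while only decrypter may call privatekeydecrypt, and that "https://<IDP>" stands in for the configured identity provider; the two records it runs over are constructed from the Drive and Gmail entries above with the non-policy claims left out.

```python
import json
import re

# Endpoint prefix this (hypothetical) KACLS instance serves; taken from the
# kacls_url values in the records above.
OUR_KACLS_PREFIX = "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/"

# Google mints the authorization JWT from a per-application service account;
# the pattern covers the four issuers seen in the records above.
GOOGLE_ISSUER = re.compile(
    r"^gsuitecse-tokenissuer-(drive|meet|calendar|gmail)@system\.gserviceaccount\.com$"
)

# Roles each KACLS API accepts (assumption: reader/writer may unwrap a DEK,
# only a decrypter may use the Gmail private key).
ALLOWED_ROLES = {"unwrap": {"reader", "writer"}, "privatekeydecrypt": {"decrypter"}}

# Identity providers whose 3P JWTs are trusted; "<IDP>" is the page's placeholder.
TRUSTED_IDP_ISSUERS = {"https://<IDP>"}


def _lifetime_problems(name, claims, now, skew):
    """Check iat/exp of one token against the request time, allowing clock skew."""
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return [f"{name}: iat/exp missing"]
    problems = []
    if iat > now + skew:
        problems.append(f"{name}: issued in the future")
    if exp < now - skew:
        problems.append(f"{name}: expired")
    return problems


def check_request(operation, record, now, skew=60):
    """Return the policy violations for one logged request; [] means it passes.

    operation is the KACLS API the request hit ("unwrap" or "privatekeydecrypt").
    Signature verification of both JWTs is assumed to have happened already.
    """
    problems = []
    authz = record.get("authorization") or {}
    authn = record.get("authentication") or {}

    # Google JWT: audience, issuer, that it was minted for *this* KACLS, and role.
    if authz.get("aud") != "cse-authorization":
        problems.append("authorization.aud is not cse-authorization")
    if not GOOGLE_ISSUER.match(authz.get("iss", "")):
        problems.append(f"unexpected authorization issuer {authz.get('iss')!r}")
    if not authz.get("kacls_url", "").startswith(OUR_KACLS_PREFIX):
        problems.append("kacls_url does not name this KACLS endpoint")
    if authz.get("role") not in ALLOWED_ROLES.get(operation, set()):
        problems.append(f"role {authz.get('role')!r} not allowed for {operation}")
    problems += _lifetime_problems("authorization", authz, now, skew)

    # Third-party JWT: trusted identity provider and still within its lifetime.
    if authn.get("iss") not in TRUSTED_IDP_ISSUERS:
        problems.append(f"untrusted identity provider {authn.get('iss')!r}")
    problems += _lifetime_problems("authentication", authn, now, skew)

    # Both tokens must describe the same user; otherwise one user's Google
    # authorization is being paired with a different user's login.
    if not authz.get("email") or authz["email"].lower() != authn.get("email", "").lower():
        problems.append("email differs between authorization and authentication tokens")

    # Gmail private-key requests must identify the key pair by its SPKI hash.
    if operation == "privatekeydecrypt":
        if authz.get("spki_hash_algorithm") != "SHA-256" or not authz.get("spki_hash"):
            problems.append("privatekeydecrypt request lacks a SHA-256 spki_hash")
    return problems


# Constructed records, trimmed from the Drive unwrap and Gmail
# privatekeydecrypt entries above (claims the policy does not use are omitted).
DRIVE_RECORD = json.loads("""{
  "authorization": {"aud": "cse-authorization", "exp": 1644323888, "iat": 1644320288,
    "iss": "gsuitecse-tokenissuer-drive@system.gserviceaccount.com", "role": "writer",
    "email": "demo.user@domain.com",
    "kacls_url": "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/a2feb391-6184-4b66-ad7f-1248d568375d"},
  "authentication": {"exp": 1644320477, "iat": 1644319577, "iss": "https://<IDP>",
    "email": "demo.user@domain.com"}
}""")

GMAIL_RECORD = json.loads("""{
  "authorization": {"aud": "cse-authorization", "exp": 1661488112, "iat": 1661484512,
    "iss": "gsuitecse-tokenissuer-gmail@system.gserviceaccount.com", "role": "decrypter",
    "email": "demo.user@domain.com",
    "kacls_url": "https://demo.domain.com/api/v1/cckm/GoogleWorkspaceCSE/endpoints/59e7c24f-4573-472d-8e8c-afb622793154",
    "spki_hash": "jFBT+M1baVaQqDRLmQTP1gS3zwrUPXpR/uOtyAnjbkY=", "spki_hash_algorithm": "SHA-256"},
  "authentication": {"exp": 1661485571, "iat": 1661484371, "iss": "https://<IDP>",
    "email": "demo.user@domain.com"}
}""")

if __name__ == "__main__":
    print(check_request("unwrap", DRIVE_RECORD, now=1644320300))            # []
    print(check_request("privatekeydecrypt", GMAIL_RECORD, now=1661484600)) # []
    # The same Drive token pair presented an hour after the Google JWT expired.
    print(check_request("unwrap", DRIVE_RECORD, now=1644323888 + 3600))
```

The request time is passed in rather than read from the clock so that recorded entries can be re-checked later, which is also what makes the function usable for reviewing Server Records after the fact: any entry that yields a non-empty list is one the KACLS should have refused.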