This guide provides information about integrating CryptoHub and Google Workspace Client-Side Encryption (CSE). For additional information about CryptoHub, see the CryptoHub Administrator Guide.

About Google Workspace CSE

The Google Workspace Admin Help website explains that you can use your encryption keys to encrypt your organization’s data as a supplement to the default encryption that Google Workspace provides. With Google Workspace CSE, the client browser handles content encryption before any data is transmitted or stored in the Google Drive cloud-based storage. That way, Google servers can’t access your encryption keys and, therefore, can’t decrypt your data. To use CSE, you must connect Google Workspace to an external encryption key service (such as CryptoHub) and an Identity Provider (IdP), which authenticates users before they can encrypt or access client-side encrypted content.

How Google CSE works

Google CSE uses the following encryption process:
  1. User-created document: The browser generates content.
  2. DEK generation: The browser requests a unique Data Encryption Key (DEK) for each document from the Key Access Control List Service (KACLS).
  3. Identity verification: IdP authenticates the user.
  4. Key wrapping: KACLS wraps the DEK with the Key Encryption Key (KEK). The KEK ensures that the underlying keys remain secure even if stored in a less secure environment.
  5. Content encryption: The browser encrypts content with the DEK.
  6. Storage: The encrypted content and the wrapped DEK are stored together in Google.
Google servers never access unwrapped DEKs or unencrypted content. The separation of duties principle ensures that Google handles encrypted data while your organization controls the keys through CryptoHub.
For more details, see documentation on encrypting and decrypting files at developers.google.com/workspace/cse/guides/encrypt-and-decrypt-data.

What is CryptoHub?

CryptoHub is the most flexible and versatile cryptographic platform in the industry, combining every cryptographic function within our extensive solution suite. You can operate CryptoHub within a simple web dashboard to deploy virtual cryptographic modules, fulfilling most use cases.

The CryptoHub roles in CSE

CryptoHub performs the following roles in the Key Management life cycle in CSE:
  - Generate keys:
    - Algorithm: AES-256
  - Rotate keys:
    - Default period: 30 days
    - Rotation type: Automatic
    - Backward compatibility: Maintained
  - Store keys:
    - Location: CryptoHub HSM
    - Backup: Encrypted Offsite

Personal keys in CryptoHub

Personal Keys in CryptoHub encrypt data for Google CSE. The first time you create an encrypted document or encrypt and upload a file to Google Drive, CryptoHub generates a new Personal Key for you. CryptoHub users can view their Personal Keys by going to the Users menu for the deployed Google CSE service, selecting their user, and selecting Keys.
Only one Personal Key can be active at a time for CSE users. After a key rotates, it remains stored in CryptoHub, and you can use it to decrypt all documents previously encrypted with that key. Every document encrypted after you rotate a key is encrypted by using the new active key.
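The following Go program is an added illustration of the two mechanisms described above, the envelope-encryption flow of "How Google CSE works" (a fresh DEK per document, wrapped by the key service with a KEK, content encrypted in the client, ciphertext and wrapped DEK stored together) and the Personal Key rotation rule (only the newest KEK wraps new DEKs, retained older versions still unwrap). It is not code from CryptoHub or from Google's KACLS; the KACLS type, the 4-byte version prefix on the wrapped DEK, the StoredDoc layout and the function names are assumptions made for this example. The real KACLS is a separate HTTPS service reached by the browser after IdP authentication, uses its own wrapped-blob format, and rotation in CryptoHub is automatic on a 30-day default period; none of that is modelled here, the key service is an in-process struct.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// randBytes draws n bytes from the OS CSPRNG (used for keys and nonces).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no secure randomness: refuse to continue
	}
	return b
}

// gcm builds an AES-GCM AEAD; keys in this example are always 32 bytes (AES-256).
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block (16-byte block size)
	return g
}

// seal returns nonce||ciphertext||tag under key with a fresh random 96-bit nonce.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...)
}

// open reverses seal; it fails if ciphertext, tag or aad were altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], aad)
}

// KACLS is a hypothetical in-process stand-in for the key-service role CryptoHub
// plays: it holds versioned AES-256 KEKs (a user's Personal Keys), wraps DEKs
// with the newest version only, and unwraps with whichever retained version a
// blob names. KEK bytes never leave this struct.
type KACLS struct{ keks [][]byte } // keks[i] is KEK version i+1

// Rotate activates a new KEK; older versions stay so old documents still open.
func (k *KACLS) Rotate() { k.keks = append(k.keks, randBytes(32)) }

// Wrap returns version(4 bytes) || seal(DEK); the version prefix is bound as AAD.
// As CryptoHub does with Personal Keys, the first KEK is created on first use.
func (k *KACLS) Wrap(dek []byte) []byte {
	if len(k.keks) == 0 {
		k.Rotate()
	}
	ver := make([]byte, 4)
	binary.BigEndian.PutUint32(ver, uint32(len(k.keks)))
	return append(ver, seal(k.keks[len(k.keks)-1], dek, ver)...)
}

// Unwrap uses the KEK version named in the blob, not necessarily the active one.
func (k *KACLS) Unwrap(wrapped []byte) ([]byte, error) {
	if len(wrapped) < 4 {
		return nil, fmt.Errorf("wrapped DEK too short")
	}
	ver := binary.BigEndian.Uint32(wrapped[:4])
	if ver == 0 || ver > uint32(len(k.keks)) {
		return nil, fmt.Errorf("unknown KEK version %d", ver)
	}
	return open(k.keks[ver-1], wrapped[4:], wrapped[:4])
}

// StoredDoc is what ends up stored in Google: content ciphertext plus the wrapped DEK.
type StoredDoc struct{ Ciphertext, WrappedDEK []byte }

// EncryptDocument plays the browser: one fresh DEK per document, wrapped by the
// key service, content encrypted locally; the bare DEK is never stored.
func EncryptDocument(k *KACLS, content []byte) *StoredDoc {
	dek := randBytes(32)
	return &StoredDoc{Ciphertext: seal(dek, content, nil), WrappedDEK: k.Wrap(dek)}
}

// DecryptDocument unwraps the DEK via the key service, then decrypts locally.
func DecryptDocument(k *KACLS, d *StoredDoc) ([]byte, error) {
	dek, err := k.Unwrap(d.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, d.Ciphertext, nil)
}

func main() {
	var k KACLS
	doc := EncryptDocument(&k, []byte("written before rotation")) // constructed sample content
	k.Rotate() // a new active key; version 1 is retained for existing documents
	pt, err := DecryptDocument(&k, doc)
	fmt.Printf("after rotation: %q err=%v\n", pt, err)
}
```

The version prefix is passed to AES-GCM as associated data, so a stored blob whose version field has been altered fails authentication instead of being decrypted under the wrong key; the same check also rejects blobs produced by a different key service instance, which is the property that keeps Google unable to unwrap a DEK without the organization's KACLS.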