Skip to main content
This section describes the steps required to use CryptoHub as an external key service for Google Workspace CSE. This involves deploying the Google Workspace CSE service in CryptoHub, as well as configuring a Key Access Control List Service (KACLS) and Identity Provider (IdP) in the Google Admin Console.

Deploy the CSE service

Perform the following steps to deploy the Google Workspace CSE service in CryptoHub:
1
Open the CryptoHub web dashboard in a browser
2
Log in to CryptoHub with the default Admin identities.
3
Select the Google Workspace CSE (Client-side Encryption) service from the list of available services on the Service Management page.
4
On the Google Workspace CSE service overview page, select [ Deploy ].
5
Specify a Service Name and Service Category, and select [ Next ].
6
(Optional) Select any roles and identities you want to access the service, and select [ Next ].
7
Choose if you want New Users Enabled By Default.
8
Specify the desired Rotation Period for Personal Keys.
9
In the Issuance Policy drop-down menu, leave the External CA option selected because CryptoHub does not issue the certificates Google CSE uses.
10
Leave selected the default KACLS URL that is auto-populated.
11
Select the Identity Provider Type you want to use (such as Existing, OpenID Connect, VirtuCrypt VIP, or VirtuCrypt Test), and fill in the required fields.
12
In the Service Account Info box, copy and paste the information from your Google Service Account JSON file. Select [ Deploy ] when finished.
A message displays confirming that the Google Workspace CSE service was successfully deployed.
13
Optionally, if you select Manage Service, you can create new service users, view logs, read instructions for using the service, and manage access permissions.
After deployment, you can modify the Issuance Policy and Service Account Info for the service. To modify the Issuance Policy, perform the following steps:
1
Go to Deployed Services> Google Workspace CSE (Client-side Encryption).
2
In the management menu, select [ Edit Service ].
3
Under Issuance Policy, use the drop-down list to select a different Issuance Policy.
4
Select [ Save ] at the bottom of the window.
To modify the Service Account:
1
Go to Deployed Services> Google Workspace CSE (Client-side Encryption).
2
In the management menu, select [ Edit Service ].
3
In the Service Account Info box, copy and paste the information from your Google Service Account JSON file for your new service account.
4
Select [ Save ] at the bottom of the window.

Configurations in the Google Admin console

This section covers the Key Access Control List Service (KACLS) and Identity Provider (IdP) configuration steps. KACLS is the external key service (such as CryptoHub) that uses this API to control access to encryption keys stored in an external system. The IdP is the service that authenticates users before they can encrypt files or access encrypted files. This integration uses VirtuCrypt as the IdP for demonstration purposes, but you can use any IdP that supports OAuth.

Configure KACLS

Perform the following steps to configure KACLS:
1
Sign in to your Google admin console atadmin.google.com/. Seesupport.google.com/a/answer/182076.
Sign in using an account with super administrator privileges (support.google.com/a/answer/2405986#super\admin).
2
In the main menu, selectSecurity> Access and data control > Client-side encryption.
3
Select the External key service card to open it.
4
Select Add external key service.
5
Enter a name for your key service.
6
Enter the URL for your key service (such as https://<server ip>/v0/key-encrypt/client).
Google requires this connection to be TLS, with a publicly trusted certificate. The connection can be through NAT or a reverse proxy.
7
To confirm that Google Workspace can communicate with the external key service, select [ Test connection ].
8
To close the card, select [ Continue ].

Configure IdP

To connect Google Workspace to your IdP, you can use a .well-known file or the Admin console. After establishing the connection, you must allowlist your IdP in the Admin console. This section demonstrates connecting Google Workspace to your IdP by using the Admin console. However, this method should be a fallback method for the .well-known file method. Refer to the following Google Workspace documentation instructions on connecting Google Workspace to your IdP using a .well-known file: https://support.google.com/a/answer/10743588#config_wellknown&zippy=%2Coption-to-connectto-your-idp-using-a-well-known-file
1
Sign in to your Google admin console atadmin.google.com/. Seesupport.google.com/a/answer/182076.
Sign in using an account with super administrator privileges (support.google.com/a/answer/2405986#super\admin).
2
In the main menu, select Security> Access and data control > Client-side encryption.
3
Under Identity provider configuration, select Configure IdP fallback.
4
Enter the details of your IdP:
  1. In the Name field, specify a descriptive name to help identify your IdP. It displays in IdP messages for users.
  2. In the Client ID field, specify the OpenID Connect (OIDC) client ID that the CSE client application uses to acquire a JSON Web Token (JWT). If you use a third party IDP: Generate this ID by using your IdP admin console. If you use Google Identity: Generate this ID by using the Google Cloud Platform (GCP) Admin console. For details, go to Create a client ID for Google identity(
support.google.com/a/answer/10743588#id_google&zippy=%2Ccreate-a-client-id-for-google-identity). 3. In the Discovery URI field, specify the OIDC discovery URL, as defined in this OpenID specification (openid.net/specs/openid-connect-discovery-1_0.html).If you use a third-party IdP: Your IdP provides you with this URL, which usually ends with /.wellknown/openid-configuration. If you use Google identity: Use https://accounts.google.com/.well-known/openidconfiguration.Configure your discovery URI to enable origin URLs for Cross-Origin Resource Sharing (CORS) calls, as follows:
  • Methods: GET
  • Allowed origins:
    • https://admin.google.com
    • https://client-side-encryption.google.com
    • https://krahsc.google.com/callback
    • https://krahsc.google.com/oidc/cse/callback
    • https://krahsc.google.com/oidc/drive/callback
    • https://krahsc.google.com/oidc/gmail/callback
    • https://krahsc.google.com/oidc/meet/callback
    • https://krahsc.google.com/oidc/calendar/callback
    • https://krahsc.google.com/oidc/docs/callback
    • https://krahsc.google.com/oidc/sheets/callback
    • https://krahsc.google.com/oidc/slides/callback
    • https://client-side-encryption.google.com/callback
    • https://client-side-encryption.google.com/oidc/cse/callback
    • https://client-side-encryption.google.com/oidc/drive/callback
    • https://client-side-encryption.google.com/oidc/gmail/callback
    • https://client-side-encryption.google.com/oidc/meet/callback
    • https://client-side-encryption.google.com/oidc/calendar/callback
    • https://client-side-encryption.google.com/oidc/docs/callback
    • https://client-side-encryption.google.com/oidc/sheets/callback
    • https://client-side-encryption.google.com/oidc/slides/callback
  1. Select [ Test connection ]. If Google Workspace can connect to your IdP, the Connection success message appears.
  2. Select Add provider to close the card.