About Google Workspace CSE
The Google Workspace Admin Help website explains that you can use your encryption keys to encrypt your organization’s data as a supplement to the default encryption that Google Workspace provides. With Google Workspace CSE, the client browser handles content encryption before any data is transmitted or stored in the Google Drive cloud-based storage. That way, Google servers can’t access your encryption keys and, therefore, can’t decrypt your data. To use CSE, you must connect Google Workspace to an external encryption key service (such as VirtuCrypt) and an Identity Provider (IdP), which authenticates users before they can encrypt or access client-side encrypted content. Your organization might need to use CSE for the following reasons:
- Privacy: Your organization works with extremely sensitive intellectual property.
- Regulatory Compliance: Your organization operates in a highly regulated industry, like aerospace and defense, financial services, or government.
About VirtuCrypt
The VirtuCrypt Hardened Enterprise Security Cloud service offers organizations cloud access to the Futurex innovative data security solutions suite. We designed VirtuCrypt from the ground up to provide customization and flexibility while addressing compliance mandates and industry standards. We incorporated all the critical elements of a secure cloud service, such as privacy, data security, continuous monitoring, incident management, and endpoint security, into a state-of-the-art technology platform. The VirtuCrypt Hardened Enterprise Security Cloud provides the following benefits:
- Rapid deployment and fulfillment of a needed service
- Reduced capital and operational expenses for hardware, training, compliance, and more
- On-the-fly scalability, ensuring unexpected increases in throughput are easily met
- High availability data center architecture with SLA-backed uptime
- Immediate access to the latest firmware updates, features, and hardware
- Established reliability, with over 40 years of experience providing innovative solutions and 24x7x365 support to organizations worldwide
How Google CSE works
Google CSE uses the following encryption process:
- User-created document: The browser generates content.
- DEK generation: The browser requests a unique Data Encryption Key (DEK) for each document from the Key Access Control List Service (KACLS).
- Identity verification: The IdP authenticates the user.
- Key wrapping: KACLS wraps the DEK with the Key Encryption Key (KEK). The KEK ensures that the underlying keys remain secure even if stored in a less secure environment.
- Content encryption: The browser encrypts content with the DEK.
- Storage: The encrypted content and the wrapped DEK are stored in Google.
The VirtuCrypt role in CSE
VirtuCrypt performs the following roles in the Key Management life cycle for CSE:
- Generate keys:
  - Algorithm: AES-256
- Rotate keys:
  - Default period: 30 days
  - Rotation type: Automatic
  - Backward compatibility: Maintained
- Store keys:
  - Location: VirtuCrypt Google Workspace CSE // Enterprise Key Management service
  - Backup: Encrypted Offsite
Personal keys in VirtuCrypt
Personal keys in VirtuCrypt encrypt data for Google CSE. The first time you create an encrypted document or encrypt and upload a file to Google Drive, VirtuCrypt generates a new Personal Key for you. You can view your personal keys in the VirtuCrypt Intelligence Portal (VIP) by selecting the Google Workspace CSE // Enterprise Key Management service in your VIP account and going to Personal Keys in the left-side menu.
Only one Personal Key can be active at a time for CSE users. After a key rotates, it remains stored in VirtuCrypt, and you can use it to decrypt all documents previously encrypted with that key. Every document encrypted after you rotate a key is encrypted by using the new active key.
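The key wrapping described under How Google CSE works and the rotation behaviour described under Personal keys in VirtuCrypt, as an added example that is not Google's or VirtuCrypt's code. It is a local Node.js model: the `ModelKacls` class, the constructed token string, and the use of AES-256-GCM for both wrapping and content are assumptions made for illustration.

```javascript
// Added example: in-process model of the CSE flow; not Google's or VirtuCrypt's API.
const nodeCrypto = require('crypto');

// AES-256-GCM helpers (GCM is an assumption; the page only states AES-256).
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, { iv, ct, tag }) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws if key or data is wrong
}

// Hypothetical key service: one active KEK, retired KEKs kept for unwrapping.
class ModelKacls {
  constructor(validTokens) { this.validTokens = new Set(validTokens); this.keks = []; this.rotate(); }
  rotate() { this.keks.push(nodeCrypto.randomBytes(32)); } // newest KEK becomes active
  get activeId() { return this.keks.length - 1; }
  check(token) { if (!this.validTokens.has(token)) throw new Error('IdP authentication required'); }
  newDek(token) { // DEK generation and key wrapping, after the identity check
    this.check(token);
    const dek = nodeCrypto.randomBytes(32);
    return { dek, wrapped: { kekId: this.activeId, ...seal(this.keks[this.activeId], dek) } };
  }
  unwrap(token, wrapped) {
    this.check(token);
    return unseal(this.keks[wrapped.kekId], wrapped); // retired KEKs still unwrap
  }
}

// Browser side: only ciphertext and the wrapped DEK are handed to storage.
function encryptDocument(kacls, token, text) {
  const { dek, wrapped } = kacls.newDek(token);
  return { content: seal(dek, Buffer.from(text, 'utf8')), wrappedDek: wrapped };
}
function decryptDocument(kacls, token, stored) {
  return unseal(kacls.unwrap(token, stored.wrappedDek), stored.content).toString('utf8');
}

function demo() {
  const kacls = new ModelKacls(['constructed-idp-token']); // constructed stand-in for an IdP token
  const before = encryptDocument(kacls, 'constructed-idp-token', 'design notes');
  kacls.rotate();
  const after = encryptDocument(kacls, 'constructed-idp-token', 'test plan');
  return { kacls, before, after };
}
```

After `rotate()`, the older document's `wrappedDek.kekId` still points at the retired key, which is why it continues to decrypt while new documents are wrapped under the new active key.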

