External key service setup for Google Workspace CSE

This section describes the steps required to use CryptoHub as an external key service for Google Workspace CSE. This involves deploying the Google Workspace CSE service in CryptoHub, as well as configuring a Key Access Control List Service (KACLS) and Identity Provider (IdP) in the Google Admin Console.

Deploy the Google Workspace CSE service in CryptoHub

1. Open the CryptoHub web dashboard in a browser.
2. Log in to CryptoHub with the default Admin identities.
3. Select the Google Workspace CSE (Client-side Encryption) service from the list of available services on the Service Management page.
4. On the Google Workspace CSE service overview page, select [ Deploy ].
5. Specify a Service Name and Service Category, then click [ Next ].
6. (Optional) Select any roles and identities you want to be able to access the service, then click [ Next ].
7. In the Issuance Policy dropdown, select the Issuing CA issuance policy you will use for Google CSE.
8. Select the Identity Provider Type you want to use, then fill in the required fields.
9. In the Service Account Info box, copy and paste in the information from your Google Service Account JSON file. Click [ Deploy ] when finished.
10. You will see a message confirming that the Google Workspace CSE service was successfully deployed.

Selecting Manage Service opens the service management page, where you can create new service users, view logs, read instructions for using the service, and manage access permissions.

After deployment, it is possible to modify the Issuance Policy and Service Account Info for the service.

To modify the Issuance Policy:

1. Go to Deployed Services > Google Workspace CSE (Client-side Encryption).
2. In the management menu, select [ Edit Service ].
3. Under Issuance Policy, use the drop-down list to select a different Issuance Policy.
4. Select [ Save ] at the bottom of the window.

To modify the Service Account:

1. Go to Deployed Services > Google Workspace CSE (Client-side Encryption).
2. In the management menu, select [ Edit Service ].
3. In the Service Account Info box, copy and paste in the information from the Google Service Account JSON file for your new service account.
4. Select [ Save ] at the bottom of the window.

Configurations in the Google admin console

Configuring KACLS and IdP for Client-side encryption

Before outlining the configuration steps, two terms should be defined. KACLS stands for Key Access Control List Service: it is your external key service (here, CryptoHub), which implements the KACLS API to control access to encryption keys stored outside Google. IdPs were discussed extensively in the previous section, but to reiterate, IdP stands for Identity Provider: the service that authenticates users before they can encrypt files or access encrypted files. This integration uses VirtuCrypt as the IdP for demonstration purposes, but any IdP that supports OAuth can be used.

KACLS Configuration

1. Sign in using an account with super administrator privileges.
2. In the main menu, select Security > Access and data control > Client-side encryption.
3. Click the External key service card to open it.
4. Click Add external key service.
5. Enter a name for your key service.
6. Enter the URL for your key service (e.g., https://<server ip>/v0/key-encrypt/client).

   Google requires this connection to be TLS, with a publicly trusted certificate. The connection can be through NAT or a reverse proxy.

7. To confirm that Google Workspace can communicate with the external key service, click Test connection.
8. To close the card, click Continue.

IdP Configuration

To connect Google Workspace to your identity provider (IdP), you can use a .well-known file or the Admin console. After establishing the connection, you need to allowlist your IdP in the Admin console.

This section walks through connecting Google Workspace to your IdP using the Admin console. Note that Google treats this method as a fallback to the .well-known file method. For instructions on connecting Google Workspace to your IdP using a .well-known file, refer to the Google Workspace documentation: https://support.google.com/a/answer/10743588#config_wellknown&zippy=%2Coption-to-connectto-your-idp-using-a-well-known-file

1. Sign in using an account with super administrator privileges.
2. In the main menu, select Security > Access and data control > Client-side encryption.
3. Under Identity provider configuration, click Configure IdP fallback.
4. Enter the details of your IdP.

  1. In the Name field, specify a descriptive name to help identify your IdP. It will be shown in IdP messages for users.
  2. In the Client ID field, specify the OpenID Connect (OIDC) client ID that the CSE client application uses to acquire a JSON Web Token (JWT). If you're using a third-party IdP: you generate this ID using your IdP's admin console. If you're using Google Identity: you generate this ID using the Google Cloud Platform (GCP) Admin console. For details, go to "Create a client ID for Google identity".
  3. In the Discovery URI field, specify the OIDC discovery URL, as defined in the OpenID Connect Discovery specification. If you're using a third-party IdP: your IdP provides you with this URL, which usually ends with /.well-known/openid-configuration. If you're using Google identity: use https://accounts.google.com/.well-known/openid-configuration. Note: configure your discovery URI to allow origin URLs for Cross-Origin Resource Sharing (CORS) calls, as follows:
    • Methods: GET
    • Allowed origins:
      • https://admin.google.com
      • https://client-side-encryption.google.com
      • https://krahsc.google.com/callback
      • https://krahsc.google.com/oidc/cse/callback
      • https://krahsc.google.com/oidc/drive/callback
      • https://krahsc.google.com/oidc/gmail/callback
      • https://krahsc.google.com/oidc/meet/callback
      • https://krahsc.google.com/oidc/calendar/callback
      • https://krahsc.google.com/oidc/docs/callback
      • https://krahsc.google.com/oidc/sheets/callback
      • https://krahsc.google.com/oidc/slides/callback
      • https://client-side-encryption.google.com/callback
      • https://client-side-encryption.google.com/oidc/cse/callback
      • https://client-side-encryption.google.com/oidc/drive/callback
      • https://client-side-encryption.google.com/oidc/gmail/callback
      • https://client-side-encryption.google.com/oidc/meet/callback
      • https://client-side-encryption.google.com/oidc/calendar/callback
      • https://client-side-encryption.google.com/oidc/docs/callback
      • https://client-side-encryption.google.com/oidc/sheets/callback
      • https://client-side-encryption.google.com/oidc/slides/callback
  4. Click Test connection. If Google Workspace can connect to your IdP, the "Connection success" message appears.
  5. Click Add provider to close the card.
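The KACLS step and the IdP step above each end with a "Test connection" click, and a failure there gives little detail. As an added example (not part of this page and not CryptoHub or Google code), the following Python script performs offline sanity checks on the values you are about to enter: the key service URL (https scheme, a host Google can reach, the /v0/key-encrypt/client path from step 6), the OIDC discovery URI, the discovery document it serves, and the CORS headers the IdP returns to one of the origins listed in step 4. The hostnames, the discovery document and the header set are constructed sample values; the origin list is the one given on this page.

```python
"""Offline sanity checks for the KACLS URL and IdP settings entered in the
Google Admin console. Added example, not CryptoHub or Google code; the
hosts, discovery document and headers below are constructed samples."""
import ipaddress
import json
from urllib.parse import urlparse

# Origins from the IdP configuration step: Google's CSE clients fetch the
# discovery URI cross-origin from these, so the IdP must allow each one.
# Generated rather than typed out: two bare origins plus {host}/callback
# and {host}/oidc/{app}/callback for both hosts and the eight CSE apps.
CSE_ORIGINS = frozenset(
    {"https://admin.google.com", "https://client-side-encryption.google.com"}
    | {
        f"https://{host}/{path}"
        for host in ("krahsc.google.com", "client-side-encryption.google.com")
        for path in ("callback",) + tuple(
            f"oidc/{app}/callback"
            for app in ("cse", "drive", "gmail", "meet", "calendar", "docs", "sheets", "slides"))
    }
)

# Members every OIDC discovery document must carry (OpenID Connect Discovery 1.0,
# section 3). token_endpoint is also required unless only the implicit flow is used.
REQUIRED_DISCOVERY_FIELDS = (
    "issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
    "subject_types_supported", "id_token_signing_alg_values_supported",
)
KACLS_PATH = "/v0/key-encrypt/client"  # endpoint path given in the KACLS step


def validate_kacls_url(url: str) -> list[str]:
    """Return a list of problems with a KACLS URL; an empty list means it passes.

    Google only talks to the external key service over TLS, and it must reach the
    host from the public internet (NAT or a reverse proxy in front of CryptoHub is
    fine; a private or loopback address is not).
    """
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(f"scheme must be https, got {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        problems.append("URL has no host")
    else:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None  # a DNS name rather than a literal IP; nothing to check offline
        if addr is not None and not addr.is_global:
            problems.append(f"{host} is not a globally routable address; Google cannot reach it")
    if parsed.path.rstrip("/") != KACLS_PATH:
        problems.append(f"path should be {KACLS_PATH}, got {parsed.path!r}")
    return problems


def validate_discovery_uri(uri: str) -> list[str]:
    """Check the shape of the OIDC discovery URI entered in the Discovery URI field."""
    problems = []
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        problems.append(f"discovery URI must use https, got {parsed.scheme!r}")
    if not parsed.path.endswith("/.well-known/openid-configuration"):
        problems.append("discovery URI should end with /.well-known/openid-configuration")
    return problems


def check_cors(origin: str, response_headers: dict[str, str]) -> list[str]:
    """Check the CORS headers the discovery endpoint returned for one request origin.

    A plain GET needs only a matching Access-Control-Allow-Origin; if the IdP also
    answers preflights with Access-Control-Allow-Methods, that list must include GET.
    """
    problems = []
    if origin not in CSE_ORIGINS:
        problems.append(f"{origin} is not one of the origins Google CSE uses")
    headers = {name.lower(): value for name, value in response_headers.items()}
    allow_origin = headers.get("access-control-allow-origin")
    if allow_origin not in (origin, "*"):
        problems.append(f"Access-Control-Allow-Origin is {allow_origin!r}, expected {origin!r}")
    methods = {m.strip().upper() for m in headers.get("access-control-allow-methods", "").split(",") if m.strip()}
    if methods and "GET" not in methods:
        problems.append("GET is missing from Access-Control-Allow-Methods")
    return problems


def check_discovery_document(raw: str) -> list[str]:
    """Check a fetched discovery document for the required members and https endpoints."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"discovery document is not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["discovery document must be a JSON object"]
    problems = [f"missing required field {f!r}" for f in REQUIRED_DISCOVERY_FIELDS if f not in doc]
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if isinstance(value, str) and not value.startswith("https://"):
            problems.append(f"{key} must be an https URL, got {value!r}")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("IdP advertises the unsigned 'none' ID token algorithm")
    return problems


# Constructed sample inputs (not from a real deployment).
SAMPLE_KACLS_URL = "https://kacls.example.com/v0/key-encrypt/client"
SAMPLE_DISCOVERY_URI = "https://idp.example.com/.well-known/openid-configuration"
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/jwks",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})
SAMPLE_CORS_HEADERS = {
    "Access-Control-Allow-Origin": "https://admin.google.com",
    "Access-Control-Allow-Methods": "GET",
    "Content-Type": "application/json",
}

if __name__ == "__main__":
    for label, result in (
        ("KACLS URL", validate_kacls_url(SAMPLE_KACLS_URL)),
        ("discovery URI", validate_discovery_uri(SAMPLE_DISCOVERY_URI)),
        ("discovery document", check_discovery_document(SAMPLE_DISCOVERY_DOC)),
        ("CORS for admin.google.com", check_cors("https://admin.google.com", SAMPLE_CORS_HEADERS)),
    ):
        print(f"{label}: {'ok' if not result else '; '.join(result)}")
```

Run it against the real values before clicking Test connection: replace the sample URL and discovery URI, paste in the JSON returned by the discovery endpoint, and feed `check_cors` the headers from a request sent with each `Origin` in `CSE_ORIGINS` (for example with curl's `-H 'Origin: ...'`). The script deliberately does not fetch anything itself, so it cannot confirm the publicly trusted certificate that Google requires; that part is still left to the Admin console's Test connection.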