Gmail only: Upload encryption keys for client-side encryption

18min
To use Google Workspace Client-side encryption (CSE) for Gmail, you must enable the Gmail API and give it access to your entire organization. Then, for each user, you need to use the Gmail API to upload an S/MIME (Secure/Multipurpose internet Mail Extensions) certificate (public key) and private key metadata to Gmail. If you use an encryption key service, you must also encrypt (or wrap) users' private key metadata by using your key service.
At any time, you can switch to a different key service by uploading new S/MIME certificate and private key metadata encrypted by your new service.
About S/MIME
S/MIME is a widely accepted, industry-standard protocol for digitally signing and encrypting emails to ensure message integrity and security. Gmail CSE relies on the S/MIME 3.2 IETF standard to send and receive secure MIME data. S/MIME requires email senders and recipients to have their X.509 certificates trusted by Gmail. 
Set up the Gmail API
Perform the following tasks to set up the GMail API:
1 | Enable the Gmail API
1
Create a new GCP project. For details, go to Creating and managing projects. 

Note You use the project ID to grant the API domain-wide access. 
2
Go the Google API Console and enable the Gmail API for the new project. For details, go to Enabling an API in your Google Cloud project. 
2 | Create a domain-wide service account
1
In the Google Cloud console, go to the Service accounts page and create a domain-wide service account. For details, go to Create and manage service accounts. 
2
Create a service account private key, and save the key to a JSON file on to your local system, such as svc_ acct_creds.json. This file contains the credentials you use when setting up Gmail for users. For details, go to Create and manage service account keys. 
3 | Grant the Gmail API domain-wide access
This step uses the service account you created to give the Gmail API edit access to all your users.
1
Follow the instructions for Control API access with domain-wide delegation. 
2
Enter the following when prompted: 
Client ID: Client ID of the service account created in the preceding Step 2.
OAuth scopes:
https://www.googleapis.com/auth/gmail.settings.basic 
https://www.googleapis.com/auth/gmail.settings.sharing 
https://www.googleapis.com/auth/gmail.readonly 
Paste each scope into a separate field.
Turn on Gmail CSE for users
Turn on CSE for Gmail for the organizational units or groups. For details, go to Turn client-side encryption on or off. 
For organizational units, you can set all emails (compose, reply, and forward) to be encrypted by default. Users can still turn off encryption if needed. Requires having the Assured Controls add-on. 
Set up CSE S/MIME certificates for users
After you set up Gmail API and turn on Gmail CSE for users in the Admin console, you can set up CSE S/MIME certificates and private key metadata for your users. 
After a new user is fully provisioned on the Google workspace with the correct permissions for GCSE, they should immediately be able to use the file encryption functionality of GCSE with no further implementation required on the  service. When a user is automatically generated by the  GCSE service, if they have the correct licenses in the workspace, their encrypted email (S/MIME) certificates should also automatically be created.
The following section details the manual process.
Prepare S/MIME certificates and private key metadata 
This section applies to users who uses Gmail CSE to either send or receive emails.
Using a certificate authority (CA), generate an S/MIME public/private key pair with a certificate chain. The S/MIME leaf/client certificate must include the user’s primary Gmail address as a subject name or SAN extension subject. 
You can use the following OpenSSL command to generate the S/MIME leaf certificate: 
Shell
openssl req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out mycsr.csr
openssl req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out mycsr.csr
﻿
The email should be the CN. No other DN fields are needed. 
Next, you must retrieve the leaf/client CSR generated above signed by either of the following methods: 
A CA root certificate trusted by Google: For a list of root certificates, go to CA certificates trusted by Gmail for S/MIME. 
A CA not trusted by Google: For example, to use your own CA, you can add its root certificate in the Admin console. For details, go to Manage trusted certificates for S/MIME. 
If you use a CA that's not trusted by Google and users send client-side encrypted emails outside your organization, the receiver must also trust the CA. 
Obtain the certificate with CAs in PKCS7 PEM format
1
On a computer that has OpenSSL installed, run the following command in a terminal: 
Shell
openssl crl2pkcs7 -nocrl -certfile cert_88231_ca_bundle.crt --certfile cert_88231.crt -out user.p7pem

openssl crl2pkcs7 -nocrl -certfile cert_88231_ca_bundle.crt --certfile cert_88231.crt -out user.p7pem
﻿
Get the private key in encrypted PKCS8 format with a password 
1
On a computer that has OpenSSL installed, run the following command in a terminal: 
Shell
openssl pkcs8 -topk8 -inform PEM -in user.key -outform PEM -out user.p8 -v2 aes-256-cbc
openssl pkcs8 -topk8 -inform PEM -in user.key -outform PEM -out user.p8 -v2 aes-256-cbc
﻿
Wrap certificates and private key metadata 
Use your key service (such as ) to encrypt, or wrap, the S/MIME private key metadata. 
Upload PKCS8 Key through the CryptoHub web dashboard 
1
Go to the  web dashboard in a browser. 
2
Log in to the  using the default Admin identities (Admin1 and Admin2).
3
Select the Google Workspace CSE (Client-side Encryption) service from the list of deployed services on the Service Management page. 
4
Go to the Users view for the service and select the mail icon next to the user for whom you're wrapping the PKCS #8 private key. 
5
In the Wrap Private Key dialog, enter a password to wrap the PKCS #8 private key under, select [ Upload ], and select the file to upload. 
6
﻿ sends the wrapped PKCS #8 private key to your browser. Download the file when prompted. 
7
Open the wrapped PKCS #8 private key file in a text editor and copy (or preferably cut) the encrypted key blob to your clipboard. 
8
Open a new file in the text editor. Then, copy and paste in the following JSO:
JSON
{
      "kacls_url": "https://cryptohub-demo.com/v0/key-encrypt/client",
      "wrapped_private_key": ""
}

{
      "kacls_url": "https://cryptohub-demo.com/v0/key-encrypt/client",
      "wrapped_private_key": ""
}
﻿
First, change cryptohub-demo.com to the actual domain of your . Then, paste the encrypted key blob into the wrapped_private_key value and save the file with the name [email protected]. 
Upload the user S/MIME certificates and private key metadata to Gmail 
Use the Gmail API to upload each public key S/MIME certificate chain and private key metadata for each user to Gmail and set them as the preferred keys for the users by creating an identity. 
Compete the following steps for each user by using the private key file you downloaded when creating a domain-wide service account for authentication and Google's Python script. 
1
Prepare the keys directory and copy the encrypted keys.
Shell
mkdir -p keys
cp user.p7pem ./keys/[email protected]
cp user.wrap ./keys/[email protected]
mkdir -p keys
cp user.p7pem ./keys/demo@futurex.com.p7pem
cp user.wrap ./keys/demo@futurex.com.wrap
﻿
2
Upload the certificate chain and private key metadata by using the Gmail API call keypairs.create. 
Shell
python cse_cmd.py insert_keypair --creds projectname-9a4ed8338919.json --inkeydir ./keys --incertdir ./keys
python cse_cmd.py insert_keypair --creds projectname-9a4ed8338919.json --inkeydir ./keys --incertdir ./keys
﻿
3
Enable the keypair for the user's primary email address by using the Gmail API call identities.create. 
Shell
python cse_cmd.py insert_identity --creds projectname-9a4ed8338919.json --userid [email protected] --kpemail [email protected] --kpid ANe1Bmjz20ByAdWIjbHBYUXsS8BF82RxJ1Oa13cGxWT_B0RpXmVHmE8
python cse_cmd.py insert_identity --creds projectname-9a4ed8338919.json --userid demo@-futurex.com --kpemail demo@futurex.com --kpid ANe1Bmjz20ByAdWIjbHBYUXsS8BF82RxJ1Oa13cGxWT_B0RpXmVHmE8
﻿
The identities.create call requires the key pair ID returned in the response body of the keypairs.create call. 
Enabling the key pair for a user email address: 
Creates a CSE identity authorized to send email from the user account. 
Configures Gmail to use the private key metadata to sign outgoing CSE mail. 
Publishes the certificate to a shared domain-wide repository so other CSE users in your organization can encrypt messages sent to this user. 
After you upload the certificates, it can take up to 24 hours for them to be available in Gmail, although it usually happens much faster. 
Configure Gmail for encrypted emails
1
Compose a new email in Gmail: When writing your email, you can click on the lock icon next to the recipient's name to choose the level of encryption. 
Green: Strong encryption, both parties have S/MIME enabled. 
Gray: The email will be encrypted, but the recipient's identity isn't verified. 
Red: The recipient does not support encryption. 
Track which users have been provisioned S/MIME in CryptoHub 
You can track which users have been provisioned S/MIME for Google CSE in the CryptoHub using the Users menu for the service. 
1
Go to Deployed Services > Google Workspace CSE (Client-side Encryption). 
2
In the management menu, select [ Users ]. 
3
In the list of users, users who have been provisioned S/MIME have an expiration date listed under S/MIME Expiration. 
Delete a user's S/MIME identity/user pairing from Google 
You can use the  to delete the identity/user pairing, which you send to Google by using cURL REST calls. To do so, follow these steps 
1
Go to Deployed Services > Google Workspace CSE (Client-side Encryption). 
2
In the management menu, select [ Users ]. 
3
For a user that has been provisioned S/MIME, select the X icon for G-mail Key Remove for the user. 
﻿
Updated 13 Nov 2024
Did this page help you?
External key service setup for Google Workspace CSE
Code signing