Cloud key management

Google Workspace CSE

10min
This document provides information about integrating {{ch}} and Google Workspace client-side encryption (CSE). For additional information about {{ch}}, see the {{ch}} Administrator Guide.

About Google Workspace CSE

From the Google Workspace Admin Help website: you can use your own encryption keys to encrypt your organization's data as a supplement to the default encryption that Google Workspace provides. With Google Workspace CSE, the client browser handles content encryption before any data is transmitted or stored in Google Drive cloud-based storage. That way, Google servers can't access your encryption keys and, therefore, can't decrypt your data. To use CSE, you must connect Google Workspace to an external encryption key service and an identity provider (IdP).

What is {{ch}}?

CryptoHub is the most flexible and versatile cryptographic platform in the industry. It combines every cryptographic function within our extensive solution suite. You can operate {{ch}} within a simple web dashboard to deploy virtual cryptographic modules, fulfilling most use cases.

Purpose of the integration

Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities. With CSE, however, you have direct control of the encryption keys and of the identity provider used to access those keys, to further strengthen the security of your data. Your organization might need to use CSE for the following reasons:

- Privacy: your organization works with extremely sensitive intellectual property.
- Regulatory compliance: your organization operates in a highly regulated industry, like aerospace and defense, financial services, or government.

Basic setup tasks for Google Workspace CSE

Perform the following tasks to set up CSE:

1. Set up your external encryption key service. First, set up an encryption key service through one of the Google partner services (such as CryptoHub). This service controls the top-level encryption keys that protect your data.
2. Connect Google Workspace to your external key service. Next, specify the location of your external key service, so Google Workspace can connect CSE for supported apps to it.
3. Connect Google Workspace to your identity provider. For this step, you must connect to an identity provider (IdP). Your IdP verifies the identity of users before allowing them to encrypt content or access encrypted content. This guide covers three IdP options:
   - VirtuCrypt (detailed in the main document)
   - Google IdP (detailed in Appendix B: Google IdP Configuration, docid\ mme3zc9jo1ww0tnhgysuw)
   - Okta (detailed in Appendix C: Configure Okta IdP, docid\ cxuihvqgbbh9 pelq784s)
4. Turn on CSE for users as needed. You can turn on CSE for any unit or group in your organization. For details about turning on CSE for users, see Create client-side encryption policies. Note, however, that you must turn on CSE only for those users who need to create client-side encrypted content by using the following tools:
   - Google Drive: you must turn on CSE only for users who need to create client-side encrypted documents, spreadsheets, and presentations, or upload client-side encrypted files to Drive. You don't need to turn on CSE for users who only view and edit files shared with them.
   - Google Meet: you must turn on CSE only for users who need to host client-side encrypted meetings. You don't need to turn on CSE for other participants in meetings.

Google service-level requirements for CSE

This section explores the various requirements for CSE users.

Administrator requirements

To set up Google Workspace client-side encryption for your organization, you must be a super admin for Google Workspace.

User requirements

Users must conform to the following requirements:

- Users need a Google Workspace Enterprise Plus, Google Workspace for Education Plus, or Enterprise Essentials license to use CSE to create or upload files, or to host meetings.
- Users can have any Google Workspace or Cloud Identity license to view, edit, or download an existing file encrypted with CSE, or to join a CSE meeting.
- Users with a consumer Google account (such as Gmail users) can't access CSE files or participate in CSE meetings.
- To view or edit encrypted files, users must use either the Google Chrome or Microsoft Edge browser.
- To join a CSE meeting, users must be invited or added during the meeting. Knocking isn't available for CSE meetings.
- Access to CSE files and meetings depends on your organization's CSE policies.

External user requirements

External users must conform to the following requirements:

- During the beta, external users must have a Google Workspace license to access your content encrypted with CSE. Users with a consumer Google account or a visitor account can't access files encrypted with CSE.
- External organizations must also set up CSE, either in the Admin console or with a well-known file.
- Your external encryption service must allowlist the third-party IdP service used by the external domain or the individuals you want to use CSE. You can usually find the IdP service in their publicly available well-known file, if one is set up. Otherwise, contact the Google Workspace admin of the external organization for their IdP details.

Client-side encryption process

After an administrator enables CSE for the organization and specified users, those users can choose to create encrypted documents by using the Google Workspace collaborative content creation tools, like Docs and Sheets, or encrypt files they upload to Google Drive, such as PDFs. After the user encrypts a document or file:

1. Google Workspace generates a DEK (data encryption key) in the client browser to encrypt the content.
2. Google Workspace sends the DEK and authentication tokens to your third-party key access control list service (KACLS) for encryption, by using a URL you provide to the Google Workspace organization administrator.
3. Your KACLS uses this API to encrypt the content and sends the obfuscated, encrypted data back to Google Workspace.
4. Google Workspace stores the obfuscated, encrypted data in the cloud. Only users with CSE enabled and access to your KACLS can access the data.

For more details, see Encrypt and decrypt files.

Personal keys and key rotation in {{ch}}

Personal keys in {{ch}} are used for encrypting data for Google CSE. The first time a user creates an encrypted document or encrypts and uploads a file to Google Drive, {{ch}} generates a new personal key specifically for that user. Personal keys created for CSE are AES-256 data encryption keys. {{ch}} users can view their personal keys by going to the Users menu for the deployed Google CSE service, selecting their user, and selecting Keys.

Automatic key rotation

By default, the validity period for newly generated personal keys is set to 1 month. Only one personal key can be active at a time for CSE users. After a key rotates, it remains stored in {{ch}}; you can use it to decrypt any documents encrypted with that key. Every document encrypted after you rotate a key is encrypted by using the new active key.
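The following Go program is an added illustration of the two mechanisms described above, the KACLS wrap/unwrap step and per-user key rotation; it is not {{ch}} code and not Google's KACLS implementation. It models the KACLS as an in-process key ring per user: the browser-generated DEK is wrapped under the user's active personal key (an assumption about how the personal key is applied), rotated keys are retained so older wrapped DEKs still unwrap, and the user name, key ID, validity period and dates are constructed sample values. IdP token validation and the HTTP transport of the real service are out of scope.

```go
// Added example (not CryptoHub or Google code): an in-process model of the
// KACLS wrap/unwrap step and of personal-key rotation for one CSE user.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// personalKey is one AES-256 key for a single CSE user. Only one key per
// user is active at a time; rotated keys stay so old wrapped DEKs still open.
type personalKey struct {
	ID       string
	Material []byte // 32 bytes = AES-256
	NotAfter time.Time
}

// keyRing holds every personal key ever issued to one user, newest last.
type keyRing struct {
	User string
	Keys []personalKey
}

// wrappedDEK is the blob handed back to Google Workspace: the DEK encrypted
// under the active personal key, with the key ID and nonce needed to reverse
// it. Google stores this blob and never sees the plaintext DEK.
type wrappedDEK struct {
	User       string `json:"user"`
	KeyID      string `json:"key_id"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// validity stands in for the "1 month" default from the text (assumed 30 days).
const validity = 30 * 24 * time.Hour

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newKeyRing issues the first personal key the first time a user encrypts.
func newKeyRing(user string, now time.Time) *keyRing {
	r := &keyRing{User: user}
	r.rotate(now)
	return r
}

// rotate makes a fresh AES-256 key the only active key; older keys remain.
func (r *keyRing) rotate(now time.Time) {
	r.Keys = append(r.Keys, personalKey{
		ID:       fmt.Sprintf("%s-key-%d", r.User, len(r.Keys)+1),
		Material: randomBytes(32),
		NotAfter: now.Add(validity),
	})
}

// active returns the current key, rotating first if its validity has lapsed.
func (r *keyRing) active(now time.Time) personalKey {
	cur := r.Keys[len(r.Keys)-1]
	if !now.Before(cur.NotAfter) {
		r.rotate(now)
		cur = r.Keys[len(r.Keys)-1]
	}
	return cur
}

func (r *keyRing) lookup(id string) (personalKey, bool) {
	for _, k := range r.Keys {
		if k.ID == id {
			return k, true
		}
	}
	return personalKey{}, false
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	a, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return a
}

// wrap models the KACLS wrap call: the browser-generated DEK arrives for a
// user whose identity the real service has already checked against the IdP,
// and leaves encrypted under that user's active personal key.
func (r *keyRing) wrap(dek []byte, now time.Time) ([]byte, error) {
	if len(dek) != 32 {
		return nil, errors.New("DEK must be 32 bytes")
	}
	k := r.active(now)
	nonce := randomBytes(12)
	// The key ID is bound as associated data so a blob cannot be relabelled.
	ct := gcm(k.Material).Seal(nil, nonce, dek, []byte(k.ID))
	return json.Marshal(wrappedDEK{User: r.User, KeyID: k.ID, Nonce: nonce, Ciphertext: ct})
}

// unwrap models the KACLS unwrap call: any key in the ring, active or
// rotated, can recover a DEK that was wrapped under it.
func (r *keyRing) unwrap(blob []byte) ([]byte, error) {
	var w wrappedDEK
	if err := json.Unmarshal(blob, &w); err != nil {
		return nil, err
	}
	if w.User != r.User {
		return nil, errors.New("wrapped key belongs to another user")
	}
	k, ok := r.lookup(w.KeyID)
	if !ok {
		return nil, errors.New("unknown personal key id")
	}
	return gcm(k.Material).Open(nil, w.Nonce, w.Ciphertext, []byte(k.ID))
}

// rotationDemo wraps one DEK on day one, wraps a second after the validity
// period (which triggers rotation), checks both still unwrap, and returns the
// number of personal keys the ring now holds.
func rotationDemo() (int, error) {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	ring := newKeyRing("alice@example.com", t0) // constructed sample user
	dek1 := randomBytes(32)                     // generated in the browser
	blob1, err := ring.wrap(dek1, t0)
	if err != nil {
		return 0, err
	}
	dek2 := randomBytes(32)
	blob2, err := ring.wrap(dek2, t0.Add(validity+time.Hour)) // after rotation
	if err != nil {
		return 0, err
	}
	for _, c := range []struct{ blob, want []byte }{{blob1, dek1}, {blob2, dek2}} {
		got, err := ring.unwrap(c.blob)
		if err != nil {
			return 0, err
		}
		if !bytes.Equal(got, c.want) {
			return 0, errors.New("DEK mismatch")
		}
	}
	return len(ring.Keys), nil
}

func main() {
	n, err := rotationDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("both DEKs recovered; ring now holds %d personal keys\n", n)
}
```

The point to take from the run is the one the text makes: after rotation the ring holds two keys, the older wrapped DEK still unwraps because its key ID names the retained key, and a blob presented against another user's ring is refused before any cryptography runs.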