Cloud key management
Google Workspace CSE

Validation and Testing

In this section, we will do the following:

  1. Validate that Google Workspace can successfully connect to the external key service (i.e., CryptoHub)
  2. Validate that Google Workspace can successfully connect to the configured Identity Provider (IdP)
  3. Test the creation of a blank encrypted Google Doc
  4. Test encrypting and uploading a file to Google Drive
  5. Test sharing an encrypted Google Doc

Validate successful connection from Google Workspace to the CryptoHub

  1. Sign in using an account with super administrator privileges.
  2. In the main menu, select Security > Access and data control > Client-side encryption.
  3. Click Test connection.

If Google Workspace can connect to CryptoHub, a green checkmark and the "Your external key service is active" message appear.
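
A scripted check that can be run alongside the console test, added here as an example and not part of the original guide or of CryptoHub's tooling: it validates the JSON a CSE key service returns from the `/status` endpoint defined in Google's CSE key service API. The base URL passed to `fetch_status`, the required-operations set and the sample bodies are assumptions.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Operations this check insists on (assumed minimum for Docs/Drive
# encryption; adjust to your deployment).
REQUIRED_OPS = {"wrap", "unwrap"}


def check_status(body: str, required_ops=REQUIRED_OPS) -> list[str]:
    """Return a list of problems found in a /status response body."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"response is not JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["response is not a JSON object"]
    problems = []
    if doc.get("server_type") != "KACLS":
        problems.append(f"unexpected server_type: {doc.get('server_type')!r}")
    ops = doc.get("operations_supported")
    if not isinstance(ops, list):
        problems.append("operations_supported missing or not a list")
    else:
        missing = sorted(set(required_ops) - {o for o in ops if isinstance(o, str)})
        if missing:
            problems.append("missing operations: " + ", ".join(missing))
    return problems


def fetch_status(base_url: str, timeout: float = 10.0) -> str:
    """GET <base_url>/status over HTTPS (urllib verifies the certificate)."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("key service URL must use https")
    with urllib.request.urlopen(base_url.rstrip("/") + "/status", timeout=timeout) as r:
        return r.read().decode("utf-8")


# Constructed sample bodies (not captured from a real CryptoHub).
SAMPLE_OK = '{"server_type": "KACLS", "vendor_id": "Example", "version": "1", ' \
            '"name": "example", "operations_supported": ["wrap", "unwrap"]}'
SAMPLE_BAD = '{"server_type": "proxy", "operations_supported": ["wrap"]}'

if __name__ == "__main__":
    for label, body in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_status(body) or "no problems")
```

An HTML error page or a reverse-proxy response in place of the key service's JSON shows up as the "response is not JSON" or "unexpected server_type" problem.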

Validate successful connection from Google Workspace to the configured identity provider (IdP)

  1. Sign in using an account with super administrator privileges.
  2. In the main menu, select Security > Access and data control > Client-side encryption.
  3. Click the Identity provider configuration card to open it.
  4. Click Test connection.

If Google Workspace can connect to your IdP, the "Connection success" message appears.

Test the creation of a blank encrypted Google Doc

After a new user has been fully provisioned in Google Workspace with the correct permissions for GCSE, they should immediately be able to use the file encryption functionality of GCSE, with no further implementation required on the CryptoHub service.

  1. Sign in to Google Drive with your CSE user.
  2. Click the New button, then select Google Docs > Blank encrypted document.
  3. A message will appear warning you that intelligent features such as spelling and grammar won't work with encrypted files, collaboration features will be limited, and only certain people can access encrypted files due to admin settings. Click Create.
  4. If this is the first encryption operation you have attempted with Google Workspace CSE, the following message will appear at the top of the page prompting you to sign in with your identity provider: "Sign in with your identity provider (VIP Identity) to access files encrypted with a customer key - Sign in"

Click Sign In, which will redirect you to your IdP's website to sign in. After signing in and allowing your IdP access to your Google Account, you will be redirected back to the Google Doc, which should now be encrypted. A confirmation message will appear if encryption is successful. Then you can edit and save the document per the normal process.

Test encrypting and uploading a file to Google Drive

  1. Sign in to Google Drive with your CSE user.
  2. Click the New button, then select File upload > Encrypt and upload file.
  3. A message will appear warning you that some features, such as full-text search and file preview, will be unavailable and that only certain people can access encrypted files due to admin settings. Click Select file.
  4. If this is the first encryption operation you have attempted with Google Workspace CSE, you will be prompted to sign in with your identity provider. If this is the case, click Sign In, which will redirect you to your IdP's website to sign in. After signing in and allowing your IdP access to your Google Account, you will be redirected back to Google Drive, and the encrypted file upload will commence. Uploads are displayed in the bottom-right corner of the page, and once the upload completes, you will see a green checkmark and an updated status message.

Viewing personal keys in CryptoHub

The first time that a Google CSE user creates an encrypted document or encrypts and uploads a file to Google Drive, a Personal Key is created in CryptoHub specifically for that user. The Personal Key is then used for all CSE operations performed by that user in Google Workspace.

CryptoHub users can view their Personal Keys by navigating to the Users menu for the deployed Google CSE service, selecting their user, then selecting Keys.

Test sharing an encrypted Google Doc

  1. Sign in to Google Drive with your CSE user.
  2. Right-click the encrypted document you would like to share and select Share, or, if you have the document open, click the Share button in the upper-right corner of the page.
  3. In the following dialog, add the people and groups you would like to share the encrypted document with, and then click Done.

     Only share encrypted documents with other Google CSE users that your company administrator has set up with an account in VIP. If they do not have a user configured in VIP, they will not be able to decrypt, view, and edit the file you are sharing.

  4. Users you shared the encrypted file with will receive an email notifying them that a document has been shared, with a link to open the document.
  5. After the user clicks Open in the email they received, their browser will be redirected to sign in to Google. After signing in to Google (using the same email configured for their user in VIP), they will be redirected to the shared Google Doc.
  6. After a few seconds, a message will appear at the top of the page prompting the user to sign in to their identity provider. Click Sign in.

The user will be redirected to the configured Identity Provider (IdP) to sign in. After signing in and allowing the IdP access to the Google Account, the user will be redirected back to the Google Doc, which should now be encrypted. A confirmation message will appear if encryption is successful. Then the document can be edited and saved per the normal process.