Configure Identity and Access Management (IAM)

After you set up your external key service and connect it to Google Workspace, you need to connect Google Workspace to your IdP. You can use any IdP that supports OAuth. Your external key service uses the IdP to authenticate users before they can encrypt files or access encrypted files.

Choose your IdP for CSE

If you don't already use a third-party IdP with Google Workspace, choose one of the following options to set up your key service IdP:

  • Use a third-party IdP (recommended): Use this method if your security model requires more isolation of your encrypted data from Google.
  • Use Google identity: Use this method if your security model doesn't require additional isolation of your encrypted data from Google.

Choose how to connect to your IdP for CSE

You can set up your IdP—either a third-party IdP or Google identity—by using either a .well-known file that you host on your organization website or the Admin console (which is your IdP fallback). There are several considerations for each method, as described in the following table:

  • Isolation from Google
    .well-known setup: IdP settings are stored on your own server.
    Admin console setup (IdP fallback): IdP settings are stored on Google servers.
  • Admin responsibilities
    .well-known setup: An IdP admin can manage your setup instead of a Google Workspace Super Admin.
    Admin console setup (IdP fallback): Only a Google Workspace Super Admin can manage your IdP setup.
  • CSE availability
    .well-known setup: CSE availability (uptime) depends on the availability of the server that hosts your .well-known file.
    Admin console setup (IdP fallback): CSE availability corresponds to the general availability of Google Workspace services.
  • Ease of setup
    .well-known setup: Requires changing DNS settings for your server, outside of the Admin console.
    Admin console setup (IdP fallback): Configure settings in the Admin console.
  • Sharing outside your organization
    .well-known setup: Your collaborator's external key service can easily access your IdP settings. You can automate this access and ensure your collaborator's service has immediate access to any changes to your IdP settings.
    Admin console setup (IdP fallback): Your collaborator's external key service can't access your IdP settings in the Admin console. You must provide your IdP settings directly to your collaborator both before you share encrypted files for the first time and any time you change your IdP settings.

Refer to the following Google Workspace knowledge base article for further details on connecting Google Workspace to an IdP: https://support.google.com/a/answer/10743588?hl=en#zippy=%2Coption-to-connect-to-your-idp-using-a-well-known-file

Set up IAM on the KMES Series 3

You must create two different IdPs on the KMES Series 3. Configure one with the Authentication JSON Web Token (JWT) that the IdP issues to attest a user identity, and configure the other with the Authorization JSON Web Token (JWT) that Google issues to verify that the caller is authorized to encrypt or decrypt a resource. In addition to creating the IdPs, you must create a new role for Google CSE and new identities for all users in your organization who need to use Google CSE.

To set up IAM, perform the following tasks:

  1. Create the Authentication JWT IdP.
  2. Create the Authorization JWT IdP.
  3. Create the CSE role definition.
  4. Create an identity for the CSE user.
  5. Set up IAM in Google Workspace.

Create the Authentication JWT IdP

Perform the following steps to create a JWT IdP that allows the identity partner to attest a user's identity. (In this example, VirtuCrypt is serving as the identity partner.)

  1. Go to Identity Management > Identity Providers, right-click the background, and select Add > Provider > JSON Web Token.
  2. On the Info tab of the Identity Provider Editor window, specify a name for the IdP and de-select the Enforce Dual Factor checkbox.
  3. On the JWT Options tab, you can specify an issuer and set leeway and max validity values according to your requirements. The Issuer field is optional, but if you are using VirtuCrypt as the IdP, set this field to vip.
  4. On the JWT Key tab, select the JWKS radio button (JWKS stands for JSON Web Key Set).

     Two new fields populate in the dialog: JWKS URL and TLS PKI. The JWKS URL is a read-only endpoint URL that points to a list of public keys that verify JSON Web Tokens (JWT). You don't need to configure a CA certificate in the TLS PKI field if the domain configured in the JWKS URL field can be verified by using trusted public internet CAs. However, if you have set up a JWKS endpoint on your LAN, you must select the custom CA certificate that signed the certificate for the domain specified in the JWKS URL field. For the VirtuCrypt use case, leave the TLS PKI field blank because vip.virtucrypt.com has a certificate issued by a trusted public internet CA.

     If your use case requires a custom CA certificate, download it, copy it to the storage medium configured on the KMES, and import it into a Certificate Container in the PKI > Certificate Authorities menu. After you do that, you can browse to and select the certificate in the TLS PKI field.
  5. Select [ OK ] to save.
  6. Right-click the IdP that you created and select Add > Mechanism > JSON Web Token.
  7. On the Info tab of the Authentication Mechanism Editor window, specify a name for the authentication mechanism.
  8. Leave the default settings on the Identifiers and Claims tabs, and select [ OK ] to save.

Create the Authorization JWT IdP

Perform the following steps to create a JWT IdP that allows Google to verify that the caller is authorized to encrypt or decrypt a resource:

  1. Go to Identity Management > Identity Providers, right-click the background, and select Add > Provider > JSON Web Token.
  2. On the Info tab of the Identity Provider Editor window, specify a name for the IdP and de-select the Enforce Dual Factor checkbox.
  3. On the JWT Options tab, you can specify an issuer and set leeway and max validity values according to your requirements. The Issuer field is optional, but an appropriate value might be [email protected].
  4. On the JWT Key tab, select JWKS and then specify https://www.googleapis.com/service_accounts/v1/jwk/[email protected] in the JWKS URL field. Leave TLS PKI blank because the www.googleapis.com domain can be verified by using trusted public internet CAs, so you don't need to configure a custom CA certificate.
  5. Select [ OK ] to save.
  6. Right-click the IdP that you created and select Add > Mechanism > JSON Web Token.
  7. On the Info tab of the Authentication Mechanism Editor window, specify a name for the authentication mechanism.
  8. Leave the default settings on the Identifiers and Claims tabs, and select [ OK ] to save.
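The JWT Options and JWT Key settings in the two procedures above (optional issuer, leeway, max validity, and signing-key lookup through a JWKS) amount to the checks below. This is an added example, not KMES or Google code; it assumes a constructed symmetric JWK in place of the RSA keys a real JWKS URL publishes, so it runs offline with only the Python standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed key set: a symmetric "oct" JWK stands in for the RSA keys a real JWKS URL publishes.
SECRET = b"constructed-demo-secret-do-not-reuse"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # JWT base64url is unpadded
def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

JWKS = {"keys": [{"kty": "oct", "kid": "demo-key-1", "k": b64url_encode(SECRET)}]}

def sign(claims, key, kid):
    # Stand-in for the IdP: issue an HS256 token whose kid the JWKS resolves.
    header = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify(token, jwks, issuer, leeway, max_validity, now):
    """Apply the IdP settings: JWKS kid lookup, optional issuer, leeway and max validity (seconds)."""
    try:
        h, b, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(b)), b64url_decode(s)
        iat, exp = int(claims["iat"]), int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unsupported alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(b64url_decode(key["k"]), f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if issuer and claims.get("iss") != issuer:  # issuer is optional, as on the JWT Options tab
        raise ValueError("issuer mismatch")
    if now > exp + leeway or now < iat - leeway:  # leeway absorbs clock skew between the parties
        raise ValueError("token outside validity window")
    if exp - iat > max_validity:  # max validity rejects tokens minted with overly long lifetimes
        raise ValueError("token lifetime exceeds max validity")
    return claims

def check(token, jwks, issuer, leeway, max_validity, now):
    # Convenience for logging: "ok" or the reason the policy rejected the token.
    try:
        verify(token, jwks, issuer, leeway, max_validity, now)
        return "ok"
    except ValueError as err:
        return str(err)
```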

Create the role definition for CSE

  1. Go to the Identity Management > Roles menu and select [ Add ].
  2. In the Role Editor window, specify a Name for the role, set the Role class to Principal, and set Logins Required to 1.

     Principal roles have view permissions on any objects created by that principal role. This makes sharing encrypted documents possible within an organization because all CSE users are assigned the same principal role. For example, suppose one CSE user in your organization shares a document with another CSE user. The second CSE user's browser can decrypt the document by using the first user's Personal Key since that Personal Key was created by the shared CSE principal role. However, all encrypted documents that the second user creates are encrypted with their Personal Key.
  3. On the Permissions tab, select the following permissions:

     • Cryptographic Operations: the Unwrap and Wrap subpermissions
     • Keys: only the top-level Keys permission (no subpermissions)
  4. On the Advanced tab, leave the values set to the default settings.
  5. Select [ OK ] to finish creating the role.

Create an identity for the CSE user

  1. Go to the Identity Management > Identities menu, right-click the background, and select Add > User.
  2. Leave Storage set to Application, and in the Name field enter the email address that the CSE user logs in to Google Workspace with.
  3. On the Assigned Roles tab, select the Role that you just created.
  4. On the Device Info tab, leave the values set to the default settings.
  5. On the Authentication tab, select [ Add ] to add the following credentials: the Authentication JWT IdP and the Authorization JWT IdP. Remove the default Password credential after configuring the authentication and authorization JWT credentials.
  6. Select [ OK ] to finish creating the identity.

Set up IAM in Google Workspace

You must turn on Google Workspace Client-side encryption (CSE) for all users who need to do any of the following tasks:

  • Create or upload encrypted files to Google Drive
  • Host encrypted meetings with Google Meet (beta)

You don't need to turn on CSE for users who need only to view or edit encrypted files or attend meetings. However, external users need to use an identity provider (IdP) allowlisted by your domain. For details, see External user requirements in About client-side encryption.

To turn on CSE for users, you need to turn on CSE for the organizational units or configuration groups to which the users belong.

At any time, you can disable CSE for users by turning CSE off for the organizational units or configuration groups they belong to. If you disable CSE for users, any existing client-side encrypted content remains encrypted and accessible.

Perform the following action to set up IAM in Google Workspace:

  1. Follow the steps in this Google Workspace knowledge base article to perform the following IAM setup actions for CSE in Google Workspace:

     a. Set the default key service for your organization.
     b. Turn CSE on or off for users.