Set up the external key service for Google Workspace CSE
This section describes how to configure the KMES Series 3 as an external key service for Google Workspace CSE. You complete some configuration in the KMES Series 3 application interface and some in the Google Admin Console.
Complete the following tasks in the KMES interface:
- Define the Key Access Control List (KACL) URL.
- Enable the Host API commands.
The following sections describe how to perform these tasks.
Log in to the KMES Series 3 application interface with the default Admin identities.
Go to the Administration > Configuration menu and select Google API options.
In KACL URL, enter the URL for your key service (for example, https://<server ip>:<port>/kmes/v7/key-encrypt/client).
Google requires this connection to be TLS, with a publicly-trusted certificate. The connection can be through NAT or reverse proxy.
Select [ Save ] to finish.
Go to the Administration > Configuration menu and select Host API Options.
Select the KACL command, which enables Google client-side key wrap and unwrap.
Select [ Save ] to finish.
The Key Access Control List Service (KACLS) is your external key service (in this guide, the KMES Series 3). It exposes an API through which Google Workspace CSE asks for data encryption keys to be wrapped and unwrapped with a key-encryption key that never leaves the external system. The IdP, discussed in previous sections of this guide, authenticates users before they can encrypt files or access encrypted files, and the KACLS validates the IdP's token on every wrap and unwrap request. This integration uses VirtuCrypt as the IdP, but you can use any IdP that supports OpenID Connect (OIDC), which is what the Admin console configuration below requires.
Complete the following tasks in the Google Admin console for client-side encryption:
- Configure the Key Access Control List Service (KACLS).
- Configure the IdP.
The following sections describe how to perform these tasks.
Sign in to your Google admin console by using an account with super administrator privileges.
In the main menu, select Security > Access and data control > Client-side encryption.
Select the External key service card to open it.
Select [ Add external key service ].
Enter a name for your key service.
Enter the URL for your key service (such as https://<server ip>:<port>/kmes/v7/key-encrypt/client).
Google requires this connection to be TLS, with a publicly-trusted certificate. The connection can be through NAT or reverse proxy.
To confirm that Google Workspace can communicate with the external key service, select [ Test connection ].
To close the card, select [ Continue ].
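The KACL URL entered in the KMES interface and the key service URL entered in the Admin console above are the same endpoint, and both must be https with a certificate that chains to a public CA: Google's Test connection validates the chain with Google's trust store, not yours, so a private CA or a self-signed certificate fails even if your own browser accepts it. The following preflight script is an added example, not Futurex or Google code. validate_kacl_url is a pure check on the URL string; check_tls opens a real connection through the system trust store, which is the closest offline stand-in for what Google will do. The hostname kacls.example.com is a placeholder.

```python
"""Preflight a KACLS URL before entering it in the KMES and Google Admin consoles.

Added example, not from the Futurex or Google documentation. Hostnames are placeholders.
"""
import ipaddress
import socket
import ssl
import sys
from urllib.parse import urlsplit

KMES_KACL_PATH = "/kmes/v7/key-encrypt/client"  # KACL endpoint path from the guide


def validate_kacl_url(url: str, expected_path: str = KMES_KACL_PATH) -> list:
    """Return the list of problems with a KACL URL; an empty list means it is well formed."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme must be https (Google requires TLS)")
    host = parts.hostname
    if not host:
        problems.append("missing host")
    else:
        try:
            ipaddress.ip_address(host)
            # Possible, but a publicly-trusted certificate must then list the
            # address as an IP SAN; a DNS name is the normal choice.
            problems.append("host is an IP literal; the publicly-trusted certificate must carry it as an IP SAN")
        except ValueError:
            pass  # a DNS name, which is what the certificate normally names
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        problems.append("invalid port")
    if parts.username or parts.password:
        problems.append("credentials embedded in URL")
    if parts.path.rstrip("/") != expected_path:
        problems.append(f"path should be {expected_path}")
    if parts.query or parts.fragment:
        problems.append("query string or fragment not expected")
    return problems


def check_tls(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect with the system trust store, verifying chain and hostname as a public
    client would, and return certificate facts worth eyeballing. Raises
    ssl.SSLCertVerificationError when the chain is not publicly trusted."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname verification
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                "san": [value for _, value in cert.get("subjectAltName", ())],
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "https://kacls.example.com:8443" + KMES_KACL_PATH
    for issue in validate_kacl_url(url):
        print("URL:", issue)
    parts = urlsplit(url)
    if parts.scheme == "https" and parts.hostname:
        try:
            print("TLS:", check_tls(parts.hostname, parts.port or 443))
        except ssl.SSLCertVerificationError as exc:
            print("TLS: chain not trusted by the system store; Google will reject it too:", exc)
        except OSError as exc:
            print("TLS: connection failed:", exc)
```

Run it against the public name that Google will resolve, not the internal address behind the NAT or reverse proxy, since that is the name the certificate has to match and the proxy is where the TLS termination usually lives.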
To connect Google Workspace to your IdP, you can use a .well-known file or the Admin console. After establishing the connection, you need to allowlist your IdP in the Admin console.
This section shows how to connect Google Workspace to your IdP by using the Admin console. Google treats this method as a fallback to the .well-known file method; for instructions on connecting Google Workspace to your IdP with a .well-known file, see the following Google Workspace documentation: https://support.google.com/a/answer/10743588#config_wellknown&zippy=%2Coption-to-connect-to-your-idp-using-a-well-known-file
Sign in to your Google admin console by using an account with super administrator privileges.
In the main menu, select Security > Access and data control > Client-side encryption.
Under Identity provider configuration, select [ Configure IdP fallback ].
Enter the details of your IdP.
In Name, specify a descriptive name to help identify your IdP. This name displays in IdP messages for users.
In Client ID, specify the OpenID Connect (OIDC) client ID that the CSE client application uses to acquire a JSON Web Token (JWT). Where you obtain it depends on your IdP:
- If you're using a third-party IdP: Generate this ID by using your IdP admin console.
- If you're using Google identity: Generate this ID by using the Google Cloud Platform (GCP) Admin console. For instructions, go to the following link: Create a client ID for Google identity.
In Discovery URI, specify the OIDC discovery URL, as defined in the OpenID Connect Discovery specification, based on the following scenarios:
- If you're using a third-party IdP: Your IdP provides you with this URL, which usually ends with /.well-known/openid-configuration.
- If you're using Google identity: Use https://accounts.google.com/.well-known/openid-configuration.
Configure the server that hosts your discovery URI to allow cross-origin resource sharing (CORS) requests from Google, as follows:
- Methods: GET
- Allowed origins:
  - https://admin.google.com
  - https://client-side-encryption.google.com
  - https://krahsc.google.com/callback
  - https://krahsc.google.com/oidc/cse/callback
  - https://krahsc.google.com/oidc/drive/callback
  - https://krahsc.google.com/oidc/gmail/callback
  - https://krahsc.google.com/oidc/meet/callback
  - https://krahsc.google.com/oidc/calendar/callback
  - https://krahsc.google.com/oidc/docs/callback
  - https://krahsc.google.com/oidc/sheets/callback
  - https://krahsc.google.com/oidc/slides/callback
  - https://client-side-encryption.google.com/callback
  - https://client-side-encryption.google.com/oidc/cse/callback
  - https://client-side-encryption.google.com/oidc/drive/callback
  - https://client-side-encryption.google.com/oidc/gmail/callback
  - https://client-side-encryption.google.com/oidc/meet/callback
  - https://client-side-encryption.google.com/oidc/calendar/callback
  - https://client-side-encryption.google.com/oidc/docs/callback
  - https://client-side-encryption.google.com/oidc/sheets/callback
  - https://client-side-encryption.google.com/oidc/slides/callback
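The CORS requirement above, as an added example that is not part of the Futurex guide or Google's documentation: a minimal Python handler that serves the discovery document and enforces the allowlist. A browser's Origin header carries scheme and host only, never a path, so for CORS purposes the entries with callback paths collapse to https://krahsc.google.com and https://client-side-encryption.google.com; the full callback URLs are the redirect URIs the CSE client uses, which your IdP's client registration has to allow separately. The discovery document, the IdP name idp.example.com, and the listening port are constructed for the example.

```python
"""Serve an OIDC discovery document with the CORS allowlist Google Workspace CSE needs.

Added example; not code from Futurex, Google, or any IdP vendor. DISCOVERY is a
constructed document for a hypothetical IdP at https://idp.example.com.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import urlsplit

DISCOVERY_PATH = "/.well-known/openid-configuration"

# The allowed-origin entries exactly as the Admin console instructions list them.
CALLBACK_HOSTS = ("https://krahsc.google.com", "https://client-side-encryption.google.com")
CALLBACK_PATHS = ("/callback",) + tuple(
    f"/oidc/{app}/callback"
    for app in ("cse", "drive", "gmail", "meet", "calendar", "docs", "sheets", "slides")
)
ALLOWED_ENTRIES = [
    "https://admin.google.com",
    "https://client-side-encryption.google.com",
] + [host + path for host in CALLBACK_HOSTS for path in CALLBACK_PATHS]


def origin_of(url: str) -> str:
    """Reduce a URL to its web origin (scheme://host[:port]); paths play no part in CORS."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


# Three distinct origins once the callback paths are dropped.
ALLOWED_ORIGINS = frozenset(origin_of(entry) for entry in ALLOWED_ENTRIES)


def cors_headers(origin: Optional[str]) -> Optional[dict]:
    """CORS headers for a request from `origin`, or None when it is not allowlisted.

    The match is exact, never a prefix or substring test: a check such as
    origin.startswith("https://admin.google.com") would accept
    https://admin.google.com.attacker.example. Echoing the matched origin rather
    than "*" keeps the allowlist enforceable, and Vary: Origin stops a shared
    cache from replaying one origin's Allow-Origin header to another.
    """
    if origin is None or origin not in ALLOWED_ORIGINS:
        return None
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET",
        "Vary": "Origin",
    }


# Constructed sample document for a hypothetical IdP; replace with your IdP's values.
DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/jwks",
    "response_types_supported": ["code", "id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "code_challenge_methods_supported": ["S256"],  # needed for authorization code with PKCE
}


class DiscoveryHandler(BaseHTTPRequestHandler):
    def _reply(self, status: int, headers: dict, body: bytes = b"") -> None:
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self) -> None:  # preflight, should a client send one
        cors = cors_headers(self.headers.get("Origin"))
        self._reply(204 if cors else 403, cors or {})

    def do_GET(self) -> None:
        if self.path != DISCOVERY_PATH:
            self._reply(404, {})
            return
        headers = {"Content-Type": "application/json"}
        # The document is public, so it is served regardless of Origin; only the
        # CORS headers are conditional. A page on a non-allowlisted origin still
        # receives the bytes, but the browser refuses to let the script read them.
        headers.update(cors_headers(self.headers.get("Origin")) or {})
        self._reply(200, headers, json.dumps(DISCOVERY).encode())


if __name__ == "__main__":
    # Plain HTTP on localhost; terminate TLS with the publicly-trusted certificate
    # at the reverse proxy in front, as with the KACLS endpoint.
    HTTPServer(("127.0.0.1", 8080), DiscoveryHandler).serve_forever()
```

If your IdP is a commercial product, the equivalent is its CORS or "trusted origins" setting; the point that carries over is exact-origin matching and not wildcarding the discovery endpoint for every origin.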
In the Grant type field, select the OAuth flow to use for OIDC, based on the following scenarios:
- If you're using a third-party IdP: Use either the Implicit or Authorization code with PKCE grant type. Prefer Authorization code with PKCE where your IdP supports it; the implicit flow returns tokens in the redirect URL fragment, where they can end up in browser history and logs.
- If you're using Google identity: Use only the Implicit grant type.
Select [ Test Connection ].
If Google Workspace can connect to your IdP, a Connection success message displays.
Select [ Add Provider ] to close the card.