Set up the external key service for Google Workspace CSE

this section describes how to configure the {{k3}} as an external key service for google workspace client side encryption (cse) you complete some configuration in the {{k3}} application interface and some in the google admin console configure settings in the {{k3}} application interface complete the following tasks in the {{k}} interface define the key access control list (kacl) url enable the host api commands the following sections describe how to perform these tasks define the kacl url perform the following steps to define the kacl url for google client side encryption log in to the {{k3}} application interface with the default admin identities go to the administration > configuration menu and select google api options in kacl url , enter the url for your key service (for example, https //\<server ip> \<port>/kmes/v7/key encrypt/client ) google requires this connection to be tls with a publicly trusted certificate the connection can be through nat or reverse proxy select \[ save ] to finish enable the commands perform the following steps to enable the required host api commands go to the administration > configuration menu and select host api options select the kacl command, which enables google client side key wrap and unwrap select \[ save ] to finish configure settings in the google admin console the key access control list service (kacls) is your external key service (such as {{k3}} ) that uses an api to control access to encryption keys stored in an external system the (identity provider) idp, discussed in previous sections of this guide, authenticates users before they can encrypt files or access encrypted files this integration uses {{vc}} as the idp, but you can use any idp that supports oauth complete the following tasks in the google admin console for client side encryption configure the kacls configure the idp the following sections describe how to perform these tasks configure the kacls perform the following steps to configure the kacls sign in to your google admin console by using an account with super administrator privileges in the main menu, select security > access and data control > client side encryption select the external key service card to open it select \[ add external key service ] enter a name for your key service enter the url for your key service (such as https //\<server ip> \<port>/kmes/v7/key encrypt/client ) google requires this connection to be tls with a publicly trusted certificate the connection can be through nat or a reverse proxy to confirm that google workspace can communicate with the external key service, select \[ test connection ] to close the card, select \[ continue ] configure the idp to connect google workspace to your idp, you can use a well known file or the admin console after establishing the connection, you must allowlist your idp in the admin console this section shows how to connect google workspace to your idp by using the admin console however, this method serves as a fallback method for the well known file method see the following google workspace documentation instructions on connecting google workspace to your idp using a well known file https //support google com/a/answer/10743588#config wellknown\&zippy=%2coption to connect to your idp using a well known file https //support google com/a/answer/10743588#config wellknown\&zippy=%2coption to connect to your idp using a well known file sign in ( admin google com/ ) to your google admin console ( support google com/a/answer/182076 ) by using an account with super administrator privileges ( support google com/a/answer/2405986#super admin ) in the main menu, select security > access and data control > client side encryption under identity provider configuration , select \[ configure idp fallback ] enter the details of your idp in name , specify a descriptive name to help identify your idp this name displays in idp messages for users in client id , specify the openid connect (oidc) client id that the cse client application uses to acquire a json web token (jwt) based on the following scenarios if you're using a third party idp generate this id by using your idp admin console if you're using google identity generate this id by using the google cloud platform (gcp) admin console for instructions, go to the following link create a client id for google identity in discovery uri , specify the oidc discovery url, as defined in this openid specification ( openid net/specs/openid connect discovery 1 0 html ), based on the following scenarios if you're using a third party idp your idp provides you with this url, which usually ends with / wellknown/openid configuration if you're using google identity use https //accounts google com/ well known/openidconfiguration configure your discovery uri to allow origin urls for cross origin resource sharing (cors) calls, as follows methods get allowed origins https //admin google com https //client side encryption google com https //krahsc google com/callback https //krahsc google com/oidc/cse/callback https //krahsc google com/oidc/drive/callback https //krahsc google com/oidc/gmail/callback https //krahsc google com/oidc/meet/callback https //krahsc google com/oidc/calendar/callback https //krahsc google com/oidc/docs/callback https //krahsc google com/oidc/sheets/callback https //krahsc google com/oidc/slides/callback https //client side encryption google com/callback https //client side encryption google com/oidc/cse/callback https //client side encryption google com/oidc/drive/callback https //client side encryption google com/oidc/gmail/callback https //client side encryption google com/oidc/meet/callback https //client side encryption google com/oidc/calendar/callback https //client side encryption google com/oidc/docs/callback https //client side encryption google com/oidc/sheets/callback https //client side encryption google com/oidc/slides/callback in the grant type field, select the oauth flow you want to use for oidc based on the following scenarios if you're using a third party idp use either the implicit or authorization code with pkce grant type if you're using google identity use only the implicit grant type select \[ test connection ] if google workspace can connect to your idp, the connection success message displays select \[ add provider ] to close the card