Using Fortanix DSM for Google Workspace Client-Side Encryption

Prev Next

1.0 Introduction

This article describes how to use Fortanix-Data-Security-Manager (DSM) for Google Workspace Client-Side Encryption (CSE).

To perform Google Workspace CSE integration using Fortanix DSM, you will encrypt the Google Workspace applications’ data (such as Google Docs and Google Drive) with a Data Encryption Key (DEK) and use Fortanix DSM API to wrap the DEK before storing it on Google Cloud storage. To decrypt the document, the Google Workspace application will call the Fortanix DSM APIs to unwrap the DEK and then decrypt the data.

2.0 Definitions

  • CSE – Client-Side Encryption:

    With Google Workspace Client-side encryption (CSE), file encryption is handled in the client's browser before it is stored in cloud storage. That way, Google servers cannot access your encryption keys and, therefore, cannot decrypt your data. To use CSE, you'll need to connect Google Workspace to an external encryption key service and an identity provider (IdP). For more information, refer to the Google Documentation.

  • AES – Advanced Encryption Standard:

    Google uses the Advanced Encryption Standard (AES) algorithm to encrypt data at rest. AES is widely used because:

3.0 Prerequisites

Ensure the following:

  • Fortanix DSM must be set up as the encryption key service.

  • An Identity Provider (IdP) - You need to connect to either an external IdP configured on your Google Workspace account or Google identity by creating a client ID in the Google Cloud Platform (GCP) console. Your IdP verifies the identity of users before allowing them to encrypt files or access the encrypted files.

  • An Authorization Provider – Configure an authorization provider to enable CSE for Google Docs, Google Drive, Google Meet, and Google Calendar. This is used to verify information such as the caller’s role, resource name, and so on.

    The key service URL is automatically created using the “Add Instance” page in the wizard.

  • AES Key – The key that wraps and unwraps the DEK.

NOTE

  • The AES key is automatically created using the Add Instance page in the wizard.

  • It is important to decide whether to use a single key or a separate key for each document. After the URI is added to Google Workspace, you need to contact Google support for help to change the URI.

4.0 Key Management Best Practices

For key rotation, you need to perform the following steps:

  • Rotate the key in Fortanix DSM

  • Copy the URL for the new key (the ID will be different)

  • Update the key URL in Workspace CSE

Workspace CSE will use the new key for encryption, but can still decrypt data encrypted with the old key, provided the old key version is not deleted.

When using a URL containing a Group ID, you do not need to do anything other than rotate the key in Fortanix DSM.

NOTE

Ensure not to disable the old key while rotating the security object in Fortanix DSM, as the old key is still required to decrypt the previously encrypted documents. Before disabling the old key, first open the encrypted document and save it again; this will re-encrypt the document using the new key. After completing this process, you can disable the old key.

5.0 Using Fortanix DSM with Google Workspace

Google Workspace CSE encrypts a user’s documents before they leave their web browser. The Workspace application, for example: Google Docs, generates a Data Encryption Key (DEK) in the browser, encrypts the user’s content with that key, and then it calls Fortanix DSM to wrap the DEK with a Key Encryption Key (KEK) managed in Fortanix DSM. It then stores the encrypted data along with the wrapped DEK in cloud storage. When calling the Fortanix DSM APIs, the Workspace application presents two signed JSON Web Tokens (JWTs) in its request that identify the user by their email address used to log in to the Google Workspace application.

Fortanix DSM verifies these JWT tokens based on the account’s CSE configuration and checks whether the user has the necessary permissions to access the KEK before wrapping or unwrapping the DEK.

NOTE

For the user-based authentication method, as described in Section 6.3: Configuring Authorization Providers, the user must be a group administrator in the same group where the KEK is stored to be able to wrap or unwrap the DEK.

Google Workspace CSE requires the following APIs from Fortanix DSM:

  • Wrap: POST https://<base_url>/wrap

  • Unwrap: POST https://<base_url>/unwrap

  • Privileged Unwrap: POST https://<base_url>/privileged_unwrap

  • Status Check: GET https://<base_url>/status

    Where <base_url> either identifies a single key or a group in Fortanix DSM. When using a single key, all DEKs are encrypted with the same KEK. When using a group, each Google Workspace document’s DEK will be encrypted with its own dedicated KEK stored in the specified group in DSM and the KEKs are created automatically when the wrap API is called to encrypt a document. The base URL patterns for each case are:

  • For single KEK:
    https://<dsm_domain>/crypto/v1/keys/<key_id>/integrations/workspace_cse

  • For a separate KEK for each document:
    https://<dsm_domain>/crypto/v1/groups/<group_id>/integrations/workspace_cse
    Where,

    • <dsm_domain> is the fully qualified domain name of your Fortanix DSM cluster, for example: “amer.smartkey.io” for the Americas Region of DSM SaaS.

    • <key_id> is the UUID of the KEK in Fortanix DSM.

    • <group_id> is the UUID of the group where you want to store KEKs for Google Workspace applications.

Once you determine the most suitable approach, note the corresponding URL provided in the setup wizard. You can then proceed to configure CSE in the Workspace Admin console.

However, before CSE can be used, ensure that it is properly enabled in your Fortanix DSM account by following the steps outlined in the next section.

6.0 Configuring Workspace CSE in Fortanix DSM

Perform the following steps to configure workspace CSE in the Fortanix DSM:

  1. Log in to the Fortanix DSM user interface (UI). On-premises customers use the KMS URL, and the SaaS customers can use the URLs as listed here based on the application region.

  2. In the DSM left navigation panel, click the Instances menu item, and then select the Cloud Key Management/BYOK check box. Click CONFIGURE on the Google Workspace tile.

    Figure 1: Configure Workspace CSE

NOTE

  • If the DSM Account Administrator has configured the Google Workspace CSE integration before DSM version 4.19, then all existing or new users invited to the account need not accept the DSM account invitation before using the Google Workspace CSE feature.

  • If the DSM Account Administrator has configured the Google Workspace CSE integrations on DSM version 4.19 or later, then all users invited to the account must accept the DSM account invitation and when applicable verify their account emails before using the Google Workspace CSE feature unless the Account Administrator has configured app authentication, as described in Section 6.7: Enabling Google Workspace to Access Keys in Fortanix DSM.

6.1 Adding an Instance

Use the Add Instance page to configure Fortanix DSM integration with Google Workspace CSE.

  1. In the Authentication Type section, select any one of the following options to authenticate the Google Workspace CSE users with Fortanix DSM.

    • As User: If this option is selected, then all users who are invited to use this feature using the Users tab must accept the Fortanix DSM account invitation and if applicable, verify their email address to use this feature. For steps to add a user, refer to Section 6.7: Invite a Google Workspace CSE User.

      NOTE

      This is the previously existing workflow.

    • As App: If this option is selected, then as an Account Administrator, you can add users as an app using the Apps tab, where the app name is the email ID of the CSE user, and the credential is Workspace CSE App Auth. Notably, these Workspace users do not have to accept a DSM user invitation or verify their e-mail address. For steps to add a user as an app, refer to Section 5.7: Invite a Google Workspace CSE User.

      NOTE

      • This workflow was introduced in DSM Release 4.19.

      • Using this method, users will not have the overhead of a full Fortanix DSM account and can only access the CSE-related endpoints.

    Most of the following values are available in a .well-known file provided by the identity providers. For example, https://accounts.google.com/.well-known/openid-configuration.

  2. Provider Name

  3. Logo URL (Optional)

  4. Authorization Endpoint URL

  5. Token Endpoint URL

  6. Authentication Method: Select client_secret_basic.

  7. Signing Key

  8. Issuer URL

  9. User Info Endpoint URL (Optional)

  10. Host Validation: Enable the Validate host check box to verify that the above host matches the hostname in the server certificate, if required.

  11. TLS Certificate: Use Global Root CAs or provide a Custom CA certificate.

  12. Prompt (Optional): Select any of the following options for authentication requests:

    NOTE

    If you do not want any value for the Prompt field, then deselect the Consent option. By default, the Consent option is selected.

    • None: Select this option to initiate the silent authentication with the authentication request.

    • Login: Select this option to force a user authentication even if the user has been authenticated already with the authentication request.

    • Consent: Select this option to force prompting the user for consent with the authentication request.

    • Select Account: Select this option to prompt the user to select a user account.

  13. Display (Optional): Select any of the following options for the OAuth server:

    • Page: Select this option to display the consent UI associated with a full user agent window.

    • Popup: Select this option to display the consent UI associated with a pop-up user agent window.

    • Touch: Select this option to display the consent UI associated with a device that leverages a touch user interface.

    • Wap: Select this option to display the consent UI associated with a feature phone display type.

  14. Max Age (Optional): Specifies the maximum amount of time that has elapsed in seconds since the OAuth provider last actively authenticated the end user.

  15. Enter the value for Client ID and Client Secret. To use the IdP to authenticate users in the Fortanix DSM account, the Account Administrator needs to provide "Client ID" and "Client Secret" values. For more information, refer to the User's Guide: Single Sign-On.

  16. Enter the values for the Client ID of CSE application. To set up Google Workspace CSE in Fortanix DSM, you must know the value of the Client ID issued for the CSE client application by the IdP.

    For more information on locating the client_id, refer to Option 1 in the Connect to your identity provider for client-side encryption for Step 2: Configure your .well-known file.

  17. In the Document Encryption section, select any of the following options:

    • Use Single Key to encrypt all Google Workspace documents – Select this option to encrypt all the Google Workspace document DEKs using a single KEK in Fortanix DSM. This option will generate a URL containing the Fortanix DSM Key ID.

    • Automatically create a new key for each document - Select this option to encrypt each Google Workspace document DEK using a new KEK stored in a specific group in Fortanix DSM. This option will generate a URL containing the Fortanix DSM Group ID.

  18. Click NEXT to configure the Identity Providers.

    NOTE

    You can configure only one Google Workspace CSE instance at a time. To create a new one, either edit the existing instance or delete it before starting a new configuration.

    Figure 2: Add an instance

6.2 Configuring Identity Providers

Use the Identity Providers page to configure Fortanix DSM integration with Google Workspace CSE or any third-party IdP. These settings allow Fortanix DSM to authenticate user identities based on the OAuth 2.0 and OpenID Connect protocols.

NOTE

Fortanix DSM does not enforce Single Sign-On (SSO) settings for configured IdPs. However, for security and policy enforcement, Fortanix recommends adding the IdPs under SSO settings as well. For more information, refer to the User's Guide: Single Sign-On.

  1. Identity Provider name: Enter a descriptive name for the IdP.

  2. Valid issuers: Enter one or more valid issuer URLs. Fortanix DSM uses this to validate the iss field in the JWT.

  3. Valid Audiences: Enter one or more valid audiences. Fortanix DSM uses this to validate the aud field in the JWT.

    It is recommended to use fetched signing keys if the IdP rotates signing keys periodically.

    If you are using Google Workspace without a third-party IdP, enter the following values:

    For third-party IdPs, follow the instructions in Connect to identity provider for client-side encryption and provide the same information that you use when configuring your IdP in the Workspace admin console - option 2 (or from the .well-known document of your IdP - option 1).

  4. In the Signing keys section, select either of the following options to validate the JWT signature:

    • STORED SIGNING KEY:

      • Add Public Key: Provide one or more public keys by uploading or pasting the key(s) in PEM format. When specifying multiple keys, specify the Key ID so that keys can be differentiated by their unique Key IDs.

      Figure 3: Configure signing keys

    • FETCHED SIGNING KEY:

      • Key URL: Enter the URL where Fortanix DSM can retrieve the public keys. The endpoint must return signing keys in either:

        • JWK Set format: Refer to Section 5 of RFC 7517 for details.

        • JSON mapping key IDs to base64-encoded public keys in DER format.

      • Cache duration: Set this value to control how long DSM caches the fetched keys.

        Figure 4: Configure fetched signing keys

  5. Click NEXT to configure the Authorization Providers.

6.3 Configuring Authorization Providers

This section describes how to configure one or more authorization providers. Authorization providers enable Fortanix DSM to validate authorization tokens issued by Google for Workspace CSE APIs. Each Workspace application (for example, Drive, Meet, Calendar) may require distinct authorization settings.

Perform the following steps:

  1. Select one or more of the following default Workspace applications:

    • Google Drive and Docs

    • Google Meet

    • Google Calendar

    Figure 5: Authorization provider

  2. Click ADD ANOTHER AUTHORIZATION PROVIDER to configure an additional authorization provider and do the following:

    1. Provider Name: Enter a name for the custom provider.

    2. Key URL: Enter the URL from which the public signing key(s) will be fetched.

    3. Cache Duration: Enter the time, in seconds, that DSM should cache the fetched keys to improve performance.

    4. Valid Issuers: Specify one or more valid issuers to validate the iss field in the authorization JWT. For example: [email protected] is used for Google Drive and Docs.

    5. Valid Audiences: Specify one or more valid audiences to validate the aud field in the authorization JWT. For example: cse-authorization is used for Google Drive and Docs.

    Figure 6: Configure authorization provider

  3. Click NEXT to review the listing.

6.4 Reviewing the Added Instance

After configuring the instance for Google Workspace CSE, review the configuration details before finalizing the setup.

The Review page displays a summary of the configured instance. Verify that all information is correct.

Figure 7: Review and save the instance

Click the SAVE button to complete the setup. When you save the instance:

  • Fortanix DSM generates a Key Service URL for the configured instance.

  • Fortanix DSM automatically creates a Google Workspace CSE group associated with the instance.

After saving, the summary page displays the generated Key Service URL. Copy this URL and use it in the Google Workspace Admin Console to configure document encryption for Google Workspace CSE.

Figure 8: Copy key service URL

6.5 Invite a Google Workspace CSE User

Perform the following steps to invite a user to use the Google Workspace CSE feature using the User authentication method:

  1. In the DSM left navigation panel, click the Users menu item, and then click the + button to invite a new Google Workspace CSE user.

  2. Enter the user’s email address in the Enter e-mail to invite field.

  3. Select the Role for the user as Account Member and provide the necessary Group Administrator, Group Auditor, or Group Custom Role permission, or select the Role as Account Administrator as described in the User’s Guide: Authorization.

  4. Click the INVITE button.

    Figure 9: Invite user using user authentication

Perform the following steps to invite a user to use the Google Workspace CSE feature using the App authentication method:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to add a new Google Workspace CSE user as an app.

  2. For the App name field, enter the Google Workspace CSE user’s email ID.

  3. Select the Authentication method as Workspace CSE App Auth.

  4. Assign the app to a Google Workspace CSE group in DSM.

  5. Click the SAVE button to create the user as an app.

    Figure 10: Invite user using app authentication

6.6 Editing and Deleting an Instance

You can edit any of the provided information in the Google Workspace CSE instance using the Edit button corresponding to each widget on the screen.

You can also remove the Google Workspace CSE instance using the DELETE button available at the end of the screen.

Figure 11: Edit or delete an instance

6.7 Enabling Google Workspace to Access Keys in Fortanix DSM

Google Workspace CSE needs a URL to access the KEK stored in Fortanix DSM. This URL is generated in the Review wizard.

Use the resource URL in your Workspace admin console as your “key service URL”.

  1. Log in to admin.google.com with an administrator account and click Security -> Client-side encryption.

  2. Under Add external key service:

    1. Enter a name for the external key service, provide the URL that you copied in the above step, and then click Continue.

    2. Click TEST CONNECTION and make sure the connection is successful.

    3. Click Add Service -> Continue to finish the configuration.

  3. Under Add identity provider, enter the details of the well-known identity provider that you provided in Fortanix Google CSE settings in Section 5.3: Adding an Instance.

  4. Click TEST CONNECTION and make sure the connection is successful.

  5. Click Add Provider to add the IdP.

  6. Under Apps, click the Drive and Docs icon:

    1. Client-side encryption status -> Turn it ON

    2. Default external key service -> Select the newly added key service from drop down

Add_External_Key_Service_and_Identity_Provider.png

Figure 12: Add external key service and identity provider

After completing the Workspace settings, follow the steps listed in About client-side encryption - Google Workspace Admin Help. You should be able to go to Google Docs and create an encrypted document. If everything works, you will see audit log messages on the key(s) in Fortanix DSM showing requests coming from your browser.

7.0 Configure Gmail CSE in Fortanix DSM

With Gmail Workspace CSE, security administrators of an organization can send and receive client-side encrypted emails within or outside their organization. The encryption scheme uses asymmetric private keys and certificates for authentication and key agreement for message encryption. As the security administrator of an organization, you can now configure Google Workspace CSE in Fortanix DSM to enable the relevant CSE endpoints to support users signing and decrypting messages in Gmail.

7.1 Gmail CSE Prerequisites

  • Refer to the Prerequisites in Section 3.0: Prerequisites.

  • The user must have a Google Workspace Enterprise Plus, Education, or Education Plus Tier and a Google Workspace CSE integration configured in Fortanix DSM.

  • Users can create a main or master wrapping AES key separate from the default one for the integration that will be used to wrap the RSA private keys in a later step.

7.2 Add an Instance

Validate the Google-issued authorization tokens by adding an instance for Google Workspace users. Refer to Section 5.3: Adding an Instance for more details.

7.3 Configure Identity Provider

Configure the Identity Providers that authenticate users for Google Workspace. Refer to Section 5.4: Configure Identity Providers for more details.

7.4 Configure Authorization Provider

Configure Gmail as the authorization provider. To configure Gmail as an authorization provider, enter the following values:

  1. Enter a name for the provider, for example: Gmail

  2. Key URL: https://www.googleapis.com/service_accounts/v1/jwk/[email protected]

  3. Cache Duration: 86400 seconds

  4. Valid Issuers: [email protected]

  5. Valid Audiences: cse-authorization

The following image illustrates the entered values in the respective fields:

Figure 13: Configure Gmail authorization provider

7.5 Review the Added Instance

Review the information on the added instance for the Gmail Workspace CSE. Refer to Section 5.6: Reviewing the Added Instance for more details.

7.6 Invite a Gmail Workspace CSE User

To add users for Gmail CSE, create an app with the authentication method Workspace CSE App Auth.

7.7 Create Wrapped Private Key

  1. Refer to Section 6.7: Enabling Google Workspace to Access Keys in Fortanix DSM for steps to access the KEK stored in Fortanix DSM.

    1. Follow Steps 1-5 in Section 6.7: Enabling Google Workspace to Access Keys in Fortanix DSM.

    2. In Step 6 in Section 6.7: Enabling Google Workspace to Access Keys in Fortanix DSM, under Apps, click the Gmail icon:

      1. Client-side encryption status - Turn it ON.

      2. Default external key service - Select the newly added key service from drop down.

        Gmail_Add_Ext_IDP.png

        Figure 14: Add additional key service and identity provider

    3. Complete the Workspace CSE settings. Follow Steps 1 to 7 in Section: CSE Setup Overview in About client-side encryption - Google Workspace Admin Help.

      • You should have generated an S/MIME (Secure/Multipurpose Internet Mail Extensions) certificate for each user who will use Gmail CSE to either send or receive emails.

        NOTE

        To send and receive signed and encrypted emails outside the organization, you will need to provision the users with certificates issued by a commercial Certificate Authority.

      • Next, for each user’s private key, you need to make a /wrapkey request.

      • When creating your private key metadata, the user must manually do either of the following using the /wrapkey endpoint in DSM

        • Import the private key into DSM, and then create the wrap key request.

        • Inline the key in the wrap key request.

      • After you have the wrapped response, configure the CBOR (Concise Binary Object Representation) serialization, and then base64 encode the resulting string.

        NOTE

        The user must structure the wrapped response using the CDDL (Concise Data Definition Language) format below before generating the metadata blob.

        # 
        # The CDDL for the wrapped private key metadata that will be serialized in CBOR and encoded using base64.
        # 
        WorkspaceCseWrappedPrivateKey = {
            wrapped_key: bytes,       ; The private key wrapped as a blob returned 
                                      ;     from the /wrapkey endpoint
            wrapping_key: tstr,       ; The Uuid of the wrapping key
            obj_type: tstr,           ; The object type of the wrapped key, for now should be "Rsa".
            iv: bytes,              ; The iv used during wrapping of the private key 
                                      ;     returned from the /wrapkey endpoint
            mode: tstr,             ; The mode used during wrapping, see this page for a list of valid modes
                                      ; https://support.fortanix.com/hc/en-us/articles/360028212271-Wrapping-a-Key
            ? ad: bytes,              ; The optional authenticated data used during wrapping
            ? tag: bytes,             ; The optional tag used during wrapping
        }
      • Google requires you to now format the wrapped private key generated above and save it in a file with a .wrap extension. For example, [email protected].

      The wrapped private key must have a JSON object with the following two required fields:

      {
        "kacls_url": "URL provisioned in the workspace for the base CSE integration",
        "wrapped_private_key": "base64 encoded bytes"
      }

7.8 Provisioning User Key-Pairs

Next, you need to upload the S/MIME certificate and private key metadata encrypted by DSM to Gmail.

NOTE

The Workspace CSE administrator:

  • Must have their GCP service account set up and save the credentials somewhere accessible.

  • Will need the metadata blob for each user and their certificate chains.

  • Will need the kacls_url that is listed in the Google Admin Console.

  1. To upload users’ certificates and wrapped private keys to Gmail, refer to the script in Set up your Organization for Gmail client-side encryption to make the appropriate API calls to Google.

  2. After following the steps, you should be able to go to Gmail to encrypt and sign email messages. If everything works, you will see audit log messages on the key(s) in Fortanix DSM showing requests coming from your browser.

8.0 Frequently Asked Questions

  • How to identify the security object associated with the Google document when using the Group ID?

    When using Group ID, Fortanix DSM creates a security object for each document that is encrypted from Google CSE and you can identify the security object associated with a document in Fortanix DSM by clicking on the encrypted document in Google drive and paying close attention to the document URL that contains the security object.

  • How can I segregate the security objects created by multiple teams in Google Workspace, since all the security objects are created in a single group in Fortanix DSM when using Fortanix DSM Group ID in KMS URL?

    When using the Group ID in the KMS URL, all the security objects are created in the default group. However, you can create multiple groups, for example HR, Finance, IT, and so on, and move the associated security objects manually to the new group from the default group.
    One point to note is that when you move an object to a different group, users still need to be group members in that group to be able to use the key to wrap/unwrap, otherwise, they would get an access control error. This security requirement is the best way to ensure correct permissions over the keys that users need to decrypt documents.