Using Fortanix DSM for Google Workspace Client-Side Encryption

1.0 Introduction

This article describes how to use Fortanix Data Security Manager (DSM) for Google Workspace Client-Side Encryption (CSE).

To perform Google Workspace CSE using Fortanix DSM, you will encrypt the Google Workspace applications’ data (such as Google Docs and Google Drive) with a Data Encryption Key (DEK) and use Fortanix DSM API to wrap the DEK before storing it on Google Cloud storage. To decrypt the document, the Google Workspace application will call the Fortanix DSM APIs to unwrap the DEK and then decrypt the data.

2.0 Definitions

• CSE – Client-Side Encryption:

  With Google Workspace Client-side encryption (CSE), file encryption is handled in the client's browser before it is stored in cloud storage. That way, Google servers cannot access your encryption keys and, therefore, cannot decrypt your data. To use CSE, you'll need to connect Google Workspace to an external encryption key service and an identity provider (IdP). Refer to Google Documentation for more details.

• AES – Advanced Encryption Standard:

  Google uses the Advanced Encryption Standard (AES) algorithm to encrypt data at rest. AES is widely used because:

  • Both AES256 and AES128 are recommended by the National Institute of Standards and Technology (NIST) for long-term storage use (as of November 2015).
  • AES is often included as part of customer compliance requirements.
    For more information please see Advanced Encryption Standard.

3.0 Prerequisites

• Fortanix DSM must be set up as the encryption key service.
• An Identity Provider (IdP) - you need to connect to either an external IdP configured on your Google Workspace account, or Google identity by creating a client ID in the Google Cloud Platform (GCP) console. Your IdP verifies the identity of users before allowing them to encrypt files or access the encrypted files.
• An Authorization Provider – Configure an authorization provider to enable CSE for Google Docs and Google Drive, Google Meet, and Google Calendar. This is used to verify information such as the caller’s role, resource name, and so on.
  The key service URL is automatically created using Add Instance page in the wizard.
• AES key – The key that wraps and unwraps the DEK.

4.0 Key Management Best Practices

For key rotation, you need to perform the following steps:

• Rotate the key in Fortanix DSM
• Copy the URL for the new key (the id will be different)
• Change the URL in Workspace CSE

Workspace CSE will use the new key to encrypt but can still decrypt old data that was encrypted with the old key (if you delete the old version).

When using a URL containing a Group ID, you do not need to do anything other than rotate the key in Fortanix DSM.

5.0 Using Fortanix DSM with Google Workspace

5.1 Overview

Google Workspace CSE encrypts user’s documents before it leaves their web browser. The Workspace application, for example: Google Docs, generates a Data Encryption Key (DEK) in the browser, encrypts user contents with that key, and then it calls Fortanix DSM to wrap the DEK with a key in Fortanix DSM. It then stores the encrypted data along with the wrapped DEK in cloud storage. When calling the Fortanix DSM APIs, the Workspace application presents two signed JSON Web Tokens (JWT) with its request that identifies the user by their email address used to log in to the Google Workspace application.

Fortanix DSM will verify these JWT tokens based on the account CSE configurations and check whether the user has proper access to the Key Encryption Key (KEK) before wrapping/unwrapping the DEK.

Google Workspace CSE requires the following APIs from Fortanix DSM:

• Wrap: POST https://<base_url>/wrap
• Unwrap: POST https://<base_url>/unwrap
• Privileged Unwrap: POST https://<base_url>/privileged_unwrap
• Status Check: GET https://<base_url>/status

  Where <base_url> either identifies a single key or a group in Fortanix DSM. When using a single key, all DEKs are encrypted with the same KEK. When using a group, each Google Workspace document’s DEKs will be encrypted with its own dedicated KEK stored in the specified group in DSM and the KEKs are created automatically when wrap API is called to encrypt a document. The URL patterns for each case are:

• For single KEK:
  https://<dsm_domain>/crypto/v1/keys/<key_id>/integrations/workspace_cse
• For separate KEK for each document:
  https://<dsm_domain>/crypto/v1/groups/<group_id>/integrations/workspace_cse
  Where,
  • <dsm_domain> is the fully qualified domain name of your Fortanix DSM cluster, for example: “smartkey.io” for DSM SaaS.
  • <key_id> is the UUID of the KEK in Fortanix DSM.
  • <group_id> is the UUID of the group where you want to store KEKs for Google Workspace applications.

After you decide which approach suits your needs best, you should note the correct URL from the wizard and move on to configuring CSE in the Workspace admin console. But to enable CSE in your Fortanix DSM account, you need to follow the steps in the next section.

5.2 Configuring Workspace CSE in Fortanix DSM

1. Log in to Fortanix DSM as an account administrator and click the Integrations tab in the left panel.
2. On the Integrations page, click CONFIGURE on the Goggle Workspace Figure 1: Configure Workspace CSE

5.3 Adding an Instance

Validate the Google-issued authorization tokens by adding an instance for Google Workspace users.

The following image illustrates the Add Instance page:

Figure 2: Add an Instance

Perform the following steps:

1. Enter the value for the discovery document URL of the OpenID Connect IdP in Enter discovery document URL field.
   This URL has the following general form:
   

   https://{domain}[/{path}]/.well-known/openid-configuration

   The /{path} part is optional (denoted with []).

   For example:

   • https://accounts.google.com/.well-known/openid-configuration
   • https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
     NOTE

     Microsoft uses the following general pattern:
     Microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
     where {tenant} is either common or a tenant id, see the following reference for details: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#fetch-the-openid-connect-metadata-document
2. Enter the value for Client ID and Client Secret. In order to use the IdP to authenticate users in the Fortanix DSM account, the Account Administrator needs to provide "Client ID" and "Client Secret" values. These are documented in the Single Sign-On Guide.
   
   NOTE

   The rest of the configuration parameters listed in the SSO guide are retrieved using the discovery document URL described in Step 1 above.
3. Enter the values for Client ID of CSE application. In order to set up Google Workspace CSE in Fortanix DSM, you must know the value of "Client ID" issued for the CSE client application by the IdP.
   

   See instructions for client_id in the table found in (Option 1) To connect to your IdP using a .well-known file -> Step 2. Configure your .well-known file in the following page: Connect to your identity provider for client-side encryption.

4. Select either of the following Document Encryption options:
   • Use Single Key to encrypt all Google Workspace documents – Select this option to encrypt all the Google workspace documents using a single key in Fortanix DSM. This option will generate a URL containing the Fortanix DSM Key ID.
   • Automatically create a new key for each document - Select this option to encrypt each Google workspace document using a new key stored in a specific group in Fortanix DSM. This option will generate a URL containing the Fortanix DSM Group ID.
5. Click the NEXT button to configure the Identity Providers.
   
   NOTE

   You can only create a single Google Workspace CSE instance at any given time. To add a new instance, edit the existing instance with new values or delete the instance and create a new instance.

5.4 Configure Identity Providers

Configure the Identity Providers that authenticate users for Google Workspace.

The following image illustrates the Identity Providers page:

Figure 3: Identity Providers

1. Enter a descriptive name for IdP in Identity Provider name field.
2. Select either of the following Signing keys. These are used to validate the signature on the authentication JWT. 
   • Stored Signing Key:
     • Add Public Key: Provide one or more public keys by uploading or pasting the key(s) in PEM format. When specifying multiple keys, specify the Key ID so that keys can be differentiated by their unique Key IDs.
       
   • FETCHED SIGNING KEY:
     • Key URL: Specify a URL where the signing keys can be fetched from. The specified URL should return the signing keys in one of the following formats:
       • JWK Set: please refer to Section 5 of RFC 7517 for details.
       • A JSON object mapping key IDs to base64 encoded public keys in DER format.
     • Cache Duration: To improve performance, Fortanix DSM will cache the fetched keys, but you can control how long the keys are cached.
       
   • Valid issuers: one or more valid issuers. This information is used to validate the iss field of the JWT.
   • Valid Audiences: one or more valid audiences. This information is used to validate the aud field of the JWT.
   It is recommended to use fetched signing keys if the signing keys are rotated periodically. 
   If you are not using any external IdP with your Workspace account, then use the following values for the identity provider:
   • Identity Provider name: Google
   • Signing keys: FETCHED
     • Key URL: https://www.googleapis.com/oauth2/v3/certs 
     • Cache duration: 86400 seconds (1 day)
   • Valid issuers: https://accounts.google.com 
   • Valid audiences: you need to follow the instructions in “Create a client ID for Google identity” and copy the OAuth client ID you created here. 

   For third-party IdPs follow the instructions in Connect to identity provider for client-side encryption and provide the same information that you use when configuring your IdP in the Workspace admin console - option 2 (or from the .well-known document of your IdP - option 1)

3. Click NEXT to configure the Authorization Providers.

5.5 Configuring Authorization Providers

Configure one or more authorization providers that allow the service to validate the Google-issued authorization tokens for Workspace CSE APIs. Different Workspace applications might require different authorization settings.

The following image illustrates the Authorization Providers page:

Figure 4: Authorization Provider

Perform the following steps:

1. Select Google Drive and Docs, Google Meet, and Google Calendar if you want to configure this option as an authorization provider. The authorization provider settings will be automatically included for Google Drive and Google Docs, Google Meet, and Google Calendar.
   If you want to add another authorization provider, then:
2. If you want to add another authorization provider, then click the ADD ANOTHER AUTHORIZATION PROVIDER button.
   • Enter a name for the provider.
   • Key URL: Enter the remote public key location.
   • Cache duration: Fortanix DSM will cache the keys to improve performance, but you can control how long the keys are cached.
   • Valid issuers: One or more valid issuers. This information is used to validate the iss field of the authorization JWT. For example, gsuitecse-tokenissuer-drive@system.gserviceaccount.com  is used for Google Drive and Docs.
   • Valid Audiences: One or more valid audiences. This information is used to validate the aud field of the authorization JWT. For example, cse-authorization is used for Google Drive and Docs.
     The following image illustrates the entered values in the respective fields:
   Figure 5: Configure Authorization Provider
   
3. Click NEXT to review the listing.

5.6 Reviewing the Added Instance

Review the information on the added instance for the Google Workspace CSE. This page confirms that your Google workspace CSE instance is set up.

The following image illustrates the Review page:

Figure 6: Review and Save Instance

Click SAVE to save the instance and generate the Key Service URL.

In the summary page, copy the Key Service URL for using it in Google Workspace Admin Console to encrypt all Google Workspace CSE documents.

Figure 7: Copy Key Service URL

5.7 Editing and Deleting and Instance

You can edit any of the provided information in the Google Workspace CSE instance using the Edit button corresponding to each widget on the screen.

You can also remove the Google Workspace CSE instance using the DELETE button available at the end of the screen.

Figure 8: Edit or Delete an Instance

5.8 Enabling Google Workspace to Access Keys in Fortanix DSM

Google Workspace CSE needs a URL to access the KEK stored in Fortanix DSM. This URL is generated in the Review wizard.  

Use the above resource URL in your Workspace admin console as your “key service URL”.

1. Log in to admin.google.com with an administrator account and click Security -> Client-side encryption.
2. Under Add external key service:
   1. Enter a name for the external key service, provide the URL that you copied in the above step, and then click Continue.
   2. Click TEST CONNECTION and make sure the connection is successful.
   3. Click Add Service -> Continue to finish the configuration.
3. Under Add identity provider, enter the details of the well-known identity provider that you provided in Fortanix Google CSE settings in Section 5.3.
   • Name: Enter a name
   • Client ID: Enter the OauthID that you added to Fortanix DSM in Section 5.3.
   • Discovery URI: https://accounts.google.com/.well-known/openid-configuration
   • Grant type: Implicit
4. Click TEST CONNECTION and make sure the connection is successful.
5. Click Add Provider to add the IdP.
6. Under Apps, click the Drive and Docs icon:
   1. Client-side encryption status -> Turn it ON
   2. Default external key service -> Select the newly added key service from drop down

Figure 9: Add External Key Service and Identity Provider

After completing the Workspace settings, follow the steps listed in About client-side encryption - Google Workspace Admin Help. You should be able to go to Google Docs and create an encrypted document, if everything works you will see audit log messages on the key(s) in DSM showing requests coming from your browser.

6.0 Frequently Asked Questions

• How to identify the security object associated with the Google document when using Group ID?
  When using Group ID, Fortanix DSM creates a security object for each document that is encrypted from Google CSE and you can identify the security object associated with a document in Fortanix DSM by clicking on the encrypted document in Gdrive and paying close attention to the document URL that contains the security object.  
• How can I segregate the security objects created by multiple teams in Google Workspace since all the security objects are created in a single group in Fortanix DSM when using Fortanix DSM Group ID in KMS URL?
  When using Group ID in KMS URL, all the security objects are created in the default group. However, you can create multiple groups, for example HR, Finance, IT, and so on, and move the associated security objects manually to the new group from the default group.
  One point to note is that when you move an object to a different group, users still need to be group admin in that group to be able to use the key to wrap/unwrap, otherwise they would get an access control error. This security requirement is the best way to restrict all the users having permissions to decrypt documents in all the security objects they are not supposed to.