SafeNet Trusted Access for Google Workspace Client Side Encryption (CSE)
Google Workspace CSE allows encryption of any data prior to sending it to the cloud storage.
As the encryption Key and Key management tools are managed at the client side, a trust mechanism is required between Key management tool and Google Workspace CSE to leverage the key to decrypt the file uploaded on the Cloud.
The Google Workspace CSE template provides the ability to allow Google Workspace users to create encrypted files in the Google space, such as, Google Drive. Oauth 2.0 trust is created between Google Workspace CSE and SafeNet Trusted Access allowing encryption and decryption.
Configuring SafeNet Trusted Access for Google Workspace CSE is a three-step process:
1.SafeNet Trusted Access setup
2.Google Workspace CSE setup
3.Verify encryption using the target application
To add and activate the Google Workspace CSE application in SafeNet Trusted Access, perform the following steps:
1.Add an application in STA using the Google Workspace CSE template. Click here to refer to the instructions.
The following information generated under Google Workspace CSE Setup will be needed while configuring STA for Google Workspace CSE:
•WELL KNOWN CONFIGURATION URL
2.In the Applications pane, you will notice that the application that you added in the above step is currently in inactive state by default. To configure and activate this application, click on the Google Workspace CSE application and proceed to the next step.
3.Under STA Setup, perform the following steps:
a.In the VALID REDIRECT URL field, ensure that https://krahsc.google.com/callback or https://client-side-encryption.google.com is entered.
NOTE SafeNet Trusted Access does not support more than one Valid Redirect URL. Google is currently transitioning from one redirect URL value to the other. If after configuring the integration you get a redirect url error on the IDP, switch to the other Valid Redirect URL value.
b.In the USERINFO SIGNATURE ALGORITHM field, ensure that RSA-SHA256 is selected.
c.In the REQUEST SIGNATURE ALGORITHM field, ensure that RSA-SHA256 is selected.
d.Under User Identity Claims, ensure the following:
– In the NAME field, email is entered.
– In the VALUE field, select the attribute that contains the user’s Google Workspace email address.
e.Click Save Configuration to save the details and activate the Google Workspace CSE application in SafeNet Trusted Access.
4.On the Assignment tab, assign the application to users.
Optionally, a policy can be applied to users and applications.
As prerequisites, you must have the following:
> A Google Workspace domain
>Google Workspace administrator access
>CipherTrust Manager administrator access
Configuring SafeNet Trusted Access for Google Workspace CSE requires:
>Enabling Google Workspace CSE in CipherTrust Manager
>Creating an External Key Service endpoint in Google Workspace CSE
>Adding a Key Service endpoint on Google Workspace
CipherTrust Manager (formerly known as Next Generation KeySecure) offers the industry leading enterprise key management solution that enables organizations to centrally manage encryption keys, provide granular access control, and configure security policies. Click here for more details on CipherTrust Manager.
Perform the following steps to set up the Cloud Key Manager facility of CipherTrust Manager and add SafeNet Trusted Access as an identity provider (IdP).
2.On the Cypher Trust Manager window, select Cloud Key Manager.
3.In the left pane, under Services, click Google Workspace CSE.
4.In the right pane, under Google Workspace Client Side Encryption, under IDENTITY PROVIDERS, click + Create Identity Provider.
5.On the Create Identity Provider window, under Configure Identity Provider, perform the following steps:
b.Ensure that the OpenID configuration URL option is selected, and then in the below field, enter the SafeNet Trusted Access WELL KNOWN CONFIGURATION generated step 1 of SafeNet Trusted Access Setup.
For example, if the WELL KNOWN CONFIGURATION URL is <Your SafeNet IDP Base URL>/.well-known/openid-configuration, the Issuer URL will be <SafeNet IDP Base URL>.
d.Under Confirm and create, click Save.
Perform the following steps to create an external key service endpoint in Google Workspace CSE:
1.Perform the steps 1 to 3 as mentioned in the Enabling Google Workspace CSE in CipherTrust Manager section.
2.On the Google Workspace Client Side Encryption window, under ENDPOINTS, click + Create Endpoint.
3.On the Create Endpoint window, perform the following steps:
b.In the Authentication Audience field, enter the CLIENT ID generated in step 1 of SafeNet Trusted Access Setup.
c.In the Endpoint URL Hostname field, enter a URL for Google CypherTrust Manager. For example, ctm.yourgoogledomain.com
d.Under Identity Provider, ensure that,
– The Selected option is selected.
–The identity provider (for example, STA) is listed that you created in step 5(a) of Enabling Google Workspace CSE in CipherTrust Manager.
A new endpoint URL will be generated under the ENDPOINTS list.
Perform the following steps to add the key service endpoint on Google Workspace:
1.Log in to admin.google.com using the same administrator credentials as used for Google Workspace CSE.
2.On the Google Admin window, on the top left-hand side, click to open the console menu.
3.On the Google Admin menu, click Security > Client-side encryption.
4.On the Client-Side encryption window, click on the External Key service section.
5.On the Edit external key service window, perform the following steps:
a.In the Name of external key service field, enter the name of the external key service (for example, STA_ep) that you created in step 3(a) of Creating External Key Service Endpoint in Google Workspace CSE.
b.In the URL of External Key Service field, enter the Endpoint URL generated in step 3(e) of Creating External Key Service Endpoint in Google Workspace CSE.
c.Click TEST CONNECTION to ensure that the connection is successful.
After successful connection, the Connection success message is displayed.
6.Click CONTINUE and then click YES, SAVE CHANGES.
7.On the Client-Side encryption window, click Identity provider configuration.
8.On the Edit your identity provider window, perform the following steps:
a.In the Name field, enter the identity provider display name (for example, STA).
b.In the Client ID field, enter the CLIENT ID generated in step 1 of SafeNet Trusted Access Setup.
c.In the Discovery URI field, enter the WELL KNOWN CONFIGURATION URL generated in step 1 of the SafeNet Trusted Access Setup section.
d.Under Grant type, select the Implicit option.
1.Navigate to the target application, https://drive.google.com.
2.Log in to the application using your Google Workspace user credentials.
3.On the Drive window, click New > Google Docs > Blank encrypted document.
4.Before you can edit the document, it prompts you to sign in with SafeNet Trusted Access.
5.Log in using you SafeNet Trusted Access credentials.
6.Edit and save the document.
The saved document will appear as an encrypted document in your drive space.
© 2021 SafeNet Trusted Access. Various trademarks are held by their respective owners.