Configuring Google Workspace Client-side encryption
You must indicate the URL of the external key service and the identity provider in the Google Workspace administration console.
For more information, refer to the Google documentation Use client-side encryption for users' data.
External key service is the section in the Google Workspace administration console in which you specify information for the KACLS.
With the KACLS, several external key services can be used in your Google Workspace tenant's administration console. For example, you may want a separate service for each organizational unit (OU) in your organization, or for the various Google applications (Meet, Drive, etc.).
In standalone mode, you must enter a UUID for every tenant you install, so that its associated KEKs are available. For further information, refer to the section Adding KEKs to the file.
If you are using a Key Management System (KMS), the tenant's UUID is included in the attributes of the KEK. For more information, refer to the section Configuring symmetric encryption KEKs in KMS mode.
With the KACLS, several tenants can be used on the same instance of the encryption service. For example, if your organization has several domains, you can manage each tenant independently for each domain.
An external key service must be specified for each tenant.
- The Name of the external key service can be shown in error messages that the end user will see.
- The URL of the external key service consists of the following:
  - Address of the Stormshield KMaaS instance that you are installing, e.g., https://cse.example.com/api/v1
  - Tenant UUID, e.g., a4670b0-4bc11-4290-a5bd-498c2e1fb0bf
You must generate a v4 UUID to identify tenants, even when there is only one on your instance.
EXAMPLE
https://cse.example.com/api/v1/a4670b0-4bc11-4290-a5bd-498c2e1fb0b
Google applications will use this URL, so it must be a public address.
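As an added example (not part of Stormshield's documentation or product code), the following Python generates a v4 tenant UUID, assembles the external key service URL from the instance address, and checks a configured URL for the properties described above: an https scheme, a publicly reachable host, and a well-formed version-4 UUID as the final path component. The instance address and sample URLs are constructed placeholders.

```python
import ipaddress
import re
import uuid
from urllib.parse import urlsplit

# Constructed placeholder; replace with the address of your own KMaaS instance.
KMAAS_BASE = "https://cse.example.com/api/v1"

# Canonical 8-4-4-4-12 layout with the version nibble fixed to 4 and an
# RFC 4122 variant nibble (8, 9, a or b), i.e. a random v4 UUID.
UUID_V4_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$", re.I
)


def new_tenant_uuid() -> str:
    """Generate the random (version 4) UUID that identifies one tenant."""
    return str(uuid.uuid4())


def build_external_key_service_url(base_url: str, tenant_uuid: str) -> str:
    """Join the KMaaS instance address and the tenant UUID into the KACLS URL."""
    return f"{base_url.rstrip('/')}/{tenant_uuid}"


def check_external_key_service_url(url: str) -> list[str]:
    """Return the problems found with a KACLS URL (empty list = looks fine)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme: Google calls the KACLS over TLS, use https")
    host = parts.hostname or ""
    if not host:
        problems.append("host: missing")
    else:
        try:
            # Literal IP address: must be globally routable, not loopback/private.
            if not ipaddress.ip_address(host).is_global:
                problems.append(f"host: {host} is not a public address")
        except ValueError:
            # Host name: Google must be able to resolve it publicly.
            if host == "localhost" or host.endswith((".local", ".internal")):
                problems.append(f"host: {host} is not publicly resolvable")
    tenant = parts.path.rstrip("/").rsplit("/", 1)[-1]
    if not UUID_V4_RE.match(tenant):
        problems.append(f"tenant: {tenant!r} is not a canonical version-4 UUID")
    return problems
```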
For more information, refer to the Google documentation Connect to your IdP for CSE.