Latest enhancements to the Encryption Platform
October 17, 2025
Stormshield Key Management as a service
- The new Key Access Management feature is dedicated to the Stormshield SDK. It enables:
  - Symmetric encryption and decryption,
  - Asymmetric rewrap to allow Stormshield SDK to retrieve or re-encrypt keys needed to decrypt protected data.
- You can now configure OPA enforcement for each tenant and feature:
  - For the KACLS, the configuration files are policy.wasm and policy.data.json,
  - For Crypto API, the configuration files are policy-crypto-api.wasm and policy-crypto-api.data.json,
  - For the Key Access Management, the configuration files are policy-kas.wasm and policy-kas.data.json.
- When encrypting data with Crypto API, you can now specify the key encryption key (KEK) to be used to encrypt the data encryption key (DEK).
- Crypto API now supports API key authentication.
- The new PKI feature allows issuing certificates for mTLS authentication from a Certificate Signing Request (CSR).
- In the config.json file, you can now specify the format of the logs to be generated, in order to prepare for migration to the new log format.
- A dedicated log allows you to trace the proxy initialization.
If a feature is enabled, you must set its policy_enforcement parameter to specify whether the OPA rules must be used or not.
Stormshield SDK
Stormshield SDK 3.0.0 has been released with the following changes:
- Stormshield SDK now supports offline encryption based on asymmetric operations. Connection to the Stormshield KMaaS is still required to decrypt data.
- The format of assertions is no longer restricted to strings and objects. You can add your own formats such as the XML-structured format.
- Stormshield SDK now uses dedicated endpoints to enforce security in the Stormshield KMaaS dedicated KAS module. It is no longer linked to the Crypto API.
For more information, refer to the Stormshield SDK Documentation.
Public API
The following fields have been renamed for more consistency:
- The "encryptedData" response field for the crypto_api/encrypt route has been renamed "encrypted_data",
- The "encryptedData" input parameter for the crypto_api/decrypt route has been renamed "encrypted_data".
October 3, 2025
KACLS now supports the Send to Anyone Gmail feature. It allows users to send end-to-end encrypted emails to anyone, even if the recipient uses a different email provider, without having to deploy a complex PKI.
For more information, see the Google documentation.
September 18, 2025
The Stormshield KMaaS now supports the conversion of decrypted Google Sheets into Microsoft Excel files.
For more information, refer to the Google documentation.
September 2, 2025
Stormshield SDK 2.0.0 has been released with the following changes:
New features and improvements
- Assertions can be added during encryption to enhance security.
- SDK input data size limit has been removed for greater flexibility.
- Improved decryption performance for faster data processing.
New behavior
- The format of data encrypted with version 1.0.0 of Stormshield SDK is not compatible with version 2.0.0. To upgrade, first decrypt the data using version 1.x, then re-encrypt it using a higher version.
- Modification of the SdsdkZtdf class:
  - The .b64Payload getter has been removed. Use .payload instead.
  - The b64Payload property of the fromJson method has been replaced by payload.
For more information, refer to the Stormshield SDK Documentation.
June 30, 2025
Release of Stormshield SDK
Stormshield Encryption Platform now includes a Software Development Kit (SDK) which simplifies client-side encryption and zero trust data control in any application.
For more information, refer to the Stormshield SDK Documentation.
December 30, 2024
Gmail message encryption
The Stormshield KMaaS now supports the SHA512withRSA algorithm for key encryption for Gmail.
Mass import of files to Google Drive
The Stormshield KMaaS now supports the mass importing of sensitive data into Google Drive. Data imported from third-party storage is encrypted by the Stormshield KMaaS in Google Drive. See an example on GitHub googleworkspace. This Beta feature is currently under development at Google.
For more information, refer to the Google documentation and contact Google Support.
SDS CryptoAPI
The new SDS CryptoAPI feature provides two API routes, crypto/encrypt and crypto/decrypt, which enable data to be encrypted and decrypted, completely independently of Google.
SDS CryptoAPI is currently in its alpha version. Stormshield does not guarantee that it will be possible to decrypt data encrypted with this version with a later version of the feature.
Log improvements
Several logs have been added to help you monitor the Stormshield KMaaS.
June 25, 2024
Collaboration with external users
The Stormshield KMaaS now supports the Google feature allowing users to share encrypted files with external partners on Google Drive, Docs, Sheets and Slides.
For more information, refer to the Google documentation.
May 03, 2024
External Google Meet invitations
The Stormshield KMaaS now supports the Google feature that makes it possible for external users to participate in encrypted Google Meet conferences. For more information, refer to the Google documentation.
Client-side encryption and data loss prevention
You can now use client-side encryption information as a condition in a data loss prevention (DLP) rule. Google DLP makes it possible to control the content that users are allowed to share in files outside the organization. For more information, refer to the Google documentation.
March 26, 2024
Encrypted import of Excel files into Google Sheets
Users can now import and encrypt Microsoft Excel files into Google Sheets.
For more information, refer to the Google documentation.
Co-host management in Google Meet
The Stormshield KMaaS is now compatible with the Google Meet co-host feature.
For more information, refer to the Google documentation.
External Google Meet invitations
The Stormshield KMaaS now supports Google's Beta feature for inviting external participants to Google Meet conferences.
This Beta feature is currently under development at Google. Contact Google Support for more information on implementation and limitations.
Encryption and signature keys
It is now possible to use different keys to decrypt and sign Gmail messages.
January 17, 2024
Manage comments and action items on Google Docs
The Stormshield KMaaS is now compatible with comment and action item management on Google Docs.
For more information, refer to the Google documentation.
October 24, 2023
Support for Gmail on mobile
With the Stormshield KMaaS, users can now encrypt their emails in Gmail on iOS and Android mobile devices.
September 27, 2023
Edit encrypted Excel files with Google Sheets
Users can now view and edit encrypted Excel files directly with Google Sheets.
For more information, refer to the Google documentation.
September 20, 2023
Bulk file import
The Stormshield KMaaS now supports bulk import of encrypted files into Google Drive using a compatible third-party software.
For more information, refer to the Google documentation.
August 25, 2023
Support for Google Meet
With the Stormshield KMaaS, users can now encrypt confidential video conferences and calls in Google Meet. In addition to the Google Workspace Web Client, this feature is now available on iOS and Android mobile devices.
May 24, 2023
Support for chat messages in Google Meet
The content of Google Meet chat messages can now be secured with the Stormshield KMaaS.
April 27, 2023
Mass extraction and decryption of encrypted data
To ensure that data encryption can be reversed, you can now extract all encrypted data and decrypt all of it in a single action using the Google tool (currently in beta version) and the Stormshield KMaaS. Stormshield must first provide you with a specific configuration. Please note that in the Beta version of the Google tool, only Gmail and Drive files can be used after decryption. Files from other Google Workspace applications are decrypted but not usable.
Identity provider
It is now possible to use OpenID JWKS (JSON Web Key Set) configurations to configure user identity providers.
March 31, 2023
Migration of the KACLS
The Stormshield KMaaS is compatible with Google's new specifications regarding the migration of one KACLS to another, in particular allowing a mass migration in a single operation.
February 28, 2023
Support for Gmail
Gmail messages and attachments can now be secured with the Stormshield KMaaS.
February 16, 2023
Support for Google Drive
With the Stormshield KMaaS, users can now encrypt confidential files in Google Drive and read them. This feature is available on Windows and macOS workstations, and on mobile iOS and Android devices.
Support for Google Calendar
Google Calendar data can now be secured with the Stormshield KMaaS.
Cache
The Stormshield KMaaS now includes a cache for external requests (e.g., OpenID Connect, JWKS), which optimizes response time.
December 22, 2022
Gmail beta version support
Google released the beta version of the client-side encryption for Gmail. Gmail messages and attachments can now be secured with the Stormshield KMaaS.
September 29, 2022
Support for Google Meet
Google Meet data can now be secured with the Stormshield KMaaS.
Using two KACLS
The Stormshield KMaaS is compatible with the new Google feature that allows two KACLS to coexist for the purpose of migrating from one service provider to another. For example, new files can be encrypted with the Stormshield KMaaS, while older files protected by another KACLS provider can be decrypted.
April 28, 2022
With the Stormshield KMaaS, you can guarantee the absolute confidentiality of your corporate data and benefit from Google Workspace collaboration tools at the same time, while complying with the regulatory restrictions of your sector.
Users can therefore protect their data before sending it to Google Workspace applications. Unencrypted data and encryption keys are never sent to Google.
The Stormshield KMaaS uses an identity provider (IDP) to authenticate end users, manage their access permissions and their life cycles. Configure the provider you want to use, and find all the detailed steps in the Google documentation.
The following are the features in Stormshield KMaaS:
| Feature | Description |
| --- | --- |
| Protection of files before sharing them | Users protect their files on their workstations via their browsers. |
| Sharing of files in shared spaces | Users share their protected files on Google Workspace. |
| Management of privileges on files | The operations that each user can perform depend on the privileges that the Google Workspace administrator has granted in the configuration. For example, the privilege of sharing files with external users who belong to specific domains. |
| Verification of authorized persons | During each operation in which a file is protected or modified, the service will ensure that persons allowed to look up the file are trustworthy. |