As a continuation of the Google CSE Labels Integration, please follow these steps to successfully configure the Attribute-based Access Control (ABAC) feature on your Linux server. This document assumes you have completed the Google Console/Admin Changes.
Prior to making changes on your server, we recommend creating a copy of the existing /cse directory on your Linux server.
Step 1: Deploy CSE labels
- Create a file on your Linux server called keyFile.json in /var/virtru/cse and add the contents of the private key that was generated with the Service Account in Step 2 of the GCP portion.
- Add the keyFile.json volume mount (the -v /var/virtru/cse/keyFile.json line below) to your existing run.sh file. This is the file path to the keyFile.json that the Docker run script will reference.
# The keyFile.json mount exposes the service account key inside the container as /app/cse/credentials.json
docker run --detach \
  --env-file ./cse.env \
  -p 443:9000 \
  -v /var/virtru/cse/server.cert:/run/secrets/server.cert \
  -v /var/virtru/cse/server.key:/run/secrets/server.key \
  -v /var/virtru/cse/keyFile.json:/app/cse/credentials.json \
  --restart unless-stopped \
  --name cse-v<Latest Tagged Version> \
  containers.virtru.com/cse:v<Latest Tagged Version>
- Add the following variables to the cse.env file to enable the Drive Labels feature:
SERVICE_ACCOUNT_EMAIL=<admin-email@customerdomain.com>
DRIVE_LABELS=true
DRIVE_TIME=15
DRIVE_LABELS_TIME=15
ADMIN_TIME=15
GOOGLE_APPLICATION_CREDENTIALS=/app/cse/credentials.json
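A pre-flight check that can be run between Step 1 and Step 2, given here as an added example and not part of Virtru's own tooling: it confirms the key file is not readable by other users, that every Step 1 variable is set without a leftover placeholder, and that GOOGLE_APPLICATION_CREDENTIALS matches the container side of the keyFile.json mount in run.sh. The function names check_cse_labels and make_sample and the sample values are assumptions of this example; private_key and client_email are fields of Google's service account key file format.

```shell
#!/bin/sh
# Added example: pre-flight check of the files edited in Step 1.
# Usage: check_cse_labels [dir]   (dir defaults to /var/virtru/cse)
check_cse_labels() {
    dir="${1:-/var/virtru/cse}"; rc=0
    key="$dir/keyFile.json"; envf="$dir/cse.env"; run="$dir/run.sh"
    for f in "$key" "$envf" "$run"; do
        [ -f "$f" ] || { echo "FAIL: missing $f" >&2; return 1; }
    done
    # The service account private key must not be accessible to "other" users.
    [ "$(ls -ld "$key" | cut -c8-10)" = "---" ] ||
        { echo "FAIL: $key is accessible to other users" >&2; rc=1; }
    # A Google service account key file carries these two fields.
    for field in private_key client_email; do
        grep -q "\"$field\"" "$key" ||
            { echo "FAIL: $key has no $field field" >&2; rc=1; }
    done
    # Every variable from Step 1 must be set, with no <placeholder> left in.
    for v in SERVICE_ACCOUNT_EMAIL DRIVE_LABELS DRIVE_TIME DRIVE_LABELS_TIME \
             ADMIN_TIME GOOGLE_APPLICATION_CREDENTIALS; do
        grep -q "^$v=[^<]" "$envf" ||
            { echo "FAIL: $v unset or placeholder in cse.env" >&2; rc=1; }
    done
    # The credentials path must be the container side of the keyFile.json mount.
    cred=$(sed -n 's/^GOOGLE_APPLICATION_CREDENTIALS=//p' "$envf" | tail -n 1)
    mnt=$(sed -n 's|.*-v  *[^ :]*keyFile\.json:\([^ ]*\).*|\1|p' "$run" | tail -n 1)
    [ -n "$mnt" ] && [ "$cred" = "$mnt" ] ||
        { echo "FAIL: cse.env path '$cred' != run.sh mount '$mnt'" >&2; rc=1; }
    return "$rc"
}

# Constructed sample files (dummy values, no real key material) for a dry run.
make_sample() {
    printf '{"client_email":"svc@example.invalid","private_key":"DUMMY"}\n' \
        > "$1/keyFile.json"
    chmod 600 "$1/keyFile.json"
    printf '%s\n' 'SERVICE_ACCOUNT_EMAIL=admin@example.invalid' \
        'DRIVE_LABELS=true' 'DRIVE_TIME=15' 'DRIVE_LABELS_TIME=15' \
        'ADMIN_TIME=15' 'GOOGLE_APPLICATION_CREDENTIALS=/app/cse/credentials.json' \
        > "$1/cse.env"
    printf '%s\n' 'docker run --detach \' \
        '  -v /var/virtru/cse/keyFile.json:/app/cse/credentials.json \' \
        '  containers.virtru.com/cse:v<Latest Tagged Version>' > "$1/run.sh"
}

demo=$(mktemp -d) && make_sample "$demo" && check_cse_labels "$demo" &&
    echo "sample directory passes"
rm -rf "$demo"
```

On the server, call check_cse_labels with no argument to check /var/virtru/cse; a non-zero return means at least one FAIL line was printed.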
Step 2: Deploy, Verify and Test
- If you have an existing container running, stop and remove it:
docker stop <container-id>
docker rm <container-id>
- Execute your run script with the new variables from your /var/virtru/cse directory:
sh run.sh
- Verify the deployment:
docker ps
docker logs -f <container-name>
- Test by creating a blank encrypted file in Google Drive.
- Apply a label to the file that matches the parameters from the previous steps.
- As a test, share the file with authorized parties and also with one or more users who should not be able to view or edit the file.
The intended experience will be:
- Authorized parties: will be able to view or edit the file (depending on the permissions set).
- Unauthorized parties: will be presented with the message “Key service responded with an error. Contact your admin.”
Usage Limits
As this feature flag leverages the Drive Labels API, there are some Google-specific limitations to keep in mind. These limitations and details are linked below for your reference: