About
This guide is designed to help you configure Client-Side Encryption (CSE) for Gmail using the Virtru Private Keystore.
Prerequisites
- This document assumes you have a fully functioning Virtru Private Keystore (VPK) for Google Workspace CSE running v.5.9.1 or newer.
- Recommended: Upgrade to the latest Linux or Kubernetes version of CSE to ensure compatibility with the features and commands used in this guide.
- Ensure you are working within your existing CSE project folder ( e.g., Virtru).
- Prior to making changes on your server, we recommend creating a copy of the existing
/cse
directory. - This document assumes you have administrative privileges in Google Workspace.
- Ability to request S/MIME certificates on behalf of users.
Step 1: Enable Required API & Services
The following API & Services might be needed for this deployment to be successful and have the application functioning as expected. Please enable them accordingly and ensure you are following your organization standards.
Note: You do not need to create credentials for these API & Services. However, please make sure follow your organization standards
- Enable Identity and Access Management (IAM) API - This API allows programmatic management of permissions and roles for resources across Google Cloud Platform (GCP).
- Enable Cloud Resource Manager API - Allows applications to manage GCP projects, folders, and organization policies.
- Enable Admin SDK API - This API allows access to Google Workspace management capabilities for users, groups and organizations.
- Enable Gmail API - Allows applications to access and manage Gmail accounts.
- Grant the Gmail API domain-wide access - This is crucial for uploading users’ certificates and private keys.
- Enable Cloud Key Management API (KMS) - Manages cryptographic keys for applications and services.
Click each link and hit the Enable button to activate the respective APIs for your project.
Step 2: Certificate Management
These instructions are for making changes within the Google Admin Console and managing the necessary certificates for enabling S/MIME encryption with Virtru Private Keystore, create a Service Account etc.
- Enable S/MIME Encryption in Google Admin Console:
- Go to the Google Admin Console.
- Navigate to Apps > Google Workspace > Gmail > User Settings.
- Scroll down to S/MIME and enable S/MIME encryption.
- Allow Users to Upload Certificates (Optional):
- Enable Allow Users to Upload Certificates if users need the option to upload their own certificates.
Note: Enabling manual certificate upload options is an alternative to the Python script-based upload method. The manual upload can be revisited once you read through the instructions and understand the process fully.
-
- Obtain the root CA certificate file from the CA that issued the S/MIME certificates.
- Go to Accept these additional root certificates for specific domains and upload the 'ca_root_certificate.crt'.
- Specify your organization’s domain (e.g., '@yourdomain.com') in the Address List to define where this certificate is valid.
- Save and Confirm:
- Save your changes and ensure these settings are active across your organization.
Create a Service Account (SA) in Google Console
- Navigate to Service Accounts in your project folder (e.g., Virtru)
- Click +CREATE SERVICE ACCOUNT and set the following:
- Name: Virtru-SA
- Service account ID: virtru-sa
- Click CREATE AND CONTINUE, then DONE
The Service Account (SA) role/permissions does NOT have to be specified in this step and can be left blank. The permissions for this new SA will be determined in the steps below via Domain Wide Delegation.
Virtru also recommends adhering to your organization's security policies along with this integration.
Generate and Save the SA Key
- In the Service Account’s Key tab, click ADD KEY ‘Create new key
Type: JSON > click CREATE. - Save the downloaded key as keyFile.json
- Copy or move the keyFile.json to your S/MIME directory on your server. Additional details found in this Google Document: https://cloud.google.com/iam/docs/keys-create-delete
Step 3: Add Domain-Wide Delegation (DWD)
Ensure you’re working in the existing project folder (e.g., Virtru) for your CSE
Navigate to domain-wide delegation
- Copy the client_ID/Unique ID from the Service Account’s Details tab or from the keyFile.json
- In Google Admin Console:
- Go to Security > Access and data control > API Controls.
- Under Domain Wide Delegation, select Manage Domain Wide Delegation > Click "Add New"
- Enter the Client ID and scopes for your CSE Version:
In the Client ID field, enter the service account's Client ID. In the OAuth scopes (comma-delimited) field, enter the list of scopes that your application should be granted access to.
- Click Authorize
For next steps, see the CSE for Gmail Integration S/MIME Certificates and Private Keys.