This guide includes instructions to configure the Virtru Private Keystore for CSE.
Assumptions:
- This document assumes you have completed the Google Console/Admin Changes.
- Virtru Private Keystore for CSE Gmail is configured within your environment.
The setup and upload of S/MIME certificates and private keys for Google Workspace CSE can technically be done on “any computer”, as long as it has the required software (Python 3, OpenSSL) and access to the relevant files. However, there are a few considerations for choosing where to run these commands.
Running the Python script and related commands on the CSE (Client-Side Encryption) server is recommended for these reasons:
1. Consistency and Security:
- Running on the CSE server ensures that sensitive files, such as private keys and certificates, remain in a secure and consistent environment.
- The server environment is likely already configured to handle these files securely and may have the necessary permissions and network configurations.
2. Access to the Keystore:
- Since you’ll need to reference the 'kacls_url' (the URL of the key service configured in the Admin console) and upload to Google, having everything in one place (like the CSE server) can simplify configuration and reduce network complexities.
- If the CSE server is set up with specific access rules or firewall configurations, running the script directly there may avoid additional configuration or access issues.
3. Simplicity in Management:
- Managing key files and certificates on a dedicated server (the CSE server) centralizes and simplifies the process, particularly in cases where you need to repeat or update the uploads.
Steps for Running on the CSE Server
If you decide to run the script on the CSE server, here’s the streamlined process:
1. Download and Extract the Python Script:
- Download or copy the Python script package (.zip) to the CSE server and extract the files into a working directory.
wget https://dl.google.com/clientsideencryption/gmail-cse-scripts/latest/customer_cli.zip
or
curl -O https://dl.google.com/clientsideencryption/gmail-cse-scripts/latest/customer_cli.zip
then
apt install unzip
unzip customer_cli.zip
2. Create a Virtual Environment and Install Dependencies:
- In the working directory, create a virtual environment and install the required modules:
python3 -m venv cli_env
source cli_env/bin/activate
pip install -r requirements.txt
3. Prepare Directories for Wrapped Keys and Certificates:
- If the directories do not exist, create directories for storing wrapped private keys and certificates:
mkdir -p /var/virtru/cse/wrapped-private-keys
mkdir -p /var/virtru/cse/p7pem-certs
- Convert Certificates to P7 PEM Format (if needed) - If you have certificates in '.p7b' format, convert them to '.p7pem' using the following command (which, as '-inform DER' states, expects a DER-encoded '.p7b' file):
openssl pkcs7 -inform DER -in old_name.p7b -outform PEM -out new_name.p7pem
4. Upload Users' Key Pairs and Certificates:
- Use the JSON file with service account credentials ('keyFile.json'), stored securely on the server, to upload wrapped private keys and certificates:
python cse_cmd.py insert \
--creds /var/virtru/cse/keyFile.json \
--inkeydir /var/virtru/cse/wrapped-private-keys \
--incertdir /var/virtru/cse/p7pem-certs
5. Verify Key Pairs and Identities:
- After uploading, verify that the users have valid key pairs and identities in Gmail:
python cse_cmd.py list_keypair
python cse_cmd.py list_identity
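As an added example (not the guide's own commands and not part of Google's customer_cli package), the script below wraps steps 3 to 5 into one pre-flight run: it checks that python3 and openssl are present, refuses to continue if 'keyFile.json' is readable by anyone other than its owner, converts each '.p7b' to '.p7pem' while also accepting PEM-encoded '.p7b' files (which the single DER command above does not), and then runs the insert and the two list commands. The staging directory /var/virtru/cse/p7b-certs and the 'run' argument are assumptions.

```shell
#!/bin/sh
# Pre-flight wrapper for steps 3-5 of this guide (added example; not part of
# Google's customer_cli package or the Virtru documentation). Assumes it is run
# from the extracted customer_cli directory with the virtual environment active.
set -eu
CSE_DIR=/var/virtru/cse
CREDS="$CSE_DIR/keyFile.json"
KEYDIR="$CSE_DIR/wrapped-private-keys"
CERTDIR="$CSE_DIR/p7pem-certs"
P7B_DIR="$CSE_DIR/p7b-certs"   # assumed staging directory for raw .p7b files

# Print PEM or DER depending on whether the PKCS#7 file carries a PEM header.
# The guide's openssl command assumes DER; this lets the conversion take both.
p7_inform() {
  if head -c 10 "$1" | grep -q -- '-----BEGIN'; then echo PEM; else echo DER; fi
}

# Succeed only if group and others have no permission bits (ls columns 5-10).
# keyFile.json is the upload credential, so it should stay mode 0600.
creds_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = '------' ]
}

# Convert every .p7b in $1 to a same-named .p7pem in $2 (step 3 of the guide).
convert_p7b_dir() {
  mkdir -p "$2"
  for f in "$1"/*.p7b; do
    [ -e "$f" ] || continue
    openssl pkcs7 -inform "$(p7_inform "$f")" -in "$f" -outform PEM \
      -out "$2/$(basename "$f" .p7b).p7pem"
  done
}

main() {
  for tool in python3 openssl; do
    command -v "$tool" >/dev/null || { echo "missing tool: $tool" >&2; exit 1; }
  done
  creds_private "$CREDS" || { echo "$CREDS must be mode 0600" >&2; exit 1; }
  mkdir -p "$KEYDIR"
  convert_p7b_dir "$P7B_DIR" "$CERTDIR"
  # Steps 4 and 5: upload, then list what Gmail now holds for verification.
  python cse_cmd.py insert --creds "$CREDS" \
    --inkeydir "$KEYDIR" --incertdir "$CERTDIR"
  python cse_cmd.py list_keypair
  python cse_cmd.py list_identity
}
case "${1:-}" in
  run) main ;;
  *) echo "usage: $0 run" >&2 ;;
esac
```

Run it as `sh preflight.sh run` from the extracted customer_cli directory after activating the virtual environment.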
Alternative: Running on Another Computer
If you prefer, these steps can be run on a local machine (e.g., a Mac, Linux, or Windows computer) as long as:
- The machine has secure access to the required key and certificate files.
- The machine can access the CSE server and Google API endpoints (network permissions).
In this case, you’ll need to securely transfer files like 'keyFile.json' back to the CSE server after configuration to maintain a consistent and secure environment.
For next steps, see the CSE for Gmail Integration Test Procedures.