About
This guide is designed to help you configure Virtru Private Keystore (for Google Workspace CSE).
Assumptions
- You will create a CSE project folder (e.g., Virtru).
- This document assumes you have administrative privileges in Google Workspace.
Step 1: Enable Required API & Services
The following APIs & Services may be needed for this deployment to succeed and for the application to function as expected. Enable them accordingly and make sure you are following your organization's standards.
Note: You do not need to create credentials for these APIs & Services. However, please make sure to follow your organization's standards.
- Enable Identity and Access Management (IAM) API - This API allows programmatic management of permissions and roles for resources across Google Cloud Platform (GCP).
- Enable OAuth 2.0 Client ID - Needed for creating OAuth credentials to connect Google Workspace apps with Virtru.
- Enable Google Drive API - Required to enable CSE for Google Drive.
- Enable Google Calendar API - Required to enable CSE for Google Calendar.
- Enable People API - Helpful for managing and verifying user profiles and permissions in Google Workspace.
Click each link and hit the Enable button to activate the respective APIs for your project.
Step 2: Create a Virtru Project Folder
- Navigate to Resource Manager:
  - Go to IAM & Admin > Manage Resources in the Google Cloud Console.
- Create a New Project Folder:
  - Name: "Virtru"
  - Organization: e.g., yourdomain.com
  - Location: Select the new folder as the project location, e.g., yourdomain.com
- Assign IAM Roles to users or service accounts under IAM & Admin > IAM:
  - admin@yourdomain.com - This should be the Principal and a user with Console/Workspace admin privileges.
  - User Role - Owner
Note: creating IAM roles can be optional in some cases; please make sure you are following your organization's standards.
Step 3: Create OAuth 2.0 Credentials
- Access Google Cloud Console:
  - Go to the Google Cloud Console.
- Select the Correct Project (e.g., Virtru):
  - In the top left navigation bar, ensure that you have selected the project you created specifically for the Virtru CSE integration.
- Navigate to APIs & Services (refer to Step 1):
  - From the Navigation menu (three horizontal lines in the top-left corner), select ENABLE APIS AND SERVICES > Credentials, and enable the APIs & Services from Step 1.
- Configure the OAuth Consent Screen:
  - If this is your first time creating credentials, you'll need to configure the consent screen:
    - Click Configure consent screen.
    - Select User Type (Internal for organizational use only; External for public access, if required by your organization).
    - Complete the App Information section:
      - App name: Virtru-CSE
      - User support email: admin@yourdomain.com
      - Developer contact information: admin@yourdomain.com
  - Save and Continue through each section, providing details as necessary, then return to the Credentials page.
Note: Scopes & Test users are not required in this step.
- Create OAuth 2.0 Client ID:
  - Back in APIs & Services > Credentials, click Create Credentials and select OAuth client ID.
  - Application Type: Web Application
  - Name: Virtru-CSE-OAuth
- Specify Authorized JavaScript Origins:
  - Under Authorized JavaScript origins, add the URIs provided in the link.
- Specify Authorized Redirect URIs:
  - Under Authorized redirect URIs, add the URIs provided in the link (these allow the OAuth process to redirect back to your application securely).
- Create and Save OAuth Client ID:
  - Click Create to generate the OAuth client ID.
  - Once created, download and save the Client ID and Client Secret: these will be needed for the CSE.env configuration.
- Verify and Finalize Setup:
  - Double-check that all URIs are correct and that the consent screen is properly configured.
  - Save your OAuth Client ID and Secret securely for use in your CSE setup.
This setup will allow Google Identity Provider (IdP) to authenticate users for Virtru’s CSE with Google Workspace applications. Please refer to Google’s official documentation when configuring your application.
Step 4: Google Workspace Setup (with Google IdP Fallback Option)
Note: This setup should be completed after the CSE server is up and running.
- Access Google Admin Console:
  - Go to the Google Admin Console and sign in with an admin account.
  - Navigate to Data > Compliance > Client-side encryption > Identity provider (IdP) configuration.
- Encryption with external key service > Click Add:
  - Name: Virtru-CSE
  - URL: csesrv.yourdomain.com
  - Click TEST CONNECTION > ADD SERVICE
- Add OAuth Client ID for Virtru:
  - In Identity provider configuration, click Add/Configure IdP.
  - Enter Client ID details: use the OAuth 2.0 Client ID and Client Secret from your Google Cloud Console setup in Step 3.
- To Set Google as the Fallback IdP (use Option 2, Step 3 in this link):
  - Under Identity provider configuration, select Use Google as fallback IdP. This allows users to authenticate with Google as the default option for CSE.
  - Name: Google IDP for Virtru-CSE
  - Client ID: Enter the OAuth Client ID, e.g., 123456789-eOauthID.apps.googleusercontent.com
  - Discovery URI: https://accounts.google.com/.well-known/openid-configuration
  - Click TEST CONNECTION
  - Grant type: Implicit
  - Enable Supported Applications: Select the applications (Google Drive, Gmail, Meet (optional), Calendar, Docs, Sheets, Slides) to activate CSE with your selected IdPs.
  - Save Configuration: Click SAVE to apply the settings.
  - Test the IdP Integration by accessing Google Drive and verifying that the Google fallback IdP prompts for authentication. Additional IdPs (like Okta) will appear as options if configured.
- Select the Apps:
  - Calendar, Drive and Docs, Meet (optional), Gmail (only if CSE for Gmail is configured).
- Add Additional IdPs (Optional):
  - Google Workspace supports multiple IdPs, allowing you to add additional IdPs like Okta for future flexibility.
  - To add another IdP, repeat the Add IdP step and configure it with the chosen provider's OAuth credentials.
This configuration provides a flexible authentication setup for Virtru CSE, with Google as the fallback IdP and the option to integrate other providers like Okta if desired. Please refer to Google’s official documentation when configuring your application.
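As an added example (not part of this guide and not Virtru's or Google's code), the Python script below checks the values gathered in Steps 3 and 4 before you save them: the Google OAuth client ID shape, the Google discovery URI and its issuer, an https key service URL (assumed requirement), and that every Authorized JavaScript origin and redirect URI is an exact https entry with no wildcard. The key names (client_id, key_service_url, js_origins, redirect_uris), the truncated discovery document and the sample URIs are constructed placeholders; the real URIs come from the link the guide refers to.

```python
import re
from urllib.parse import urlparse

# Values the guide gives for the Google fallback IdP.
GOOGLE_DISCOVERY_URI = "https://accounts.google.com/.well-known/openid-configuration"
GOOGLE_ISSUER = "https://accounts.google.com"
# Shape of a Google OAuth client ID (guide's example: 123456789-eOauthID.apps.googleusercontent.com).
CLIENT_ID_RE = re.compile(r"^\d+-[A-Za-z0-9]+\.apps\.googleusercontent\.com$")


def check_origin(origin):
    """An Authorized JavaScript origin must be an exact https origin: no path, query, fragment or wildcard."""
    u = urlparse(origin)
    return (u.scheme == "https" and bool(u.netloc) and "*" not in u.netloc
            and u.path == "" and not u.query and not u.fragment)


def check_redirect_uri(uri):
    """An Authorized redirect URI must be an absolute https URI with no fragment or wildcard."""
    u = urlparse(uri)
    return u.scheme == "https" and bool(u.netloc) and "*" not in uri and not u.fragment


def check_cse_config(cfg, discovery_doc):
    """Return the list of problems found (an empty list means the values match the guide's expectations)."""
    problems = []
    if not CLIENT_ID_RE.match(cfg.get("client_id", "")):
        problems.append("client_id does not look like a Google OAuth client ID")
    if cfg.get("discovery_uri") != GOOGLE_DISCOVERY_URI:
        problems.append("discovery_uri is not Google's OIDC discovery document")
    if discovery_doc.get("issuer") != GOOGLE_ISSUER:
        problems.append("discovery document issuer is not " + GOOGLE_ISSUER)
    if urlparse(cfg.get("key_service_url", "")).scheme != "https":  # assumed: key service must be https
        problems.append("key_service_url must use https")
    problems += ["bad JavaScript origin: " + o for o in cfg.get("js_origins", []) if not check_origin(o)]
    problems += ["bad redirect URI: " + r for r in cfg.get("redirect_uris", []) if not check_redirect_uri(r)]
    return problems


# Constructed sample in the guide's placeholder shape; two entries are deliberately wrong.
SAMPLE_CONFIG = {
    "client_id": "123456789-eOauthID.apps.googleusercontent.com",
    "discovery_uri": GOOGLE_DISCOVERY_URI,
    "key_service_url": "https://csesrv.yourdomain.com",
    "js_origins": ["https://csesrv.yourdomain.com", "http://csesrv.yourdomain.com/"],
    "redirect_uris": ["https://csesrv.yourdomain.com/oauth/callback", "https://*.yourdomain.com/cb"],
}
# Constructed, truncated stand-in for Google's discovery document (only the field we check).
SAMPLE_DISCOVERY = {"issuer": "https://accounts.google.com"}

if __name__ == "__main__":
    for p in check_cse_config(SAMPLE_CONFIG, SAMPLE_DISCOVERY):
        print("PROBLEM:", p)
```

Run it against the values you entered in the consoles; anything it reports should be corrected before clicking TEST CONNECTION.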
For next steps, see the CSE Install - First Instance Linux Server, RHEL Server (using Podman) or Kubernetes Server.