Overview
This document outlines the prerequisites to ensure a smooth deployment of the Virtru Private Keystore (VPK) for Google Workspace Client-Side Encryption (CSE).
Prerequisites
Google Workspace Sync
- Action: Sync your Google Workspace tenant with Virtru.
- Guide: Follow this Google Workspace Sync Guide (prerequisite for provisioning Virtru CKS and CSE servers).
Note:
- The Virtru Private Keystore for Virtru Solutions is optional and not required for CSE deployment.
- To leverage Virtru as a backend key provider for CSE, two server-side applications must be installed and configured on separate servers.
- These applications are containerized with Docker and will be pulled from a private Virtru repository.
Gmail-Specific Prerequisites
For Gmail Users Only:
- Follow Google’s Documentation to enable CSE for Gmail.
- Request S/MIME certificates for users leveraging this capability.
- Refer to the Virtru Gmail CSE Support Article for full instructions.
Recommended Configurations
Distributed Configuration:
- A high availability load balancer connected to:
  - 2 or more hosts
  - (Optional) 2 or more locations
Minimum Configuration:
- A high availability load balancer connected to 2 hosts, each running a single container.
- Additional resources are recommended for resiliency.
Access
For a smooth VPK setup, confirm that you have access and rights for the following services:
Service | Required Access/Rights |
---|---|
DNS | |
Load Balancer | |
Host | |
Firewall | |
Container Registry | |
SSL Certificates | |
Syslog/SIEM | |
Network
Load Balancer Configuration:
- Deploy VPK in a High Availability (HA) configuration with at least 1 VPK container on 2 separate hosts.
- Backup and recovery plans are strongly recommended.
- Note: Load balancer-specific steps are outside the scope of this document. Consult your load balancer’s manual for guidance.
Warning: Deploying a single Virtru Private Keystore is highly discouraged.
Tip: Load balancer configurations can be performed after individual server installation.
SSL Certificates
As part of the configuration, you need an SSL certificate and private key for the domain used for CSE.
Steps to Generate SSL Certificates:
- Determine the FQDN for the CSE domain (e.g., https://csesrv.yourdomain.com).
- Obtain a CA-signed SSL certificate and private key.
- Combine certificate components into a single file:
  cat [path-to-certificate] [path-to-intermediate-cert-1] ... [path-to-root-cert] > server.cert
- Ensure your private key is saved separately:
  cat [path-to-private-key] > server.key
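The shell functions below are an added example, not part of the original Virtru documentation: they check the server.cert and server.key files produced by the steps above before the files are given to the containers. The function names are hypothetical; the openssl CLI, PEM-encoded files and an unencrypted private key are assumed.

```shell
#!/bin/sh
# Added example (not Virtru tooling). Function names are hypothetical.
# Assumes the openssl CLI, PEM files and an unencrypted private key.

# Leaf must be first: openssl x509 reads only the first certificate in the
# bundle, so its public key has to equal the one derived from server.key.
key_matches_leaf() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Each certificate's issuer must be the subject of the certificate after it
# (leaf, then intermediates, then root), matching the cat order above.
chain_in_order() {
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/" n ".pem")}' "$1"
    i=1; rc=0
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        iss=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer | sed 's/^issuer= *//')
        sub=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject | sed 's/^subject= *//')
        [ "$iss" = "$sub" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# The private key must not be readable by group or other (e.g. mode 600).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run every check; returns 0 only if all of them pass.
check_cse_bundle() {
    cert=$1; key=$2; ok=0
    key_matches_leaf "$cert" "$key" || { echo "FAIL: key does not match first cert in $cert" >&2; ok=1; }
    chain_in_order "$cert" || { echo "FAIL: chain is not leaf, intermediates, root" >&2; ok=1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "FAIL: leaf certificate has expired" >&2; ok=1; }
    key_is_private "$key" || { echo "FAIL: $key is readable by group/other; chmod 600" >&2; ok=1; }
    return "$ok"
}

# Usage: check_cse_bundle server.cert server.key
```

A bundle assembled in the wrong order fails the first check, because the key is then compared against an intermediate or root certificate instead of the leaf.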
Next Steps
Refer to the Google Admin Console Changes for further configuration instructions.