Required ENV variables for Virtru Private Keystore (for Google Workspace CSE) configuration
Values to fill out if using CKS (refer to the chart at the end for the values needed for the cse.env)
```
HMAC_TOKEN_ID=00000000000000000000@tokens.virtru.com
HMAC_TOKEN_SECRET=00000000000000000000
CKS_HMAC_TOKEN_ID=v0000000000000000000@token.virtru.com
CKS_HMAC_TOKEN_SECRET=0000000000000000000000
JWKS_AUTHN_ISSUERS=000000000000000000000
JWKS_AUTHZ_ISSUERS=0000000000000000000000000
JWT_AUD=000000000000000000000
JWT_KACLS_URL=https://csesrv.customer.com
TAKEOUT_CLAIM=cse_takeout
ACM_URL=https://api.virtru.com/acm/api
ACCOUNTS_URL=https://api.virtru.com/accounts/api
CKS_URL=https://cks.customer.com
PORT=9000
USE_SSL=true
# Values to set below if using the Drive Labels integration
#DRIVE_LABELS=true
#SERVICE_ACCOUNT_EMAIL=<admin-email@customerdomain.com>
#DRIVE_TIME=15
#DRIVE_LABELS_TIME=15
#ADMIN_TIME=15
#GOOGLE_APPLICATION_CREDENTIALS=/app/cse/credentials.json
```
Values to fill out if not using CKS
```
HMAC_TOKEN_ID=00000000000000000000@tokens.virtru.com
HMAC_TOKEN_SECRET=00000000000000000000
#CKS_HMAC_TOKEN_ID=
#CKS_HMAC_TOKEN_SECRET=
JWKS_AUTHN_ISSUERS=000000000000000000000
JWKS_AUTHZ_ISSUERS=0000000000000000000000000
JWT_AUD=000000000000000000000
JWT_KACLS_URL=https://csesrv.customer.com
TAKEOUT_CLAIM=cse_takeout
ACM_URL=https://api.virtru.com/acm/api
ACCOUNTS_URL=https://api.virtru.com/accounts/api
#CKS_URL=
PORT=9000
USE_SSL=true
USE_CKS=false
#SECRET_KEY=0000000000000000
#SECRET_KEYS_PATH=/app/cse/secrets.json
# Values to set below if using the Drive Labels integration
#DRIVE_LABELS=true
#SERVICE_ACCOUNT_EMAIL=<admin-email@customerdomain.com>
#DRIVE_TIME=15
#DRIVE_LABELS_TIME=15
#ADMIN_TIME=15
#GOOGLE_APPLICATION_CREDENTIALS=/app/cse/credentials.json
```
Reference for Google IDP values:
https://support.google.com/a/answer/10743588?hl=en&ref_topic=10742486
Virtru Private Keystore (for Google Workspace CSE) Values Chart

| Environment Variable | Description | Example |
|---|---|---|
| HMAC_TOKEN_ID | The HMAC token credentials used to access Virtru SaaS (provided by Virtru) | |
| HMAC_TOKEN_SECRET | The secret paired with HMAC_TOKEN_ID (provided by Virtru) | 0000000000000000000000000 |
| CKS_HMAC_TOKEN_ID | The HMAC token credentials used to access the CKS. Values are found in the customer CKS server and in the send_to_virtru.tar.gz file. (Only if using the CKS option) | |
| CKS_HMAC_TOKEN_SECRET | The secret paired with CKS_HMAC_TOKEN_ID (only if using the CKS option) | 0000000000000000000000000 |
| JWKS_AUTHN_ISSUERS | A base-64 encoded map of accepted authentication issuer IDs (from the authentication JWT) to the URL where the issuer publishes its JSON Web Key Set. This is dictated by the customer via their IDP; in the example provided it is Google OAuth. | Running the command below gives you the base-64 encoded value needed for the cse.env. Example for Google IDP: `echo '{ "https://accounts.google.com": "https://www.googleapis.com/oauth2/v3/certs" }' \| base64` |
| JWKS_AUTHZ_ISSUERS | A base-64 encoded map of accepted authorization issuer IDs (from the authorization JWT) to the URL where the issuer publishes its JSON Web Key Set. This is dictated by Google. | Running the command below gives you the base-64 encoded value needed for the cse.env: `echo '{ "gsuitecse-tokenissuer-drive@system.gserviceaccount.com": "https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-drive@system.gserviceaccount.com","gsuitecse-tokenissuer-meet@system.gserviceaccount.com": "https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-meet@system.gserviceaccount.com","gsuitecse-tokenissuer-calendar@system.gserviceaccount.com": "https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-calendar@system.gserviceaccount.com" }' \| base64` |
| JWT_AUD | Base-64 encoded JSON map of JWT audiences for authorization and authentication. These are used to ensure that we don't accept JWTs written by authn or authz issuers for other services. The authz audience, which is sent by Google, will always be `cse-authorization`, but the authn audience is configured through the customer's IDP. For Google OAuth, the authn audience is the OAuth client ID string. | Running the command below gives you the base-64 encoded value needed for the cse.env. Example for Google IDP: `echo '{ "authn": "000000000000000000000000000000000.apps.googleusercontent.com", "authz":"cse-authorization" }' \| base64` |
| JWT_KACLS_URL | The URL where the CSE service is hosted, configured by the customer. This field allows detection of potential man-in-the-middle servers configured by insiders or rogue domain admins. | |
| TAKEOUT_CLAIM | The JWT claim used to signify that a user has permission to submit a takeout unwrap request. This is configured on the authentication token from the customer's identity provider. | cse_takeout |
| ACM_URL | The Virtru ACM URL | |
| ACCOUNTS_URL | The Virtru Accounts URL | |
| CKS_URL | The CKS URL. Should be wherever the customer's CKS is accessible from. | |
| PORT | The port to run the CSE server on | 9000 |
| USE_SSL | Whether the application should use SSL. Set to false to run over HTTP and true to use HTTPS. | true |
| SECRET_KEY | If NOT using CKS (only available on v3.0.0 and later) (DO NOT LOSE THIS KEY). Generate a secret key and store it locally on your server: | |
| HTTPS_PROXY, HTTP_PROXY | If using an internal web proxy, enter the proxy IP or FQDN and listening port for these values to have the container connect via the proxy. | https://myproxy-server.com:443 |
| SECRET_KEYS_PATH | Path to the secrets.json file where the secret key(s) are held in the CSE container. Required key format in secrets.json: `{"active":"secret-key","secrets":[{"name":"secret-key","value":"00000000000000000000000000000000"}]}` | /app/cse/secrets.json |
| DRIVE_LABELS | Flag used to set whether the Drive Labels feature is being used | true (default is false) |
| GOOGLE_APPLICATION_CREDENTIALS | If the DRIVE_LABELS flag is set to true, this points to the credentials file | ./credentials.json (defaults to unset) |
| DRIVE_TIME | Time taken for the Drive cache to refresh | 3600 |
| ADMIN_TIME | Time taken for the Admin cache to refresh | 86400 |
| DRIVE_LABELS_TIME | Time taken for the Drive Labels cache to refresh | 86400 |
| SERVICE_ACCOUNT_EMAIL | If the DRIVE_LABELS flag is set to true, this is set to the email of the owner that is used by the service account | unset |
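The following is an added example, not Virtru's code and not part of the chart above. It shows how the JWKS_AUTHN_ISSUERS, JWKS_AUTHZ_ISSUERS, JWT_AUD, JWT_KACLS_URL and TAKEOUT_CLAIM values are consumed once a token's signature has been verified, and checks a secrets.json document against the layout required by the SECRET_KEYS_PATH row. The env values, token payloads and secrets file are constructed; the OAuth client ID is a placeholder; and the assumption that Google's authorization token carries the target key service URL in a `kacls_url` claim is this example's, not the page's.

```python
import base64
import json

# ---- Building the base64 map values (the chart's `echo '<json>' | base64`) ----

def encode_map(mapping: dict) -> str:
    """Base64-encode a JSON object the way the chart's echo|base64 command does
    (minus the trailing newline echo adds; decode_map tolerates both forms)."""
    return base64.b64encode(json.dumps(mapping).encode()).decode()


def decode_map(value: str) -> dict:
    """Decode a JWKS_*_ISSUERS or JWT_AUD value back into its JSON map."""
    return json.loads(base64.b64decode(value))


# Constructed cse.env values (placeholder OAuth client ID, one Google authz issuer).
CSE_ENV = {
    "JWKS_AUTHN_ISSUERS": encode_map(
        {"https://accounts.google.com": "https://www.googleapis.com/oauth2/v3/certs"}),
    "JWKS_AUTHZ_ISSUERS": encode_map({
        "gsuitecse-tokenissuer-drive@system.gserviceaccount.com":
            "https://www.googleapis.com/service_accounts/v1/jwk/"
            "gsuitecse-tokenissuer-drive@system.gserviceaccount.com",
    }),
    "JWT_AUD": encode_map({
        "authn": "000000000000000000000000000000000.apps.googleusercontent.com",
        "authz": "cse-authorization",
    }),
    "JWT_KACLS_URL": "https://csesrv.customer.com",
    "TAKEOUT_CLAIM": "cse_takeout",
}


def jwks_url_for(env: dict, token_type: str, payload: dict):
    """JWKS URL to fetch signing keys from, or None when the token's issuer is
    not in the configured allow-list (such a token must be rejected)."""
    key = "JWKS_AUTHN_ISSUERS" if token_type == "authn" else "JWKS_AUTHZ_ISSUERS"
    return decode_map(env[key]).get(payload.get("iss"))


def check_claims(env: dict, token_type: str, payload: dict) -> list:
    """Claim checks the configuration drives; returns a list of problems (empty = OK).
    Signature verification against the JWKS from jwks_url_for() is assumed done first."""
    problems = []
    if jwks_url_for(env, token_type, payload) is None:
        problems.append("issuer not in allow-list")
    expected_aud = decode_map(env["JWT_AUD"])[token_type]
    aud = payload.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    # Assumption (not from the page): the authorization token names the key
    # service it was minted for in a "kacls_url" claim; comparing it with
    # JWT_KACLS_URL is how a token aimed at a look-alike server is detected.
    if token_type == "authz" and payload.get("kacls_url") != env["JWT_KACLS_URL"]:
        problems.append("kacls_url does not match JWT_KACLS_URL")
    return problems


def can_takeout(env: dict, authn_payload: dict) -> bool:
    """True only when the IDP put a truthy TAKEOUT_CLAIM claim on the authn token."""
    return bool(authn_payload.get(env["TAKEOUT_CLAIM"]))


def check_secrets_file(doc: dict) -> list:
    """Validate the secrets.json layout from the SECRET_KEYS_PATH row:
    {"active": "<name>", "secrets": [{"name": "<name>", "value": "<key>"}, ...]}"""
    problems = []
    secrets = doc.get("secrets")
    if not isinstance(secrets, list) or not secrets:
        return ["secrets must be a non-empty list"]
    names = [s.get("name") for s in secrets]
    if len(names) != len(set(names)):
        problems.append("duplicate secret names")
    for s in secrets:
        if not isinstance(s.get("name"), str) or not isinstance(s.get("value"), str) or not s["value"]:
            problems.append(f"secret {s.get('name')!r} needs a string name and a non-empty value")
    if doc.get("active") not in names:
        problems.append("active does not name a listed secret")
    return problems


# Constructed sample payloads (treated as already signature-verified).
AUTHN_OK = {"iss": "https://accounts.google.com",
            "aud": "000000000000000000000000000000000.apps.googleusercontent.com",
            "email": "user@customer.com", "cse_takeout": True}
AUTHZ_OK = {"iss": "gsuitecse-tokenissuer-drive@system.gserviceaccount.com",
            "aud": "cse-authorization", "kacls_url": "https://csesrv.customer.com"}
AUTHZ_WRONG_KACLS = dict(AUTHZ_OK, kacls_url="https://csesrv.other.example")
SECRETS_OK = {"active": "secret-key",
              "secrets": [{"name": "secret-key", "value": "00000000000000000000000000000000"}]}

if __name__ == "__main__":
    print("authn:", check_claims(CSE_ENV, "authn", AUTHN_OK))
    print("authz:", check_claims(CSE_ENV, "authz", AUTHZ_OK))
    print("redirected authz:", check_claims(CSE_ENV, "authz", AUTHZ_WRONG_KACLS))
    print("takeout allowed:", can_takeout(CSE_ENV, AUTHN_OK))
    print("secrets.json:", check_secrets_file(SECRETS_OK))
```

Because the issuer map is an allow-list keyed by the `iss` claim, a token from any issuer not listed never gets as far as key retrieval, and because JWT_AUD is checked per token type, an authorization token can't be replayed as an authentication token even though both come from Google. The secrets.json check is worth running before the container starts: an `active` name with no matching entry is the kind of mistake that only surfaces at the first unwrap.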