Basic concepts
This page explains the basic concepts of Client-Side Encryption (CSE), including the encryption flow and shared responsibility.
Overview
The diagram shows the encryption flow between four components: the user browser, the Identity Provider (IdP), the KACLS external key service, and Google Workspace.
- Authenticate: The browser contacts the Identity Provider to verify the user identity. Only authorized users can request encryption keys.
- Identity token: The IdP returns a signed identity token to the browser. KACLS later uses this token to confirm that the user is authorized.
- Wrap / unwrap key: The browser sends the identity token to KACLS along with a key operation request. For encryption, KACLS wraps (encrypts) the data encryption key. For decryption, it unwraps the key.
- Wrapped key: KACLS returns the wrapped key to the browser. The raw key never leaves KACLS and is never visible to Google.
- Send encrypted data: The browser encrypts the content locally and uploads only the ciphertext to Google Workspace. Google stores data it cannot read.
- Retrieve encrypted data: When you open an encrypted file or email, Google Workspace returns the ciphertext to the browser. The browser then asks KACLS to unwrap the key and decrypts the content locally.
Shared responsibility
Before you can use CSE, you must provide configuration data to STACKIT (see here). STACKIT then deploys a new instance for you. STACKIT ensures smooth operation of your CSE instance. You are responsible for configuring the CSE instance in your Google Workspace. If you prefer, STACKIT can handle this configuration for you.