Workspace Key Manager Deployment

This guide will assist you in deploying the FlowCrypt Workspace Key Manager on a Virtual Machine (VM) instance of the Google Cloud Platform (GCP).

Configure a VM on GCP

To deploy WKM on GCP, it’s important to ensure that the necessary resources are available and configured properly. This includes creating a VPC network, configuring firewall rules, and setting up a static IP address. By following these steps, you can ensure that your VM is properly configured and accessible from the internet.

Create a VPC network

Please create a new Virtual Private Cloud (VPC) on GCP by following these steps:

1. Go to the sidebar menu and select VPC Network ⮕ VPC Networks ⮕ CREATE VPC NETWORK.
2. Provide the new VPC network with a name, preferably flowcrypt-cse-vpc, and a description.
3. Ensure that the option ULA internal IPv6 range for the VPC network is disabled.
4. Set Subnet creation mode to Automatic.
5. Leave all other settings as default and click on CREATE.

Create a firewall rule

Please follow the steps below to create two firewall rules that will allow access for HTTPS and SSH respectively on your VPC network.

1. Go to the VPC network page and select Firewall. Next, click on CREATE FIREWALL POLICY.
2. Provide a name for the new policy. In this instance, we’d like FlowCrypt WKM to be accessible via HTTPS, so we can use flowcrypt-cse-vpc-allow-https as our policy name.
3. Leave the Deployment scope set as Global.
4. Under the firewall rules settings, click on ADD RULE with a priority of 1000 (higher priority).
5. Set the Source type as IPv4 with an IP range of 0.0.0.0/0.
6. Under the Protocol and ports section, choose the Specified protocol and ports option, tick the TCP checkbox, and specify the port 443.
7. Leave all other options in default then proceed by clicking CREATE.
8. Now that you’ve created a firewall rule to allow access via HTTPS to FlowCrypt WKM, it’s time to set up another one for SSH.
9. On the current webpage where you added the previous rule above, click ADD RULE again but this time give it a description of flowcrypt-cse-vpc-allow-ssh while setting its priority at 2000.
10. Set the Source type as IPv4 with an IP range of 0.0.0.0/0.
11. Under the Protocol and ports section, choose the Specified protocol and ports option, tick the TCP checkbox, and enter port number 22.
12. Click CREATE when done.
13. Finally, in the Associate policy with VPC networks section of the firewall setup, link newly created policies (HTTPS & SSH) to the flowcrypt-cse-vpc VPC Network then hit the CREATE button once more.

Configure an externally-accessible static IP address for a VM

1. Under the VPC network section, click on IP Addresses.
2. Click on RESERVE EXTERNAL STATIC IP ADDRESS.
3. Assign a name to the reserved static address; preferably, use flowcrypt-cse-extip.
4. Select a region and click RESERVE.

Create a Compute Engine VM

1. On the GCP sidebar, click on Compute Engine ⮕ VM Instances ⮕ CREATE INSTANCE.
2. Name the instance as flowcrypt.
3. Additionally, the VM you will be creating will need a hostname associated with it. In the Advanced options section, expand the Networking section and specify the custom hostname of your choice in the Hostname field. This hostname value will later be used when populating the .properties file for secure connection configuration with Key Manager.
4. Select the region to match the location of the static IP.
5. Choose a zone and take note of it as it will be required for future steps.
6. In the Machine configuration section, select Series as E2, and Machine Type as e2-medium (with 2 vCPU and 4 GB memory).
7. In the Firewall configuration section, tick the allow HTTPS traffic checkbox.
8. Click on CREATE.

Attach the served static IP to the VM

1. Please open the VM that you’ve just created and then click on EDIT.
2. In the Network interfaces configuration section, please click on the dropdown menu for default network interfaces.
3. Find External IPv4 address and select the static IP address that you had created earlier (flowcrypt-cse-extip).
4. To finalize these changes, kindly click on SAVE.

Connect to the VM via SSH

1. Please launch the Google Cloud Shell.
2. Connect to the VM using the following command: gcloud compute ssh --zone <chosen-vm-zone> <vm-name> --project <project-id>.

Install FlowCrypt WKM on VM

This section provides step-by-step instructions for installing, configuring, and running the WKM app on a VM running in Google Cloud Platform (GCP).

Install Java

1. To install Java on the VM, use the command sudo apt install default-jre.
2. Verify that you’ve successfully installed Java by running java -version. You should see the version of Java in the output.

Download FlowCrypt WKM

1. To download the free version, please navigate to the WKM Download page, right-click on the download link, and select Copy link address.
2. Return to the Cloud Shell console and execute the following command: curl [flowcrypt-wkm-download-link] --output flowcrypt_wkm.zip. This will initiate the file download process.
3. After the download is complete, you need to install the unzip package to unpack the downloaded file (if you don’t already have it). You can do this by running sudo apt install unzip.
4. Now that you’ve installed unzip, you may proceed with unzipping the downloaded zip file via unzip flowcrypt_wkm.zip.
5. Change your current directory to release/flowcrypt-workspace-key-manager-[release-version]-FREE/ using the command cd release/flowcrypt-workspace-key-manager-[release-version]-FREE/. If needed, you can run ls release/ to identify the exact path for the extracted WKM files. Once in the correct directory, you can proceed with the key manager configuration.

If you’re interested in the paid version, please contact us through the FlowCrypt Enterprise Request Form.

FlowCrypt WKM Configuration

1. We suggest creating a backup of the default configuration file before proceeding. To do this, run cp flowcrypt-workspace-key-manager.properties flowcrypt-workspace-key-manager.properties.bak.
2. To ensure that the jar binary file has the correct permissions to run, execute chmod +x ./flowcrypt-workspace-key-manager-free.jar.
3. The next step is to generate a master key. This can be achieved by running sudo java -jar flowcrypt-workspace-key-manager-free.jar --create-master-key. This will output both the master key (store.master.key.value) and test vector (store.test.vector.value). Please kindly input both the master key and test vector values in the designated properties file. You may use either nano or vim to edit the properties file.

Authentication configuration

You can choose and configure different IdPs for FlowCrypt WKM. It works with Google Identity as well as other third-party IdPs such as OneLogin and many more.

To configure the IdP and authentication, please follow our Technical Overview guide for instructions on how to set up the FlowCrypt WKM.

Ensure a secure connection for the Key Manager

1. Please prepare a .p12 certificate.
2. Download it into the VM.
3. Edit the flowcrypt-workspace-key-manager.properties file.
4. Look for api.https.key.file and update its value with the path where you stored your .p12 certificate, preferably beside the WKM jar file for convenience.
5. Next, update api.https.key.password with your .p12 password and ensure that api.https.enabled is set to true.
6. Add an external IP entry on api.accept.hosts. Find this information by going to GCP’s VM Instance ⮕ VM Instances ⮕ Find the VM instance for FlowCrypt WKM ⮕ Locate External IP labeled as such to add it here along with the VM’s hostname which can be located by following these steps: go to VM instances ⮕ Find the flowcrypt VM ⮕ View the VM details ⮕ find hostname in the field labeled Hostname.
7. Lastly, update the api.url value with your new hostname on your VM.

Start the FlowCrypt WKM app

1. To start the FlowCrypt WKM app, please use sudo java -jar flowcrypt-workspace-key-manager-free.jar.
2. You can confirm if the service is up and running by checking for the line Listening on https://... in the command line output.
3. To confirm it, please visit your browser and enter the value of api.url (which is the VM’s hostname) such as https://<flowcrypt-wkm-url>/status.

Configure Google Workspace for CSE

By following these steps, you can enable client-side encryption and ensure that your data is encrypted before it’s transmitted or stored in Google’s cloud-based storage, providing an additional layer of security for your Google Workspace environment.

Add the Key Service URL to Google Admin

1. Go to the Google Admin console and navigate to Security ⮕ Access and data control ⮕ Client-side encryption.
2. Next, add the external key service.
3. Then, include the FlowCrypt WKM URL from the api.url properties file.
4. Verify if it’s reachable by clicking TEST CONNECTION and reviewing the server’s response saying Connection Success.
5. Once verified, click on ADD SERVICE.
6. Finally, still on the Client-side encryption page, click on ASSIGN, assign the newly added key service as the default, and then click SAVE.

Configure Identity Provider configuration

1. Please click on the Set up IdP fallback option.
2. Kindly provide the name of your Identity Provider, client ID, and discovery URI.
3. Select Implicit as the Grant type and proceed to click on the TEST CONNECTION button.
4. If everything has been configured successfully, you should receive a message confirming that the connection was successful.
5. Finally, please click on ADD PROVIDER.

Enable client-side encryption for Google Workspace users

1. On the Apps section of the client-side encryption page, select the app for which you want to configure CSE. This could be Calendar, Drive and Docs, Gmail, or Meet.
2. After selecting an app, choose On for the User access option.
3. Repeat this process for all selected apps and then click on SAVE.

Verify Google Workspace CSE

1. To verify if Google Workspace CSE is working properly, navigate to Google Drive and click on New. Next, select File upload followed by Encrypt and upload file.
2. You can also create new encrypted documents by navigating to Google Drive and clicking on New, then selecting Google Docs followed by Blank encrypted document.