| Prerequisites |
|---|
| View our Technical Overview to get familiar with the running and configuration options. |
| An existing project on the Google Cloud Platform. |

This guide will assist you in deploying the FlowCrypt Workspace Key Manager on a Virtual Machine (VM) instance of the Google Cloud Platform (GCP).
You can validate that the Compute Engine API is enabled for the project by navigating to Cloud Console ⮕ APIs & Services ⮕ Enabled APIs & Services and locating the Compute Engine API in the list.
Configure a VM on GCP
To deploy WKM on GCP, it’s important to ensure that the necessary resources are available and configured properly. This includes creating a VPC network, configuring firewall rules, and setting up a static IP address. By following these steps, you can ensure that your VM is properly configured and accessible from the internet.
Create a VPC network
Please create a new Virtual Private Cloud (VPC) on GCP by following these steps:
- Go to the sidebar menu and select VPC Network ⮕ VPC Networks ⮕ CREATE VPC NETWORK.
- Provide the new VPC network with a name, preferably `flowcrypt-cse-vpc`, and a description.
- Ensure that the option ULA internal IPv6 range for the VPC network is disabled.
- Set Subnet creation mode to `Automatic`.
- Leave all other settings as default and click on CREATE.
Create a firewall rule
Please follow the steps below to create two firewall rules that will allow access for HTTPS and SSH respectively on your VPC network.
- Go to the VPC network page and select Firewall. Next, click on CREATE FIREWALL POLICY.
- Provide a name for the new policy. In this instance, we'd like FlowCrypt WKM to be accessible via HTTPS, so we can use `flowcrypt-cse-vpc-allow-https` as our policy name.
- Leave the Deployment scope set as `Global`.
- Under the firewall rules settings, click on ADD RULE with a priority of `1000` (higher priority).
- Set the Source type as IPv4 with an IP range of `0.0.0.0/0`.
- Under the Protocol and ports section, choose the Specified protocol and ports option, tick the TCP checkbox, and specify the port `443`.
- Leave all other options at their defaults, then proceed by clicking CREATE.
- Now that you've created a firewall rule to allow access via HTTPS to FlowCrypt WKM, it's time to set up another one for SSH.
- On the same page where you added the previous rule, click ADD RULE again, but this time give it a description of `flowcrypt-cse-vpc-allow-ssh` and set its priority to `2000`.
- Set the Source type as IPv4 with an IP range of `0.0.0.0/0`. Note that this range admits SSH from any address; if your administrators connect from a known IP range, a narrower source range reduces the exposure of the key manager VM.
- Under the Protocol and ports section, choose the Specified protocol and ports option, tick the TCP checkbox, and enter port number `22`.
- Click CREATE when done.
- Finally, in the Associate policy with VPC networks section of the firewall setup, link the newly created policies (HTTPS & SSH) to the `flowcrypt-cse-vpc` VPC network, then hit the CREATE button once more.
Configure an externally-accessible static IP address for a VM
- Under the VPC network section, click on IP Addresses.
- Click on RESERVE EXTERNAL STATIC IP ADDRESS.
- Assign a name to the reserved static address; preferably, use `flowcrypt-cse-extip`.
- Select a region and click RESERVE.
Create a Compute Engine VM
- On the GCP sidebar, click on Compute Engine ⮕ VM Instances ⮕ CREATE INSTANCE.
- Name the instance `flowcrypt`.
- Additionally, the VM you will be creating will need a hostname associated with it. In the Advanced options section, expand the Networking section and specify the custom hostname of your choice in the Hostname field. This hostname value will later be used when populating the `.properties` file for the secure connection configuration of the Key Manager.
- Select the region to match the location of the static IP.
- Choose a zone and take note of it, as it will be required in later steps.
- In the Machine configuration section, select Series `E2` and Machine type `e2-medium` (with 2 vCPUs and 4 GB memory).
- In the Firewall configuration section, tick the Allow HTTPS traffic checkbox.
- Click on CREATE.
Attach the reserved static IP to the VM
- Open the VM that you've just created and click on EDIT.
- In the Network interfaces configuration section, click on the dropdown menu for the default network interface.
- Find External IPv4 address and select the static IP address that you created earlier (`flowcrypt-cse-extip`).
- To finalize these changes, click on SAVE.
Connect to the VM via SSH
- Launch the Google Cloud Shell.
- Connect to the VM using the following command: `gcloud compute ssh --zone <chosen-vm-zone> <vm-name> --project <project-id>`.
Install FlowCrypt WKM on VM
This section provides step-by-step instructions for installing, configuring, and running the WKM app on a VM running in Google Cloud Platform (GCP).
Install Java
- To install Java on the VM, use the command `sudo apt install default-jre`.
- Verify that you've successfully installed Java by running `java -version`. You should see the Java version in the output.
Download FlowCrypt WKM
- To download the free version, navigate to the WKM Download page, right-click on the download link, and select Copy link address.
- Return to the Cloud Shell console and execute the following command: `curl [flowcrypt-wkm-download-link] --output flowcrypt_wkm.zip`. This will initiate the file download.
- After the download is complete, you need the `unzip` package to unpack the downloaded file (if you don't already have it). Install it by running `sudo apt install unzip`.
- Now that you've installed `unzip`, unpack the downloaded archive via `unzip flowcrypt_wkm.zip`.
- Change your current directory to `release/flowcrypt-workspace-key-manager-[release-version]-FREE/` using the command `cd release/flowcrypt-workspace-key-manager-[release-version]-FREE/`. If needed, you can run `ls release/` to identify the exact path of the extracted WKM files. Once in the correct directory, you can proceed with the key manager configuration.
FlowCrypt WKM Configuration
- We suggest creating a backup of the default configuration file before proceeding. To do this, run `cp flowcrypt-workspace-key-manager.properties flowcrypt-workspace-key-manager.properties.bak`.
- To ensure that the jar binary has the correct permissions to run, execute `chmod +x ./flowcrypt-workspace-key-manager-free.jar`.
- The next step is to generate a master key. This can be achieved by running `sudo java -jar flowcrypt-workspace-key-manager-free.jar --create-master-key`. This will output both the master key (`store.master.key.value`) and the test vector (`store.test.vector.value`). Enter both the master key and the test vector values in the designated properties file. You may use either `nano` or `vim` to edit the properties file.
Authentication configuration
You can choose and configure different IdPs for FlowCrypt WKM. It works with Google Identity as well as other third-party IdPs such as OneLogin and many more.
To configure the IdP and authentication, please follow our Technical Overview guide for instructions on how to set up the FlowCrypt WKM.
Ensure a secure connection for the Key Manager
- Prepare a `.p12` certificate.
- Download it into the VM.
- Edit the `flowcrypt-workspace-key-manager.properties` file.
- Look for `api.https.key.file` and update its value with the path where you stored your `.p12` certificate, preferably beside the WKM jar file for convenience.
- Next, update `api.https.key.password` with your `.p12` password and ensure that `api.https.enabled` is set to `true`.
- Add an external IP entry to `api.accept.hosts`. Find this information by going to GCP's Compute Engine ⮕ VM Instances ⮕ the VM instance for FlowCrypt WKM ⮕ the field labeled External IP. Add the VM's hostname alongside it; the hostname can be found by going to VM instances ⮕ the `flowcrypt` VM ⮕ View the VM details ⮕ the field labeled Hostname.
- Lastly, update the `api.url` value with the new hostname of your VM.
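As a pre-flight check for the values entered in the FlowCrypt WKM Configuration and secure-connection steps above, the following added example (not part of FlowCrypt's own tooling) parses the properties file and reports any setting the key service should not be started with. It assumes Java-style `key=value` lines, that `api.accept.hosts` is a comma-separated list, and that `api.url` is an `https` URL on the VM hostname; the sample file contents, IP and hostname are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample of the properties this guide asks you to fill in.
# The layout (key=value, '#' comments, comma-separated accept hosts) is an
# assumption about the file, not taken from FlowCrypt's documentation.
SAMPLE_PROPERTIES = """\
store.master.key.value=PLACEHOLDER_MASTER_KEY
store.test.vector.value=PLACEHOLDER_TEST_VECTOR
api.https.enabled=true
api.https.key.file=./flowcrypt-wkm.p12
api.https.key.password=PLACEHOLDER_P12_PASSWORD
api.accept.hosts=203.0.113.10,wkm.example.com
api.url=https://wkm.example.com
"""


def parse_properties(text: str) -> dict:
    """Minimal .properties reader: key=value per line; blank and comment lines skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_wkm_properties(props: dict, external_ip: str, hostname: str) -> list:
    """Return the list of problems found; an empty list means the file is ready."""
    problems = []
    # Both values come from the --create-master-key run and must be pasted in.
    for key in ("store.master.key.value", "store.test.vector.value"):
        if not props.get(key):
            problems.append(f"{key} is empty; paste the output of --create-master-key")
    # TLS must be on: Google Workspace reaches the key service over the internet.
    if props.get("api.https.enabled", "").lower() != "true":
        problems.append("api.https.enabled must be true")
    if not props.get("api.https.key.file", "").endswith(".p12"):
        problems.append("api.https.key.file should point at the .p12 certificate")
    if not props.get("api.https.key.password"):
        problems.append("api.https.key.password is empty")
    # Both the VM's external IP and its hostname must be accepted hosts.
    hosts = {h.strip() for h in props.get("api.accept.hosts", "").split(",") if h.strip()}
    for needed in (external_ip, hostname):
        if needed not in hosts:
            problems.append(f"api.accept.hosts is missing {needed}")
    # api.url is what Google Admin's TEST CONNECTION will call.
    url = urlsplit(props.get("api.url", ""))
    if url.scheme != "https" or url.hostname != hostname:
        problems.append("api.url must be https://<vm-hostname>")
    return problems
```

Run it against the real file with `check_wkm_properties(parse_properties(open(path).read()), external_ip, hostname)` before starting the jar; any non-empty result names the property to fix.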
Start the FlowCrypt WKM app
- To start the FlowCrypt WKM app, use `sudo java -jar flowcrypt-workspace-key-manager-free.jar`.
- You can confirm that the service is up and running by checking for the line `Listening on https://...` in the command-line output.
- To confirm it from a browser, enter the value of `api.url` (which is the VM's hostname) followed by the status path, such as `https://<flowcrypt-wkm-url>/status`.
Configure Google Workspace for CSE
By following these steps, you can enable client-side encryption and ensure that your data is encrypted before it’s transmitted or stored in Google’s cloud-based storage, providing an additional layer of security for your Google Workspace environment.
Add the Key Service URL to Google Admin
- Go to the Google Admin console and navigate to Security ⮕ Access and data control ⮕ Client-side encryption.
- Next, add the external key service.
- Then, include the FlowCrypt WKM URL from the `api.url` value in the properties file.
- Verify that it's reachable by clicking TEST CONNECTION and reviewing the server's response saying Connection Success.
- Once verified, click on ADD SERVICE.
- Finally, still on the Client-side encryption page, click on ASSIGN, assign the newly added key service as the default, and then click SAVE.
Configure the Identity Provider
- Please click on the Set up IdP fallback option.
- Kindly provide the name of your Identity Provider, client ID, and discovery URI.
- Select Implicit as the Grant type and proceed to click on the TEST CONNECTION button.
- If everything has been configured successfully, you should receive a message confirming that the connection was successful.
- Finally, please click on ADD PROVIDER.
Enable client-side encryption for Google Workspace users
- On the Apps section of the client-side encryption page, select the app for which you want to configure CSE. This could be Calendar, Drive and Docs, Gmail, or Meet.
- After selecting an app, choose On for the User access option.
- Repeat this process for all selected apps and then click on SAVE.
Verify Google Workspace CSE
- To verify if Google Workspace CSE is working properly, navigate to Google Drive and click on New. Next, select File upload followed by Encrypt and upload file.
- You can also create new encrypted documents by navigating to Google Drive and clicking on New, then selecting Google Docs followed by Blank encrypted document.