Detailed Setup Guide

I. Set up the KMS KACLS service for Google Workspace

  • Mailboxes that use the wrap/unwrap mechanism must share the same key service (KMS KACLS service URL); otherwise they cannot send encrypted mail to, or receive it from, one another.

  • In addition, the admin must make sure in admin.google.com that this key service has been added and assigned, otherwise the feature cannot be used.

II. How to get your credentials (service account & CA certificate)

  1. Open the Google Cloud Console

  2. Navigate to Service Accounts

  • Go to IAM & Admin -> Service Accounts

  • If you don't have a project yet, create a new project before proceeding:

  • Enter the project name and select the organization:

  • The new project is created:

  3. Create a service account

  • Click Create service account -> enter the service account name -> click Done

  • Skip the optional steps:

    • Permissions

    • Principals with access

  • The new service account is created

  4. Generate a service account key

  • Click on the created service account -> Keys -> Add key -> Create new key -> choose JSON -> Create -> download and save the file

Note: you must have the Organization Policy Administrator role (roles/orgpolicy.policyAdmin) to obtain a service account key.

  5. Enable the Gmail API

  • Search for Gmail API

  • Click Enable for the Gmail API

  6. Upload the service account key to the KMS system

  • As admin, go to Organization Admin -> Gmail Provisioning

  • Click Start verification

  • Upload the downloaded JSON file where the system prompts for it

  • Click Verify and wait for the verification process to finish

  7. Download the CA certificate

  • Once the service account is verified, the CA file is generated automatically by the system

  • The admin needs to download the file and go to the next step

  • Download the file to your local machine

  8. Upload to the Google Admin Console

  • Open the Google Workspace admin console: admin.google.com

  • Navigate to Apps -> Google Workspace -> Gmail -> User settings

  • In the S/MIME section, enable S/MIME encryption for sending and receiving emails

  • Then enable Allow users to upload their own certificates

  • Then click the ADD button -> UPLOAD ROOT CERTIFICATE

  • Upload the CA file in .pem format

  • Enter the org domain

  • Click Done and wait for Google's approval; the approval process may take up to 24 hours (refer to the doc link)
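Before uploading the service account JSON key and the .pem CA file from this section, a quick offline sanity check catches the two usual mix-ups: an OAuth client JSON downloaded instead of a service-account key, and a certificate exported as binary DER/PKCS#12 instead of PEM. This is an added example using only the Python standard library, not a tool from the KMS product or from Google; the sample key and certificate below are constructed placeholders, not real credentials.

```python
import base64
import json
import re
REQUIRED_SA_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email", "token_uri")  # in every Google SA key

def check_service_account_key(text):
    """Return a list of problems with a service-account key file; an empty list means it looks right."""
    try:
        key = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    problems = []
    if missing := [f for f in REQUIRED_SA_FIELDS if f not in key]:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":  # OAuth client files carry 'installed' or 'web' instead
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    if not str(key.get("client_email", "")).endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM-encoded PKCS#8 key")
    return problems
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def is_single_der_sequence(der):
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose length spans the whole buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    n = der[1] & 0x7F if der[1] & 0x80 else 0  # long-form length: low bits give the byte count
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    return 2 + n + length == len(der)

def check_pem_certificate(text):
    """Return problems with a .pem CA file: it needs at least one PEM block whose body is well-formed DER."""
    blocks = PEM_CERT.findall(text)
    if not blocks:
        return ["no PEM certificate block found (binary .cer/.der or .p12 files are not accepted here)"]
    problems = []
    for i, body in enumerate(blocks):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            der = b""  # fails the structural check below
        if not is_single_der_sequence(der):
            problems.append(f"certificate {i}: body is not valid base64 or not one well-formed DER SEQUENCE")
    return problems

# Constructed samples (not real credentials): a minimal key file and a 5-byte DER SEQUENCE in PEM armor.
SAMPLE_KEY = json.dumps({"type": "service_account", "project_id": "demo-proj", "private_key_id": "abc",
                         "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n",
                         "client_email": "kacls@demo-proj.iam.gserviceaccount.com", "token_uri": "https://oauth2.googleapis.com/token"})
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
```

Run `check_service_account_key(open("key.json").read())` and `check_pem_certificate(open("ca.pem").read())` on the downloaded files; an empty list from both means the files have the shape the upload steps expect.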

III. Set up the provisioning job for email and send/receive mail

  1. Set up the provisioning job

  • Click Provisioning setup

  • Select Manual input or Upload file with the provided template

    • Note: the emails being provisioned must share the same key service (KACLS) in order to be authorized to use the key for wrap/unwrap operations.

  • Select a workspace

  • Select a key (symmetric AES or ChaCha20, 256 bits)

  • Click Start provisioning and wait until the job has completed

  2. Send/receive mail with encryption/decryption

  • After the provisioning job has completed, the user can compose a new email

  • Turn on Additional encryption

  • The mail is encrypted

  • When sending mail, the user needs to sign in to verify the account

  • The receiver gets the encrypted mail

  • Then the receiver must sign in to verify the account in order to view the email body
