View Google CSE Files Wrapped by Workspace Key
Objective
Establish a transparent visibility and governance layer for Google Client-Side Encrypted (CSE) files by allowing workspace users to view and manage Google Drive files encrypted with workspace-managed keys, without breaking Google’s native ownership and access model.
Function Purpose
Centralized Visibility: Allow workspace users to see all Google Drive files that are encrypted using Google CSE and wrapped by keys they have access to, regardless of file ownership or sharing source.
Key Transparency: Provide clear insight into encryption details, including which key, key version, and workspace are responsible for protecting each file.
Controlled Re-encryption: Enable authorized users to re-wrap files with a different workspace key, ensuring encryption policies remain aligned with workspace governance and data classification needs.
Current MVP Limitation
Metadata-Only Scope:
The system only reads Google Drive file metadata via Google OAuth.
File content is never accessed or decrypted by Oten KMS.
CSE-Only Visibility:
Only files encrypted with Google Client-Side Encryption are listed.
Non-CSE files are excluded from the view.
Permission-Bound Actions:
File re-wrap (Change Key) is available only if:
The user has explicit permission.
The target key is ACTIVE.
Google CSE supports re-wrap for the file type.
Cross-workspace visibility is limited to keys the user already has access to.
Setup Impact
Once authenticated via Google OAuth, the system will automatically:
Fetch Google Drive file metadata for the logged-in user.
Filter and group files based on workspace key ownership.
Display encryption details without requiring any manual key lookup.
Enforce permission checks before allowing any key change or re-wrap action.
No additional configuration is required from workspace users. Re-wrap operations, if permitted, are executed through Google CSE and fully audited.
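The filtering and permission gate described above can be sketched as follows. This is an added example, not Oten KMS code: the record types, field names, the `rewrap_grants` set, the `DISABLED` state and the supported-type list are all assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Key:  # hypothetical key record
    key_id: str
    workspace: str
    state: str  # "ACTIVE" is the only state the page names

@dataclass(frozen=True)
class DriveFile:  # hypothetical metadata-only record: no content field exists
    file_id: str
    mime_type: str
    is_cse: bool
    key_id: Optional[str]
    key_version: Optional[int]

# Placeholder set, not Google's actual list of re-wrappable file types.
REWRAP_SUPPORTED = {"application/pdf"}

def visible_files(files, keys, accessible_key_ids):
    """Group CSE files by workspace, limited to keys the user can access."""
    grouped = defaultdict(list)
    for f in files:
        if f.is_cse and f.key_id in accessible_key_ids and f.key_id in keys:
            grouped[keys[f.key_id].workspace].append(f)
    return dict(grouped)

def rewrap_denials(f, target, accessible_key_ids, rewrap_grants):
    """Return every reason to refuse a re-wrap; an empty list means allowed."""
    checks = [
        (f.is_cse and f.key_id in accessible_key_ids, "file not visible to user"),
        (target.key_id in rewrap_grants, "no explicit permission"),
        (target.state == "ACTIVE", "target key is not ACTIVE"),
        (f.mime_type in REWRAP_SUPPORTED, "file type does not support re-wrap"),
    ]
    return [reason for ok, reason in checks if not ok]

# Constructed sample data.
KEYS = {
    "k-fin": Key("k-fin", "finance", "ACTIVE"),
    "k-old": Key("k-old", "finance", "DISABLED"),
    "k-hr": Key("k-hr", "hr", "ACTIVE"),
}
FILES = [
    DriveFile("f1", "application/pdf", True, "k-fin", 2),
    DriveFile("f2", "text/plain", False, None, None),  # non-CSE: never listed
    DriveFile("f3", "image/png", True, "k-hr", 1),     # key outside user's access
]
```

Returning all failed conditions rather than the first one gives the audit record a full explanation of why a Change Key request was refused.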