Google Calendar

I. Event Creation Flow: Scheduling a Secured Event

When an organizer creates an encrypted event in Google Calendar:

  1. DEK Generation: Google generates a unique Data Encryption Key (DEK) specifically for that individual calendar event.

  2. Metadata Encryption: Google encrypts the sensitive fields (Title, Description, and Attachments) using this local DEK.

  3. Key Protection Request: Google sends the DEK to Oten KMS to be wrapped.

  4. Key Wrapping: Oten KMS wraps (encrypts) the DEK using your Customer Managed Key (CMK) after verifying the organizer's permissions.

  5. Encrypted Storage: The encrypted event data and the wrapped DEK are stored by Google. Accessing the event details requires the key to be unwrapped.

II. Viewing Flow: Accessing an Encrypted Event

When an invitee or the organizer views the encrypted event:

  1. Authorization Check: Google retrieves the encrypted event and sends the wrapped DEK to Oten KMS.

  2. Key Unwrapping: Oten KMS verifies the identity of the user (checking if they are on the guest list or have proper access) and unwraps the DEK using the CMK.

  3. Client-Side Decryption: The plain-text DEK is returned to the user’s browser, which then decrypts the event details locally.

  4. Private Viewing: The user sees the meeting title and description clearly, while Google’s servers only see encrypted "blobs" of data.

III. Maximize feature potential

  • To optimize the use of this features across browsers and mobile apps, please configure your settings as follows:

    • For mobile app:

      • Update the related apps to the latest version for the best experience (example: Gmail is 6.0.260406).

      • Chrome is the recommended default browser.

      • Android: If it does not work properly in the app, clear the cache and try again.

    • For desktop app browser: Chrome (or Chromium core browser) is the recommended default browser.

  • These features work reliably in web browsers. On the mobile app, availability depends on the app version and Google's support, so usage may vary by version and is not always consistent.

IV. Supported services, applications, and data types when using Google CSE

Service
Apps
Data that's client-side encrypted
Data that's not client-side encrypted

Google Calendar

  • Web browser

  • Android mobile app

  • iOS mobile app

Note:

  • To optimize the use of Google Calendar, you must fully configure the Client ID for all related services: Calendar, Drive, Meet, and Gmail.

  • For Android, users need to install Chrome and set it as the default browser in order to use it.

  • For mobile app: Chrome is the recommended default browser.

  • Event description

  • Attached Drive files (if CSE for Drive is turned on)

  • Meet audio and video streams (if CSE for Meet is turned on)

Any content other than the event description, attachments, and Meet data, such as:

  • Event title

  • Event starting and ending times

  • Attendees list

  • Booked rooms

  • Join by phone numbers

  • Link for Meet

Last updated