Skip to main content

Upload a file from local-host to Google Drive as a Client Side Encrypted (CSE) document

Project description

Drive CSE Upload

With Google Workspace Client-side encryption (CSE), you can add another layer of encryption to your organization's data — like files and emails — in addition to the default encryption that Google Workspace provides.

For select Google Workspace editions, admins can import sensitive files from third-party storage using Client-side encryption and the Google Drive API, preserving the confidentiality of your data. Eligible admins can apply for beta access using this form.

In this package we are providing a code sample (in the form of a Python library) to upload files hosted locally to Google Drive as Client-side encrypted (CSE) files.

Project Prerequisites

Google Cloud

  • Have a Cloud project

  • Have Google Drive API enabled for the project

  • Have a user with an admin rights in that project

  • Have a service-account configured for the project

  • Have the service-account provisioned for Domain Wide Delegation

  • Store the Service Account Private Key File downloaded during the account creation

    Note: The file is only downloaded during creation; you cannot re-download it

Identity Provider (IDP)

  • Have an OAuth Client ID for Desktop
  • Download and store the Client Secret File for the configured OAuth Client Id

Google Admin Console

  • Have CSE configured for the domain
  • Have an IDP configured for the domain
  • Have a KACLS configured for the domain

Key ACL Service (KACLS)

  • The KACLS must support the /privilegedwrap, /privilegedunwrap, and /digest endpoints
  • Have the KACLS configured for the domain allow /privilegedwrap and /privilegedunwrap by the admin user
  • Have the KACLS configured for the domain allow /digest by Google
  • See https://developers.google.com/workspace/cse/reference

Installing this Package

The easiest way to install this package is to get it from PyPi:

pip install drive-cse-upload

This will get this package and all of its dependencies.

Details

If you get this package from GitHub, you'll need to install its dependencies separately.

Python
  • Python 3.10.7 or greater
Tink Cryptographic Library
pip3 install tink>=1.10.0
Google Client Library
pip install --upgrade google-api-python-client google-auth-httplib2 google-auth-oauthlib

Running the Example

  • Set these parameters to match your setup

    • SA_KEY_FILE: The Service Account Private Key File
    • CLIENT_SECRET_FILE: The OAuth Client Secret File
    • SAVED_CREDS_FILE: Where to store the IDP Oauth credentials
    • AS_USER: Upload the file as this user (an email-address)
    • INPUT_FILE The file to upload
    • PARENT_ID The parent folder/shared-drive for the uploaded file (optional)

    Note: The first three files listed above contain sensitive information that should be protected. Users must ensure that the files passed-in / created are not readable by anyone but their owner.

$ python example.py \
  --sa-key-file "${SA_KEY_FILE}" \
  --client-secret-file "${CLIENT_SECRET_FILE}" \
  --saved-creds-file "${SAVED_CREDS_FILE}" \
  --as-user "${AS_USER}" \
  "${INPUT_FILE}"

This will upload and validate the file ${INPUT_FILE} to ${AS_USER}'s root MyDrive.

$ python example.py \
  --sa-key-file "${SA_KEY_FILE}" \
  --client-secret-file "${CLIENT_SECRET_FILE}" \
  --saved-creds-file "${SAVED_CREDS_FILE}" \
  --as-user "${AS_USER}" \
  --parent-id "${PARENT_ID}" \
  "${INPUT_FILE}"

This will upload and validate the file ${INPUT_FILE} as a child of the folder or shared-drive designated by ${PARENT_ID}.

As part of the upload process, you'll be prompted to open a browser window with a URL for authenticating with the IDP. Enter the admin user credentials there to continue.

When done, the code will print the name and the id of the newly uploaded file. You can see the file in the Drive web client. To ensure that the file is uploaded correctly, now try the "Download and decrypt" action. This should download the decrypted file to your local host.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

drive_cse_upload-1.0.0.tar.gz (16.0 kB view details)

Uploaded Source

Built Distribution

drive_cse_upload-1.0.0-py3-none-any.whl (27.6 kB view details)

Uploaded Python 3

File details

Details for the file drive_cse_upload-1.0.0.tar.gz.

File metadata

  • Download URL: drive_cse_upload-1.0.0.tar.gz
  • Upload date:
  • Size: 16.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.11.8

File hashes

Hashes for drive_cse_upload-1.0.0.tar.gz
Algorithm Hash digest
SHA256 ac614218e2474c8d1bc18bc2a7628011a819403c20fe5a239eb916bb0a6b24f1
MD5 664d80cc3cfb7d145aedff5f6f4d0e9c
BLAKE2b-256 ec4f964ed880c6a8d49506152df7717bf5fb419405a5e50d78bcc73bbbc34939

See more details on using hashes here.

File details

Details for the file drive_cse_upload-1.0.0-py3-none-any.whl.

File metadata

File hashes

Hashes for drive_cse_upload-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 09889ec274cbf6176f3809d9e95c56a4af6c987e3e62312e70ea8445477acf9d
MD5 66034e74c4621a0cf1e94a0d0cbb96bb
BLAKE2b-256 b2d68cf7722d25cfe9efce55d8650fe9ae693feaf65cdf83857ed769e7b9ddaf

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page