-
Notifications
You must be signed in to change notification settings - Fork 473
Users Gmail CSE
- API documentation
- Notes
- Definitions
- Create Gmail CSE Identity
- Update Gmail CSE Identity
- Delete Gmail CSE Identity
- Display Gmail CSE Identities
- Create Gmail CSE Key Pair
- Action Gmail CSE Key Pairs
- Display Gmail CSE Key Pairs
- https://developers.google.com/gmail/api/reference/rest/v1/users.settings.cse.identities
- https://developers.google.com/gmail/api/reference/rest/v1/users.settings.cse.keypairs
This is an initial, minimally tested release; proceed with care and report all issues.
Setting up Client Side Encryption is not for the faint of heart; here is a start.
Do I personally understand what's going on here? No, I just added the API calls to GAM.
Two sets of files are required for Gmail CSE, these two variables in gam.cfg control where GAM looks for these files.
You must edit gam.cfg to set the paths you currently use.
gmail_cse_incert_dir
Directory for the S/MIME certificate files used by Gmail Client Side Encryption.
Default: Blank
gmail_cse_inkey_dir
Directory for the Key Access Control List (KACL) wrapped private key data files used by Gmail Client Side Encryption.
Default: Blank
<DomainName> ::= <String>(.<String>)+
<EmailAddress> ::= <String>@<DomainName>
<FilePath> ::= <String>
<Password> ::= <String>
<KeyPairID> ::= <String>
Creates and configures a client-side encryption identity that's authorized to send mail from the user account. Google publishes the S/MIME certificate to a shared domain-wide directory so that people within a Google Workspace organization can encrypt and send mail to the identity.
gam <UserTypeEntity> create cseidentity
(primarykeypairid <KeyPairID>) | (signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>)
[kpemail <EmailAddress>]
[formatjson]
One of the following is required:
-
primarykeypairid <KeyPairID>- The configuration of a CSE identity that uses the same key pair for signing and encryption. -
signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>- The configuration of a CSE identity that uses different key pairs for signing and encryption.
If kpemail <EmailAddress> is not specified, the user's primary email address is used for the identity.
By default, Gam displays the identity as an indented list of keys and values; the following option causes the output to be in JSON format:
-
formatjson- Display the fields in JSON format.
Associates a different key pair with an existing client-side encryption identity. The updated key pair must validate against Google's S/MIME certificate profiles.
gam <UserTypeEntity> update cseidentity
(primarykeypairid <KeyPairID>) | (signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>)
[kpemail <EmailAddress>]
[formatjson]
One of the following is required:
-
primarykeypairid <KeyPairID>- The configuration of a CSE identity that uses the same key pair for signing and encryption. -
signingkeypairid <KeyPairID> encryptionkeypairid <KeyPairID>- The configuration of a CSE identity that uses different key pairs for signing and encryption.
bIf kpemail <EmailAddress> is not specified, the key pair for the user's primary email address is identity updated.
By default, Gam displays the identity as an indented list of keys and values; the following option causes the output to be in JSON format:
-
formatjson- Display the fields in JSON format.
Deletes a client-side encryption identity. The authenticated user can no longer use the identity to send encrypted messages.
You cannot restore the identity after you delete it. Instead, use the create cseidentity to create another identity with the same configuration.
gam <UserTypeEntity> delete cseidentity [kpemail <EmailAddress>]
If kpemail <EmailAddress> is not specified, the identity for the user's primary email address is deleted.
gam <UserTypeEntity> info cseidentity [kpemail <EmailAddress>]
[formatjson]
If kpemail <EmailAddress> is not specified, the user's primary email address is used for the identity.
gam <UserTypeEntity> show cseidentities
[formatjson]
By default, Gam displays the identity as an indented list of keys and values; the following option causes the output to be in JSON format:
-
formatjson- Display the fields in JSON format.
gam <UserTypeEntity> print cseidentities [todrive <ToDriveAttribute>*]
[formatjson [quotechar <Character>]]
By default, Gam displays the information as columns of fields; the following option causes the output to be in JSON format:
-
formatjson- Display the fields in JSON format.
By default, when writing CSV files, Gam uses a quote character of double quote ". The quote character is used to enclose columns that contain
the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
The quotechar <Character> option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
quotechar defaults to gam.cfg/csv_output_quote_char. When uploading CSV files to Google, double quote " should be used.
Create a CSE Key Pair for the primary address of a user.
gam <UserTypeEntity> create csekeypair
[incertdir <FilePath>] [inkeydir <FilePath>]
[addidentity [<Boolean>]] [kpemail <EmailAddress>]
[showpem] [showkaclsdata] [formatjson|returnidonly]
-
The S/MIME certificate files for the users are in the
incertdir <FilePath>folder/directory. -
If this option is not specified, the directory is taken from
gam.cfg/gmail_cse_incert_dir. -
The files must be named
[email protected]. -
The certificate contains the public key and its certificate chain. The chain must be in PKCS#7 format and use PEM encoding and ASCII armor.
-
The Key Access Control List (KACL) wrapped private key data files are in the
inkeydir <FilePath>folder/directory. -
If this option is not specified, the directory is taken from
gam.cfg/gmail_cse_inkey_dir. -
The files must be named
[email protected]. -
The files are in JSON format with two keys:
-
kacls_url- The URI of the key access control list service that manages the private key. -
wrapped_private_key- Opaque data generated and used by the key access control list service.
-
By default, the pem and kaclsdata fields will not be displayed unless the corresponding showpem and showkaclsdata option is specified.
By default, Gam displays the new key pair as an indented list of keys and values; the following options cause the output to be displayed in alternate forms.
-
formatjson- Display the fields in JSON format. -
returnidonly- Display just the new<KeyPairID>.
If 'addidentityoraddidentity trueis specified, a client-side encryption identity is created with the new key pair. Ifkpemail ` is not specified, the user's primary email address is used for the identity.
By default, Gam displays the identity as an indented list of keys and values; the following option causes the output to be in JSON format:
-
formatjson- Display the fields in JSON format. -
returnidonly- Display just the new<KeyPairID>-<EmailAddress>.
By default, the pem and kaclsdata fields will not be displayed unless the corresponding showpem and showkaclsdata option is specified.
Turns off a client-side encryption key pair. The authenticated user can no longer use the key pair to decrypt incoming CSE message texts or sign outgoing CSE mail.
gam <UserTypeEntity> disable csekeypair <KeyPairID>
[showpem] [showkaclsdata] [formatjson]
By default, Gam displays the disabled key pair as an indented list of keys and values; the following option causes the output to be displayed in alternate forms.
-
formatjson- Display the fields in JSON format.
Turn on a client-side encryption key pair that was turned off. The key pair becomes active again for any associated client-side encryption identities.
gam <UserTypeEntity> ensable csekeypair <KeyPairID>
[showpem] [showkaclsdata] [formatjson]
By default, Gam displays the enabled key pair as an indented list of keys and values; the following option causes the output to be displayed in alternate forms.
-
formatjson- Display the fields in JSON format.
Delete a client-side encryption key pair permanently and immediately. You can only permanently delete key pairs that have been turned off for more than 30 days.
To turn off a key pair, use disable csekeypair.
gam <UserTypeEntity> obliterate csekeypair <KeyPairID>
Gmail can't restore or decrypt any messages that were encrypted by an obliterated key. Authenticated users and Google Workspace administrators lose access to reading the encrypted messages.
By default, the pem and kaclsdata fields will not be displayed unless the corresponding showpem and showkaclsdata option is specified.
gam <UserTypeEntity> info csekeypair <KeyPairID>
[showpem] [showkaclsdata] [formatjson]
By default, Gam displays the key pairs as an indented list of keys and values; the following option causes the output to be in JSON format:
-
formatjson- Display the fields in JSON format.
gam <UserTypeEntity> show csekeypairs
[showpem] [showkaclsdata] [formatjson]
By default, Gam displays the key pairs as an indented list of keys and values; the following option causes the output to be in JSON format:
-
formatjson- Display the fields in JSON format.
gam <UserTypeEntity> print csekeypairs [todrive <ToDriveAttribute>*]
[showpem] [showkaclsdata] [formatjson [quotechar <Character>]]
By default, Gam displays the key pairs as columns of fields; the following option causes the output to be in JSON format:
-
formatjson- Display the fields in JSON format.
By default, when writing CSV files, Gam uses a quote character of double quote ". The quote character is used to enclose columns that contain
the quote character itself, the column delimiter (comma by default) and new-line characters. Any quote characters within the column are doubled.
The quotechar <Character> option allows you to choose an alternate quote character, single quote for instance, that makes for readable/processable output.
quotechar defaults to gam.cfg/csv_output_quote_char. When uploading CSV files to Google, double quote " should be used.
Need more help? Ask on the GAM Discussion Group
Update History
Installation
- How to Install GAM7
- How to Upgrade GAMADV-XTD3 to GAM7
- How to Upgrade Legacy GAM to GAM7
- How to Update GAM7
- Install GAM as Python Library
- GAM7 on Chrome OS Devices
- GAM7 on Android Devices
- Google Network Addresses
- HTTPS Proxy
- SSL Root CA Certificates
- How to Uninstall GAM7
Configuration
- Authorization
- GAM Configuration
- Running GAM7 securely on a Google Compute Engine
- Using GAM7 with a delegated admin service account
- Using GAM7 with a YubiKey
Notes and Information
- Upgrade Benefits
- Questions? Visit the GAM Discussion Forum
- Scripts
- Other Resources
- Drive REST API v3
- BNF Syntax
- GAM Return Codes
- Python Regular Expressions
- Rclone
Definitions
Command Processing
- Bulk Processing
- Command Line Parsing
- Command Logging and Progress
- Command data from Google Docs/Sheets/Storage
- CSV Special Characters
- CSV Input Filtering
- CSV Output Filtering
- Meta Commands and File Redirection
- Permission matches
- Tag Replace
- Todrive
Collections
Client Access
- Addresses
- Administrators
- Alert Center
- Aliases
- Calendars
- Calendars - Access
- Calendars - Events
- Chrome Auto Update Expiration Counts
- Chrome Browser Cloud Management
- Chrome Device Needs Attention Counts
- Chrome Installed Apps
- Chrome Policies
- Chrome Printers
- Chrome Version Counts
- Chrome Version History
- ChromeOS Devices
- Classroom - Courses
- Classroom - Guardians
- Classroom - Invitations
- Classroom - Membership
- Cloud Channel
- Cloud Identity Devices
- Cloud Identity Groups
- Cloud Identity Groups - Membership
- Cloud Identity Policies
- Cloud Storage
- Context Aware Access Levels
- Customer
- Domains
- Domains - Verification
- Domain People - Contacts & Profiles
- Domain Shared Contacts - Global Address List
- Email Audit Monitor
- Find File Owner
- Google Data Transfers
- Groups
- Groups - Membership
- Inbound SSO
- Licenses
- Mobile Devices
- Organizational Units
- Reports
- Reseller
- Resources
- Send Email
- Schemas
- Shared Drives
- Sites
- Users
- Unmanaged Accounts
- Users - Signout and Turn off 2-Step Verification
- Vault - Takeout
- Version and Help
Special Service Account Access
Service Account Access
- Users - Analytics Admin
- Users - Application Specific Passwords
- Users - Backup Verification Codes
- Users - Calendars
- Users - Calendars - Access
- Users - Calendars - Events
- Users - Chat
- Users - Classification Labels
- Users - Classroom - Profile
- Users - Deprovision
- Users - Contacts
- Users - Contacts - Delegates
- Users - Drive - File Selection
- Users - Drive - Activity/Settings
- Users - Drive - Cleanup
- Users - Drive - Comments
- Users - Drive - Copy/Move
- Users - Drive - Files-Display
- Users - Drive - Files-Manage
- Users - Drive - Orphans
- Users - Drive - Ownership
- Users - Drive - Permissions
- Users - Drive - Query
- Users - Drive - Revisions
- Users - Drive - Shortcuts
- Users - Drive - Transfer
- Users - Forms
- Users - Gmail - Client Side Encryption
- Users - Gmail - Delegates
- Users - Gmail - Filters
- Users - Gmail - Forwarding
- Users - Gmail - Labels
- Users - Gmail - Messages/Threads
- Users - Gmail - Profile
- Users - Gmail - S/MIME
- Users - Gmail - SendAs/Signature/Vacation
- Users - Gmail - Settings
- Users - Group Membership
- Users - Keep
- Users - Looker Studio
- Users - Meet
- Users - Classroom - Profile
- Users - People - Contacts & Profiles
- Users - Photo
- Users - Profile Sharing
- Users - Shared Drives
- Users - Spreadsheets
- Users - Tasks
- Users - Tokens
- Users - YouTube
GAM Tutorials
- Managing Users, Groups, Aliases, Domains, Mobile and Chrome Devices, and Resource Calendars
- Group Settings
- Data Transfers
- Print Users, Groups, Aliases, Mobile and Chrome OS devices, OUs, Licenses and Reports
- Managing Custom User Schemas
- User Email Settings
- User Security Settings
- Managing Classroom
- Managing Devices
- Chrome Policy Settings
- Chrome Browser Management
- Calendar Settings
- Unmanaged Users and Invitations
- Google Drive Management
- Inbound SSO Settings
- Managing Admins
- Domain Verification
- Printers