# Detailed Setup Guide

### I. Set up KMS KACLS Service for Google Workspace

* Users exchanging emails through the wrap/unwrap mechanism must share the same Key service (KMS KACLS Service URL) in order to send and receive encrypted email to one another.

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FGeLqlBRT8xgLPUVwHUqD%2Funknown.png?alt=media&#x26;token=30934df1-7e6c-4f1d-a923-e9b0019cc5b1" alt=""><figcaption></figcaption></figure>

* In addition, the admin must ensure in [admin.google.com](http://admin.google.com) that this correct Key service has been added and assigned in order to use the feature.

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FWiunQDGtxyxzLfcpbTJS%2Funknown.png?alt=media&#x26;token=92eae402-32ce-4f21-9bdd-967224be0bd0" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FrJgtmGj9cHhfylwh5FKK%2Funknown.png?alt=media&#x26;token=b26cd014-d208-4135-ac9a-9f15cdb7f15a" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FGtruLuEUQmrnzrWsX1Kq%2Funknown.png?alt=media&#x26;token=6f52cef1-d24e-48f8-88fe-9e543477a8d7" alt=""><figcaption></figcaption></figure>

### II. How to get your credentials (Service account & CA certificate)

1. **Open Google Cloud Console**

* Go to [console.cloud.google.com](http://console.cloud.google.com) and sign in.

2. **Navigate to Service Accounts**

* Go to IAM & Admin -> Service Accounts
* If you don’t have a project yet, create a new project before proceeding:

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2Fu5pVG5EHdwmoXMrFvbm3%2Funknown.png?alt=media&#x26;token=7dff3d02-04a5-471b-80aa-cbda9c4a24a1" alt=""><figcaption></figcaption></figure>

* Enter the Project name and select an Organization:

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FV3aFuduKB3gB0Q3irgpL%2Funknown.png?alt=media&#x26;token=88855550-dbf3-4fcd-a9d8-f9d5a7210244" alt=""><figcaption></figcaption></figure>

* The new project is created:

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FBpiZqer1VP2saQN2uh9D%2Fimage.png?alt=media&#x26;token=5c4bd6d4-c32b-4039-818b-8cbb4e0f1c5e" alt=""><figcaption></figcaption></figure>

3. **Create a Service Account**

* Click Create service account -> Enter the Service account name -> Click Done

  <figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2Ff1JVoW7OjQ31SWGdyEWK%2Funknown.png?alt=media&#x26;token=25f3857f-62b1-4f2a-84ef-266a00347333" alt=""><figcaption></figcaption></figure>
* Skip the optional steps:
  * Permissions
  * Principals with access

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FesGwWWx7crC0YaeVOSEP%2Funknown.png?alt=media&#x26;token=d83ea3d3-9313-44e8-b149-faf0140689d4" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FuMRNNUZ8WdguH6GCGZXE%2Funknown.png?alt=media&#x26;token=23e656ff-6b8a-4e34-a540-caa308b98bb9" alt=""><figcaption></figcaption></figure>

* The new service account is created

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2F3FZBL8WMYmM6RQaIQTgn%2Funknown.png?alt=media&#x26;token=e2dfb0fc-1f20-4bef-b69e-6c35b0e81bcb" alt=""><figcaption></figcaption></figure>

4. **Generate service account key**

* Click on the created service account -> **Keys -> Add key -> Create new key -> Choose JSON -> Create -> Download and Save file**

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FBpVL9VgzwgBRczjqwNSI%2Funknown.png?alt=media&#x26;token=ed5dd3f9-51fe-4dd1-aa26-a66f5379271e" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FPAOcQgvYAQpC9t09fXWx%2Funknown.png?alt=media&#x26;token=27f91669-e966-42db-841d-9df50180f6f4" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FXigwlfNDASFYUG9PUAdx%2Funknown.png?alt=media&#x26;token=93ea49ff-c996-47b7-9797-edd3f5cbf545" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FlbnKFG47B6lTE9iIK7Ok%2Funknown.png?alt=media&#x26;token=a9452d23-f0ce-4a20-b5d4-1b60d703a3b9" alt=""><figcaption></figcaption></figure>

**Note**: you must have the **Organization Policy Administrator** role (roles/orgpolicy.policyAdmin) to create a service account key.

5. **Enable Gmail API**

* Search for **Gmail API**

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FE1H1eq4izsojSKcjGEFY%2Funknown.png?alt=media&#x26;token=59cb8ade-b69a-4833-9cb9-7dc98b8f9e9a" alt=""><figcaption></figcaption></figure>

* Click on **Enable** for Gmail API

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FN2Eg7uM8IIaQ9GldcKJc%2Funknown.png?alt=media&#x26;token=5909323f-ae36-4878-b1a1-188415c2c1f7" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FmIrBRhqkXZSBxI0W8XSC%2Funknown.png?alt=media&#x26;token=da9e4fdd-cc71-4311-9e4d-9110a772892e" alt=""><figcaption></figcaption></figure>

6. **Upload service account key at KMS system**

* The admin goes to Organization Admin -> Gmail Provisioning feature
* Click on Start verification
* Upload the **downloaded JSON file** to the required system below

![](https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FROdAA41ODrS48WgPRhNg%2Funknown.png?alt=media\&token=c8c98c0f-855b-405a-b655-1d3b563b4146)

* Click **Verify** and wait for the verification process to complete

![](https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FsxRHSRnRTRdJKaotvr1o%2Funknown.png?alt=media\&token=aecd069b-dda8-4584-9cda-91949a0f3a15)

7. **Download CA Certificate**

* After the service account is verified -> **the CA file is generated automatically by the system**
* The admin needs to **download the file** and go to the next step

![](https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FbpglOapa3moQWWGYw5hu%2Funknown.png?alt=media\&token=3e9ebcb3-00ea-4e78-babf-8a3933a6780b)

* Download the file to local storage

![](https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2F6Kc8CDqXfWvOeeBfBmTc%2Funknown.png?alt=media\&token=dd07b874-667a-45ec-afb1-368d8d1560be)

8. **Upload to Google Admin Console**

* Open Google workspace admin console: [admin.google.com](http://admin.google.com)

  <figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FqDjsWkHeh7gQbO41fsYh%2Funknown.png?alt=media&#x26;token=b61f27d6-534d-4258-9a82-2fa63d58c647" alt=""><figcaption></figcaption></figure>
* Navigate to Apps -> Google Workspace -> Gmail -> User settings

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FXPkSUOBOUzy94JYLx6FE%2Fimage.png?alt=media&#x26;token=252e6326-f74e-47e2-b7ef-b513a81e1f7c" alt=""><figcaption></figcaption></figure>

* In the S/MIME section, enable **S/MIME encryption for sending and receiving emails**
* Then, enable **Allow users to upload their own certificates**

  <figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2Fx1bAhTOKeA9rFnlN6De8%2Funknown.png?alt=media&#x26;token=c2776f57-ff26-4995-a421-cb8ea7e6e1e5" alt=""><figcaption></figcaption></figure>
* Then, click **ADD** button -> **UPLOAD ROOT CERTIFICATE**

  <figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FjuZwzU3c8aiZ3LP2mZBn%2Funknown.png?alt=media&#x26;token=5d40bb1e-8821-4ccd-962b-e3a16455ea95" alt=""><figcaption></figcaption></figure>
* Upload the CA file in .pem format
* Enter the Org domain
* Click **Done** and wait for Google's approval (around 24 hours)

<div align="left"><figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FxBE5z0s82ub9bZ5BJKWG%2Funknown.png?alt=media&#x26;token=c70ac3df-7abf-4115-8c65-1f0907418d77" alt="" width="375"><figcaption></figcaption></figure></div>

* The approval process may take up to 24 hours; refer to the documentation [link](https://knowledge.workspace.google.com/admin/support/troubleshooting/how-changes-propagate-to-google-services?visit_id=639099359861759319-1195085483\&rd=1)

  <figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2Fb3GGGt2QUiaS4rnxBmvt%2Funknown.png?alt=media&#x26;token=731c130d-2c6c-4ea0-93bb-3afa1115a3c0" alt=""><figcaption></figcaption></figure>
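Before the uploads in steps 6 and 8, it is worth a quick sanity check that the two files are what each console expects: the downloaded JSON file should be a service account key, and the CA file should be a PEM certificate, not a private key. The script below is an added example and not part of this guide or the KMS system; it uses only constructed placeholder data and a stdlib-only structural check (it does not verify the certificate chain or signature).

```python
import base64
import json
import re

REQUIRED_SA_FIELDS = ("type", "project_id", "private_key_id",   # fields Google Cloud writes
                      "private_key", "client_email", "token_uri")  # into every SA JSON key
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def check_service_account_key(raw: str) -> list[str]:
    """Return the problems found in a service account JSON key ([] means it looks right)."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = [f"missing field '{f}'" for f in REQUIRED_SA_FIELDS if f not in data]
    if data.get("type") != "service_account":
        problems.append("'type' is not 'service_account' (an OAuth client file instead of a key?)")
    if not str(data.get("client_email", "")).endswith(".iam.gserviceaccount.com"):
        problems.append("'client_email' is not a *.iam.gserviceaccount.com address")
    pk = str(data.get("private_key", "")).strip()
    if not (pk.startswith("-----BEGIN PRIVATE KEY-----") and pk.endswith("-----END PRIVATE KEY-----")):
        problems.append("'private_key' is not a PEM PKCS#8 private key block")
    return problems

def check_ca_pem(raw: str) -> list[str]:
    """Return the problems found in the CA file that will be uploaded as a root certificate."""
    problems = []
    if "PRIVATE KEY" in raw:  # key material must never be uploaded to the admin console
        problems.append("file contains a PRIVATE KEY block; upload only the CA certificate")
    blocks = PEM_CERT_RE.findall(raw)
    if not blocks:
        return problems + ["no '-----BEGIN CERTIFICATE-----' block found (not .pem format?)"]
    for i, body in enumerate(blocks):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"certificate block {i} is not valid base64")
            continue
        if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
            problems.append(f"certificate block {i} does not decode to a DER SEQUENCE")
    return problems

# Constructed sample inputs with placeholder values: not a real key or certificate.
SAMPLE_SA_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project", "private_key_id": "abc123",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIB...\n-----END PRIVATE KEY-----\n",
    "client_email": "kacls-sa@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token"})
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
                 + "\n-----END CERTIFICATE-----\n")  # DER-shaped stub body, not a real certificate
```

Read each downloaded file from disk and pass its contents to the matching function; an empty list means the file passed the check.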

### III. Set up the provisioning job for email & send/receive mail

1. **Set up the provisioning job**

* Click on Provisioning setup

<figure><img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2F9c4Ae30QFYXqsGi90JZU%2Funknown.png?alt=media&#x26;token=bf942eb1-caca-43f3-a2e1-e477e0478ba0" alt=""><figcaption></figcaption></figure>

* Select Manual input or Upload file with the provided template
  * **Note:** The emails being used must share the same key service (KACLS) in order to be authorized to use the key for Wrap/Unwrap operations.

![](https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FXj5B12LsDInbnbILEcPU%2Funknown.png?alt=media\&token=859325e5-ef7a-4a28-8ae2-b00940fed906)

* Select a workspace

![](https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FYbJP8P2mFlBJ2jt6lbCS%2Funknown.png?alt=media\&token=27409d63-6168-4f53-88f3-da1fd39e0926)

* Select a key **(Symmetric AES or CHACHA20, 256 bits)**

![](https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FiyW04wD9KLzcO6iOStpU%2Funknown.png?alt=media\&token=daf503ee-a3cc-43d7-aeaf-8a27bb9aa848)

* Click on **Start provisioning** and wait until the job completes

2. **Send/Receive mail with encryption/decryption method**

* After the provisioning job is completed, the user can compose a new email
* Turn on Additional encryption

![](https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2Fz6lDjCgiDRd9mYjcPovP%2Funknown.png?alt=media\&token=1ec05ead-bec4-4a1a-a0b3-4363da10f5da)

* The mail is encrypted

![](https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2Fsfw6jOn5RocM72ac3Aoz%2Funknown.png?alt=media\&token=0208cceb-dbd3-40d0-8903-6ab66aa1394f)

* When sending mail, the user needs to sign in to verify the account

![](https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2FHvXoGUDQMixMCRaeaJUa%2Funknown.png?alt=media\&token=95f8a170-38f9-46bb-a875-f74b5b45676b)

* The receiver receives the encrypted mail

<img src="https://3096769065-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmutUsLoRLJp8ctxALgCG%2Fuploads%2F3xTYyQVKLVvYlC5WpYVg%2Funknown.png?alt=media&#x26;token=29fab5fb-2a17-4e40-8c9d-f91a54e607cd" alt="" data-size="original">

* Then, the receiver must sign in to verify the account in order to view the email body
