> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/kms-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/kms-support/google-cse-integration/view-google-cse-files-wrapped-by-workspace-key.md).

# View Google CSE Files Wrapped by Workspace Key

### Objective

Establish a transparent visibility and governance layer for Google Client-Side Encrypted (CSE) files by allowing workspace users to view and manage Google Drive files encrypted with workspace-managed keys, without breaking Google’s native ownership and access model.

***

### Function Purpose

**Centralized Visibility:**\
Allow workspace users to see all Google Drive files that are encrypted using Google CSE and wrapped by keys they have access to, regardless of file ownership or sharing source.

**Key Transparency:**\
Provide clear insight into encryption details, including which key, key version, and workspace are responsible for protecting each file.

**Controlled Re-encryption:**\
Enable authorized users to re-wrap files with a different workspace key, ensuring encryption policies remain aligned with workspace governance and data classification needs.

***

### Current MVP Limitation

**Metadata-Only Scope:**

* The system only reads Google Drive file metadata via Google OAuth.
* File content is never accessed or decrypted by **Oten KMS**.

**CSE-Only Visibility:**

* Only files encrypted with Google Client-Side Encryption are listed.
* Non-CSE files are excluded from the view.

**Permission-Bound Actions:**

* File re-wrap (Change Key) is available only if:
  * The user has explicit permission.
  * The target key is ACTIVE.
  * Google CSE supports re-wrap for the file type.
* Cross-workspace visibility is limited to keys the user already has access to.

***

### Setup Impact

Once authenticated via Google OAuth, the system will automatically:

* Fetch Google Drive file metadata for the logged-in user.
* Filter and group files based on workspace key ownership.
* Display encryption details without requiring any manual key lookup.
* Enforce permission checks before allowing any key change or re-wrap action.

No additional configuration is required from workspace users.\
Re-wrap operations, if permitted, are executed through Google CSE and fully audited.
