{"id":28372977,"url":"https://github.com/googleworkspace/drive-cse-upload","last_synced_at":"2025-06-25T12:31:14.372Z","repository":{"id":247838194,"uuid":"825966067","full_name":"googleworkspace/drive-cse-upload","owner":"googleworkspace","description":null,"archived":false,"fork":false,"pushed_at":"2025-04-09T19:14:43.000Z","size":26,"stargazers_count":4,"open_issues_count":1,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-05-29T18:57:39.110Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/googleworkspace.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-08T21:14:35.000Z","updated_at":"2025-04-14T17:56:43.000Z","dependencies_parsed_at":"2025-04-08T20:22:43.505Z","dependency_job_id":"577a4240-a03b-4764-aa79-5d65b20d5362","html_url":"https://github.com/googleworkspace/drive-cse-upload","commit_stats":null,"previous_names":["googleworkspace/drive-cse-upload"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/googleworkspace/drive-cse-upload","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleworkspace%2Fdrive-cse-upload","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleworkspace%2Fdrive-cse-upload/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleworkspace%2Fdrive-cse-upload/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleworkspace%2Fdrive-cse-upload/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/googleworkspace","download_url":"https://codeload.github.com/googleworkspace/drive-cse-upload/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/googleworkspace%2Fdrive-cse-upload/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261874317,"owners_count":23223094,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-05-29T18:38:29.233Z","updated_at":"2025-06-25T12:31:14.364Z","avatar_url":"https://github.com/googleworkspace.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Drive CSE Upload\n\nWith\n[Google Workspace Client-side encryption](https://support.google.com/a/answer/10741897)\n(CSE), you can add another layer of encryption to your organization's data —\nlike files and emails — in addition to the default encryption that Google\nWorkspace provides.\n\nFor select Google Workspace editions, admins can import sensitive files from\nthird-party storage using Client-side encryption and the\n[Google Drive API](https://developers.google.com/drive/api/guides/about-sdk),\npreserving the confidentiality of your data. Eligible admins can apply for beta\naccess using\n[this form](http://docs/forms/d/e/1FAIpQLSfCROxYOykvmIiEx0X7rdsGqQwb4iXjc_PJVw83QGNHisgh0A/viewform).\n\nIn this package we are providing a code sample (in the form of a Python library)\nto upload files hosted locally to Google Drive as Client-side encrypted (CSE)\nfiles.\n\n## Project Prerequisites\n\n### Google Cloud\n\n-   Have a [Cloud](https://console.cloud.google.com/) project\n-   Have Google Drive API\n    [enabled](https://developers.google.com/workspace/guides/view-turn-off-apis)\n    for the project\n-   Have a user with an admin rights in that project\n-   Have a\n    [service-account](https://developers.google.com/identity/protocols/oauth2#serviceaccount)\n    configured for the project\n-   Have the service-account provisioned for\n    [Domain Wide Delegation](https://support.google.com/a/answer/162106)\n-   Store the Service Account Private Key File downloaded during the account\n    creation\n\n    Note: The file is only downloaded during creation; you cannot re-download it\n\n### Identity Provider (IDP)\n\n-   Have an OAuth Client ID for Desktop\n-   Download and store the Client Secret File for the configured OAuth Client Id\n\n### Google Admin Console\n\n-   Have [CSE](https://support.google.com/a/answer/14309952) configured for the\n    domain\n-   Have an IDP [configured](https://support.google.com/a/answer/10743588) for\n    the domain\n-   Have a\n    [KACLS](https://developers.google.com/workspace/cse/guides/configure-service)\n    configured for the domain\n\n### Key ACL Service (KACLS)\n\n-   The KACLS must support the `/privilegedwrap`, `/privilegedunwrap`, and\n    `/digest` endpoints\n-   Have the KACLS configured for the domain allow `/privilegedwrap` and\n    `/privilegedunwrap` by the admin user\n-   Have the KACLS configured for the domain allow `/digest` by Google\n-   See https://developers.google.com/workspace/cse/reference\n\n## Installing this Package\n\nThe easiest way to install this package is to get it from [PyPi](https://pypi.org/project/drive-cse-upload/):\n\n```shell\npip install drive-cse-upload\n```\n\nThis will get this package and all of its dependencies.\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\nIf you get this package from GitHub, you'll need to install its dependencies separately.\n\n##### Python\n\n-   Python 3.10.7 or greater\n\n##### Tink Cryptographic Library\n\n-   https://developers.google.com/tink\n\n```shell\npip3 install tink\u003e=1.10.0\n```\n\n##### Google Client Library\n\n-   https://developers.google.com/drive/api/quickstart/python\n\n```shell\npip install --upgrade google-api-python-client google-auth-httplib2 google-auth-oauthlib\n```\n\n\u003c/details\u003e\n\n## Running the Example\n\n-   Set these parameters to match your setup\n\n    -   `SA_KEY_FILE`: The Service Account Private Key File\n    -   `CLIENT_SECRET_FILE`: The OAuth Client Secret File\n    -   `SAVED_CREDS_FILE`: Where to store the IDP Oauth credentials\n    -   `AS_USER`: Upload the file as this user (an email-address)\n    -   `INPUT_FILE` The file to upload\n    -   `PARENT_ID` The parent folder/shared-drive for the uploaded file\n        (optional)\n\n    Note: The first three files listed above contain sensitive information that\n    should be protected. Users must ensure that the files passed-in / created\n    are not readable by anyone but their owner.\n\n```shell\n$ python example.py \\\n  --sa-key-file \"${SA_KEY_FILE}\" \\\n  --client-secret-file \"${CLIENT_SECRET_FILE}\" \\\n  --saved-creds-file \"${SAVED_CREDS_FILE}\" \\\n  --as-user \"${AS_USER}\" \\\n  \"${INPUT_FILE}\"\n```\n\nThis will upload and validate the file `${INPUT_FILE}` to `${AS_USER}`'s root\nMyDrive.\n\n```shell\n$ python example.py \\\n  --sa-key-file \"${SA_KEY_FILE}\" \\\n  --client-secret-file \"${CLIENT_SECRET_FILE}\" \\\n  --saved-creds-file \"${SAVED_CREDS_FILE}\" \\\n  --as-user \"${AS_USER}\" \\\n  --parent-id \"${PARENT_ID}\" \\\n  \"${INPUT_FILE}\"\n```\n\nThis will upload and validate the file `${INPUT_FILE}` as a child of the folder\nor shared-drive designated by `${PARENT_ID}`.\n\nAs part of the upload process, you'll be prompted to open a browser window with\na URL for authenticating with the IDP. Enter the admin user credentials there to\ncontinue.\n\nWhen done, the code will print the name and the id of the newly uploaded file.\nYou can see the file in the Drive web client. To ensure that the file is\nuploaded correctly, now try the \"Download and decrypt\" action. This should\ndownload the decrypted file to your local host.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogleworkspace%2Fdrive-cse-upload","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogleworkspace%2Fdrive-cse-upload","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogleworkspace%2Fdrive-cse-upload/lists"}