β π TinyVault
DIY Google Workspace encryption for ~$0.10/month
GitHub Repo: https://github.com/shawntz/tinyvaultβ
β οΈ IMPORTANT DISCLAIMER : TinyVault is an unaudited, open-source project for personal use and learning. It has NOT been professionally audited or certified for compliance (HIPAA, PCI, FedRAMP, etc.). While it uses secure Google Cloud components, TinyVault itself is a DIY solution. Use at your own risk. For mission-critical or regulated data, consider professionally audited enterprise solutions.
β π‘ What is TinyVault?
TinyVault is a lightweight, self-hosted KACLS endpoint for Google Workspace Client-Side Encryption (CSE). It enables you to encrypt Gmail, Drive, Calendar, and Meet content with your own encryption keysβwithout paying thousands of dollars for enterprise CSE partner solutions.
Best for : Personal use, small teams, learning, non-critical data
NOT for : HIPAA/PCI/regulated data (without your own compliance work), mission-critical enterprise use (without hardening)
β The Problem
Google Workspace CSE requires a third-party key service. Google's official partners charge:
$10-30 per user/month minimum
Enterprise-only pricing (often 50+ user minimums)
Annual contracts starting at $6,000+
For individuals or small teams, this is prohibitively expensive.
β The Solution
TinyVault lets you run your own CSE endpoint for ~$0.10-0.50/month using:
Google Cloud Run (serverless, free tier available)
Google Cloud KMS (secure key storage, FIPS 140-2 validated)
Your own infrastructure and control
β β¨ Features
π Secure : Uses Google Cloud KMS for key management (FIPS 140-2 validated)
π° Cheap : Runs in Cloud Run free tier (~$0.10-0.50/month for single user)
π Simple : Deploy in under 5 minutes with automated scripts
π Custom Domains : Professional setup with your own domain
π³ Docker Ready : Pre-built containers on Docker Hub
π Well Documented : Comprehensive guides and troubleshooting
π Open Source : MIT licensed, contribute and customize freely
β Run Locally with Docker
# Pull the image
docker pull shawnschwartz/tinyvault:latest
# Run with your configuration
docker run -d \
-p 8080:8080 \
-e GCP_PROJECT_ID=your-project \
-e KMS_LOCATION=us-central1 \
-e KMS_KEYRING=cse-keyring \
-e KMS_KEY=cse-key \
-e [email protected] \
-v /path/to/service-account.json:/app/key.json \
-e GOOGLE_APPLICATION_CREDENTIALS=/app/key.json \
--name tinyvault \
shawnschwartz/tinyvault:latest
Copy
β π Security
β Security Maturity Level
Current Status : β οΈ Prototype / Personal Use
TinyVault is:
β NOT security audited by third-party professionals
β NOT penetration tested
β NOT certified for any compliance framework (HIPAA, PCI, FedRAMP, SOC 2, etc.)
β NOT recommended for production enterprise use without significant hardening
β NOT a replacement for professionally audited enterprise CSE solutions
TinyVault IS:
β
Good for : Personal use, learning, experimentation, non-critical data
β
Open source : Code is transparent and auditable (by you or security professionals you hire)
β
Based on secure components : Uses Google Cloud KMS and Cloud Run
If you need compliance certification , you are responsible for:
Hiring security auditors
Penetration testing
Code review
Compliance documentation
Risk assessment
Incident response planning
β What IS Secure (Google Cloud Components)
The underlying Google Cloud infrastructure TinyVault uses:
Google Cloud KMS (where keys are stored):
β
FIPS 140-2 Level 3 validated hardware security modules
β
ISO/IEC 27001 certified
β
SOC 2/3 compliant
β
HIPAA eligible (with BAA)
β
PCI DSS compliant
Google Cloud Run (where TinyVault runs):
β
HTTPS enforced (TLS 1.2+)
β
Automatic SSL certificates
β
ISO 27001, SOC 2/3 certified
β
Infrastructure security managed by Google
β What IS NOT Secure (TinyVault Application)
TinyVault application code :
β οΈ No professional security audit
β οΈ No penetration testing
β οΈ No formal threat modeling
β οΈ No security certifications
β οΈ Minimal input validation
β οΈ No rate limiting by default
β οΈ No WAF (Web Application Firewall) by default
β οΈ Unauthenticated Cloud Run endpoint (by design for KACLS protocol)
β Security Architecture
What's good :
β
Master encryption keys never leave Google Cloud KMS (FIPS 140-2 validated HSMs)
β
Keys are never exposed to the application or stored anywhere except KMS
β
OAuth2 token verification for incoming requests
β
Email-based authorization (restrict to specific users)
β
All KMS operations logged via Cloud Audit Logs
β
HTTPS-only connections enforced by Cloud Run
β
Encrypted data at rest (wrapped DEKs stored with encrypted content)
What could be better :
β οΈ No rate limiting (could be DDoS'd)
β οΈ Cloud Run endpoint is public (required for Google Workspace, but increases attack surface)
β οΈ No request signing/validation beyond OAuth2 token
β οΈ No anomaly detection
β οΈ No intrusion detection
β οΈ Minimal monitoring by default
β Security Recommendations by Use Case
β β
Personal Use (1-5 people, non-sensitive data)
Current security is adequate
Follow the basic security checklist below
Accept that this is DIY software
β β οΈ Small Team (5-20 people, somewhat sensitive data)
Current security is marginal
Add : Rate limiting, WAF (Cloud Armor), monitoring alerts
Consider : Security code review by a professional
Accept risk : This is not enterprise-grade
β β Enterprise / Regulated Data (HIPAA, PCI, etc.)
Current security is insufficient
Required : Full security audit, penetration testing, compliance documentation
Required : Hire security professionals to harden
Recommended : Use a professionally audited CSE partner instead