About client-side encryption

Supported editions for this feature: Enterprise; Education Standard and Education Plus. Compare your edition

You can use your own encryption keys to encrypt your organization's data, in addition to using the default encryption that Google Workspace provides. With Google Workspace Client-side encryption (CSE), content encryption is handled in the client's browser before any data is transmitted or stored in Drive's cloud-based storage. That way, Google servers can't access your encryption keys and decrypt your data.

To use CSE, you'll need to connect Google Workspace to an external encryption key service and an identity provider (IdP).

Your users can share CSE files internally or with external organizations, if those organizations also use Google Workspace and set up CSE.

Why use CSE?

Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities. With CSE, however, you have direct control of encryption keys and the identity provider used to access those keys. This additional control can help you strengthen the confidentiality of your sensitive or regulated data.

Your organization might need to use CSE for various reasons—for example:

Privacy—Your organization works with extremely sensitive intellectual property.
Regulatory compliance—Your organization operates in a highly regulated industry, like aerospace and defense, financial services, or government.

Availability of CSE

Google Workspace Client-side encryption is currently available only for the following data:

Google Drive data, including files created with Google Docs Editors (documents, spreadsheets, presentations) and uploaded files, like PDFs and Microsoft Office files.
Google Meet audio and video streams (beta), including screen sharing, transmitted between meeting participants and Google.

CSE will be available for other Google services in a later release.

Getting started with CSE

Expand section | Collapse all & go to top

Overview of setup steps for CSE

Here are the basic steps to set up Google Workspace Client-side encryption.

Step 1: Set up your external encryption key service

First, you'll set up an encryption key service through one of Google's partner services, or build your own service using the Google CSE API. This service controls the top-level encryption keys that protect your data. Learn more

Step 2: Connect Google Workspace to your external key service

Next, you'll add the location (URL) of your external key service, so Google Workspace can connect CSE for supported apps to it. Learn more

Step 3: Connect Google Workspace to your identity provider

For this step, you'll need to connect to either a third-party IdP or Google identity, using either the Admin console or a .well-known file hosted on your server. Your IdP verifies the identity of users before allowing them to encrypt content or access encrypted content. Learn more

Step 4: Turn on CSE for users

You can turn on CSE for any organizational units or groups in your organization. Note, however, that you need to turn on CSE only for users who need to create client-side encrypted content:

Google Drive—You need to turn on CSE only for users who need to create client-side encrypted documents, spreadsheets, and presentations or upload client-side encrypted files to Drive. You don't need to turn on CSE for users who only view and edit files shared with them.
Google Meet (beta)—You need to turn on CSE only for users who need to host client-side encrypted meetings. You don't need to turn on CSE for other participants in meetings.

For details about turning on CSE for users, see Create client-side encryption policies.

CSE user experience

After you set up client-side encryption for your organization, users for whom you enable CSE can use CSE with the following services.

Google Drive

Users can create client-side encrypted documents using Google Docs editors (such as documents and spreadsheets) or encrypt files they upload to Drive, such as PDFs.

Some features aren't available with encrypted files—for example:

If an encrypted file is created with Google Docs Editors, spelling and grammar checking features won't work. Also, only 1 collaborator can edit an encrypted document at a time; however, any number of users can view an encrypted document at the same time.
If a file is encrypted and uploaded to Drive, full-text search and file preview features won't work.

Drive for desktop

You can set up CSE for Drive for desktop when you connect Google Workspace to your IdP.

Drive for Desktop shows synced encrypted files as shortcuts on Windows and symbolic links on Mac. If a user clicks a shortcut or link to an encrypted Docs, Sheets, or Slides file, a new browser window opens.

Users can also:

Encrypt and upload a local file
Read and write some types of encrypted files, such as PDF and Microsoft Office files

Avoid storing decrypted sensitive information in Drive: Inform your Drive for desktop users that if they use the Download and decrypt option in Drive, they should avoid storing the decrypted files in local folders that sync with Drive.

For more information

You can find more details about the user experience and limitations of CSE with Drive in the following resources:

Google Meet (beta)

Users can host client-side encrypted meetings by selecting an option to add encryption when scheduling the meeting in Google Calendar or when starting an instant (unscheduled) meeting.

Some features aren't yet available with encrypted meetings—for example:

Recording meetings (if recording is saved to Drive)
Live streaming
Using a phone for audio
Chat
Polls
Whiteboarding
Meeting room hardware and mobile apps (coming soon)

Possible data loss if you disable or destroy your keys

Warning: If you disable or destroy an encryption key used to encrypt files in Drive, Google Workspace apps can't decrypt those files. Without this key, users can't view, edit, download, or use those files in any way. Before using CSE, make sure you discuss with your external key service how to keep your keys safe, including backup and restore options. Also, make sure you plan any changes to your key service carefully to avoid disrupting users' services.

Requirements for CSE

Administrator requirements

To set up Google Workspace Client-side encryption for your organization, you need to be a Super Admin for Google Workspace.

User requirements

Users need a Google Workspace Enterprise Plus or Google Workspace for Education Plus license to use CSE to:
- Create or upload files
- Host meetings
Users can have any type of Google Workspace or Cloud Identity license to:
- To view, edit, or download an existing file encrypted with CSE
- Join a CSE meeting
Users with a consumer Google Account (such as Gmail users) can't access CSE files or participate in CSE meetings.
To view or edit encrypted files, users must use either the Google Chrome or Microsoft Edge browser.
To join a CSE meeting, users must be invited or added during the meeting. Knocking isn't available for CSE meetings.
Access to CSE files and meetings depends on your organization's CSE policies.

External user requirements

External organizations that your users will collaborate with must also set up CSE, either in the Admin console or with a .well-known file.
External users must have a Google Workspace license to access your content encrypted with CSE. Users with a consumer Google Account or a visitor account can't access files encrypted with CSE.
Your external encryption service must allowlist the third-party IdP service that's used by the external organization's users you want your users to share CSE files with. You can usually find the IdP service in their publicly available .well-known file, if they set up one. Otherwise, contact the external organization's Google Workspace admin for their IdP details.

External users need to share identity information: Make sure you inform the external organization's admin that their users need to provide their authentication token to your key service to view or edit encrypted files owned by your organization. The authentication process requires a user to share their IP address and other information. For details, see Authentication tokens in the Client-side encryption API Reference guide.

View logs and reports for CSE

You can view the following CSE logs and reports for Drive. Logs and reports aren't yet available for Meet.

Audit log

View the history of changes to your organization's CSE settings.

Go to ReportsAudit logAdmin.

Encrypted files upload/download report

Get a report on the number of encrypted files that are uploaded and downloaded over time.

Go to SecurityDashboardClient-side encryption.

Encrypted files investigation report

Use the security investigation tool to get a report on Drive activity for encrypted files.

Go to SecurityInvestigation tool.
Click Data source Drive log events.
Click Add condition Add condition Encrypted.
Set the condition to True.
Click Search.

Client-side encryption FAQ

Expand section | Collapse all & go to top

General questions

Where can I find information about Google's default encryption?

For details about Google's default encryption, go to the Google Cloud site.

How is CSE different from end-to-end (e2e) encryption?

With end-to-end encryption (e2e), encryption and decryption always occur on the source and destination devices (such as on mobile phones for instant messaging). Encryption keys are generated on the client, so as an administrator, you don't have control over the keys on the clients and who can use them. In addition, you don't have visibility into which content users have encrypted.

With client-side encryption (CSE), encryption and decryption also always occur on the source and destination devices, which in this case are the clients' browsers. However, with CSE, clients use encryption keys that are generated and stored in a cloud-based key management service, so you can control the keys and who has access to them. For example, you can revoke a user's access to keys, even if that user generated them. Also, with CSE, you can monitor users' encrypted files.

Setting up CSE

Which partner key management services can I use with CSE?

Google has partnered with the following key management services for use with CSE:

Can I use Google as my key management service?

No, you'll need to use an external key management service to set up Google Workspace Client-side encryption. With CSE, you control your own encryption keys, and Google can't access them to decrypt your data.

How do I limit which users or groups have access to my external key service?

You manage the access control list (ACL) for encryption keys through your external key service. Contact your encryption provider for more information.

How do I set up CSE for shared drives?

You don't need to set up CSE specifically for shared drives. The external key service you set up in the Admin console works for files in both My Drive and shared drives.

Working with CSE files

What data is encrypted with CSE?

Google Drive:

All file content, such as the body of a document
Embedded content, like images in a Google Docs file

Google Meet (beta):

Media stream (video and audio data) transmitted between meeting participants and Google

What data is not encrypted with CSE?

Google Drive:

File title
File metadata, such as owner, creator, and last-modified time
Drive labels (also called Drive metadata)
Linked content that’s outside of Docs or Drive (for example, a YouTube video linked from a Google document)
User preferences, such as Docs header styles

Google Meet (beta):

Any data other than the media stream (audio and video).

Can I re-encrypt existing files with a different encryption key?

This feature will be available in a later release.

Can I switch encryption for a file to Google's default encryption?

This feature will be available in a later release.

How do I decrypt exported files?

To decrypt CSE files you export using the Data Export tool or Google Vault, you can use the decrypter, a command-line utility. For details, see Decrypt exported client-side encrypted files.

Can I retain, search, and export encrypted files in Google Vault?

Yes, if your Google Workspace edition has Google Vault, you can retain, search for, and export CSE files in Vault. You can search for client-side encrypted files by their metadata, such as title and owner. However, you can’t search their content, search by file type, preview the content, or download from the preview view. For details, see Working with client-side encrypted files in Vault.

Scanning CSE files

Does Drive automatically scan CSE files for security threats?

CSE files aren't scanned for phishing and malware, because Google's servers don't have access to these files' content.

Can I run DLP scans for content in CSE files?

Data loss prevention (DLP) scans can't access client-side encrypted content in files. However, because DLP scans can access a file's metadata like the file title and Drive labels, which isn't encrypted, they can still help to prevent leaks of sensitive data.

Using CSE with Drive for desktop

Does Drive for desktop sync CSE files?

Drive for desktop shows synced encrypted files as shortcuts on Windows and symbolic links on Mac.

Does Drive for desktop re-encrypt downloaded CSE files if they're synced back to Drive?

No, a CSE file that's downloaded and decrypted in a local folder that syncs with Drive will be stored in clear text in Drive.

Was this helpful?

How can we improve it?