You can use your own encryption keys to encrypt your organization's data, instead of using the encryption that Google Workspace provides. With Google Workspace Client-side encryption (CSE), file encryption is handled in the client's browser before it's stored in Drive's cloud-based storage. That way, Google servers can't access your encryption keys and, therefore, can't decrypt your data. To use CSE, you'll need to connect Google Workspace to an external encryption key service and an identity provider (IdP).
Why use CSE?
Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities. With CSE, however, you have direct control of encryption keys and the identity provider used to access those keys to further strengthen the security of your data.
Your organization might need to use CSE for various reasons—for example:
- Privacy—Your organization works with extremely sensitive intellectual property.
- Regulatory compliance—Your organization operates in a highly regulated industry, like aerospace and defense, financial services, or government.
Availability of CSE
Google Workspace Client-side encryption is currently available only for Google Drive data, including files created with Google Docs Editors (documents, spreadsheets, presentations) and uploaded files, like PDFs. CSE will be available for other Google services in a later release.
Sign up for the CSE beta
Administrators for Google Workspace Enterprise Plus or Education Plus can apply for the CSE beta program.
Getting started with CSE
Here are the basic steps to set up Google Workspace Client-side encryption.
Step 1: Set up your external encryption key service
First, you'll set up an encryption key service through one of Google's partner services, or build your own service using the Google CSE API. This service controls the top-level encryption keys that protect your data.
Step 2: Connect Google Workspace to your external key service
Next, you'll specify the location of your external key service in the Google Admin console, so Google Workspace can connect to it.
Step 3: Connect Google Workspace to your identity provider
For this step, you'll need to connect to either a third-party IdP or Google identity, using either the Admin console or a .well-known file hosted on your server. Your IdP verifies the identity of users before allowing them to encrypt files or access encrypted files.
Step 4: Enable CSE for users
You can enable CSE for any organizational units or groups in your organization. Note, however, that you need to enable CSE only for users who will create client-side encrypted documents, spreadsheets, and presentations or upload client-side encrypted files to Drive. You don't need to enable CSE for users who only view and edit files shared with them.
After you set up client-side encryption for your organization, users for whom you enable CSE can choose to create encrypted documents using Google Docs editors (such as documents and spreadsheets) or encrypt files they upload to Drive, such as PDFs.
Note that some features aren't available with encrypted files. For example:
- If an encrypted file is created with Google Docs Editors, spelling and grammar checking features won't work. Also, only 1 collaborator can edit an encrypted document at a time; however, any number of users can view an encrypted document at the same time.
- If a file is encrypted and uploaded to Drive, full-text search and file preview features won't work.
For more information about the user experience and limitations of CSE, see:
To set up Google Workspace Client-side encryption for your organization, you need to be a Super Admin for Google Workspace.
- To use CSE to create or upload files, users need a Google Workspace Enterprise Plus, Google Workspace for Education Plus, or Enterprise Essentials license. To view, edit, or download an existing file encrypted with CSE, users can have any type of Google Workspace or Cloud Identity license. Only users with a consumer Google Account (such as Gmail users) can't access CSE files.
- To view or edit encrypted files, users must use either the Google Chrome or Microsoft Edge browser.
External recipient requirements
- During the beta, external recipients must have a Google Workspace license to access your content encrypted with CSE. Recipients with a consumer Google Account or a visitor account can't access files encrypted with CSE.
- External organizations must also set up CSE, either in the Admin console or with a .well-known file.
- Your external encryption service must allowlist the third-party IdP service that's used by the external domain or the individuals you want to share CSE files with. You can usually find the IdP service in their publicly available .well-known file, if they set up one. Otherwise, contact the external organization's Google Workspace admin for their IdP details.
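The allowlisting requirement above is a trust decision your key service makes on every request. The following sketch is an added example, not Google's or any partner's code: it assumes the token signature has already been verified upstream, and the `TrustedIdp` structure, issuer URLs, client IDs and sample claims are all hypothetical. It binds each allowlisted IdP to the email domains it may vouch for, so an external partner's IdP cannot assert identities in your own domain.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TrustedIdp:
    issuer: str         # exact "iss" value this IdP puts in its tokens
    audience: str       # client ID registered for CSE at this IdP
    domains: frozenset  # email domains this IdP is allowed to vouch for

# Constructed allowlist: your own IdP plus one external partner's IdP.
ALLOWLIST = [
    TrustedIdp("https://idp.example.com", "cse-client-own",
               frozenset({"example.com"})),
    TrustedIdp("https://login.partner.example", "cse-client-partner",
               frozenset({"partner.example"})),
]

def authorize(claims, allowlist, now):
    """Return (allowed, reason) for claims from an already-verified token."""
    idp = next((i for i in allowlist if i.issuer == claims.get("iss")), None)
    if idp is None:
        return False, "issuer not allowlisted"
    aud = claims.get("aud")
    if idp.audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    email = claims.get("email")
    if not isinstance(email, str) or email.count("@") != 1:
        return False, "missing or malformed email"
    # An allowlisted issuer is only trusted for its own domains.
    if email.rsplit("@", 1)[1].lower() not in idp.domains:
        return False, "IdP not trusted for this email domain"
    return True, "ok"

NOW = 1_700_000_000  # constructed "current time" (Unix seconds)
SAMPLES = {          # constructed claim sets
    "own_user": {"iss": "https://idp.example.com", "aud": "cse-client-own",
                 "exp": NOW + 300, "email": "alice@example.com"},
    "partner_user": {"iss": "https://login.partner.example",
                     "aud": ["cse-client-partner"], "exp": NOW + 300,
                     "email": "bob@partner.example"},
    "unknown_idp": {"iss": "https://idp.other.example", "aud": "x",
                    "exp": NOW + 300, "email": "eve@other.example"},
    "cross_domain": {"iss": "https://login.partner.example",
                     "aud": "cse-client-partner", "exp": NOW + 300,
                     "email": "alice@example.com"},
}
```
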
You can view the following logs and reports:
View the history of changes to your organization's CSE settings.
Go to Reports > Audit log > Admin.
Encrypted files upload/download report
Get a report on the number of encrypted files that are uploaded and downloaded over time.
Go to Security > Dashboard > Client-side encryption.
Encrypted files investigation report
Use the security investigation tool to get a report on Drive activity for encrypted files.
- Go to Security > Investigation tool.
- Click Data source > Drive log events.
- Click Add condition > Encrypted.
- Set the condition to True.
- Click Search.
Client-side encryption FAQ
Where can I find information about Google's default encryption?
Which partner key management services can I use with CSE?
Can I use Google as my key management service?
What data is encrypted with CSE?
- All file content, such as the body of a document
- Embedded content, like images in a Google doc
What data is not encrypted with CSE?
- File title
- File metadata, such as owner, creator, and last-modified time
- Drive labels (also called Drive metadata)
- Linked content that’s outside of Docs or Drive (for example, a YouTube video linked from a Google document)
- User preferences, such as Docs header styles