Supported editions for this feature: Enterprise; Education Standard and Education Plus.
You can use your own encryption keys to encrypt your organization's data, in addition to using the default encryption that Google Workspace provides. With Google Workspace Client-side encryption (CSE), content encryption is handled in the client's browser before any data is transmitted or stored in Drive's cloud-based storage. That way, Google servers can't access your encryption keys and decrypt your data.
To use CSE, you'll need to connect Google Workspace to an external encryption key service and an identity provider (IdP).
Your users can share CSE files internally or with external organizations, if those organizations also use Google Workspace and set up CSE.
Why use CSE?
Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities. With CSE, however, you have direct control of encryption keys and the identity provider used to access those keys. This additional control can help you strengthen the confidentiality of your sensitive or regulated data.
Your organization might need to use CSE for various reasons—for example:
- Privacy—Your organization works with extremely sensitive intellectual property.
- Regulatory compliance—Your organization operates in a highly regulated industry, like aerospace and defense, financial services, or government.
Availability of CSE
Google Workspace Client-side encryption is currently available only for the following data:
- Google Drive data, including files created with Google Docs Editors (documents, spreadsheets, presentations) and uploaded files, like PDFs and Microsoft Office files.
- Google Meet audio and video streams (beta), including screen sharing, transmitted between meeting participants and Google.
CSE will be available for other Google services in a later release.
Getting started with CSE
Here are the basic steps to set up Google Workspace Client-side encryption.
Step 1: Set up your external encryption key service
First, you'll set up an encryption key service through one of Google's partner services, or build your own service using the Google CSE API. This service controls the top-level encryption keys that protect your data.
Step 2: Connect Google Workspace to your external key service
Next, you'll add the location (URL) of your external key service, so Google Workspace can connect CSE for supported apps to it.
Step 3: Connect Google Workspace to your identity provider
For this step, you'll need to connect to either a third-party IdP or Google identity, using either the Admin console or a .well-known file hosted on your server. Your IdP verifies the identity of users before allowing them to encrypt content or access encrypted content.
Step 4: Turn on CSE for users
You can turn on CSE for any organizational units or groups in your organization. Note, however, that you need to turn on CSE only for users who need to create client-side encrypted content:
- Google Drive—You need to turn on CSE only for users who need to create client-side encrypted documents, spreadsheets, and presentations or upload client-side encrypted files to Drive. You don't need to turn on CSE for users who only view and edit files shared with them.
- Google Meet (beta)—You need to turn on CSE only for users who need to host client-side encrypted meetings. You don't need to turn on CSE for other participants in meetings.
For details about turning on CSE for users, see Create client-side encryption policies.
After you set up client-side encryption for your organization, users for whom you enable CSE can use CSE with the following services.
Google Drive
Users can create client-side encrypted documents using Google Docs editors (such as documents and spreadsheets) or encrypt files they upload to Drive, such as PDFs.
Some features aren't available with encrypted files—for example:
- If an encrypted file is created with Google Docs Editors, spelling and grammar checking features won't work. Also, only 1 collaborator can edit an encrypted document at a time; however, any number of users can view an encrypted document at the same time.
- If a file is encrypted and uploaded to Drive, full-text search and file preview features won't work.
Drive for desktop
You can set up CSE for Drive for desktop when you connect Google Workspace to your IdP.
Drive for desktop shows synced encrypted files as shortcuts on Windows and symbolic links on Mac. If a user clicks a shortcut or link to an encrypted Docs, Sheets, or Slides file, a new browser window opens.
Users can also:
- Encrypt and upload a local file
- Read and write some types of encrypted files, such as PDF and Microsoft Office files
Avoid storing decrypted sensitive information in Drive: Inform your Drive for desktop users that if they use the Download and decrypt option in Drive, they should avoid storing the decrypted files in local folders that sync with Drive.
For more information
You can find more details about the user experience and limitations of CSE with Drive in the following resources:
- Get started with encrypted files in Drive, Docs, Sheets & Slides
- Collaborate on encrypted Docs, Sheets, and Slides
Google Meet (beta)
Users can host client-side encrypted meetings by selecting an option to add encryption when scheduling the meeting in Google Calendar or when starting an instant (unscheduled) meeting.
Some features aren't yet available with encrypted meetings—for example:
- Recording meetings (if recording is saved to Drive)
- Live streaming
- Using a phone for audio
- Chat
- Polls
- Whiteboarding
- Meeting room hardware and mobile apps (coming soon)
Administrator requirements
To set up Google Workspace Client-side encryption for your organization, you need to be a Super Admin for Google Workspace.
User requirements
- Users need a Google Workspace Enterprise Plus or Google Workspace for Education Plus license to use CSE to:
  - Create or upload files
  - Host meetings
- Users can have any type of Google Workspace or Cloud Identity license to:
  - View, edit, or download an existing file encrypted with CSE
  - Join a CSE meeting
- Users with a consumer Google Account (such as Gmail users) can't access CSE files or participate in CSE meetings.
- To view or edit encrypted files, users must use either the Google Chrome or Microsoft Edge browser.
- To join a CSE meeting, users must be invited or added during the meeting. Knocking isn't available for CSE meetings.
- Access to CSE files and meetings depends on your organization's CSE policies.
External user requirements
- External organizations that your users will collaborate with must also set up CSE, either in the Admin console or with a .well-known file.
- External users must have a Google Workspace license to access your content encrypted with CSE. Users with a consumer Google Account or a visitor account can't access files encrypted with CSE.
- Your external encryption service must allowlist the third-party IdP service that's used by the external organization's users you want your users to share CSE files with. You can usually find the IdP service in their publicly available .well-known file, if they set up one. Otherwise, contact the external organization's Google Workspace admin for their IdP details.
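The key flow described in the overview (content encrypted in the client, keys held by an external key service, access gated by an IdP) and the external-IdP allowlisting requirement above, as an added example that is not Google's code or the Google CSE API. It is a simplified Node.js model; `makeKeyService`, `wrap`, `unwrap`, the token shape, and the issuer URLs are all assumptions made for illustration.

```javascript
// Added illustration: a simplified model of the CSE key flow, not the Google CSE API.
const crypto = require('node:crypto');

// Hypothetical key service: holds the top-level key (KEK) and an IdP allowlist.
function makeKeyService(allowedIdps) {
  const kek = crypto.randomBytes(32); // never leaves the key service
  const check = (token) => {
    // Stand-in for verifying a signed IdP token; only the issuer is checked here.
    if (!allowedIdps.includes(token.iss)) throw new Error('IdP not allowlisted: ' + token.iss);
  };
  return {
    wrap(token, dek) { check(token); return seal(kek, dek); },
    unwrap(token, wrapped) { check(token); return open(kek, wrapped); },
  };
}

// AES-256-GCM helpers, used for both content encryption and key wrapping.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}

// Client side: encrypt locally; storage receives only ciphertext plus the wrapped DEK.
function clientEncrypt(keyService, token, content) {
  const dek = crypto.randomBytes(32); // per-file data encryption key
  return { body: seal(dek, Buffer.from(content)), wrappedDek: keyService.wrap(token, dek) };
}
function clientDecrypt(keyService, token, stored) {
  const dek = keyService.unwrap(token, stored.wrappedDek);
  return open(dek, stored.body).toString();
}

// Constructed sample data: the issuer URLs are placeholders.
const ks = makeKeyService(['https://idp.example.com', 'https://idp.partner.example']);
const stored = clientEncrypt(ks, { iss: 'https://idp.example.com', sub: 'alice' }, 'Q3 design notes');
console.log(clientDecrypt(ks, { iss: 'https://idp.partner.example', sub: 'bob' }, stored));
```

The `stored` object stands for everything the storage provider holds: without a successful `unwrap` from the key service it contains no usable key, and a user whose IdP is missing from the allowlist is refused at that step.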
You can view the following CSE logs and reports for Drive. Logs and reports aren't yet available for Meet.
Audit log
View the history of changes to your organization's CSE settings.
Go to Reports > Audit log > Admin.
Encrypted files upload/download report
Get a report on the number of encrypted files that are uploaded and downloaded over time.
Go to Security > Dashboard > Client-side encryption.
Encrypted files investigation report
Use the security investigation tool to get a report on Drive activity for encrypted files.
- Go to Security > Investigation tool.
- Click Data source > Drive log events.
- Click Add condition > Encrypted.
- Set the condition to True.
- Click Search.
Client-side encryption FAQ
General questions
Setting up CSE
Working with CSE files
Google Drive:
- All file content, such as the body of a document
- Embedded content, like images in a Google Docs file
Google Meet (beta):
Media stream (video and audio data) transmitted between meeting participants and Google
Google Drive:
- File title
- File metadata, such as owner, creator, and last-modified time
- Drive labels (also called Drive metadata)
- Linked content that’s outside of Docs or Drive (for example, a YouTube video linked from a Google document)
- User preferences, such as Docs header styles
Google Meet (beta):
Any data other than the media stream (audio and video).
Scanning CSE files
Using CSE with Drive for desktop