Supported editions for this feature: Enterprise; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition
You can use your own encryption keys to encrypt your organization's data—like files and emails—in addition to using the default encryption that Google Workspace provides. With Google Workspace Client-side encryption (CSE), content encryption is handled in the client's browser before any data is transmitted or stored in Google's cloud-based storage. That way, Google servers can't access your encryption keys and decrypt your data. After you set up CSE, you can choose which users can create client-side encrypted content and share or send it internally or externally.
On this page
- Why use CSE?
- CSE support for services, applications, and data
- CSE setup overview
- CSE requirements
- CSE user experience
- CSE logs and reports
- CSE FAQ
Why use CSE?
Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities for all services. In addition, Gmail uses TLS (Transport Layer Security) for communication with other email service providers. With CSE, however, you have direct control of encryption keys and the identity provider used to access those keys. This additional control can help you strengthen the confidentiality of your sensitive or regulated data. Your organization might need to use CSE for various reasons—for example:
- Privacy—Your organization works with extremely sensitive intellectual property.
- Regulatory compliance—Your organization operates in a highly regulated industry, like aerospace and defense, financial services, or government.
Supported services and data types
Google Workspace Client-side encryption is currently available for the following services:
- Google Drive for web browser, Drive for Desktop (non-Google file formats only), and Drive on Android and iOS mobile apps (view-only for non-Google file formats).
- Gmail for web browser only. CSE support for Gmail Android and iOS mobile apps will be available in an upcoming release.
- Google Calendar for web browser, and Calendar on Android and iOS mobile apps beta. If you previously signed up for the Calendar beta, you're automatically enrolled in the mobile apps beta. Otherwise, you can sign up for the beta using this form.
- Google Meet for web browser only. Meet on Android and iOS mobile apps and meeting room hardware will be available in a later release.
Service | Data that's client-side encrypted | Data that's not client-side encrypted |
---|---|---|
Google Drive |
|
|
Gmail |
|
Email header, including subject, timestamps, and recipients lists |
Google Calendar |
|
Any content other than the event description, attachments, and Meet data, such as:
|
Google Meet |
|
Any data other than audio and video streams and chat messages |
CSE setup overview
Here's an overview of the steps you'll need to set up Google Workspace Client-side encryption.
CSE requirements
You need super administrator privileges for Google Workspace to manage CSE for your organization, including:
- Adding and managing key services
- Assigning key services to organizational units and groups
- Turning CSE on or off for users
License requirements
- Users need a Google Workspace Enterprise Plus or Google Workspace for Education Plus license to use CSE to:
- Create or upload client-side encrypted content
- Host encrypted meetings
- Send or receive encrypted email
- Users can have any type of Google Workspace or Cloud Identity license to:
- View, edit, or download client-side encrypted content
- Join a CSE meeting
- Users with a consumer Google Account (such as Gmail users) can't access client-side encrypted content, send encrypted email, or participate in client-side encrypted meetings.
Browser requirements
To view or edit client-side encrypted content, users must use either the Google Chrome or Microsoft Edge (Chromium) browser.
License requirements
-
External users must have a Google Workspace or Cloud Identity license to access files and other of types of data encrypted with CSE, such as encrypted Drive files.
-
External users, using S/MIME, can send and receive encrypted messages. A Google Workspace or Cloud Identity license is not required.
- Users with a consumer Google Account or a visitor account can't access files encrypted with CSE.
Setup requirements
- External organizations that your users will collaborate with must also set up CSE, either in the Admin console or with a .well-known file.
- Your external encryption service must add to their allowlist the third-party IdP service that's used by the external organization's users you want your users to share CSE files with. You can usually find the IdP service in their publicly well-known file, if they set up one. Otherwise, contact the external organization's Google Workspace admin for their IdP details.
Other requirements
CSE user experience
After you set up client-side encryption for your organization, users for whom you turn on CSE can use it with the following services.
Users can create client-side encrypted documents using Google Docs editors (such as documents and spreadsheets) or encrypt files they upload to Drive, such as PDFs. Only users with whom an encrypted file is shared with can view it.
Drive for desktop experience
Drive for Desktop shows synced encrypted files as shortcuts on Windows and symbolic links on Mac. If a user clicks a shortcut or link to an encrypted Docs, Sheets, or Slides file, a new browser window opens.
Users can also:
- Encrypt and upload a local file
- Read and edit some types of encrypted files, such as PDF and Microsoft Office files
Important: If a user downloads and decrypts a CSE file in a local folder that syncs with Drive, the file will be stored in clear text in Drive.
Avoid storing decrypted sensitive information in Drive: Inform your Drive for desktop users that if they use the Download and decrypt option in Drive, they should avoid storing the decrypted files in local folders that sync with Drive.
Drive on Android and iOS experience
Users can preview or download client-side encrypted files in Drive with their mobile device, including Microsoft Office (iOS only) and PDF files. Google Docs, Sheets, and Slides aren't yet supported.
Note: To view or preview client-side encrypted files, users need a compatible reader on their device.
Avoid storing decrypted sensitive information in Drive: Inform your mobile Drive users that if they use the Download and decrypt option in Drive, they should avoid storing the decrypted files in locations on their device that sync with Drive.
Some features aren't available
Here are some of the Drive features that aren't available with client-side encrypted files. For the complete list of feature limitations, refer to Get started with encrypted files in Drive, Docs, Sheets & Slides .
- Spelling and grammar check in Google Docs Editors
- Editing by multiple collaborators at the same time (however, any number of users can view an encrypted document at the same time)
- Full-text search and file preview
- Commenting
- Encrypting or decrypting files offline
For details about CSE features and the limitations for Drive
See the following resources:
Users can send and receive client-side encrypted emails within or outside your organization.
Some features aren't available
Here are some of the Gmail features that aren't available with client-side encrypted files. For the complete list of feature limitations, refer to Learn about Gmail Client-side encryption.
- Confidential mode
- Sending to groups as recipients
- Searching the message body (users can still search by recipient and subject line)
- Signatures
- Using Gmail mobile apps
In addition, email delegation (shared inboxes) isn't available with Gmail CSE.
For details about CSE features and the limitations for Gmail
Users can create events with client-side encrypted descriptions. If you've turned on CSE for Drive and Meet for users, they can attach client-side encrypted documents to the event and add client-side encrypted online meetings. If CSE is off for Drive and Meet, users can't add attachments or online meetings to client-side encrypted events.
Note:
- Users can encrypt only regular events—other event types, such as focus time or appointment slots, don't support CSE.
- To view client-side encrypted event descriptions, users must use Google Calendar.
Some features aren't available
Here are some of the Calendar features that aren't available with client-side encrypted files. For the complete list of feature limitations, refer to Learn about Client-side encryption in Calendar.
- Searching for event descriptions
- Encrypting or decrypting events offline
For details about CSE features and the limitations for Calendar
Users can host client-side encrypted meetings when scheduling the meeting in Google Calendar or when starting an instant (unscheduled) meeting.
Some features aren't available
Here are some of the Meet features that aren't available with client-side encrypted files. For the complete list of feature limitations, refer to Learn about Meet Client-side encryption (CSE).
- Recordings
- Live streams
- Phone for audio
- Polls
- Jamboard
- Meeting room hardware (coming in a later release)
- Invitations to participants outside your organization (coming in a later release)
- Using Meet mobile apps
For details about CSE features and the limitations for Meet
CSE logs and reports
You can audit logs for administrator activity and reports on user activity for client-side encrypted files. For details, see View logs and reports for client-side encryption.
CSE FAQ
About encryption
Setting up CSE
Google has partnered with the several key management services for use with CSE. For a list of services, see Set up your key service for client-side encryption.