Supported editions for this feature: Enterprise; Education Standard and Education Plus.
You can use your own encryption keys to encrypt your organization's data, in addition to using the default encryption that Google Workspace provides. With Google Workspace Client-side encryption (CSE), content encryption is handled in the client's browser before any data is transmitted or stored in Google's cloud-based storage. That way, Google servers can't access your encryption keys and decrypt your data. After you set up CSE, you can choose which users can create client-side encrypted content and share it internally or externally.
Why use CSE?
Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities. With CSE, however, you have direct control of encryption keys and the identity provider used to access those keys. This additional control can help you strengthen the confidentiality of your sensitive or regulated data.
Your organization might need to use CSE for various reasons—for example:
- Privacy—Your organization works with extremely sensitive intellectual property.
- Regulatory compliance—Your organization operates in a highly regulated industry, like aerospace and defense, financial services, or government.
CSE availability
Google Workspace Client-side encryption is currently available for the following services:
- Google Drive for web browser, Drive for Desktop (non-Google file formats only), and Drive on Android and iOS (view-only for non-Google file formats).
- Google Meet for web browser only. CSE support for the Meet mobile app and meeting room hardware will be available in a later release.
- Google Calendar (beta) for web browser only. Note: Beta signups closed on November 11, 2022. General availability of CSE support for Calendar will be available in an upcoming release.
- New: Gmail (beta) for web browser only.
Sign up for the Gmail beta: available for Google Workspace Enterprise Plus, Education Plus, and Education Standard editions.
If you're a developer, the Google Workspace Client-side Encryption API (beta) lets you build your own key service, so that your organization owns the encryption keys used to further encrypt Google Workspace data.
CSE will be available for other Google services in a later release.
Get started with CSE
Service | Data that's encrypted | Data that's not encrypted
---|---|---
Google Drive | |
Google Meet | Audio and video streams | Any data other than audio and video streams
Google Calendar (beta) | Event description, attachments, and Meet data | Any content other than the event description, attachments, and Meet data
Gmail | |
Here's an overview of the steps you'll need to set up Google Workspace Client-side encryption.
Step 1: Set up your external encryption key service
You'll set up an encryption key service through one of Google's partner services, or build your own service using the Google CSE API. This service controls the top-level encryption keys that protect your data. When setting up your service, you'll add users to your key service's key access control list (KACL). For details, see Set up your key service for client-side encryption.
Step 2: Connect Google Workspace to your external key service
You'll connect Google Workspace to your external key service by adding the service's URL to the Admin console. You can add multiple key services if you want to assign different key services for specific organizational units or groups. And at any time, you can migrate encrypted content from one service to another. For details, see Add and manage key services for client-side encryption.
Step 3: Assign your key service to organizational units or groups
After you connect Google Workspace to an external key service, you can assign it to your organizational units and groups. You must assign one key service as the default for your entire organization. For details, see Assign a key service for client-side encryption.
Step 4: Connect Google Workspace to your identity provider
You'll need to connect to either a third-party IdP or Google identity, using either the Admin console or a .well-known file hosted on your server. Your IdP verifies the identity of users before allowing them to encrypt content or access encrypted content. For details, see Connect to your identity provider for client-side encryption.
Step 5: Turn on CSE for users
Turn on CSE for any organizational units or groups in your organization with users who need to create client-side encrypted content, such as Drive files.
CSE requirements
You need super administrator privileges for Google Workspace to manage CSE for your organization, including:
- Adding and managing key services
- Assigning key services to organizational units and groups
- Turning CSE on or off for users
License requirements
- Users need a Google Workspace Enterprise Plus or Google Workspace for Education Plus license to use CSE to:
- Create or upload client-side encrypted content
- Host encrypted meetings
- Send or receive encrypted email
- Users can have any type of Google Workspace or Cloud Identity license to:
- View, edit, or download client-side encrypted content
- Join a CSE meeting
- Users with a consumer Google Account (such as Gmail users) can't access client-side encrypted content, send encrypted email, or participate in client-side encrypted meetings.
Browser requirements
To view or edit client-side encrypted content, users must use either the Google Chrome or Microsoft Edge (Chromium) browser.
License requirements for external users
- External users must have a Google Workspace or Cloud Identity license to access data encrypted with CSE, such as encrypted Drive files.
- External users can exchange encrypted email with your users by using S/MIME; a Google Workspace or Cloud Identity license isn't required for this.
- Users with a consumer Google Account or a visitor account can't access files encrypted with CSE.
Set up requirements
- External organizations that your users will collaborate with must also set up CSE, either in the Admin console or with a .well-known file.
- Your external key service must allowlist the third-party IdP used by the external organization whose users you want to share CSE files with. You can usually find the IdP in the external organization's publicly hosted .well-known file, if they've set one up. Otherwise, contact the external organization's Google Workspace admin for their IdP details.
CSE user experience
After you set up client-side encryption for your organization, users for whom you turn on CSE can use it with the following services.
Google Drive
Users can create client-side encrypted documents in the Google Docs editors (such as Docs and Sheets) or encrypt files they upload to Drive, such as PDFs. Only users the encrypted file is shared with can view it.
Some features aren't available with client-side encrypted files—for example:
- Spelling and grammar check in Google Docs Editors.
- Editing by multiple collaborators at the same time (however, any number of users can view an encrypted document at the same time)
- Full-text search and file preview
- Commenting
- Encrypt or decrypt files offline
Drive for desktop
Drive for Desktop shows synced encrypted files as shortcuts on Windows and symbolic links on Mac. If a user clicks a shortcut or link to an encrypted Docs, Sheets, or Slides file, a new browser window opens.
Users can also:
- Encrypt and upload a local file
- Read and edit some types of encrypted files, such as PDF and Microsoft Office files
Avoid storing decrypted sensitive information in Drive: Inform your Drive for desktop users that if they use the Download and decrypt option in Drive, they should avoid storing the decrypted files in local folders that sync with Drive.
Drive on Android and iOS
Users can preview or download client-side encrypted files in Drive with their mobile device, including Microsoft Office (iOS only) and PDF files. Google Docs, Sheets, and Slides aren't yet supported.
Note: To view or preview client-side encrypted files, users need a compatible reader on their device.
Avoid storing decrypted sensitive information in Drive: Inform your mobile Drive users that if they use the Download and decrypt option in Drive, they should avoid storing the decrypted files in locations on their device that sync with Drive.
Google Meet
Users can host client-side encrypted meetings when scheduling the meeting in Google Calendar or when starting an instant (unscheduled) meeting.
Some features aren't available with client-side encrypted meetings—for example:
- Recordings
- Live streams
- Phone for audio
- Chats
- Polls
- Jamboard
- Meeting room hardware (coming in a later release)
- Mobile Meet apps (coming in a later release)
- Invite participants outside your organization (coming in a later release)
To join a client-side encrypted online meeting, users must be invited or added during the meeting. Knocking isn't available for CSE meetings.
Google Calendar (beta)
In Google Calendar, users can create events with client-side encrypted descriptions. If you've turned on CSE for Drive and Meet, users can also attach client-side encrypted documents to the event and add a client-side encrypted online meeting. If CSE is off for Drive and Meet, users can't add attachments or online meetings to client-side encrypted events.
Note:
- Users can encrypt only regular events—other event types, such as focus time or appointment slots, don't support CSE.
- To view client-side encrypted event descriptions, users must use Google Calendar.
Some features aren't available with client-side encrypted calendar events—for example:
- Search for event descriptions
- Encrypt or decrypt events offline
- Mobile Calendar apps (coming in a later release)
For details about CSE features and limitations for Calendar, see Learn about Calendar Client-side encryption.
Gmail (beta)
In Gmail on the web, users can choose to send and receive client-side encrypted emails.
Note: Client-side encryption will be available for the Gmail mobile app (Android and iOS) in an upcoming release.
Some features aren't available with client-side encrypted emails, because Google can't read the message content. For example:
- Confidential mode
- Multi-send mode
- Smart Compose, translation, and summaries
- Signatures
- DLP and malware scans
- Delegated admins for mailboxes
- Access to plain-text content by a third-party add-on
- Searches on the body of a message (Users can search by recipient and subject line)
- Emoji
General questions
Setting up CSE
Google has partnered with several key management services for use with CSE. For a list of services, see Set up your key service for client-side encryption.