About client-side encryption (beta)

Supported editions for this feature: Enterprise; Education Plus.

You can use your own encryption keys to encrypt your organization's data instead of relying on the encryption that Google Workspace provides. With Google Workspace Client-side encryption (CSE), file content is encrypted in the user's browser before it is stored in Drive's cloud-based storage. Google servers never receive your encryption keys and therefore can't decrypt your data. To use CSE, you need to connect Google Workspace to an external encryption key service and an identity provider (IdP).

Why use CSE?

Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities. With CSE, however, you have direct control of encryption keys and the identity provider used to access those keys to further strengthen the security of your data.

Your organization might need to use CSE for various reasons—for example:

  • Privacy—Your organization works with extremely sensitive intellectual property.
  • Regulatory compliance—Your organization operates in a highly regulated industry, like aerospace and defense, financial services, or government.

Availability of CSE

Google Workspace Client-side encryption is currently available only for Google Drive data, including files created with Google Docs Editors (documents, spreadsheets, presentations) and uploaded files, like PDFs. CSE will be available for other Google services in a later release.

Sign up for the CSE beta

Administrators for Google Workspace Enterprise Plus or Education Plus can apply for the CSE beta program.

Getting started with CSE

Basic setup steps for CSE

Here are the basic steps to set up Google Workspace Client-side encryption.

Step 1: Set up your external encryption key service

First, set up an encryption key service through one of Google's partner services, or build your own service using the Google CSE API. This service controls the top-level encryption keys that protect your data.

Step 2: Connect Google Workspace to your external key service

Next, specify the location of your external key service in the Google Admin console so that Google Workspace can connect to it.

Step 3: Connect Google Workspace to your identity provider

For this step, connect to either a third-party IdP or Google identity, using either the Admin console or a .well-known file hosted on your server. Your IdP verifies the identity of users before they are allowed to encrypt files or access encrypted files.

Step 4: Enable CSE for users

You can enable CSE for any organizational units or groups in your organization. Note, however, that you only need to enable CSE for users who you want to create client-side encrypted documents, spreadsheets, and presentations, or upload client-side encrypted files to Drive. You don't need to enable CSE for users who only view and edit files shared with them.

CSE user experience

After you set up client-side encryption for your organization, users for whom you enable CSE can choose to create encrypted documents using Google Docs editors (such as documents and spreadsheets) or encrypt files they upload to Drive, such as PDFs.

Note that some features aren't available with encrypted files. For example:

  • If an encrypted file is created with Google Docs Editors, spelling and grammar checking features won't work. Also, only 1 collaborator can edit an encrypted document at a time; however, any number of users can view an encrypted document at the same time.
  • If a file is encrypted and uploaded to Drive, full-text search and file preview features won't work.

For more information about the user experience and limitations of CSE, see:

Possible data loss if you disable or destroy your keys

Warning: If you disable or destroy an encryption key used to encrypt files in Drive, apps can't decrypt those files, so users can't view, edit, download, or use them in any way. Before using CSE, make sure you discuss with your external key service how to keep your keys safe, including backup and restore options. Also, make sure you plan any changes to your key service carefully to avoid disrupting users' services.

Requirements for CSE

Administrator requirements

 To set up Google Workspace Client-side encryption for your organization, you need to be a Super Admin for Google Workspace.

User requirements

  • To use CSE to create or upload files, users need a Google Workspace Enterprise Plus, Google Workspace for Education Plus, or Enterprise Essentials license. To view, edit, or download an existing file encrypted with CSE, users can have any type of Google Workspace or Cloud Identity license. The only users who can't access CSE files are those with a consumer Google Account (such as Gmail users).
  • To view or edit encrypted files, users must use either the Google Chrome or Microsoft Edge browser.

External recipient requirements

  • During the beta, external recipients must have a Google Workspace license to access your content encrypted with CSE. Recipients with a consumer Google Account or a visitor account can't access files encrypted with CSE.
  • External organizations must also set up CSE, either in the Admin console or with a .well-known file.
  • Your external encryption service must allowlist the third-party IdP service that's used by the external domain or the individuals you want to share CSE files with. You can usually find the IdP service in their publicly available .well-known file, if they set up one. Otherwise, contact the external organization's Google Workspace admin for their IdP details.

View logs and reports for CSE

You can view the following logs and reports:

Audit log

View the history of changes to your organization's CSE settings.

Go to Reports and then Audit log and then Admin.

Encrypted files upload/download report

Get a report on the number of encrypted files that are uploaded and downloaded over time.

Go to Security and then Dashboard and then Client-side encryption.

Encrypted files investigation report

Use the security investigation tool to get a report on Drive activity for encrypted files.

  1. Go to Security and then Investigation tool.
  2. Click Data source and then Drive log events.
  3. Click Add condition and then Add condition and then Encrypted.
  4. Set the condition to True.
  5. Click Search.

Client-side encryption FAQ

Where can I find information about Google's default encryption?

For details about Google's default encryption, go to the Google Cloud site.

Which partner key management services can I use with CSE?

Google has partnered with the following key management services for use with CSE:

Can I use Google as my key management service?

No, you'll need to use an external key management service to set up Google Workspace Client-side encryption. With CSE, you control your own encryption keys, and Google can't access them to decrypt your data.

What data is encrypted with CSE?

  • All file content, such as the body of a document
  • Embedded content, like images in a Google doc

What data is not encrypted with CSE?

  • File title
  • File metadata, such as owner, creator, and last-modified time
  • Drive labels (also called Drive metadata)
  • Linked content that’s outside of Docs or Drive (for example, a YouTube video linked from a Google document)
  • User preferences, such as Docs header styles

How is CSE different from end-to-end (e2e) encryption?

With end-to-end encryption (e2e), encryption and decryption always occur on the source and destination devices (such as on mobile phones for instant messaging). Encryption keys are generated on the client, so as an administrator, you don't have control over the keys on the clients and who can use them. In addition, you don't have visibility into which documents users have encrypted.
With client-side encryption (CSE), encryption and decryption also always occur on the source and destination devices, which in this case are the clients' browsers. However, with CSE, clients use encryption keys that are generated and stored in a cloud-based key management service, so you can control the keys and who has access to them. For example, you can revoke a user's access to keys, even if that user generated them. Also, with CSE, you can monitor users' encrypted files.

Can I re-encrypt existing files with a different encryption key?

This feature will be available in a later release.

Can I switch encryption for a file to Google's default encryption?

This feature will be available in a later release.

Can I retain, search, and export encrypted files in Google Vault?

Yes, if your Google Workspace edition has Google Vault, you can retain, search for, and export CSE files in Vault. You can search for client-side encrypted files by their metadata, such as title and owner. However, you can't search their content, search by file type, preview the content, or download from the preview view. For details, see Working with client-side encrypted files in Vault.

How do I decrypt exported files?

To decrypt CSE files you export using the Data Export tool or Google Vault, you can use the decrypter, a command-line utility. For details, see Decrypt exported client-side encrypted files.

How do I set up CSE for shared drives?

You don't need to set up CSE specifically for shared drives. The external key service you set up in the Admin console works for files in both My Drive and shared drives.

How do I limit which users or groups have access to my external key service?

You manage the access control list (ACL) for encryption keys through your external key service. Contact your encryption provider for more information.