About client-side encryption

Supported editions for this feature: Enterprise; Education Standard and Education Plus.  Compare your edition

You can use your own encryption keys to encrypt your organization's data, in addition to using the default encryption that Google Workspace provides. With Google Workspace Client-side encryption (CSE), content encryption is handled in the client's browser before any data is transmitted or stored in Google's cloud-based storage. That way, Google servers can't access your encryption keys and decrypt your data. After you set up CSE, you can choose which users can create client-side encrypted content and share it internally or externally. 

Why use CSE?

Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities. With CSE, however, you have direct control of encryption keys and the identity provider used to access those keys. This additional control can help you strengthen the confidentiality of your sensitive or regulated data. 

Your organization might need to use CSE for various reasons—for example:

  • Privacy—Your organization works with extremely sensitive intellectual property.
  • Regulatory compliance—Your organization operates in a highly regulated industry, like aerospace and defense, financial services, or government.

CSE availability

 Google Workspace Client-side encryption is currently available for the following services:

  • Google Drive for web browser, Drive for Desktop (non-Google file formats only), and Drive on Android and iOS (view-only for non-Google file formats).
  • Google Meet for web browser only. CSE support for the Meet mobile app and meeting room hardware will be available in a later release.
  • Google Calendar (beta) for web browser only. Note: Beta signups closed on November 11, 2022. General availability of CSE support for Calendar will be available in an upcoming release.
  • New: Gmail (beta) for web browser only. 

Sign up for the Gmail beta: Available for Google Workspace Enterprise Plus, Education Plus, and Education Standard editions. How to apply for the beta.

If you're a developer, the Google Workspace Client-side Encryption API (beta) lets you own the encryption keys used to further encrypt Google Workspace data. Apply for the beta  

CSE will be available for other Google services in a later release.

Get started with CSE

Expand section  |  Collapse all

Which data is encrypted with CSE
Service Data that's encrypted Data that's not encrypted
Google Drive
  • Files created with Google Docs Editors (documents, spreadsheets, presentations)
  • Uploaded files, like PDFs and Microsoft Office files
  • File title
  • File metadata, such as owner, creator, and last-modified time
  • Drive labels (also called Drive metadata)
  • Linked content that’s outside of Docs or Drive (for example, a YouTube video linked from a Google document)
  • User preferences, such as Docs header styles
Google Meet
  • Audio streams
  • Video streams (including screen sharing)
 Any data other than audio and video streams
Google Calendar (beta)
  • Event description
  • Attached Drive files (if CSE for Drive is turned on)
  • Meet audio and video streams (if CSE for Meet is turned on)

Any content other than the event description, attachments, and Meet data, such as:

  • Event title
  • Event starting and ending times
  • Attendees list
  • Booked rooms
  • Join by phone numbers
  • Link for Meet

Gmail 
(beta)
  • Email body and attachments, including inline images.
  • The header of the email, including subject, timestamps, and recipients lists. 
Overview of CSE setup

Here's an overview of the steps you'll need to set up Google Workspace Client-side encryption.

Step 1: Set up your external encryption key service

You'll set up an encryption key service through one of Google's partner services, or build your own service using the Google CSE API. This service controls the top-level encryption keys that protect your data. When setting up your service, you'll add users to your key service's key access control list (KACL). For details, see Set up your key service for client-side encryption.

Step 2: Connect Google Workspace to your external key service

You'll connect Google Workspace to your external key service by adding the service's URL to the Admin console. You can add multiple key services if you want to assign different key services for specific organizational units or groups. And at any time, you can migrate encrypted content from one service to another. For details, see Add and manage key services for client-side encryption.

Step 3: Assign your key service to organizational units or groups

After you connect Google Workspace to external key service, you can assign it to your organizational units and groups. You'll need to assign one key service as the default for your entire organization. For details, see Assign a key service for client-side encryption.

Step 4: Connect Google Workspace to your identity provider

You'll need to connect to either a third-party IdP or Google identity, using either the Admin console or a .well-known file hosted on your server. Your IdP verifies the identity of users before allowing them to encrypt content or access encrypted content. For details, see Connect to your identity provider for client-side encryption.

Step 5: Turn on CSE for users

Turn on CSE for any organizational units or groups in your organization with users who need to create client-side encrypted content, such as Drive files.

See Turn CSE on or off for users.

CSE requirements

Expand section  |  Collapse all

Which administrator privileges you need for CSE

You need super administrator privileges for Google Workspace to manage CSE for your organization, including:

  • Adding and managing key services
  • Assigning key services to organizational units and groups
  • Turning CSE on or off for users
Internal user requirements for CSE

License requirements

  • Users need a Google Workspace Enterprise Plus or Google Workspace for Education Plus license to use CSE to:
    • Create or upload client-side encrypted content
    • Host encrypted meetings
    • Send or receive encrypted email
  • Users can have any type of Google Workspace or Cloud Identity license to:
    • View, edit, or download client-side encrypted content
    • Join a CSE meeting
  • Users with a consumer Google Account (such as Gmail users) can't access client-side encrypted content, send encrypted email, or participate in client-side encrypted meetings.

Browser requirements

To view or edit client-side encrypted content, users must use either the Google Chrome or Microsoft Edge (Chromium) browser.

External user requirements for CSE

License requirements

  • External users must have a Google Workspace or Cloud Identity license to access files and other of types of data encrypted with CSE, such as encrypted Drive files.

  • External users, using S/MIME, can send and receive encrypted messages. A Google Workspace or Cloud Identity license is not required.

  • Users with a consumer Google Account or a visitor account can't access files encrypted with CSE.

Set up requirements

  • External organizations that your users will collaborate with must also set up CSE, either in the Admin console or with a .well-known file.
  • Your external encryption service must add to their allowlist the third-party IdP service that's used by the external organization's users you want your users to share CSE files with. You can usually find the IdP service in their publicly well-known file, if they set up one. Otherwise, contact the external organization's Google Workspace admin for their IdP details.

Other requirements

External users need to share identity information: Make sure you inform the external organization's admin that their users need to provide their authentication token to your key service to view or edit encrypted content owned by your organization. The authentication process requires a user to share their IP address and other information. For details, see Authentication tokens in the Client-side encryption API Reference guide.

CSE user experience

After you set up client-side encryption for your organization, users for whom you turn on CSE can use it with the following services.

Expand section  |  Collapse all

Google Drive

Users can create client-side encrypted documents using Google Docs editors (such as documents and spreadsheets) or encrypt files they upload to Drive, such as PDFs. Only users with whom an encrypted file is shared with can view it.

Some features aren't available with client-side encrypted files—for example:

  • Spelling and grammar check in Google Docs Editors.
  • Editing by multiple collaborators at the same time (however, any number of users can view an encrypted document at the same time)
  • Full-text search and file preview
  • Commenting
  • Encrypt or decrypt files offline

Drive for desktop

Drive for Desktop shows synced encrypted files as shortcuts on Windows and symbolic links on Mac. If a user clicks a shortcut or link to an encrypted Docs, Sheets, or Slides file, a new browser window opens.

Users can also:

  • Encrypt and upload a local file 
  • Read and edit some types of encrypted files, such as PDF and Microsoft Office files

Avoid storing decrypted sensitive information in Drive: Inform your Drive for desktop users that if they use the Download and decrypt option in Drive, they should avoid storing the decrypted files in local folders that sync with Drive.

Drive on Android and iOS

Users can preview or download client-side encrypted files in Drive with their mobile device, including Microsoft Office (iOS only) and PDF files. Google Docs, Sheets, and Slides aren't yet supported.

Note: To view or preview client-side encrypted files, users need a compatible reader on their device.

Avoid storing decrypted sensitive information in Drive: Inform your mobile Drive users that if they use the Download and decrypt option in Drive, they should avoid storing the decrypted files in locations on their device that sync with Drive.

For details about CSE features and limitations for Drive

See the following resources:

Google Meet

Users can choose to host client-side encrypted meetings when scheduling the meeting in Google Calendar or when starting an instant (unscheduled) meeting. 

Some features aren't available with client-side encrypted meetings—for example:

  • Recordings
  • Live streams
  • Phone for audio
  • Chats
  • Polls
  • Jamboard
  • Meeting room hardware (coming in a later release)
  • Mobile Meet apps (coming in a later release)
  • Invite participants outside your organization (coming in a later release)

To join a client-side encrypted online meeting, users must be invited or added during the meeting. Knocking isn't available for CSE meetings.

For details about CSE features and limitations for Meet

See Learn about Meet Client-side encryption (CSE).

Google Calendar (beta)

In Google Calendar, users can choose to create events with client-side encrypted descriptions. If you've turned on CSE for Drive and Meet for users, they can attach client-side encrypted documents to the event and add client-side encrypted online meetings. If CSE is off for Drive and Meet, users can't add attachments or online meetings to client-side encrypted events. 

Note:

  • Users can encrypt only regular events—other event types, such as focus time or appointment slots, don't support CSE.
  • To view client-side encrypted event descriptions, users must use Google Calendar. 

Some features aren't available with client-side encrypted calendar events—for example:

  • Search for event descriptions
  • Encrypt or decrypt events offline
  • Mobile Calendar apps (coming in a later release)

For details about CSE features and limitations for Calendar

See Learn about Calendar Client-side encryption

Gmail (beta)

In Gmail web, users can choose to send and receive encrypted emails. 

Note: Client-side encryption will be available for the Gmail mobile app (Android and iOS) in an upcoming release. 

Some features aren't available with client-side encryption emails—for example:

  • Confidential mode
  • Multi-send mode
  • Smart Compose, translation, and summaries
  • Signatures
  • DLP and malware scans
  • Delegated admins for mailboxes
  • Access to plain-text content by a third-party add-on
  • Searches on the body of a message (Users can search by recipient and subject line)
  • Emoji

Learn more and sign up for Gmail CSE beta

General questions

Where can I find information about Google's default encryption?
For details about Google's default encryption, go to the Google Cloud site.
How is CSE different from end-to-end (e2e) encryption?
With end-to-end encryption (e2e), encryption and decryption always occur on the source and destination devices (such as on mobile phones for instant messaging). Encryption keys are generated on the client, so as an administrator, you don't have control over the keys on the clients and who can use them. In addition, you don't have visibility into which content users have encrypted.
With client-side encryption (CSE), encryption and decryption also always occur on the source and destination devices, which in this case are the clients' browsers. However, with CSE, clients use encryption keys that are generated and stored in a cloud-based key management service, so you can control the keys and who has access to them. For example, you can revoke a user's access to keys, even if that user generated them. Also, with CSE, you can monitor users' encrypted files.

Setting up CSE

Which partner key management services can I use with CSE?

Google has partnered with the several key management services for use with CSE. For a list of services, see Set up your key service for client-side encryption.

Can I use Google as my key management service?
No, you'll need to use an external key management service to set up Google Workspace Client-side encryption. With CSE, you control your own encryption keys, and Google can't access them to decrypt your data.
Can I use multiple key services?
Yes, you can use more than one key service and choose which service to use for an organizational unit or group. Or, you can migrate encrypted content from one service to another.
Note: In the Admin console, you can set up a single key service for Gmail client-side encryption. Learn about other options for managing keys at Client-side Encryption API .
Can I switch to a different key service?
Yes, you can switch to a different key service. If you do this, it's best practice to migrate content encrypted with your current key service to the new service. For details, see Add and manage key services for client-side encryption.
How do I limit which users or groups have access to my external key service?
You manage the key access control list (KACL) for encryption keys through your external key service. Your KACL needs to include all users who need to either encrypt or decrypt (view or edit) content. Contact your encryption provider for more information.
In addition, you need to turn on CSE for any users who need to encrypt data. For details,  see Turn client-side encryption on or off for users.
How do I set up CSE for shared drives?
You don't need to set up CSE specifically for shared drives. The external key service you set up in the Admin console works for files in both My Drive and shared drives.

Working with client-side encrypted files

Can I re-encrypt existing files with a different encryption key?
You can migrate client-side encrypted files to a new key service. For details, see Assign a key service for client-side encryption.
Can I switch encryption for a file to Google's default encryption?
This feature will be available in a later release.
How do I decrypt exported Drive files?
To decrypt CSE files you export using the Data Export tool or Google Vault, you can use the decrypter, a command-line utility. For details, see Decrypt exported client-side encrypted files.
Can I retain, search, and export encrypted files in Google Vault?
Yes, if your Google Workspace edition has Google Vault, you can retain, search for, and export Drive CSE files in Vault. 
You can search for client-side encrypted files by their metadata, such as title and owner. However, you can’t search their content, search by file type, preview the content, or download from the preview view.
For details, see the Google Vault help center.
Google Vault support for Gmail CSE will be available in an upcoming release. 

Scanning client-side encrypted files

Do Drive and Gmail automatically scan CSE files for security threats?
CSE files and emails aren't scanned for phishing and malware, because Google's servers don't have access to the content.
Can I run DLP scans for content in CSE files or email?
Data loss prevention (DLP) scans can't access client-side encrypted content in files or emails. However, because DLP scans can access a file's metadata like the file title and Drive labels, which isn't encrypted, they can still help to prevent leaks of sensitive data.

Using CSE with Drive for desktop

Does Drive for desktop sync client-side encrypted files?
Drive for desktop shows synced encrypted files as shortcuts on Windows and symbolic links on Mac.
Does Drive for desktop re-encrypt downloaded client-side encrypted files if they're synced back to Drive?
No, a CSE file that's downloaded and decrypted in a local folder that syncs with Drive will be stored in clear text in Drive.

Avoid storing decrypted sensitive information in Drive: Inform your Drive for desktop users that if they use the Download and decrypt option in Drive, they should avoid storing the decrypted files in local folders that sync with Drive.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

true
' data-mime-type=
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
true
true
true
73010
false
false