Add and manage key services for client-side encryption

Have your key service URL handy

Make sure you have the URL for your external key service, and check that the URL is accessible from the internet. For details, go to Set up your key service for client-side encryption.

If you're adding your first key service

A message appears to remind you to assign a default key service for your top-level organizational unit. You can do this at any time to ensure encryption is available for all users who need to encrypt or decrypt content. For details, see Assign the default key service for your organization.

If you're adding a second key service

You’ll need to make the current service the backup service. The backup encrypts the same content as the second key service, and is needed if you want to migrate encrypted content to the second service. For details, see About the backup key service below.

If you already have at least 2 key services and are adding another

You’ll need to either remove the backup service from the current primary service, and then choose a backup for the new service, or add the new service without backup. For details, see Add a new key service when another service has a backup below.

Consider a naming convention for multiple key services

Establish a naming convention so you can easily identify the key services and for which services and users you’ll apply them. For example, you might want to the name to indicate the region, organizational unit, and key service:

• NORTHAM-R&D-Key-service1
• EUROPE-HR-Key-service2

If you add more than one key service to your Admin console, one key service must be the backup for another service.

If you want to migrate encrypted content to a new key service—that is, re-encrypt content encrypted by your current service—you need to make the current key service the backup to your new service. Because the backup key service encrypts the same content as its primary service, it ensures content remains accessible if there’s a problem during content migration. For details about migration, see Migrate encrypted content to a new key service.

Important: You can have only one key service at a time using a backup key service.

If you add a new key service and make your current service the backup using the Admin console, only the backup service encrypts emails, not the new key service. To switch key services for Gmail, you need to use the Gmail API to upload new certificates and the private keys' metadata wrapped by the new service. For details about switching to a different key service for Gmail, see To switch to another key service for Gmail CSE.

You must be signed in as a super administrator for this task.

1. Sign in to your Google Admin console.

   Sign in using an account with super administrator privileges (does not end in @gmail.com).

2. In the Admin console, go to Menu  SecurityAccess and data controlClient-side encryption.
3. Under External key service, do one of the following:
   • If this is the first key service you're adding, click Add external key service.
   • If you're adding an additional key service, click Add.
4. Enter a name for your key service.

   This name appears in some messages to users if Google Workspace can't access your external key service, so they'll know the problem is with the encryption service and not the Google service they're using.

5. Enter the URL that your key service provided to you.
6. If you added a second key service, click Select backup key, and select an available backup key service. This allows you to migrate encrypted content to the new key service.

   For details about migrating content to a new key service, see Assign key services for client-side encryption.

7. If you already have at least 2 key services, and you added another, choose whether to add the new key service without backup. For details about your options, see Add a new key service when another service has a backup below.

   Or, to close the Add external key service dialog without choosing an option, click Cancel.

8. To make sure Google Workspace can communicate with the external key service, click Test connection.
9. If the connection is successful, in the lower-right corner of the page, click Add or Add service.

If this is the first key service you added:

• A message appears to remind you to assign a default key service for your top-level organizational unit. You can do this at any time to ensure encryption is available for all users need to encrypt or decrypt content. For details, see Assign the default key service for your organization.
• Make sure you connect Google Workspace to your identity provider (IdP) for client-side encryption.

If you’ve already added at least 2 key services to the Admin console, one service is the backup for another. If you add another key service, you can’t choose a backup service for it because only one key service at a time can have a backup. Therefore, when adding the new key service, you need to choose an option, depending on how you want to use the key service.

To switch from using an existing key service to the new one 

When adding a new key service, choose the option Remove backup from key service, and then click Remove backup.

Now you can add the new key service and choose a backup service. After that, you can migrate encrypted content to the new key service. For details, see Migrate encrypted content to a new key service.

Recommendation: Choose this option only if the current key service doesn’t have any issues with encrypting content. Also, if the backup key service is being used to migrate content to your current primary service, make sure migration is complete—once you remove the backup, migration will stop immediately. For details, see Migrate encrypted content to a new key service.

To use the new key service without migrating encrypted data 

When adding a new key service, choose the option Add key service without backup, then click Add service.

Recommendation: Choose this option only if you want to use this key service for an organizational unit or group that doesn't already has content encrypted by another key service. If content is already encrypted, you'll need to keep the existing key service to ensure the encrypted content is accessible.

You must be signed in as a super administrator for this task.

1. Sign in to your Google Admin console.

   Sign in using an account with super administrator privileges (does not end in @gmail.com).

2. In the Admin console, go to Menu  SecurityAccess and data controlClient-side encryption.
3. Under External key service, click the name of the key service you want to change.
4. Edit the key service's name.
5. Click Continue.

You must be signed in as a super administrator for this task.

If your users are having trouble accessing content encrypted by a key service, ask the key service for a new encryption URL. Then replace the previous URL with the new one in the Admin console to allow users to recover their content.

If users can't encrypt new content with a key service, you can try assigning a different key service to organizations or groups that are having trouble.

To change a key service's URL:

1. Sign in to your Google Admin console.

   Sign in using an account with super administrator privileges (does not end in @gmail.com).

2. In the Admin console, go to Menu  SecurityAccess and data controlClient-side encryption.
3. Under External key service, click the name of the key service for which you want to change the URL.
4. Click Having issues?Add a new URL.
5. To make sure Google Workspace can communicate with the external key service, click Test connection.
6. If the connection is successful, in the lower-right corner of the page, click Continue.

You can disable a key service if it has a backup key service assigned to it. For example, you might want to disable a key service and use its backup if users are having issues with either accessing encrypted content or encrypting new content. Because the key service you want to disable has a backup, client-side encrypted content will still be accessible.

To disable a key service and use its backup instead:

1. Sign in to your Google Admin console.

   Sign in using an account with super administrator privileges (does not end in @gmail.com).

2. In the Admin console, go to Menu  SecurityAccess and data controlClient-side encryption.
3. Under External key service, click the name of the key service for which you want to remove the backup.
4. Click Disable & use backup.
5. Check the boxes under By disabling, I understand the following.
6. Click Disable & use backup.

There might be a problem with the key that’s being used to decrypt content. Contact your key service to request a new URL. For details about changing the URL for a key service, see Change a key service’s URL above.

Or, if the key service has a backup service, try using the backup instead For details, see Disable a key service that has backup above.