Add and manage key services for client-side encryption

If you add more than one key service to your Admin console, one key service must be the backup for another service.

If you want to migrate encrypted content to a new key service—that is, re-encrypt content encrypted by your current service—you need to make the current key service the backup to your new service. Because the backup key service encrypts the same content as its primary service, it ensures content remains accessible if there’s a problem during content migration. For details about migration, go to Migrate encrypted content to a new key service.

Important: You can have only one key service at a time using a backup key service.

If you add a new key service and make your current service the backup using the Admin console, only the backup service encrypts email, not the new key service. To switch key services for Gmail, you need to use the Gmail API to upload new certificates and the private keys' metadata wrapped by the new service. For details about switching to a different key service for Gmail, go to To switch to another key service for Gmail CSE.

You must be signed in as a super administrator for this task.

1. Sign in with a super administrator account to the Google Admin console.

   If you aren’t using a super administrator account, you can’t complete these steps.

2. Go to Menu  Data > Compliance > Client-side encryption.
3. Under Encryption with external key service, do one of the following:
   • If this is the first key service you're adding, click Add external key service.
   • If you're adding an additional key service, click Add.
4. Enter the following information from the key service you signed up with (or built using the CSE API):

   Name—Enter any name you like. This name appears in some messages to users if Google Workspace can't access your external key service, so they'll know the problem is with the encryption service and not the Google service they're using.

   URL—Your key service provides this URL to you. Before entering this URL, check that it's accessible from the internet.

5. If you added a second key service, click Select backup key, and select an available backup key service. This allows you to migrate encrypted content to the new key service.

   For details about migrating content to a new key service, go to Assign key services for client-side encryption.

6. If you already have at least 2 key services, and you added another, choose whether to add the new key service without backup. For details about your options, go to Add a new key service when another service has a backup below.

   Or, to close the Add external key service dialog without choosing an option, click Cancel.

7. To make sure Google Workspace can communicate with the external key service, click Test connection.
8. If the connection is successful, in the lower-right corner of the page, click Add or Add service.

If this is the first key service you added:

• A message appears to remind you to assign a default key service for your top-level organizational unit. You can do this at any time to ensure encryption is available for all users need to encrypt or decrypt content. For details, go to Assign the default key service for your organization.
• Make sure you connect Google Workspace to your identity provider (IdP) for client-side encryption.

If you’ve already added at least 2 key services to the Admin console, one service is the backup for another. If you add another key service, you can’t choose a backup service for it because only one key service at a time can have a backup. Therefore, when adding the new key service, you need to choose an option, depending on how you want to use the key service.

To switch from using an existing key service to the new one 

When adding a new key service, choose the option Remove backup from key service, and then click Remove backup.

Now you can add the new key service and choose a backup service. After that, you can migrate encrypted content to the new key service. For details, go to Migrate encrypted content to a new key service.

Recommendation: Choose this option only if the current key service doesn’t have any issues with encrypting content. Also, if the backup key service is being used to migrate content to your current primary service, make sure migration is complete—once you remove the backup, migration will stop immediately. For details, go to Migrate encrypted content to a new key service.

To use the new key service without migrating encrypted data 

When adding a new key service, choose the option Add key service without backup, then click Add service.

Recommendation: Choose this option only if you want to use this key service for an organizational unit or group that doesn't already has content encrypted by another key service. If content is already encrypted, you'll need to keep the existing key service to ensure the encrypted content is accessible.

You must be signed in as a super administrator for this task.

1. Sign in with a super administrator account to the Google Admin console.

   If you aren’t using a super administrator account, you can’t complete these steps.

2. Go to Menu  Data > Compliance > Client-side encryption.
3. Under External key service, click the name of the key service you want to change.
4. Edit the key service's name.
5. Click Continue.

You must be signed in as a super administrator for this task.

If your users are having trouble accessing content encrypted by a key service, ask the key service for a new encryption URL. Then replace the previous URL with the new one in the Admin console to allow users to recover their content.

If users can't encrypt new content with a key service, you can try assigning a different key service to organizations or groups that are having trouble.

To change a key service's URL:

1. Sign in with a super administrator account to the Google Admin console.

   If you aren’t using a super administrator account, you can’t complete these steps.

2. Go to Menu  Data > Compliance > Client-side encryption.
3. Under External key service, click the name of the key service for which you want to change the URL.
4. Click Having issues?Add a new URL.
5. To make sure Google Workspace can communicate with the external key service, click Test connection.
6. If the connection is successful, in the lower-right corner of the page, click Continue.

You can disable a key service if it has a backup key service assigned to it. For example, you might want to disable a key service and use its backup if users are having issues with either accessing encrypted content or encrypting new content. Because the key service you want to disable has a backup, client-side encrypted content will still be accessible.

To disable a key service and use its backup instead:

1. Sign in with a super administrator account to the Google Admin console.

   If you aren’t using a super administrator account, you can’t complete these steps.

2. Go to Menu  Data > Compliance > Client-side encryption.
3. Under External key service, click the name of the key service for which you want to remove the backup.
4. Click Disable & use backup.
5. Check the boxes under By disabling, I understand the following.
6. Click Disable & use backup.

There might be a problem with the key that’s being used to decrypt content. Contact your key service to request a new URL. For details about changing the URL for a key service, go to Change a key service’s URL above.

Or, if the key service has a backup service, try using the backup instead For details, go to Disable a key service that has backup above.