Connect to your key service for client-side encryption

Supported editions for this feature: Enterprise; Education Standard and Education Plus.

After you set up your external key service, you need to add it to your Admin console to connect Google Workspace to the service. If needed, you can add multiple key services, for example, to transition to a new key service or assign different key services to different users.

Note: Once you connect Google Workspace to your key service, some apps' features aren't available. For details, see "CSE user experience" in About client-side encryption.

Connect Google Workspace to your external key service

You must be signed in as a super administrator for this task.

Before you begin: Make sure you have the URL for your external key service, and check that the URL is accessible from the internet. For details, go to Set up your key service for client-side encryption.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > Client-side encryption.
  3. Under External key service, do one of the following:
    • If this is the first key service you're adding, click Add external key service.
    • If you're adding an additional key service, click Add.
  4. Enter a name for your key service.

    This name appears in some messages to users if Google Workspace can't access your external key service, so they'll know the problem is with the encryption service and not Drive.

  5. Enter the URL that your key service provided to you.
  6. To make sure Google Workspace can communicate with the external key service, click Test connection.
  7. If the connection is successful, in the lower-right corner of the page, click Add or Add service.

If this is the first key service you added: A message appears to remind you to assign a default key service for your top-level organizational unit. You can do this at any time to ensure encryption is available for all users who have CSE turned on. For details, see Create client-side encryption policies.
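The "Before you begin" requirement that the key service URL is accessible from the internet can be checked before you open the Admin console. The following is an added example, not part of Google's documentation. It assumes the key service is served over HTTPS, and the function names, hostnames and addresses in it are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _is_ip(host):
    """True if host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def resolve(host):
    """Default resolver: the set of addresses the host name resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0].split("%")[0] for info in infos}  # drop IPv6 scope id


def preflight(url, resolver=resolve):
    """Return the problems that would keep an internet client from reaching
    the key service URL. An empty list means every check passed."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":  # assumption: the service is served over TLS
        problems.append("scheme is not https")
    if parts.username or parts.password:
        problems.append("URL embeds credentials")
    host = parts.hostname
    if not host:
        return problems + ["no hostname in URL"]
    try:
        addresses = {host} if _is_ip(host) else resolver(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return problems + [f"DNS lookup failed: {exc}"]
    for addr in sorted(addresses):
        # Private, loopback and link-local addresses are unreachable from outside.
        if not ipaddress.ip_address(addr).is_global:
            problems.append(f"{addr} is not publicly routable")
    return problems


if __name__ == "__main__":
    # Constructed sample data: a hypothetical host that resolves internally only.
    fake_dns = {"kms.corp.example": {"10.20.0.7"}}
    print(preflight("https://kms.corp.example/v1", resolver=fake_dns.__getitem__))
```

A clean result only shows the URL is plausibly reachable from outside your network. Test connection in the Admin console remains the check that Google Workspace can actually communicate with the service.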

Change a key service's name

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > Client-side encryption.
  3. Under External key service, click the name of the key service you want to change.
  4. Edit the key service's name.
  5. Click Continue.

Change a key service's URL

You must be signed in as a super administrator for this task.

If your users are having trouble accessing content encrypted by a key service, ask the key service for a new encryption URL. Then replace the previous URL with the new one in the Admin console to allow users to recover their content.

If users can't encrypt new content with a key service, you can try assigning a different key service to organizations or groups that are having trouble.

If you replace a URL with one from a different key service: All files already encrypted with your previous key service can't be decrypted, and users can't access their content. 

To change a key service's URL:

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > Client-side encryption.
  3. Under External key service, click the name of the key service for which you want to change the URL.
  4. Click Having issues? > Add a new URL.
  5. To make sure Google Workspace can communicate with the external key service, click Test connection.
  6. If the connection is successful, in the lower-right corner of the page, click Continue.

Next steps...

Before your users can use CSE with Google services, you need to connect Google Workspace to your identity provider (IdP) for client-side encryption.
