Turn client-side encryption on or off

Supported editions for this feature: Enterprise; Education Standard and Education Plus.  Compare your edition

You can turn on Google Workspace Client-side encryption (CSE) for users who need to create encrypted content with these services:

  • Google Drive—Turn on CSE only for users who need to create client-side encrypted documents, spreadsheets, and presentations or upload client-side encrypted files to Drive. You don't need to turn on CSE for users who only view and edit files shared with them.
  • Google Meet—Turn on CSE only for users who need to host client-side encrypted online meetings. You don't need to turn on CSE for other meeting participants.
  • Google Calendar (beta)—Turn on CSE only for users who need to create client-side encrypted calendar events. You also need to turn on CSE for Drive and Meet for these users if you want them to attach client-side encrypted documents and host client-side encrypted meetings. You don't need to turn on CSE for event invitees.

For users who need to only view or edit encrypted content, make sure:

Before you begin

Expand section  |  Collapse all

Make sure you've completed these steps
  1. Set up your external key service.
  2. Added your key service to your Admin console.
  3. Assigned your key service to your top-level organizational unit.

    If you're using multiple key services, make sure they're assigned to the appropriate organizational units or configuration groups.

  4. Connect Google Workspace to your identity provider (IdP).
Understand the limitations of using CSE with supported services
For more information about features that aren't available to users when they choose to use CSE, see About client-side encryption.
If needed, add users to organizational units and groups

Make sure you've placed users into the organizational units or groups for which you want to turn on CSE.

Turn CSE on or off for users

To turn on CSE for users, you need to turn on CSE for the organizational units or configuration groups the users belong to. Once you turn on CSE, users can choose whether to encrypt content.

To prevent users from encrypting content, you can turn off CSE for the organizational units or configuration groups they belong to. If you turn off CSE for users, any existing client-side encrypted content remains encrypted and accessible.

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu ""and then"" Securityand thenAccess and data controland thenClient-side encryption.
  3. Under Apps, click the name of the Google service for which you want to turn CSE on or off for users.

    Alternatively, under External key service, click Assign. Then, under Encryption by app, select the app for which you want to turn on CSE.

  4. In the left panel, select an organizational unit or group for which you want to turn CSE on or off.
  5. Under User access, select On or Off.
  6. In the pop-up message, confirm your selection.
  7. (Optional) To have users encrypt content with this service by default, with the option to turn off encryption, select Enable client-side encryption by default.

    Note: This setting is not available for all services.

  8. Click Override to keep your setting if the CSE settings for the parent organizational unit are changed.
  9. If Overridden is already set for the organizational unit, choose an option:
    • Inherit—Reverts to the same CSE setting as its parent.
    • Save—Saves your new CSE setting (even if the parent setting changes).

Changes can take up to 24 hours but typically happen more quickly. Learn more

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
false
false
true
73010
false
false