Create client-side encryption policies

Supported editions for this feature: Enterprise; Education Plus.

You need to turn on Google Workspace Client-side encryption (CSE) for all users who need to do any of the following:

  • Create or upload encrypted files to Google Drive
  • Host encrypted meetings with Google Meet (beta)

Note: You don't need to turn on CSE for users who only need to view or edit encrypted files or attend meetings. However, external users need to use an identity provider (IdP) allowlisted by your domain. For details, see "External user requirements" in About client-side encryption.

To turn on CSE for users, you need to turn on CSE for the organizational units or configuration groups the users belong to.

At any time, you can disable CSE for users by turning CSE off for the organizational units or configuration groups they belong to. If you disable CSE for users, any existing client-side encrypted content remains encrypted and accessible.

Before you begin

Make sure you've completed these steps:

  1. Set up your external key service.
  2. Connect Google Workspace to your key service.
  3. Connect Google Workspace to your identity provider (IdP).

Make sure you've created the organizational units and configuration groups you want to turn on CSE for.

Make sure you understand the limitations of using CSE with supported services

For more information about features that aren't available to users when they choose to use CSE, see About client-side encryption.

You'll need to select your default external key service

To ensure CSE services work properly across your organization, you'll need to make your external key service the default service for your entire organization. For example, if CSE is turned on for a group, but its members are using a shared drive in an organizational unit for which CSE is turned off, the default key service is used.

Set the default key service for your organization

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. Go to Security > Client-side encryption.
  3. Click the Google service for which you want to set the default key service.
  4. In the left panel, select the top-level parent organization.
  5. Under Default external key service, choose your key service.
  6. Click Save.

Turn CSE on or off for users

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. Go to Security > Client-side encryption.
  3. Click the Google service for which you want to turn CSE on or off for users.
  4. In the left panel, select an organizational unit or group for which you want to turn CSE on or off.
  5. Under User access, select On or Off.
  6. In the pop-up message, confirm your selection.
  7. Click Override to keep your setting if the CSE setting for the parent organizational unit is changed.
  8. If Overridden is already set for the organizational unit, choose an option:
    • Inherit—Reverts to the same CSE setting as its parent.
    • Save—Saves your new CSE setting (even if the parent setting changes).

It can take up to 24 hours for a new setting to take effect, although it usually happens much faster.