Create client-side encryption policies (beta)

Supported editions for this feature: Enterprise; Education Plus.

 
You need to enable Google Workspace Client-side encryption (CSE) for all users who need to create or upload encrypted files to Drive. You don't need to enable CSE for users who only need to view or edit encrypted files. However, users who only view or edit encrypted files still need to use an identity provider (IdP) to access files.
 
To enable CSE for users, you need to turn on CSE for the organizational units or configuration groups the users belong to.
 
At any time, you can disable CSE for users by turning CSE off for the organizational units or configuration groups they belong to. If you disable CSE for users, any existing client-side encrypted content remains encrypted and accessible.
 
Before you begin

Make sure you've completed the following steps:

  1. Set up your external key service.
  2. Connected Google Workspace to your key service.
  3. Connected Google Workspace to your identity provider (IdP).

Make sure you've created the organizational units and configuration groups you want to enable CSE for.

You'll need to select your default external key service

To ensure shared drives work properly, you'll need to make your external key service the default service for your entire organization. For example, if a group is enabled for CSE but its members use a shared drive in an organizational unit for which CSE is disabled, the default key service is used.

Set the default key service for your organization

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. Go to Security > Client-side encryption.
  3. Click Drive and Docs.
  4. In the left panel, select the top-level parent organization.
  5. Under Default external key service, choose your key service.
  6. Click Save.

Enable or disable CSE for users

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. Go to Security > Client-side encryption.
  3. Click Drive and Docs.
  4. In the left panel, select an organizational unit or group for which you want to enable CSE.
  5. Under User access, select On or Off.
  6. In the pop-up message, confirm your selection.
  7. To keep your setting even if the CSE setting for the parent organizational unit is changed, click Override.
  8. If Overridden is already set for the organizational unit, choose an option:
    • Inherit—Reverts to the same CSE setting as its parent.
    • Save—Saves your new CSE setting (even if the parent setting changes).

It can take up to 24 hours for a new setting to take effect, although it usually happens much faster.
