Set up your key service for client-side encryption (beta)

Supported editions for this feature: Enterprise; Education Plus.

To use Google Workspace Client-side encryption (CSE), you first need to set up an external key service. You can use one of Google's partners, listed below, or build your own key service using the Google CSE API.

Google's key service partners provide tools that meet Google's specifications and offer both key management and access control capabilities. Your partner holds the key needed to decrypt your encrypted files, and Google can't access or decipher these files without this key.

When you set up your key service, you'll also create your access control list (ACL)—that is, the users, groups, or domains that you want to have view and edit access to encrypted files.

Set up your external key service with a partner

  1. Sign up with one of Google's partner encryption key services: FlowCrypt, Fortanix, FutureX, Stormshield, Thales, or Virtru.
  2. Follow the key service's instructions to set up your encryption keys and key ACL.

Your key service will give you a URL to access their service. You'll use this URL to connect Google Workspace to your external key service.

Warning: If you disable or destroy an encryption key used to encrypt files in Drive, apps can't decrypt those files, so users can't view, edit, download, or use them in any way. Before using CSE, make sure you discuss with your external key service how to keep your keys safe, including backup and restore options. Also, make sure you plan any changes to your key service carefully to avoid disrupting users' services.

Next steps...

After you set up your external key service, you need to connect Google Workspace to the service.
