Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus. Compare your edition
To use Google Workspace Client-side encryption (CSE), you first need to set up one or more external key services. You can do either of the following:
- Use one of Google's key service partners—They'll guide you in setting up their service to work with Google Workspace. See the list of partners below.
- Build your own key service—Create a standalone service or embed it into your product using the Google Workspace Client-side Encryption API.
If you want to use different key services for specific users, you can set up multiple key services. You can also switch to a different key service at any time and migrate encrypted content to the new service.
Note: For Gmail CSE, you can use hardware encryption keys instead of a key service. Requires having the Assured Controls add-on. For details, see Gmail only: Set up and manage hardware encryption keys.
Adding users to your key service
Work with your key service to add internal and external users who need to use CSE.
When you set up a key service, you'll also create your key access control list (KACL)—that is, the internal users, groups, or domains that you want to encrypt content or have view and edit access to encrypted content.
If your users need to share encrypted content with external organizations, your key service needs to add their identity provider (IdP) to their allowlist. For more information, see About client-side encryption.
About Google's key service partners
Google's key service partners provide tools that meet Google’s specifications for both key management and access control capabilities. Your partner holds the key to decode encrypted files and other content, and Google can't access or decipher these files without this key.
You can choose from these partner services:
Set up your external key service with a partner
- Sign up with one of Google's partner encryption key services.
- Follow the key service's instructions to set up your encryption keys and KACL.
Your key service will give you a URL to access their service. You'll add this URL to your Admin console to connect Google Workspace to your external key service.
After you set up your external key service, you need to add the service to your Admin console.