Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus. Compare your edition
To get started with Google Workspace Client-side encryption (CSE), you first need to choose one or more external key services. You can choose a Google partner or build your own service.
Note: For Gmail CSE, you can use hardware encryption keys instead of a key service. Requires having the Assured Controls add-on. For details, go to Gmail only: Set up and manage hardware encryption keys.
Option 1: Sign up with a Google partner key service
Google's key service partners provide tools that meet Google’s specifications for both key management and access control capabilities. Your partner holds the key to decode encrypted files and other content, and Google can't access or decipher these files without this key. After you sign up with one of Google's partners, they'll guide you in setting up their service to work with Google Workspace.
You can choose from these partner services:
Option 2: Build your own key service
If your organization wants even more control over encryption keys, you can build a standalone service or embed it into your product using the Google Workspace Client-side Encryption API.
You can use multiple key services
If you want to use different key services for specific users—for example, users in different regions—you can set up multiple key services.
You can switch key services
At any time you can switch to a different key service and migrate encrypted content to the new service.
After you choose your external key service, you need to connect your identity provider to your Admin console.