Supported editions for this feature: Enterprise; Education Standard and Education Plus.
To use Google Workspace Client-side encryption (CSE), you first need to set up one or more external key services. You can use one of Google's partners, listed below. Or, you can build your own key service using the Google Client-side Encryption API.
When you set up a key service, you'll also create your access control list (ACL)—that is, the users, groups, or domains that you want to have view and edit access to encrypted files.
About Google's key service partners
Google's key service partners provide tools that meet Google’s specifications for both key management and access control capabilities. Your partner holds the key to decode encrypted files, and Google can't access or decipher these files without this key.
You can choose from these partner services:
Set up your external key service with a partner
- Sign up with one of Google's partner encryption key services.
- Follow the key service's instructions to set up your encryption keys and key ACL.
Your key service will give you a URL to access their service. You'll add this URL to your Admin console to connect Google Workspace to your external key service.
Next steps...
After you set up your external key service, you need to connect Google Workspace to the service.