Assign a key service for client-side encryption

After you've added one or more external key services to your Admin console for Google Workspace Client-side encryption (CSE), you need to assign them to organizational units or configuration groups. This is needed so that users you've added to your external service's key access control list (KACL) can encrypt and decrypt content.

For users who need to encrypt content, you'll also need to turn on CSE. For details, see Turn client-side encryption on or off.

Before you begin


Make sure you assign a default key service

To ensure CSE services work properly across your organization, you'll need to make an external key service the default service for your entire organization. For example, if CSE is turned on for a group, but they're using a shared drive in an organizational unit for which CSE is turned off, the default key service is used.

When you add your first key service to the Admin console, you'll be prompted to assign a default service. If you haven't assigned the default yet, make sure you do that before turning on CSE for users.

If you want to use multiple key services for different users

You can assign a different key service than the default service for an organizational unit or group. For example, you might want to use different key services for different locations in your organization.

Important: If content is already encrypted with the current key service, it's best to migrate encrypted content to the new service. See "If you want to switch to a new key service" below.

If you want to switch to a new key service

If you've previously assigned a key service for an organizational unit or group, you can switch to a different service. If any content is already encrypted by the current key service, it's best practice to migrate the content to the new service. For details, see "Migrate encrypted content to a new key service" below.

If you switch to a new key service but don't migrate content: Any existing encrypted content will remain encrypted only by the current service, not by the new service you added. This means you'll need to continue using the current service to keep previously encrypted content accessible.

Assign the default key service for your organization

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > Client-side encryption.
  3. Under External key service, click Assign.
  4. In the left panel, select either All users in this account or the top-level organizational unit.
  5. Click Assign an external key service, and select your key service.
  6. Click Save.

Assign a different key service for specific users

If you've added multiple key services to your Admin console, you can select a different key service than the current service assigned to an organizational unit or group.

Important: If content is already encrypted with the current key service, it's best to migrate encrypted content to the new service to ensure existing client-side encrypted content remains accessible. For details, see "Migrate encrypted content to a new key service" below.

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > Client-side encryption.
  3. Under External key service, click Assign.
  4. In the left panel, select an organizational unit or group for which you want to use a different key service.
  5. Under Key service assignment, click your current key service, and select the new key service.
  6. Click Override to keep your setting if the CSE settings for the parent organizational unit are changed.
  7. If Overridden is already set for the organizational unit, choose an option:
    • Inherit—Reverts to the same CSE setting as its parent.
    • Save—Saves your new CSE setting (even if the parent setting changes).

Changes can take up to 24 hours but typically happen more quickly.

Migrate encrypted content to a new key service

If you no longer want to use your existing key service to encrypt content for an organizational unit or group, you can add a new service, select the backup service, and migrate the encrypted content to the new service.


Before you start migration

Which services are supported

Currently, you can migrate encrypted content for the following services:

  • Google Drive and Docs
  • Google Calendar

Google doesn't decrypt content

During migration, Google never decrypts content. The new service unwraps the encryption layer from the previous service and replaces it with a new encryption layer.
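The re-wrapping described above, modelled as an added example (not Google's CSE code): content is encrypted once under a per-file data encryption key (DEK), and only the DEK is wrapped by the key service's key-encryption key (KEK). Migrating re-wraps the DEK under the new service, leaving the content ciphertext untouched; content that is not migrated stays readable only through the old service. HMAC-SHA256 in counter mode is a toy stand-in for a real cipher, and the `KeyService` class, its KEK handling and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Toy envelope encryption (illustration only, not Google's implementation).
# HMAC-SHA256 in counter mode stands in for a real cipher; the structure is the point:
# content is encrypted with a per-file DEK, and only the DEK is wrapped by a key service.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class KeyService:
    """Assumed stand-in for one external key service: holds a KEK and wraps/unwraps DEKs."""

    def __init__(self, name: str):
        self.name, self._kek = name, secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        body = nonce + _xor(dek, _keystream(self._kek, nonce, len(dek)))
        return body + hmac.new(self._kek, body, hashlib.sha256).digest()  # integrity tag

    def unwrap(self, blob: bytes) -> bytes:
        body, tag = blob[:-32], blob[-32:]
        expected = hmac.new(self._kek, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # wrapped by a different service
            raise PermissionError(f"{self.name} cannot unwrap this DEK")
        nonce, ct = body[:16], body[16:]
        return _xor(ct, _keystream(self._kek, nonce, len(ct)))


def encrypt_content(plaintext: bytes, svc: KeyService) -> tuple:
    """Encrypt content client-side; return (wrapped DEK, content ciphertext)."""
    dek, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    ct = nonce + _xor(plaintext, _keystream(dek, nonce, len(plaintext)))
    return svc.wrap(dek), ct


def decrypt_content(wrapped_dek: bytes, ct: bytes, svc: KeyService) -> bytes:
    dek = svc.unwrap(wrapped_dek)
    return _xor(ct[16:], _keystream(dek, ct[:16], len(ct) - 16))


def migrate(wrapped_dek: bytes, old: KeyService, new: KeyService) -> bytes:
    """Re-wrap the DEK under the new service; the content bytes are never decrypted."""
    return new.wrap(old.unwrap(wrapped_dek))
```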

There's no impact to users

During migration, users can continue to encrypt or view encrypted content without interruption.

Migration status isn't available

Status of progress and notification of any problems aren’t available.

Test migration on a small number of users first

It's best practice to try migration on a small number of users first, before running a full migration on all users' content. Assign the new key to only one organizational unit or group and turn on migration for those users to determine if there are any migration issues.

After the test migration, try encrypting new content with the new key service, and check if you can still access and edit previously encrypted content.

Reduce migration time

To minimize the number of new items encrypted with the current key service, start full migration during off-peak periods.

Step 1: Add the new key service to the Admin console

Step 2: Replace the current key service with the new key service

After you add the new key service, assign the new key service to organizational units or groups. For details, see Assign a key service for client-side encryption above.

Step 3: Turn on migration

After you select the new key service for an organizational unit or group, you can turn on migration, if there are any services with previously encrypted content that can be migrated.

Migration time varies depending on how much content was encrypted with the current key service and the new key service's processing speed. It can take from a few hours to several days to see progress on content migration.

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > Client-side encryption.
  3. Under External key service, click Assign.
  4. In the left panel, select the organizational unit or group for which you want to migrate content to a new key service.
  5. Under Migration, click On.

    Note: This option is available only if there are services with previously encrypted content listed under Migration.

  6. In the confirmation message, check the box to indicate you understand that migration can’t be reversed once it starts. Then click Save.

The migration process starts.

Step 4: Check if migration is complete

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Security > Access and data control > Client-side encryption.
  3. Under External key service, click Assign.
  4. In the left panel, select the organizational unit or group for which you want to migrate encrypted content to a new key service.
  5. Under Migration, check the number of items encrypted with the previous service (now the backup service).

    If there aren’t any encrypted items, migration is complete.

Step 5: (Optional) Remove backup key service

If content migration is complete, and you no longer want to use the backup service, you can remove it from the new key service. For details, see Remove the backup from a key service.
