Assign client-side encryption to users

After you've added one or more external key services to your Admin console for Google Workspace Client-side encryption (CSE), you need to assign them to organizational units or configuration groups. Assigning a key service lets users you've added to your external service's key access control list (KACL) encrypt and decrypt content.

If you've set up hardware key encryption for Gmail CSE, you need to assign it to organizational units or configuration groups. Requires having the Assured Controls or Assured Controls Plus add-on.

For users who need to encrypt content, you'll also need to turn on CSE. For details, go to Turn client-side encryption on or off.

Before you begin

Expand section  |  Collapse all

Assign encryption with a key service

Assign the default key service for your organization

You must be signed in as a super administrator for this task.

  1. Sign in with a super administrator account to the Google Admin console.

    If you aren’t using a super administrator account, you can’t complete these steps.

  2. Go to Menu and then Data > Compliance > Client-side encryption.
  3. Under Encryption with external key service, click Assign.
  4. In the left panel, select either All users in this account or the top-level organizational unit.
  5. Click Key service, and select your key service in the drop-down list.
  6. Click Save.

Assign a different key service for specific users

If you've added multiple key services to your Admin console, you can select a different key service than the current service assigned to an organizational unit or group.

Important: If content is already encrypted with the current key service, it's best to migrate encrypted content to the new service to ensure existing client-side encrypted content remains accessible. For details, go to Migrate encrypted content to a new key service later on this page.

You must be signed in as a super administrator for this task.

  1. Sign in with a super administrator account to the Google Admin console.

    If you aren’t using a super administrator account, you can’t complete these steps.

  2. Go to Menu and then Data > Compliance > Client-side encryption.
  3. Under Encryption with external key service, click Assign.
  4. In the left panel, select an organizational unit or group for which you want to use a different key service.
  5. Click Key service, and select the new key service in the drop-down list.
  6. Click Override to keep your setting if the CSE settings for the parent organizational unit are changed.
  7. If Overridden is already set for the organizational unit, choose an option:
    • Inherit—Reverts to the same CSE setting as its parent.
    • Save—Saves your new CSE setting (even if the parent setting changes).

Changes can take up to 24 hours but typically happen more quickly. Learn more

Migrate encrypted content to a new key service

If you no longer want to use your existing key service to encrypt content for an organizational unit or group, you can add a new service, select the backup service, and migrate the encrypted content to the new service.

Expand section  |  Collapse all

Assign encryption with hardware keys (Gmail only)

If you set up hardware key encryption for all or some users in your organization to encrypt Gmail, you need to assign it to those users.

If you're also using an encryption key service for Gmail: You can assign hardware key encryption to the same users as the key service; however, those users will encrypt Gmail using either the key service or a hardware key, depending on how you set up their encryption keys for Gmail. For details, go to Gmail only: Set up the Gmail API for client-side encryption.

You must be signed in as a super administrator for this task.

  1. Sign in with a super administrator account to the Google Admin console.

    If you aren’t using a super administrator account, you can’t complete these steps.

  2. Go to Menu and then Data > Compliance > Client-side encryption.
  3. Under Encryption with hardware keys, click Assign.
  4. In the left panel, select an organizational unit or group for which you want to use a different key service.
  5. Click Hardware key encryption, and check the box.
  6. If you selected a child organizational unit, click Override to keep your setting if the CSE settings for the parent organizational unit are changed.
  7. If Overridden is already set for the organizational unit, choose an option:
    • Inherit—Reverts to the same CSE setting as its parent.
    • Save—Saves your new CSE setting (even if the parent setting changes).

Changes can take up to 24 hours but typically happen more quickly. Learn more

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
Contact us Tell us more and we’ll help you get there
true
Start your free 14-day trial today

Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.

16100189181557739276
true
Search Help Center
true
true
true
true
true
73010
Search
Clear search
Close search
Main menu
false
false
false
false