Gmail only: Set up and manage hardware key encryption

Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus.

Requires having the Assured Controls add-on.

If your organization uses smart cards—such as Personal Identification Verification (PIV) cards—to access facilities and systems, you can use hardware key encryption instead of an encryption key service for Gmail client-side encryption (CSE).

With hardware key encryption, a user's private key resides on their smart card. Users need to insert their smart card into a reader attached to their Windows device to sign and decrypt email messages in Gmail. To encrypt messages, they use their public key.

Setup overview

To set up hardware key encryption, you need to complete these steps:

  1. Install the Google Workspace Hardware Key application on the Windows device for each user who needs to encrypt email. This app starts as a service that runs on a specific port and interfaces with a user's smart card to handle encryption and decryption.
  2. Turn on hardware key encryption in the Admin console, by entering the port number at which Google Workspace will communicate with the Hardware Key app on users' Windows devices.

After you complete these steps, you can assign hardware key encryption to users and turn on CSE for Gmail.

Setup requirements

Users' devices must:

  • Be running Microsoft Windows 10 or later
  • Have a smart card reader attached to their device
  • Have a smart card with their private encryption key

Step 1: Install the Google Workspace Hardware Key application

You can use the Google Workspace Hardware Key app to set up hardware key encryption for Gmail client-side encryption. This allows users to use their private keys on their smart cards, such as PIV cards, to sign and encrypt email.

Your organization needs the Assured Controls add-on to access the Hardware Key app and the installation instructions. To add Assured Controls to your organization's account, contact your technical account manager.

Step 2: Turn on hardware key encryption

After you've installed the Google Workspace Hardware Key application on users' Windows devices, you can turn on hardware key encryption in the Admin console.

Before you begin: Make sure you have the port number you selected when installing the Hardware Key app.

To turn on encryption with hardware keys:

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Security and then Access and data control and then Client-side encryption.
  3. Under Encryption with hardware keys, click Add port number.
  4. Enter the port number you selected when installing the Hardware Key app.
  5. Click Save.
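Before entering the port number in the Admin console, it is worth confirming on a user's device that the Hardware Key app is actually listening on that port and that the smart card stack is usable; a mismatch here is the usual reason CSE fails for a user. The following PowerShell pre-flight check is an added example, not part of Google's documentation or the Hardware Key app; it assumes `$Port` is the port chosen at install time (the default value below is a placeholder) and discovers the owning process from the socket rather than assuming the app's process name.

```powershell
# Added example (not Google's code): pre-flight check on a user's Windows device.
# $Port is the port chosen when the Hardware Key app was installed; 40445 is only a placeholder.
param([int]$Port = 40445)

$ok = $true

# 1. Something must be listening on the configured port, or Gmail CSE cannot reach the app.
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Warning "Nothing is listening on TCP port $Port. Is the Hardware Key app installed and started?"
    $ok = $false
} else {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Host ("Port {0} is owned by PID {1} ({2}), bound to {3}" -f $Port, $l.OwningProcess, $proc.ProcessName, $l.LocalAddress)
        # A helper that only serves the local browser needs loopback; a bind to all interfaces
        # makes the card-backed signing/decryption service reachable from the network.
        if ($l.LocalAddress -notin @('127.0.0.1', '::1')) {
            Write-Warning "Listener on port $Port is bound to $($l.LocalAddress), not loopback; review the app's configuration."
        }
    }
}

# 2. The Windows Smart Card service must be running for the app to talk to the card.
$scard = Get-Service -Name SCardSvr -ErrorAction SilentlyContinue
if (-not $scard -or $scard.Status -ne 'Running') {
    Write-Warning "Smart Card service (SCardSvr) is not running."
    $ok = $false
}

# 3. A reader must be attached and healthy (setup requirement above).
$readers = Get-PnpDevice -Class SmartCardReader -Status OK -ErrorAction SilentlyContinue
if (-not $readers) {
    Write-Warning "No working smart card reader detected."
    $ok = $false
} else {
    $readers | ForEach-Object { Write-Host "Reader: $($_.FriendlyName)" }
}

if ($ok) {
    Write-Host "Device looks ready; enter port $Port under Encryption with hardware keys in the Admin console."
} else {
    Write-Host "Fix the warnings above before turning on hardware key encryption."
}
```

Run it in an elevated PowerShell session on the user's device after the Hardware Key app has been installed and started.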

Next steps

After you've installed the Google Workspace Hardware Key application and turned on hardware key encryption in the Admin console, you need to:

Manage hardware key encryption

Change the port number for hardware key encryption

If the port number at which Google Workspace communicates with the smart card reader on users' Windows devices changes, you need to update it in the Admin console to ensure users can continue to use Gmail CSE.

To update the port number for hardware key encryption:

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Security and then Access and data control and then Client-side encryption.
  3. Under Encryption with hardware keys, click Edit.
  4. Enter the new port number.
  5. Click Save.

If a user needs a new smart card

  • If the user's new smart card contains the same encryption key as the previous card, they can simply use the new card.
  • If the user's new smart card contains a new encryption key, you'll need to upload new public key certificates to Gmail using the Gmail API. For details, go to Gmail only: Upload encryption keys for client-side encryption.
