Gmail only: Set up and manage hardware key encryption

Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus.  Compare your edition

Requires having the Assured Controls add-on.

If your organization uses smart cards—such as Personal Identification Verification (PIV) cards—to access facilities and systems, you can use hardware key encryption instead of an encryption key service for Gmail client-side encryption (CSE).

With hardware key encryption, a user's private key resides on their smart card. Users need to insert their smart card into a reader attached to their Windows device to sign and decrypt email messages in Gmail. To encrypt messages, they use their public key.

Setup overview

To set up hardware key encryption, you need to complete these steps:

  1. Install the Google Workspace Hardware Key application on the Windows device for each user who needs to encrypt email. This app starts as a service that runs on a specific port and interfaces with a user's smart card to handle encryption and decryption.
  2. Turn on hardware key encryption in the Admin console, by entering the port number at which Google Workspace will communicate with the Hardware Key app on users' Windows devices.

After you complete these steps, you can assign hardware key encryption to users and turn on CSE for Gmail.

Setup requirements

Users' devices must:

  • Be running Microsoft Windows 10 or later
  • Have a smart card reader attached to their device
  • Have a smart card wit their private encryption key

Step 1: Install the Google Workspace Hardware Key application

You can use the Google Workspace Hardware Key app to set up hardware key encryption for Gmail client-side encryption. This allows users to use their private keys on their smart cards, such as PIV cards, to sign and encrypt email.

Your organization needs the Assured Controls add-on to access the Hardware Key app and the installation instructions. To add Assured Controls to your organization's account, contact your technical account manager.

Step 2: Turn on hardware key encryption

After you've installed the Google Workspace Hardware Key application on users' Windows devices, you can turn on hardware key encryption in the Admin console.

Before you begin: Make sure you have the port number you selected when installing the Hardware Key app.

To turn on encryption with hardware keys:

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenAccess and data controland thenClient-side encryption.
  3. Under Encryption with hardware keys, click Add port number.
  4. Enter the port number you selected when installing the Hardware Key app.
  5. Click Save.

Next steps

After you've installed the Google Workspace Hardware key application and turned on hardware key encryption in the Admin console, you need to:

Manage hardware key encryption

Change the port number for hardware key encryption

If the port number at which Google Workspace communicates with the smart card reader on users' Windows devices changes, you need to update it in the Admin console to ensure users can continue to use Gmail CSE.

To update the port number for hardware key encryption:

You must be signed in as a super administrator for this task.

  1. Sign in to your Google Admin console.

    Sign in using an account with super administrator privileges (does not end in @gmail.com).

  2. In the Admin console, go to Menu and then Securityand thenAccess and data controland thenClient-side encryption.
  3. Under Encryption with hardware keys,  click Edit.
  4. Enter the new port number.
  5. Click Save.

If a user needs a new smart card

  • If the user's new smart card contains the same encryption key as the previous card, they can simply use the new card.
  • If the user's new smart card contains a new encryption key, you'll need to upload new public key certificates to Gmail using the Gmail API. For details, go to Gmail only: Upload encryption keys for client-side encryption.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu