Client-side encryption user experience overview

After you set up Google Workspace Client-side encryption (CSE) for your organization, users for whom you turn on CSE can encrypt content in the following services. If users turn on client-side encryption in a Google service, such as Drive or Gmail, the can use the service as they normally do. However, some features aren't available.  

Google Drive

Users can create client-side encrypted documents using Google Docs editors (such as documents and spreadsheets) or encrypt files they upload to Drive, such as PDFs. Only users with whom an encrypted file is shared with can view it.

How users can create and upload encrypted files

From Drive or a Docs editor, users can choose the option to create a new encrypted document, spreadsheet, or presentation. From Drive, they can also choose the option to encrypt and upload a file.

Drive for desktop experience

Drive for Desktop shows synced encrypted files as shortcuts on Windows and symbolic links on Mac. If a user clicks a shortcut or link to an encrypted Docs, Sheets, or Slides file, a new browser window opens.

Users can also:

• Encrypt and upload a local file or folder 
• Read and edit some types of encrypted files, such as PDF and Microsoft Office files

Important: If a user downloads and decrypts a CSE file in a local folder that syncs with Drive, the file will be stored in clear text in Drive.

Drive on Android and iOS experience

Users can preview or download client-side encrypted files in Drive with their mobile device, including Microsoft Office (iOS only) and PDF files. Google Docs, Sheets, and Slides aren't yet supported.

Note: To view or preview client-side encrypted files, users need a compatible reader on their device.

Get details about CSE features and the limitations for Drive

Some Drive features aren't available with client-side encrypted files. To learn more about CSE features and limitations for Drive, go to the following resources:

• Get started with encrypted files in Drive, Docs, Sheets & Slides 
• Collaborate on encrypted files in Docs, Sheets & Slides
• Download a file

Gmail

Users can send and receive client-side encrypted emails within or outside your organization.

How users can send encrypted emails

To send a client-side encrypted email within your organization, a user needs to turn on the additional encryption option in the message window.

To send a client-side encrypted email outside your organization, a user needs to send a message to the recipient with their digital signature, without CSE turned on. The recipient then needs to reply to the message with their digital signature. Then the sender can choose to add CSE to emails sent to the external recipient.

How users can read encrypted emails

When a user receives a client-side encrypted message, they'll see "Encrypted message" below the sender's name. To read the message, the user might be prompted to sign in to their identity provider (IdP). Once the user is signed in to the IdP, the message is automatically automatically decrypted in their Gmail browser window.

Get details about CSE features and the limitations for Gmail

Note that:

• Some Gmail features aren't available with with client-side encrypted email.
• Email delegation (shared inboxes) isn't available with Gmail CSE.
• CSE blocks some file types when attached to encrypted emails.

To learn more about CSE features and limitations for Gmail, go to Learn about Gmail Client-side encryption.

Google Calendar

Users can create events with client-side encrypted descriptions. If you've turned on CSE for Google Drive and Google Meet for users, they can attach client-side encrypted documents to the event and add client-side encrypted online meetings. 

Note:

• Users can encrypt only regular events—other event types, such as focus time or appointment slots, don't support CSE.
• To view client-side encrypted event descriptions, users must use Google Calendar. 

How users can create and view encrypted events

To create a client-side encrypted event, users need to choose the option to turn on encryption in the event window. They might be prompted to sign in to your identity provider (IdP).

To view a client-side encrypted event, users just need to open the client-side encrypted event on Calendar. They might be prompted to sign in to your identity provider (IdP).

Get details about CSE features and the limitations for Calendar

Some Calendar features that aren't available with client-side encrypted events. To learn more about the features and limitations of CSE for Calendar, go to Learn about Client-side encryption in Calendar.

Google Meet

Users can host client-side encrypted meetings when scheduling the meeting in Google Calendar or when starting an instant (unscheduled) meeting. 

How users can schedule and join encrypted meetings

To schedule a client-side encrypted meeting in Calendar, users need to choose the option to turn on encryption in the event window. They might be prompted to sign in to your identity provider (IdP).

When starting an instant client-side encrypted meeting, users need to choose the option to add encryption from the security options.

How users can join encrypted meetings

Because of authentication requirements, all participants must be invited to client-side encrypted meetings. To join an encrypted meeting, an internal or external user needs to open the event in Google Calendar. If they're prompted to verify their identity, they need to sign in to their identity provider and enter their credentials.

Get details about CSE features and the limitations for Meet

Some Meet features aren't available with client-side encrypted meetings. To learn more about the features and limitations of CSE for Meet, go to Learn about Meet Client-side encryption (CSE).