Protect your organization's data with client-side encryption

Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus.

Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities for all services. In addition, Gmail uses TLS (Transport Layer Security) for communication with other email service providers. Google Workspace Client-side encryption (CSE), however, gives you another layer of encryption that only your organization controls.

How CSE protects your data

With CSE:

  • Your organization uses its own encryption keys, which encrypt data in the client's browser before any data is transmitted or stored in Google's cloud-based storage. You can manage your keys using a third-party key management service or by building your own service using the Google Workspace CSE API.
  • Your organization also controls the identity provider used to access your encryption keys.
  • Google servers and third parties can't access your encryption keys and decrypt your data, which can help your organization meet additional security or compliance requirements.
  • You can create policies to allow specific users to create client-side encrypted content and share or send it internally or externally.
  • Users can encrypt data with CSE simply by choosing an option in the app—there's no need for them to set up encryption, use extensions, or manage any encryption keys.

Which organizations can benefit from CSE

CSE is especially beneficial for organizations that have any of the following needs:

  • Confidentiality for organizations working with sensitive intellectual property
  • Compliance support for organizations in highly-regulated industries that have ITAR, CJIS, TISAX, IRS 1075, or EAR requirements
  • Data sovereignty for organizations needing demonstrative data control using encryption keys that can be held at a specific site, within a nation’s borders, or any other defined boundary
  • Export control for public sector organizations that need to ensure data is encrypted and the keys are inaccessible outside their country’s borders

For example, CSE is especially useful for these industries:

  • Large organizations that need to comply with European regulations
  • Aerospace and defense contractors
  • Criminal justice and law enforcement agencies
  • Federal, state, and local agencies and organizations that work with them

Supported services, applications, and data types

Google Drive and Google Docs Editors

Apps:

  • Web browser
  • Drive for Desktop (non-Google file formats only)
  • Android mobile app
  • iOS mobile app

Note: For mobile apps, client-side encrypted content is view-only and available for non-Google file formats only.

Data that's client-side encrypted:

  • Files created with Google Docs Editors (documents, spreadsheets, presentations)
  • Uploaded files, like PDFs and Microsoft Office files

Data that's not client-side encrypted:

  • File title
  • File metadata, such as owner, creator, and last-modified time
  • Drive labels (also called Drive metadata)
  • Linked content that’s outside of Docs or Drive (for example, a YouTube video linked from a Google document)
  • User preferences, such as Docs header styles

Gmail

Apps:

  • Web browser
  • Android mobile app
  • iOS mobile app

Data that's client-side encrypted:

  • Email body, including inline images
  • Attached files

Note: Attaching client-side encrypted Drive files isn't yet supported.

Data that's not client-side encrypted:

  • Email header, including Subject:, timestamps, and recipients lists

Google Calendar

Apps:

  • Web browser
  • Android mobile app
  • iOS mobile app

Data that's client-side encrypted:

  • Event description
  • Attached Drive files (if CSE for Drive is turned on)
  • Meet audio and video streams (if CSE for Meet is turned on)

Data that's not client-side encrypted:

Any content other than the event description, attachments, and Meet data, such as:

  • Event title
  • Event starting and ending times
  • Attendees list
  • Booked rooms
  • Join by phone numbers
  • Link for Meet

Google Meet

Apps:

  • Web browser
  • Drive for Desktop
  • Android mobile app
  • iOS mobile app

Note: Meeting room hardware will be available in a later release.

Data that's client-side encrypted:

  • Audio streams
  • Video streams (including screen sharing)
  • Chat messages

Data that's not client-side encrypted:

  • Any data other than audio and video streams and chat messages
