Client-side encryption FAQ

Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus. Compare your edition

Here's where you can find answers to common questions about Google Workspace Client-side encryption (CSE).

Expand section  |  Collapse all

About encryption

Where can I find information about Google's default encryption?
For details about Google's default encryption, go to the Google Cloud site.
For additional details about standard encryption for Gmail, go to Encryption in transit in the Gmail Help Center.
How is CSE different from end-to-end (e2e) encryption?
With end-to-end encryption (e2e), encryption and decryption always occur on the source and destination devices (such as on mobile phones for instant messaging). Encryption keys are generated on the client, so as an administrator, you don't have control over the keys on the clients and who can use them. In addition, you don't have visibility into which content users have encrypted.
With client-side encryption (CSE), encryption and decryption also always occur on the source and destination devices, which in this case are the clients' browsers. However, with CSE, clients use encryption keys that are generated and stored in a cloud-based key management service, so you can control the keys and who has access to them. For example, you can revoke a user's access to keys, even if that user generated them. Also, with CSE, you can monitor users' encrypted files.

Understanding the CSE user experience

How do users encrypt data using CSE?

Users can choose an option in supported services to turn on CSE. For more information about how users can turn on CSE in web and mobile apps, go to Client-side encryption user experience overview.

Are there any limitations for users when using CSE?

Yes, some features in Google services aren't available when CSE is turned on. For more information, go to Client-side encryption user experience overview.

Setting up CSE

What are encryption keys and how do I get them?

An encryption key is used to transform data into an unreadable format so it appears random. This keeps the data private from anyone or anything not approved to read it. To read encrypted data, an individual or application needs a key to convert the data back into its original format.

To use encryption keys to add a layer of encryption to your organization's Google Workspace data, you need to use a key management service that partners with Google or create your own key service using Google's CSE API. Alternatively, for Gmail only, you can use hardware key encryption, in which a user's encryption key resides on a smart card.

Which partner key management services can I use with CSE?

Google has partnered with the several key management services for use with CSE. For a list of services, go to Set up your key service for client-side encryption.

Can I use Google as my key management service?
No, you'll need to use an external key management service to set up Google Workspace Client-side encryption. With CSE, you control your own encryption keys, and Google can't access them to decrypt your data.
Can I use multiple key services?
Yes, you can use more than one key service and choose which service to use for an organizational unit or group. Or, you can migrate encrypted content from one service to another.
Note: In the Admin console, you can set up a single key service for Gmail client-side encryption. Learn about other options for managing keys at Google Workspace Client-side Encryption API .
Can I use smart cards with CSE?
Yes, if your organization uses smart cards to access facilities and systems, you can set up hardware key encryption for Gmail CSE. Requires having the Assured Controls or Assured Controls Plus add-on.  Users can use their smart cards, which contain their private encryption key, to encrypt their email messages. For details, go to Gmail only: Set up and manage hardware key encryption for client-side encryption
Can I use both a key service and hardware encryption keys for Gmail?
Yes, you can set up both a key service and hardware encryption keys for Gmail CSE. Requires having the Assured Controls or Assured Controls Plus add-on. You also assign both the key service and hardware key encryption to the same users. However, a user can use only one type of encryption for Gmail, which depends on how you set up their private encryption key for Gmail. For details, go to Gmail only: Upload encryption keys for client-side encryption
Can I switch to a different key service?
Yes, you can switch to a different key service. If you do this, it's best practice to migrate content encrypted with your current key service to the new service. For details, go to If you want to switch to a new key service.
How do I limit which users or groups have access to my external key service?
You manage the key access control list (KACL) for encryption keys through your external key service. Your KACL needs to include all users who need to either encrypt or decrypt (view or edit) content. Contact your encryption provider for more information.
In addition, you need to turn on CSE for any users who need to encrypt data. For details,  go to Turn client-side encryption on or off for users.
Can I enforce the use of CSE for specific users?
For Gmail, Google Drive, and Google Calendar, you can specify that CSE is turned on by default for specific organizational units. Requires having the Assured Controls or Assured Controls Plus add-on.
If you specify that CSE is turned on by default, users still can still turn off CSE if needed. 
How do I set up CSE for shared drives?
You don't need to set up CSE specifically for shared drives. The external key service you set up in the Admin console works for files in both My Drive and shared drives.
What if I get an alert while setting up CSE?

If you have an issue with CSE setup, go to View alert details for more information.

Can I import and encrypt existing email with CSE?

Can I allow external users to access our organization's client-side encrypted content?

Working with client-side encrypted content

Can I reencrypt existing files with a different encryption key?
You can migrate client-side encrypted files to a new key service. For details, go to If you want to switch to a new key service.
Can I switch encryption for a file to Google's default encryption?
Yes, you can remove client-side encryption from a Google document, spreadsheet, or presentation. For details, go to Remove encryption from a document.
How do I decrypt exported Drive files and email?
To decrypt CSE files you export using the Data Export tool or Google Vault, you can use the decrypter, a command-line utility. For details, go to Decrypt exported client-side encrypted files.
Can I retain, search, and export encrypted files and email in Google Vault?
Yes, if your Google Workspace edition has Google Vault, you can retain, search for, and export client-side encrypted Drive files and Gmail email in Vault. 
You can search for client-side encrypted files by their metadata, such as title and owner. However, you can’t search their content, search by file type, preview the content, or download from the preview view.
For details, go to the Google Vault Help Center.
Do I need to restrict spell checking on client-side encrypted content?
  • For client-side encrypted body content in Google Docs and Slides, on-device machine learning models provide spell-check functionality, which preserves confidentiality of document data.
  • For Gmail and comments in Google Docs, the browser provides spell-check functionality.

    If your organization uses Google Chrome: Make sure CSE users don't use Chrome's Enhanced spell check—this option sends data to Google. Instead, CSE users can use Chrome's Basic spell check, which doesn't send data to Google. For more information, go to Turn Chrome spell check on or off. If you use managed Chrome browser, you can create a policy to disable spell check for CSE users, which turns off Enhanced spell check but not Basic spell check. For details, go to Set Chrome policies for users or browsers.

Scanning client-side encrypted files and email

Do Drive and Gmail automatically scan client-side encrypted content for security threats?
Client-side encrypted files and email aren't scanned for phishing and malware, because Google's servers don't have access to the content.
Can I run DLP scans for content in client-side encrypted files or email?
Data loss prevention (DLP) scans can't access client-side encrypted content in files or email. However, you can create DLP rules to:
  • Scan Drive files' unencrypted metadata like the file title and Drive labels—this can help to prevent leaks of sensitive data.
  • Scan Drive files to determine whether or not they're client-side encrypted, by choosing the rule condition File encryption status > IsClient-side encrypted or Not client-side encrypted.

For details on creating DLP rules for Drive, go to Create DLP for Drive rules and custom content detectors.

Switching to a Google Workspace edition that doesn't support CSE

What happens to encrypted content if users' licenses no longer have CSE?
If you switch users to a Google Workspace license that doesn't include CSE, they can still access and edit any client-side encrypted items, such as files and email. However, they can't create any new client-side encrypted items.
Can I remove encryption from content if we no longer want to use CSE?
If you want to stop using CSE and decrypt items such as files and email, you first need to export those items using the Data Export tool. Then use the decrypter utility to remove CSE.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Main menu
16322994164215129020
true
Search Help Center
true
true
true
true
true
73010
false
false