After you connect Google Workspace to your identity provider (IdP), you're ready to set up the external key service you chose. This article provides information about using a partner key service. If you're building your own key service, refer to the documentation for the Google Workspace Client-side Encryption API.
Work with your partner key service
Follow the key service's instructions to set up your encryption keys and key access control list (KACL). Your key service will give you a URL to access their service. You'll add this URL to your Admin console to connect Google Workspace to your external key service.
| Key service | Get started |
|---|---|
| FlowCrypt | Instructions |
| Fortanix | Instructions |
| FutureX | Instructions |
| Stormshield | Overview |
| Thales | Instructions |
About adding users to your key service
Work with your key service to add internal and external users who need to use CSE.
Internal users
When you set up a key service, you'll also create your key access control list (KACL)—that is, the internal users, groups, or domains that you want to encrypt content or have view and edit access to encrypted content.
External users
If your users need to share encrypted content with external organizations, your key service needs to add the external organization's identity provider (IdP) to their allowlist. For more information, go to Client-side encryption setup overview.
Keep your encryption keys safe
Next step
After you set up your external key service, you need to add the key service to your Admin console.