Set up your external key service for client-side encryption

After you connect Google Workspace to your identity provider (IdP), you're ready to set up the external key service you chose. This article provides information about using a partner key service. If you're building your own key service, refer to the documentation for the Google Workspace Client-side Encryption API.

Work with your partner key service

Follow the key service's instructions to set up your encryption keys and key access control list (KACL). Your key service will give you a URL to access their service. You'll add this URL to your Admin console to connect Google Workspace to your external key service.

Key service | Get started
FlowCrypt | Instructions
Fortanix | Instructions
FutureX | Instructions
Stormshield | Overview
Thales | Instructions

About adding users to your key service

Work with your key service to add the internal and external users who need to use client-side encryption (CSE).

Internal users

When you set up a key service, you'll also create your key access control list (KACL), that is, the internal users, groups, or domains that you want to be able to encrypt content or to view and edit encrypted content.

External users

If your users need to share encrypted content with external organizations, your key service needs to add the external organization's identity provider (IdP) to its allowlist. For more information, go to Client-side encryption setup overview.

Keep your encryption keys safe

Warning: If you disable or destroy an encryption key used to encrypt content (such as files or emails), Google Workspace apps can't decrypt that content. Without this key, users can't view, edit, download, or use that content in any way. Before using CSE, make sure you discuss with your external key service how to keep your keys safe, including backup and restore options. Also, make sure you plan any changes to your key service carefully to avoid disrupting users' services.

Next step

After you set up your external key service, you need to add the key service to your Admin console.