As an administrator, you can let external users access your content encrypted with Google Workspace Client-side encryption (CSE). There are 2 methods for providing external access:
- Set up access for external organizations that also use CSE. With this method, you can give an external organization access to encrypted content if they meet the user and CSE requirements.
- Configure a guest identity provider (IdP) to allow access for any external users With this method, your users can provide access to your client-side encrypted content to both Google and non-Google accounts. External organizations don't need to set up CSE, and their users don't need a Google Workspace or Cloud Identity license.
The guest IdP configuration is currently available for Google Meet, Drive, Docs, Sheets, and Slides web applications only. The guest IdP configuration for mobile applications of these services will be available in an upcoming release.
About access to encrypted email: Your users can exchange client-side encrypted email messages with external users, if the external users use S/MIME. No other setup is needed, and external users don't need a Google Workspace or Cloud Identity license. For details about sending and receiving client-side encrypted email messages, go to Learn about Gmail Client-side encryption.
Set up external access for external organizations that use CSE
If an external organization and your organization meet the following requirements, you can give the external access to your organization's client-side encrypted content for Drive & Docs, Calendar, and Meet.
Configure a guest IdP for any external users
To give external organizations access to your client-side encrypted content, you can configure a guest IdP to authenticate external users, using the same IdP you use or a different one. With a guest IdP, your users can share encrypted content with others at external organizations, whether or not those organizations also use CSE.
Note: If you already set up external access for organizations that also use CSE (as described earlier on this page), that setup is ignored once you configure a guest IdP.
