Learn about client-side encryption in Calendar

Calendar uses strong cryptographic standards to encrypt all data at rest and in transit between its facilities. With client-side encryption (CSE), your organization has control of encryption keys and the identity provider (IdP) used to access those keys to further strengthen the security of your events data.

When you add CSE to an event:

  • The description and Meet conference are client-side encrypted.
  • You can only add encrypted attachments.
  • Other fields, like the title or location, have only regular encryption.

Your organization might need to use CSE to help with:

  • Privacy: Your organization works with extremely sensitive intellectual property.
  • Regulatory compliance: Your organization operates in a highly regulated industry, like aerospace and defense, financial services, or government.

You can use CSE with these Google Workspace editions:

  • Education Plus
  • Education Standard
  • Workspace Enterprise Plus

Important: To use CSE, your administrator must connect Google Workspace to an external identity provider and encryption key service (IdP+KACL). Learn more about your administrator.

Learn about encryption

Encryption is the process of encoding information to protect your data. Only users who have Workspace Client-side encryption enabled by their administrator and have verified their identity can create events and view encrypted content.

Encrypted events can be decrypted by attendees or users in the organization if they have access to the encryption keys. Contact your administrator to learn more.

Tip: Your domain administrator has control over which groups and individuals can use encryption.

Access & encrypt events

  • You can only encrypt regular events.
    • Other events, such as focus time or appointment slots, don't support CSE.
  • To view client-side encrypted event descriptions, you must use Calendar.
  • Guests outside your organization must have the decryption keys to access encrypted contents.
  • For a new owner to decrypt an encrypted event description, the domain administrator must grant the new owner permission.

Some features aren't available with client-side encrypted events in Calendar, such as:

  • Search for event descriptions
  • Encrypt or decrypt events offline

Create an encrypted event

Important: You can only add CSE when you create an event. 

  1. On your computer, go to Google Calendar.
  2. At the top left, click Create.
  3. At the top right of the event window, click Turn on encryption .
    • You may get a pop-up to authenticate with your IdP. Make sure pop-ups are allowed in your browser.
    • Tip: Always turn on CSE before you enter event details. When you turn on CSE, your event descriptions, unencrypted attachments, and Meet conference settings are reset.
  4. Add event details like titles, guests, descriptions, and attachments.
    • If you add a meeting room to your encrypted event you must join the encrypted video call from your own device, not a meeting room device.
    • You can only add encrypted attachments to an encrypted event.
  5. Click Save.

View an encrypted event as a guest

  1. On your computer, go to Google Calendar.
  2. Open the event.
    • If you get a prompt to verify your identity:
      1. Click Sign in.
      2. Verify your identity with the IdP.

Find out if a calendar event is encrypted

In an event invitation, when CSE is on, you can find a shield icon next to:
  • “Join with Google Meet” button in a Google Calendar invite
  • Event description
  • Each attachment

Related resources

Clear search
Close search
Google apps
Main menu