Supported editions for this feature: Frontline Plus; Enterprise Plus; Education Standard and Education Plus.
Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities for all services. In addition, Gmail uses TLS (Transport Layer Security) for communication with other email service providers. Google Workspace Client-side encryption (CSE), however, gives you another layer of encryption that only your organization controls.
How CSE protects your data
With CSE:
- Your organization uses its own encryption keys, which encrypt data in the client's browser before any data is transmitted or stored in Google's cloud-based storage. You can manage your keys using a third-party key management service or by building your own service using the Google Workspace Client-side encryption API.
- Your organization also controls the identity provider used to access your encryption keys.
- Google servers and third parties can't access your encryption keys and decrypt your data, which can help your organization meet additional security or compliance requirements.
- You can create policies to allow specific users to create client-side encrypted content and share or send it internally or externally.
- Users can encrypt data with CSE simply by choosing an option in the app—there's no need for them to set up encryption, use extensions, or manage any encryption keys.
Which organizations can benefit from CSE
CSE is especially beneficial for organizations that have any of the following needs:
- Confidentiality for organizations working with sensitive intellectual property
- Compliance support for organizations in highly regulated industries that have ITAR, CJIS, TISAX, IRS 1075, or EAR requirements
- Data sovereignty for organizations needing demonstrative data control using encryption keys that can be held at a specific site, within a nation’s borders, or any other defined boundary
- Export control for public sector organizations that need to ensure data is encrypted and the keys are inaccessible outside their country’s borders
For example, CSE is especially useful for these industries:
- Large organizations that need to comply with European regulations
- Aerospace and defense contractors
- Criminal justice and law enforcement agencies
- Federal, state, and local agencies and organizations that work with them
Supported services, applications, and data types
- Web browser
- Drive for Desktop (non-Google file formats only)
- Android mobile app
- iOS mobile app
Note: For mobile apps, client-side encrypted content is view-only and available for non-Google file formats only.
- Files created with Google Docs Editors (documents, spreadsheets, presentations)
- Uploaded files, like PDFs and Microsoft Office files
- File title
- File metadata, such as owner, creator, and last-modified time
- Drive labels (also called Drive metadata)
- Linked content that’s outside of Docs or Drive (for example, a YouTube video linked from a Google document)
- User preferences, such as Docs header styles
Gmail
- Web browser
- Android mobile app
- iOS mobile app
- Email body, including inline images
- Attached files
Note: Attaching client-side encrypted Drive files isn't yet supported.
Email header, including Subject:, timestamps, and recipients lists
- Web browser
- Android mobile app
- iOS mobile app
- Event description
- Attached Drive files (if CSE for Drive is turned on)
- Meet audio and video streams (if CSE for Meet is turned on)
Any content other than the event description, attachments, and Meet data, such as:
- Event title
- Event starting and ending times
- Attendees list
- Booked rooms
- Join by phone numbers
- Link for Meet
- Web browser
- Drive for Desktop
- Android mobile app
- iOS mobile app
Note: Meeting room hardware will be available in a later release.
- Audio streams
- Video streams (including screen sharing)
- Chat messages