Stay organized with collectionsSave and categorize content based on your preferences.
This guide describes how encryption and decryption works using the Google Workspace Client-side Encryption API.
You must allowlist any Identity Provider (IdP) services used by users
sharing encrypted files. You can usually find the required IdP details in their
publicly-available .well-known file; otherwise, contact the organization's
Google Workspace administrator for their IdP details.
Encrypt data
When a Google Workspace user requests to save or store client-side encrypted
(CSE) data, Google Workspace sends awraprequest to your Key Access Control List Service (KACLS) endpoint URL for encryption.
In addition to optional security checks, such as perimeter and JWT claim-based checks,
your KACLS must perform the following steps:
Check that authorization and authentication tokens are for the same user by
doing a case-insensitive match on the email claims.
When the authentication token contains the optionalgoogle_emailclaim,
it must be compared against the email claim in the authorization token
using a case-insensitive approach. Don't use the email claim within the
authentication token for this comparison.
In scenarios where the authentication token lacks the optionalgoogle_emailclaim, the email claim within the authentication token
should be compared with the email claim in the authorization token,
using a case-insensitive method.
In scenarios where Google issues an authorization token for an email not
associated with a Google Account, theemail_typeclaim must be present.
This forms a crucial part of the Guest Access feature, providing valuable
information for KACLS to enforce additional security measures on external
users.
Some examples of how a KACLS can use this information include:
To impose additional logging requirements.
To restrict the authentication token issuer to a dedicated Guest IdP.
To require additional claims on the authentication token.
If a customer has not configured Guest Access, then all requests
whereemail_typeis set togoogle-visitororcustomer-idpcan be
rejected. Requests with anemail_typeofgoogleor with an unsetemail_typeshould continue to be accepted.
When the authentication token contains the optionaldelegated_toclaim,
it must also contain theresource_nameclaim, and these two claims must
be compared against thedelegated_toandresource_nameclaims in the
authorization token. Thedelegated_toclaims should be compared using a
case-insensitive approach, and theresource_namein the tokens should
match theresource_nameof the operation.
Check that theroleclaim in the authorization token iswriterorupgrader.
Check that thekacls_urlclaim in the authorization token matches the
current KACLS URL. This check allows detection of potential
man-in-the-middle servers configured by insiders or rogue domain
administrators.
Perform a perimeter check using both authentication and authorization
claims.
Encrypt the following parts using an authenticated encryption algorithm:
Data Encryption Key (DEK)
Theresource_nameandperimeter_idvalues from the authorization token
Any additional sensitive data
Log the operation, including the user originating it, theresource_nameand
the reason passed in the request.
Return an opaque binary object to be stored by Google Workspace alongside
the encrypted object and sent as-is in any subsequent key unwrapping
operation. Or, serve astructured error reply.
The binary object should contain the only copy of the encrypted DEK,
implementation specific data can be stored in it.
Decrypt data
When a Google Workspace user requests to open client-side encrypted (CSE) data,
Google Workspace sends anunwraprequest
to your KACLS endpoint URL for decryption. In addition to optional security
checks, such as perimeter and JWT claim-based checks, your KACLS must perform
the following steps:
Check that authorization and authentication tokens are for the same user by
doing a case-insensitive match on the email claims.
When the authentication token contains the optionalgoogle_emailclaim,
it must be compared against the email claim in the authorization token
using a case-insensitive approach. Don't use the email claim within the
authentication token for this comparison.
In scenarios where the authentication token lacks the optionalgoogle_emailclaim, the email claim within the authentication token
should be compared with the email claim in the authorization token,
using a case-insensitive method.
In scenarios where Google issues an authorization token for an email not
associated with a Google Account, theemail_typeclaim must be present.
This forms a crucial part of the Guest Access feature, providing valuable
information for KACLS to enforce additional security measures on external
users.
Some examples of how a KACLS can use this information include:
To impose additional logging requirements.
To restrict the authentication token issuer to a dedicated Guest IdP.
To require additional claims on the authentication token.
If a customer has not configured Guest Access, then all requests
whereemail_typeis set togoogle-visitororcustomer-idpcan be
rejected. Requests with anemail_typeofgoogleor with an unsetemail_typeshould continue to be accepted.
When the authentication token contains the optionaldelegated_toclaim,
it must also contain theresource_nameclaim, and these two claims must
be compared against thedelegated_toandresource_nameclaims in the
authorization token. Thedelegated_toclaims should be compared using a
case-insensitive approach, and theresource_namein the tokens should
match theresource_nameof the operation.
Check that theroleclaim in the authorization token isreaderorwriter.
Check that thekacls_urlclaim in the authorization token matches the
current KACLS URL. This allows detection of potential man-in-the-middle
servers configured by insiders or rogue domain administrators.
Decrypt the following parts using an authenticated encryption algorithm:
Data Encryption Key (DEK)
Theresource_nameandperimeter_idvalues from the authorization token
Any additional sensitive data
Check that theresource_namein the authorization token and decrypted blob
match.
Perform a perimeter check using both authentication and authorization claims.
Log the operation, including the user originating it, theresource_nameand
the reason passed in the request.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[[["\u003cp\u003eThis guide outlines the process of encrypting and decrypting data using the Google Workspace Client-side Encryption API, leveraging a Key Access and Control List Service (KACLS).\u003c/p\u003e\n"],["\u003cp\u003eDuring encryption, the KACLS validates the user, encrypts the data encryption key (DEK) and other sensitive data, logs the operation, and returns an opaque binary object containing the encrypted DEK to Google Workspace for storage.\u003c/p\u003e\n"],["\u003cp\u003eFor decryption, the KACLS validates the user, decrypts the DEK and associated data, verifies the resource name, performs a perimeter check, logs the operation, and returns the unwrapped DEK to Google Workspace.\u003c/p\u003e\n"],["\u003cp\u003eBefore sharing encrypted files, ensure to allowlist any Identity Provider (IdP) services used by the intended recipients, which typically involves obtaining IdP details from their publicly available .well-known file or contacting their Google Workspace administrator.\u003c/p\u003e\n"]]],["When users encrypt data, the KACLS must validate user authentication and authorization tokens, ensuring matching email claims and specific role and URL claims. It encrypts the Data Encryption Key (DEK), `resource_name`, `perimeter_id`, and other sensitive data, logs the operation, and returns an encrypted object. For decryption, the process mirrors encryption, validating tokens, decrypting the data, verifying `resource_name`, performing perimeter checks, logging, and returning the DEK. Guest access requires extra checks. Identity provider services must be allowlisted.\n"],null,["# Encrypt & decrypt data\n\nThis guide describes how encryption and decryption works using the Google Workspace Client-side Encryption API.\n\nYou must allowlist any Identity Provider (IdP) services used by users\nsharing encrypted files. You can usually find the required IdP details in their\npublicly-available .well-known file; otherwise, contact the organization's\nGoogle Workspace administrator for their IdP details.\n\nEncrypt data\n------------\n\nWhen a Google Workspace user requests to save or store client-side encrypted\n(CSE) data, Google Workspace sends a [`wrap`](/workspace/cse/reference/wrap)\nrequest to your Key Access Control List Service (KACLS) endpoint URL for encryption.\nIn addition to optional security checks, such as perimeter and JWT claim-based checks,\nyour KACLS must perform the following steps:\n\n1. Validate the requesting user.\n\n - Validate both the [authentication token](/workspace/cse/reference/authentication-tokens) and [authorization token](/workspace/cse/reference/authorization-tokens).\n - Check that authorization and authentication tokens are for the same user by doing a case-insensitive match on the email claims.\n - When the authentication token contains the optional `google_email` claim, it must be compared against the email claim in the authorization token using a case-insensitive approach. Don't use the email claim within the authentication token for this comparison.\n - In scenarios where the authentication token lacks the optional `google_email` claim, the email claim within the authentication token should be compared with the email claim in the authorization token, using a case-insensitive method.\n - In scenarios where Google issues an authorization token for an email not associated with a Google Account, the `email_type` claim must be present. This forms a crucial part of the Guest Access feature, providing valuable information for KACLS to enforce additional security measures on external users.\n - Some examples of how a KACLS can use this information include:\n - To impose additional logging requirements.\n - To restrict the authentication token issuer to a dedicated Guest IdP.\n - To require additional claims on the authentication token.\n - If a customer has not configured Guest Access, then all requests where `email_type` is set to `google-visitor` or `customer-idp` can be rejected. Requests with an `email_type` of `google` or with an unset `email_type` should continue to be accepted.\n - When the authentication token contains the optional `delegated_to` claim, it must also contain the `resource_name` claim, and these two claims must be compared against the `delegated_to` and `resource_name` claims in the authorization token. The `delegated_to` claims should be compared using a case-insensitive approach, and the `resource_name` in the tokens should match the `resource_name` of the operation.\n - Check that the `role` claim in the authorization token is `writer` or `upgrader`.\n - Check that the `kacls_url` claim in the authorization token matches the current KACLS URL. This check allows detection of potential man-in-the-middle servers configured by insiders or rogue domain administrators.\n - Perform a perimeter check using both authentication and authorization claims.\n2. Encrypt the following parts using an authenticated encryption algorithm:\n\n - Data Encryption Key (DEK)\n - The `resource_name` and `perimeter_id` values from the authorization token\n - Any additional sensitive data\n3. Log the operation, including the user originating it, the `resource_name` and\n the reason passed in the request.\n\n4. Return an opaque binary object to be stored by Google Workspace alongside\n the encrypted object and sent as-is in any subsequent key unwrapping\n operation. Or, serve a [structured error reply](/workspace/cse/reference/structured-errors).\n\n - The binary object should contain the only copy of the encrypted DEK, implementation specific data can be stored in it.\n\n| **Note:** Do not store the DEK in your KACLS system. Instead, encrypt it and return it in the `wrapped_key` object to prevent discrepancies for the lifetime of the file. Google doesn't send deletion requests to the KACLS when objects are deleted.\n\nDecrypt data\n------------\n\nWhen a Google Workspace user requests to open client-side encrypted (CSE) data,\nGoogle Workspace sends an [`unwrap`](/workspace/cse/reference/unwrap) request\nto your KACLS endpoint URL for decryption. In addition to optional security\nchecks, such as perimeter and JWT claim-based checks, your KACLS must perform\nthe following steps:\n\n1. Validate the requesting user.\n\n - Validate both the [authentication token](/workspace/cse/reference/authentication-tokens) and [authorization token](/workspace/cse/reference/authorization-tokens).\n - Check that authorization and authentication tokens are for the same user by doing a case-insensitive match on the email claims.\n - When the authentication token contains the optional `google_email` claim, it must be compared against the email claim in the authorization token using a case-insensitive approach. Don't use the email claim within the authentication token for this comparison.\n - In scenarios where the authentication token lacks the optional `google_email` claim, the email claim within the authentication token should be compared with the email claim in the authorization token, using a case-insensitive method.\n - In scenarios where Google issues an authorization token for an email not associated with a Google Account, the `email_type` claim must be present. This forms a crucial part of the Guest Access feature, providing valuable information for KACLS to enforce additional security measures on external users.\n - Some examples of how a KACLS can use this information include:\n - To impose additional logging requirements.\n - To restrict the authentication token issuer to a dedicated Guest IdP.\n - To require additional claims on the authentication token.\n - If a customer has not configured Guest Access, then all requests where `email_type` is set to `google-visitor` or `customer-idp` can be rejected. Requests with an `email_type` of `google` or with an unset `email_type` should continue to be accepted.\n - When the authentication token contains the optional `delegated_to` claim, it must also contain the `resource_name` claim, and these two claims must be compared against the `delegated_to` and `resource_name` claims in the authorization token. The `delegated_to` claims should be compared using a case-insensitive approach, and the `resource_name` in the tokens should match the `resource_name` of the operation.\n - Check that the `role` claim in the authorization token is `reader` or `writer`.\n - Check that the `kacls_url` claim in the authorization token matches the current KACLS URL. This allows detection of potential man-in-the-middle servers configured by insiders or rogue domain administrators.\n2. Decrypt the following parts using an authenticated encryption algorithm:\n\n - Data Encryption Key (DEK)\n - The `resource_name` and `perimeter_id` values from the authorization token\n - Any additional sensitive data\n3. Check that the `resource_name` in the authorization token and decrypted blob\n match.\n\n4. Perform a perimeter check using both authentication and authorization claims.\n\n5. Log the operation, including the user originating it, the `resource_name` and\n the reason passed in the request.\n\n6. Return the unwrapped DEK or a [structured error reply](/workspace/cse/reference/structured-errors).\n\n| **Note:** To decrypt [Google Takeout](https://support.google.com/a/answer/100458) requests, see [`takeout_unwrap`](/workspace/cse/reference/takeout_unwrap)."]]
