Client-side encryption setup overview

Supported editions for this feature: Frontline Plus; Enterprise Plus; Education Standard and Education Plus.

Before you start setting up Google Workspace Client-side encryption (CSE), review the requirements, encryption key options, and setup overview.

CSE requirements


Administrator privileges for CSE

You need super administrator privileges for Google Workspace to manage CSE for your organization, including:

  • Adding and managing key services
  • Assigning key services to organizational units and groups
  • Turning CSE on or off for users

Internal user requirements for CSE

User license requirements

  • Users need a Google Workspace Frontline Plus, Google Workspace Enterprise Plus, Google Workspace Education Standard, or Google Workspace for Education Plus license to use CSE to:
    • Create or upload client-side encrypted content
    • Host encrypted meetings
    • Send or receive encrypted email
  • Users can have any type of Google Workspace or Cloud Identity license to:
    • View, edit, or download client-side encrypted content
    • Join a CSE meeting from a computer, a mobile device, or a Google Meet hardware device
  • Users with a consumer Google Account (such as Gmail users) can't access client-side encrypted content, send encrypted email, or participate in client-side encrypted meetings.

Browser requirements

To view or edit client-side encrypted content, users must use either the Google Chrome or Microsoft Edge (Chromium) browser.

External user requirements for CSE

You can let external users access client-side encrypted content. To access your users' encrypted Gmail messages, external users just need to use S/MIME. For other content, the requirements differ, depending on the method you use to provide external access. For details, see Provide external access to client-side encrypted content.

Understand encryption key options


External key services

To use client-side encryption, your organization needs to use its own encryption keys. You have 2 options for creating your encryption keys:

Hardware keys for Gmail

Requires having the Assured Controls or Assured Controls Plus add-on.

If users in your organization use smart cards to access facilities and systems, you can set up hardware key encryption for Gmail CSE instead of a key service. Users can use their hardware key to sign and encrypt email. For details, go to Gmail only: Set up and manage hardware encryption keys.

CSE setup overview

Here's an overview of the steps you'll need to follow to set up Google Workspace Client-side encryption. How you set up CSE depends on which type of encryption keys you want to use.

If you're using an external encryption key service

Follow these steps to set up encryption for Google Drive, Google Calendar, and Google Meet. You'll also follow these steps for Gmail, unless you want to only use hardware encryption keys for Gmail.

Step 1: Choose your external encryption key service
Sign up with one of Google's encryption key service partners, or build your own service using the Google Workspace CSE API. Your key service controls the top-level encryption keys that protect your data.
How to complete this step: Choose your key service for client-side encryption

Step 2: Connect Google Workspace to your identity provider
Connect to either a third-party IdP or Google identity, using either the Admin console or a .well-known file hosted on your server. Your IdP verifies users' identity before letting them encrypt content or access encrypted content.
How to complete this step: Connect to your identity provider for client-side encryption
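
If you take the .well-known route, the IdP connection is a small JSON document on your web server that Google fetches over HTTPS. The script below is an added example, not Google's code or a file from this help page: it checks such a document before you publish it. It assumes the file is served at https://<your primary domain>/.well-known/cse-configuration and contains the fields "name", "client_id" and "discovery_uri", with "grant_type" optional; the sample document is constructed. The same check applies to Step 1 of the hardware-key flow further down this page.

```python
"""
Added example (not Google's code): validate a .well-known/cse-configuration
document before publishing it. Assumption: the file is a JSON object with
"name", "client_id" and "discovery_uri" (plus optional "grant_type"), served
over HTTPS at https://<your primary domain>/.well-known/cse-configuration.
"""
import json
from urllib.parse import urlparse

# Constructed sample of the file you would host; all values are placeholders.
SAMPLE_CSE_CONFIGURATION = """{
  "name": "Example Corp IdP",
  "client_id": "cse-client-id-placeholder",
  "discovery_uri": "https://idp.example.com/.well-known/openid-configuration",
  "grant_type": "implicit"
}"""

REQUIRED_FIELDS = ("name", "client_id", "discovery_uri")
OIDC_DISCOVERY_PATH = "/.well-known/openid-configuration"  # standard OIDC metadata path


def validate_cse_configuration(text: str) -> list:
    """Return a list of problems; an empty list means the file looks publishable."""
    problems = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["top-level value must be a JSON object"]

    for field in REQUIRED_FIELDS:
        value = cfg.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"missing or empty field: {field}")

    uri = cfg.get("discovery_uri")
    if isinstance(uri, str):
        parts = urlparse(uri)
        # Google reads the IdP's signing keys and issuer from this document,
        # so it must be fetched over https and point at real OIDC metadata.
        if parts.scheme != "https":
            problems.append("discovery_uri must use https")
        if not parts.path.endswith(OIDC_DISCOVERY_PATH):
            problems.append(f"discovery_uri should end with {OIDC_DISCOVERY_PATH}")

    grant = cfg.get("grant_type")
    if grant is not None and not isinstance(grant, str):
        problems.append("grant_type must be a string when present")
    return problems


def fetch_and_validate(domain: str) -> list:
    """Fetch the live file from your domain (https only) and validate it."""
    from urllib.request import urlopen  # imported here so the checks above run offline

    url = f"https://{domain}/.well-known/cse-configuration"
    with urlopen(url, timeout=10) as resp:
        body = resp.read().decode("utf-8")
    return validate_cse_configuration(body)


if __name__ == "__main__":
    print(validate_cse_configuration(SAMPLE_CSE_CONFIGURATION))  # []
```

Run the validator against the file before you publish it and again (with fetch_and_validate) after deployment, since a web server that serves the path with a redirect, a wrong content type or a stale copy will fail the connection in the Admin console without much explanation.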

Step 3: Set up your external key service
Work with your key service partner to set up the service for Google Workspace Client-side encryption.
Note: When using CSE with Meet hardware, the KACLS server used for key management must support the delegate call, which is used for authorizing a room to join a meeting on behalf of an authenticated user. For details, check with your KACLS vendor.
How to complete this step: Set up your key service for client-side encryption; Delegate call

Step 4: Add your key service information to the Admin console
Add your external key service's URL to the Admin console to connect the service to Google Workspace. You can add multiple key services to assign different key services for specific organizational units or groups.
How to complete this step: Add and manage key services for client-side encryption

Step 5: Assign your key service to users
Assign your key service, or multiple services, to your organizational units and groups. You'll need to assign a key service as the default for your organization.
How to complete this step: Assign client-side encryption to users

Step 6: (Gmail CSE only) Upload users' encryption keys
Important: If you have the Assured Controls add-on, and you're not using hardware key encryption, you can skip this step and use the Send to anyone (beta) option instead.
Create a Google Cloud Platform (GCP) project and enable the Gmail API. Then give the API access to your entire organization, turn on CSE for Gmail users, and upload private and public encryption keys to Gmail.
Note: This step requires experience using APIs and Python scripts.
How to complete this step: Gmail only: Configure S/MIME certificates for client-side encryption

Step 7: Turn on CSE for users
Turn on CSE for any organizational units or groups in your organization with users who need to create client-side encrypted content. You can turn on CSE for all supported services or just specific ones (Gmail, Meet, Drive, and Calendar).
Gmail CSE: If you have the Assured Controls add-on, and you're not using hardware key encryption for Gmail, you can select the Send to anyone (beta) option during this step to automatically enable email encryption, without the need to configure S/MIME certificates.
How to complete this step: Turn CSE on or off for users

Step 8: (Optional) Set up external access
You can provide external access to client-side encrypted content by configuring a guest identity provider (IdP) for organizations that aren't using Google Workspace CSE.
How to complete this step: Provide external access to client-side encrypted content

Step 9: (Optional) Import messages to Gmail as client-side encrypted email
If your organization has messages in another service or in another encryption format, then as an administrator, you can migrate those messages to Gmail as client-side encrypted messages in the S/MIME format.
How to complete this step: Migrate messages to Gmail as client-side encrypted email

If you're using hardware encryption keys for Gmail

Requires having the Assured Controls or Assured Controls Plus add-on.

Follow these steps if you want to set up hardware encryption keys for all or some of your Gmail users, instead of an external key service.

Step 1: Connect Google Workspace to your identity provider
Connect to either a third-party IdP or Google identity, using either the Admin console or a .well-known file hosted on your server. Your IdP verifies users' identity before letting them encrypt content or access encrypted content.
How to complete this step: Connect to your identity provider for client-side encryption

Step 2: Set up your hardware encryption keys
Install the Google Workspace Hardware Key application on users' Windows devices.
Note: This step requires experience working with PowerShell scripts.
How to complete this step: Gmail only: Set up and manage hardware encryption keys

Step 3: Add hardware encryption information to the Admin console
Enter the port number at which Google Workspace will communicate with the smart card reader on users' Windows devices.
How to complete this step: Gmail only: Set up and manage hardware encryption keys

Step 4: Assign hardware encryption to users
Assign hardware key encryption to your organizational units and groups.
How to complete this step: Assign client-side encryption to users

Step 5: Upload users' public encryption keys
Create a Google Cloud Platform (GCP) project and enable the Gmail API. Then give the API access to your entire organization, turn on CSE for Gmail users, and upload public encryption keys to Gmail.
Note: This step requires experience using APIs and Python scripts.
How to complete this step: Gmail only: Configure S/MIME certificates for client-side encryption
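
The key-upload step differs between the two flows on this page: with an external key service, Gmail receives the certificate chain plus the user's private key wrapped by the KACLS, whereas with hardware keys only the certificate chain is uploaded because the private key never leaves the smart card. The script below is an added example, not Google's sample code or a script from the linked article; it assembles and sanity-checks the request bodies for both flows and isolates the actual Gmail API calls so everything else runs offline. It assumes the Gmail API resources users.settings.cse.keypairs and users.settings.cse.identities accept the field names used here (pkcs7, privateKeyMetadata, kaclsKeyMetadata, hardwareKeyMetadata, emailAddress, primaryKeyPairId), an 8 KiB limit on kaclsData, and a service account with domain-wide delegation for the listed scopes; the certificate chain and wrapped-key values are constructed placeholders.

```python
"""
Added example, not Google's sample code: assemble and sanity-check the Gmail
API request bodies that upload a user's CSE key material, for the
key-service flow (KACLS-wrapped private key) and the hardware-key flow
(certificate chain only). Field names, the 8 KiB kaclsData limit and the
OAuth scopes are assumptions to confirm against the Gmail API reference.
"""
from __future__ import annotations

KACLS_DATA_MAX_BYTES = 8 * 1024          # assumed documented limit for kaclsData
PEM_PKCS7_HEADER = "-----BEGIN PKCS7-----"
SCOPES = [  # assumption: confirm against the current Gmail API reference
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
]


def keypair_problems(pkcs7_pem: str, kacls_uri: str | None = None,
                     kacls_data: str | None = None,
                     hardware_key_description: str | None = None) -> list:
    """Return the reasons this key material must not be uploaded (empty = OK)."""
    problems = []
    if not pkcs7_pem.lstrip().startswith(PEM_PKCS7_HEADER):
        problems.append("pkcs7 must be a PEM (ASCII-armored) PKCS#7 certificate chain")
    if "PRIVATE KEY" in pkcs7_pem:
        problems.append("certificate chain contains a private key")
    if hardware_key_description is not None:
        # Hardware flow: the private key stays on the smart card; nothing to wrap.
        if kacls_uri or kacls_data:
            problems.append("hardware keys must not carry KACLS metadata")
        return problems
    if not (kacls_uri and kacls_data):
        problems.append("key-service flow needs both kaclsUri and kaclsData")
        return problems
    if not kacls_uri.startswith("https://"):
        problems.append("kaclsUri must be an https URL")
    if "PRIVATE KEY" in kacls_data:
        # A PEM key here means the wrap step was skipped: Gmail would receive
        # the user's raw private key instead of an opaque KACLS blob.
        problems.append("kaclsData is a raw private key, not a KACLS-wrapped blob")
    if len(kacls_data.encode()) > KACLS_DATA_MAX_BYTES:
        problems.append("kaclsData exceeds the size limit")
    return problems


def build_keypair_body(pkcs7_pem: str, **kwargs) -> dict:
    """Body for users.settings.cse.keypairs.create; raises on any problem."""
    problems = keypair_problems(pkcs7_pem, **kwargs)
    if problems:
        raise ValueError("; ".join(problems))
    if kwargs.get("hardware_key_description") is not None:
        metadata = {"hardwareKeyMetadata": {"description": kwargs["hardware_key_description"]}}
    else:
        metadata = {"kaclsKeyMetadata": {"kaclsUri": kwargs["kacls_uri"],
                                         "kaclsData": kwargs["kacls_data"]}}
    return {"pkcs7": pkcs7_pem, "privateKeyMetadata": [metadata]}


def build_identity_body(email_address: str, keypair_id: str) -> dict:
    """Body for users.settings.cse.identities.create: bind the key pair to the sender."""
    if "@" not in email_address or not keypair_id:
        raise ValueError("email_address and keypair_id are required")
    return {"emailAddress": email_address, "primaryKeyPairId": keypair_id}


def upload_cse_keys(service_account_file: str, user_email: str, keypair_body: dict) -> dict:
    """Upload the key pair as the user, then register it as their CSE identity.
    The only network-dependent code lives here, so the checks above run offline."""
    from google.oauth2 import service_account            # pip install google-api-python-client
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        service_account_file, scopes=SCOPES).with_subject(user_email)
    cse = build("gmail", "v1", credentials=creds).users().settings().cse()
    keypair = cse.keypairs().create(userId="me", body=keypair_body).execute()
    identity_body = build_identity_body(user_email, keypair["keyPairId"])
    return cse.identities().create(userId="me", body=identity_body).execute()


# Constructed placeholders; not real certificates or key material.
SAMPLE_PKCS7 = "-----BEGIN PKCS7-----\nMIIB...placeholder...\n-----END PKCS7-----\n"
SAMPLE_WRAPPED_KEY = "opaque-kacls-wrapped-blob-placeholder"
SAMPLE_RAW_KEY = "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    body = build_keypair_body(SAMPLE_PKCS7, kacls_uri="https://kacls.example.com",
                              kacls_data=SAMPLE_WRAPPED_KEY)
    print(list(body["privateKeyMetadata"][0]))  # ['kaclsKeyMetadata']
```

The raw-private-key check is the one worth keeping in any upload tooling: the Gmail API call succeeds either way, so a script that skips the KACLS wrap step would silently hand the user's signing key to Gmail in the clear. For the hardware-key flow, pass hardware_key_description and no KACLS values; the body then carries only the certificate chain.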

Step 6: (Optional) Import messages to Gmail as client-side encrypted email
If your organization has messages in another service or in another encryption format, then as an administrator, you can migrate those messages to Gmail as client-side encrypted messages in the S/MIME format.
How to complete this step: Migrate messages to Gmail as client-side encrypted email

CSE for Meet hardware

By default, Meet encrypts all call media, both in transit and at rest. Only meeting participants and Google’s data center services can decrypt this information.

CSE offers another layer of privacy by encrypting call media directly within each participant’s browser, using keys accessible only to them. Only the participant is able to decrypt meeting information that has been encrypted by their browser using their keys.

To let users take advantage of CSE, admins must connect Workspace to an external identity provider and encryption key service (IdP+key service). For details about setting up an IdP+key service, go to CSE setup overview on this page.

