Choose your key service for client-side encryption

Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus. Compare your edition

To get started with Google Workspace Client-side encryption (CSE), you first need to choose one or more external key services. You can choose a Google partner or build your own service.

Note: For Gmail CSE, you can use hardware encryption keys instead of a key service. Requires having the Assured Controls or Assured Controls Plus add-on. For details, go to Gmail only: Set up and manage hardware encryption keys. 

Option 1: Sign up with a Google partner key service

Google's key service partners provide tools that meet Google’s specifications for both key management and access control capabilities. Your partner holds the key to decode encrypted files and other content, and Google can't access or decipher these files without this key. After you sign up with one of Google's partners, they'll guide you in setting up their service to work with Google Workspace.

You can choose from these partner services:

Option 2: Build your own key service

If your organization wants even more control over encryption keys, you can build a standalone service or embed it into your product using the  Google Workspace Client-side Encryption API. 

You can use multiple key services

If you want to use different key services for specific users—for example, users in different regions—you can set up multiple key services. 

You can switch key services

At any time you can switch to a different key service and migrate encrypted content to the new service.

Next step

After you choose your external key service, you need to connect your identity provider to your Admin console.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
15819356376538164777
true
Search Help Center
true
true
true
true
true
73010
false
false