After you've added one or more external key services to your Admin console for Google Workspace Client-side encryption (CSE), you need to assign them to organizational units or configuration groups. Assigning a key service lets users you've added to your external service's key access control list (KACL) encrypt and decrypt content.
If you've set up hardware key encryption for Gmail CSE, you need to assign it to organizational units or configuration groups. Requires having the Assured Controls or Assured Controls Plus add-on.
For users who need to encrypt content, you'll also need to turn on CSE. For details, go to Turn client-side encryption on or off.
Before you begin
Assign encryption with a key service
Assign the default key service for your organization
You must be signed in as a super administrator for this task.
- Sign in to your Google Admin console using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Data > Compliance > Client-side encryption.
- Under Encryption with external key service, click Assign.
- In the left panel, select either All users in this account or the top-level organizational unit.
- Click Key service, and select your key service in the drop-down list.
- Click Save.
Assign a different key service for specific users
If you've added multiple key services to your Admin console, you can select a different key service than the current service assigned to an organizational unit or group.
Important: If content is already encrypted with the current key service, it's best to migrate encrypted content to the new service to ensure existing client-side encrypted content remains accessible. For details, go to Migrate encrypted content to a new key service later on this page.
You must be signed in as a super administrator for this task.
- Sign in to your Google Admin console using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Data > Compliance > Client-side encryption.
- Under Encryption with external key service, click Assign.
- In the left panel, select an organizational unit or group for which you want to use a different key service.
- Click Key service, and select the new key service in the drop-down list.
- Click Override to keep your setting if the CSE settings for the parent organizational unit are changed.
- If Overridden is already set for the organizational unit, choose an option:
- Inherit—Reverts to the same CSE setting as its parent.
- Save—Saves your new CSE setting (even if the parent setting changes).
Changes can take up to 24 hours but typically happen more quickly.
Migrate encrypted content to a new key service
If you no longer want to use your existing key service to encrypt content for an organizational unit or group, you can add a new service, set the existing service as its backup, and migrate the encrypted content to the new service.
Which services are supported
Currently, you can migrate encrypted content for the following services:
- Google Drive and Docs
- Google Calendar
To switch to another key service for Gmail CSE: You need to use the Gmail API to upload a new S/MIME certificate with keys wrapped by the new key service for each user. For details, go to Gmail only: Upload encryption keys for client-side encryption.
Google doesn't decrypt content
During migration, Google never decrypts content. The new service unwraps the encryption layer from the previous service and replaces it with a new encryption layer.
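The rewrap described above is easiest to see in a worked model of envelope encryption. The following is an added illustration, not Google's code or any KACLS implementation: content is encrypted with a per-item data encryption key (DEK), the key service only wraps and unwraps that DEK, and migration rewraps the DEK while the content ciphertext is copied unchanged. The `KeyService` class stands in for an external key service, the HMAC-SHA256 keystream stands in for AES so the example runs with the standard library only, and the `kacls-old`/`kacls-new` names and the sample documents are constructed.

```python
"""Added illustration (not Google's code) of the envelope-encryption model
behind a CSE key-service migration: the party storing the content never
holds a usable DEK, so migration is a rewrap, not a decrypt-and-re-encrypt."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from HMAC-SHA256(key, nonce||counter).
    Symmetric: the same call encrypts and decrypts. Stand-in for AES in this example."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


@dataclass
class KeyService:
    """Stand-in for an external key service (KACLS). It holds the key-encryption
    key (KEK) and only ever sees DEKs, never document content."""
    name: str  # assumed not to contain ':' (used as the wrapped-DEK label separator)
    kek: bytes = field(default_factory=lambda: os.urandom(32))

    def wrap(self, dek: bytes) -> bytes:
        nonce = os.urandom(12)
        return self.name.encode() + b":" + nonce + _keystream_xor(self.kek, nonce, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        name, _, rest = wrapped.partition(b":")
        if name != self.name.encode():
            # Mirrors the page's warning: once the backup is removed, DEKs it
            # wrapped can no longer be unwrapped, so un-migrated items are lost.
            raise ValueError(f"{self.name} cannot unwrap a DEK wrapped by {name.decode()}")
        nonce, body = rest[:12], rest[12:]
        return _keystream_xor(self.kek, nonce, body)


@dataclass
class EncryptedItem:
    """What the storage side holds: ciphertext, its nonce, and the wrapped DEK."""
    nonce: bytes
    ciphertext: bytes
    wrapped_dek: bytes


def encrypt_item(plaintext: bytes, service: KeyService) -> EncryptedItem:
    """Client side: fresh DEK per item, encrypt content, have the service wrap the DEK."""
    dek = os.urandom(32)
    nonce = os.urandom(12)
    return EncryptedItem(nonce, _keystream_xor(dek, nonce, plaintext), service.wrap(dek))


def decrypt_item(item: EncryptedItem, service: KeyService) -> bytes:
    dek = service.unwrap(item.wrapped_dek)
    return _keystream_xor(dek, item.nonce, item.ciphertext)


def migrate_item(item: EncryptedItem, old: KeyService, new: KeyService) -> EncryptedItem:
    """Migration: the old (backup) service unwraps the DEK and the new service
    rewraps it. Nonce and content ciphertext are carried over untouched."""
    dek = old.unwrap(item.wrapped_dek)
    return EncryptedItem(item.nonce, item.ciphertext, new.wrap(dek))


def remaining_on_backup(items, backup: KeyService) -> int:
    """Count of items still wrapped by the previous service: the number an admin
    checks to decide whether migration is complete."""
    label = backup.name.encode() + b":"
    return sum(1 for it in items if it.wrapped_dek.startswith(label))


def demo() -> int:
    old, new = KeyService("kacls-old"), KeyService("kacls-new")
    # Constructed sample documents encrypted under the old service.
    items = [encrypt_item(b"quarterly numbers", old), encrypt_item(b"board minutes", old)]
    migrated = [migrate_item(it, old, new) for it in items]
    # Content bytes are identical before and after; only the wrapped DEK changed.
    assert all(m.ciphertext == o.ciphertext for m, o in zip(migrated, items))
    assert decrypt_item(migrated[0], new) == b"quarterly numbers"
    return remaining_on_backup(migrated, old)  # 0 once every item is rewrapped
```

Running `demo()` shows the two properties the page states: the ciphertext never changes during migration, and after migration the backup service is no longer needed for those items. It also shows why the page tells you to wait for migration to finish before removing the backup: an item still wrapped by the old service cannot be unwrapped by the new one.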
There's no impact to users
During migration, users can continue to encrypt or view encrypted content without interruption.
Migration status isn't available
Status of progress and notification of any problems aren’t available.
Test migration on a small number of users first
It's best practice to try migration on a small number of users first, before running a full migration on all users' content. Assign the new key to only one organizational unit or group and turn on migration for those users to determine if there are any migration issues.
After the test migration, try encrypting new content with the new key service, and check if you can still access and edit previously encrypted content.
Reduce migration time
To minimize the number of new items encrypted with the current key service, start full migration during off-peak periods.
- If you’re currently using only one key service: Add the new key service and choose the current service as backup. For details, go to Add an external key service.
- If any key service you’re currently using already has a backup service: Remove the backup from the key service. For details, go to Remove the backup from a key service. Then add the new key service and select the current services as backup.
Important: If you’re currently migrating content from the backup you need to remove, wait until migration is complete. Once you remove the backup, any migration stops immediately. For details, go to Step 4: Check if migration is complete later on this page.
After you select the new key service for an organizational unit or group, you can turn on migration, if there are any services with previously encrypted content that can be migrated.
Migration time varies depending on how much content was encrypted with the current key service and the new key service's processing speed. Content migration can take from a few hours to several days to complete.
You must be signed in as a super administrator for this task.
- Sign in to your Google Admin console using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Data > Compliance > Client-side encryption.
- Under Encryption with external key service, click Assign.
- In the left panel, select the organizational unit or group for which you want to migrate content to a new key service.
- Under Migration, click On.
Note: This option is available only if there are services with previously encrypted content listed under Migration.
- In the confirmation message, check the box to indicate you understand that migration can’t be reversed once it starts. Then click Save.
The migration process starts.
Step 4: Check if migration is complete
You must be signed in as a super administrator for this task.
- Sign in to your Google Admin console using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Data > Compliance > Client-side encryption.
- Under Encryption with external key service, click Assign.
- In the left panel, select the organizational unit or group for which you want to migrate encrypted content to a new key service.
- Under Migration, check the number of items encrypted with the previous service (now the backup service).
If there aren’t any encrypted items, migration is complete.
If content migration is complete, and you no longer want to use the backup service, you can remove it from the new key service. For details, go to Remove the backup from a key service.
Assign encryption with hardware keys (Gmail only)
If you set up hardware key encryption for all or some users in your organization to encrypt Gmail, you need to assign it to those users.
If you're also using an encryption key service for Gmail: You can assign hardware key encryption to the same users as the key service; however, those users will encrypt Gmail using either the key service or a hardware key, depending on how you set up their encryption keys for Gmail. For details, go to Gmail only: Set up the Gmail API for client-side encryption.
You must be signed in as a super administrator for this task.
- Sign in to your Google Admin console using an account with super administrator privileges (does not end in @gmail.com).
- In the Admin console, go to Menu > Data > Compliance > Client-side encryption.
- Under Encryption with hardware keys, click Assign.
- In the left panel, select an organizational unit or group for which you want to use a different key service.
- Click Hardware key encryption, and check the box.
- If you selected a child organizational unit, click Override to keep your setting if the CSE settings for the parent organizational unit are changed.
- If Overridden is already set for the organizational unit, choose an option:
- Inherit—Reverts to the same CSE setting as its parent.
- Save—Saves your new CSE setting (even if the parent setting changes).
Changes can take up to 24 hours but typically happen more quickly.