Client-side encryption setup overview

Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus. Compare your edition

Before you start setting up Google Workspace Client-side encryption (CSE), review the requirements, encryption key options, and setup overview.

CSE requirements

Expand section  |  Collapse all

Administrator privileges for CSE

You need super administrator privileges for Google Workspace to manage CSE for your organization, including:

  • Adding and managing key services
  • Assigning key services to organizational units and groups
  • Turning CSE on or off for users
Internal user requirements for CSE

User license requirements

  • Users need a Google Workspace Enterprise Plus or Google Workspace for Education Plus license to use CSE to:
    • Create or upload client-side encrypted content
    • Host encrypted meetings
    • Send or receive encrypted email
  • Users can have any type of Google Workspace or Cloud Identity license to:
    • View, edit, or download client-side encrypted content
    • Join a CSE meeting
  • Users with a consumer Google Account (such as Gmail users) can't access client-side encrypted content, send encrypted email, or participate in client-side encrypted meetings.

Browser requirements

To view or edit client-side encrypted content, users must use either the Google Chrome or Microsoft Edge (Chromium) browser.

External user requirements for CSE

You can let external users access client-side encrypted content. To access your users' encrypted Gmail messages, external users just need to use S/MIME. For other content, the requirements differ, depending on the method you use to provide external access. For details, see Provide external access to client-side encrypted content.

Understand encryption key options

Expand section  |  Collapse all

External key services
To use client-side encryption, your organization needs to use its own encryption keys. You have 2 options for creating your encryption keys:
Hardware keys for Gmail

Requires having the Assured Controls or Assured Controls Plus add-on.

If users in your organization use smart cards to access facilities and systems, you can set up hardware key encryption for Gmail CSE instead of a key service. Users can use their hardware key to sign and encrypt email. For details, got to Gmail only: Set up and manage hardware encryption keys. 

CSE setup overview

Here's an overview of the steps you'll need to set up Google Workspace Client-side encryption. How you set up CSE depends on which type of encryption keys you want to use.

If you're using an external encryption key service

Follow these steps to set up encryption for Google Drive, Google Calendar, and Google Meet. You'll also follow these steps for Gmail, unless you want to only use hardware encryption keys for Gmail.

Step Description How to complete this step
Step 1: Choose your external encryption key service
Sign up with one of Google's encryption key service partners, or build your own service using the Google Workspace CSE API. You key service controls the top-level encryption keys that protect your data.
Choose your key service for client-side encryption
​Step 2: Connect Google Workspace to your identity provider​

Connect to either a third-party IdP or Google identity, using either the Admin console or a .well-known file hosted on your server. Your IdP verifies users' identity before letting them encrypt content or access encrypted content.

Connect to your identity provider for client-side encryption
Step 3: Set up your external key service Work with your key service partner to set up the service for Google Workspace Client-side encryption. Set up your key service for client-side encryption
Step 4: Add  your key service information to the Admin console

Add your external key service's URL to the Admin console to connect the service to Google Workspace. You can add multiple key services to assign different key services for specific organizational units or groups. 

Add and manage key services for client-side encryption
Step 5: Assign your key service to users Assign your key service, or multiple services, to your organizational units and groups. You'll need to assign a key service as the default for your organization. Assign client-side encryption to users
Step 5: (Gmail CSE only) Upload users' encryption keys

Create a Google Cloud Platform (CGP) project and enable the Gmail API. Then give the API access to your entire organization, turn on CSE for Gmail users, and upload private and public encryption keys to Gmail.

Note: This step requires experience using APIs and Python scripts.

Gmail only: Upload encryption keys for client-side encryption
Step 6: Turn on CSE for users Turn on CSE for any organizational units or groups in your organization with users who need to create client-side encrypted content. Turn CSE on or off for users
Step 7: (Optional) Set up external access For access encrypted Gmail content, external users just need S/MIME. Otherwise, you have 2 methods to provide external access, depending on the organization and the content. Provide external access to client-side encrypted content
Step 8: (Optional) Import messages to Gmail as client-side encrypted email If your organization has messages in another service or in another encryption format, then as an administrator, you can migrate those messages to Gmail as client-side encrypted messages in the S/MIME format.  Migrate messages to Gmail as client-side encrypted email

If you're using hardware encryption keys for Gmail

Requires having the Assured Controls or Assured Controls Plus add-on.

Follow these steps if you want to set up hardware encryption keys for all or some of your Gmail users, instead of an external key service.

Step Description How to complete this step
​Step 1: Connect Google Workspace to your identity provider​ Connect to either a third-party IdP or Google identity, using either the Admin console or a .well-known file hosted on your server. Your IdP verifies users' identity before letting them encrypt content or access encrypted content. Connect to your identity provider for client-side encryption
Step 2: Set up your hardware encryption keys

Install the Google Workspace Hardware Key application on users' Windows devices. 

Note: This step requires experience working with PowerShell scripts.

Gmail only: Set up and manage hardware encryption keys
Step 3: Add hardware encryption information to the Admin console Enter the port number at which Google Workspace will communicate with the smart card reader on users' Windows devices. Gmail only: Set up and manage hardware encryption keys
Step 4: Assign hardware encryption to users Assign hardware key encryption to your organizational units and groups.  Assign client-side encryption to users
Step 5: Upload users' public encryption keys

Create a Google Cloud Platform (CGP) project and enable the Gmail API. Then give the API access to your entire organization, turn on CSE for Gmail users, and upload public encryption keys to Gmail.

Note: This step requires experience using APIs and Python scripts.

Gmail only: Upload encryption keys for client-side encryption
Step 6: (Optional) Import messages to Gmail as client-side encrypted email If your organization has messages in another service or in another encryption format, then as an administrator, you can migrate those messages to Gmail as client-side encrypted messages in the S/MIME format.  Migrate messages to Gmail as client-side encrypted email

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
2576596572836635239
true
Search Help Center
true
true
true
true
true
73010
false
false