Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus. Compare your edition
Before you start setting up Google Workspace Client-side encryption (CSE), review the requirements, encryption key options, and setup overview.
CSE requirements
You need super administrator privileges for Google Workspace to manage CSE for your organization, including:
- Adding and managing key services
- Assigning key services to organizational units and groups
- Turning CSE on or off for users
User license requirements
- Users need a Google Workspace Enterprise Plus or Google Workspace for Education Plus license to use CSE to:
- Create or upload client-side encrypted content
- Host encrypted meetings
- Send or receive encrypted email
- Users can have any type of Google Workspace or Cloud Identity license to:
- View, edit, or download client-side encrypted content
- Join a CSE meeting
- Users with a consumer Google Account (such as Gmail users) can't access client-side encrypted content, send encrypted email, or participate in client-side encrypted meetings.
Browser requirements
To view or edit client-side encrypted content, users must use either the Google Chrome or Microsoft Edge (Chromium) browser.
You can let external users access client-side encrypted content. To access your users' encrypted Gmail messages, external users just need to use S/MIME. For other content, the requirements differ, depending on the method you use to provide external access. For details, see Provide external access to client-side encrypted content.
Understand encryption key options
- Use an external encryption key service that partners with Google. Your key service will guide you in setting up the service for Google Workspace. For details, go to Choose your key service for client-side encryption.
- Build your own key service using the Google Workspace CSE API.
Requires having the Assured Controls or Assured Controls Plus add-on.
CSE setup overview
Here's an overview of the steps you'll need to follow to set up Google Workspace Client-side encryption. How you set up CSE depends on which type of encryption keys you want to use.
If you're using an external encryption key service
Follow these steps to set up encryption for Google Drive, Google Calendar, and Google Meet. You'll also follow these steps for Gmail, unless you want to only use hardware encryption keys for Gmail.
Step | Description | How to complete this step |
---|---|---|
Step 1: Choose your external encryption key service | Sign up with one of Google's encryption key service partners, or build your own service using the Google Workspace CSE API. Your key service controls the top-level encryption keys that protect your data. | Choose your key service for client-side encryption |
Step 2: Connect Google Workspace to your identity provider | Connect to either a third-party IdP or Google identity, using either the Admin console or a .well-known file hosted on your server. Your IdP verifies users' identities before letting them encrypt content or access encrypted content. | Connect to your identity provider for client-side encryption |
Step 3: Set up your external key service | Work with your key service partner to set up the service for Google Workspace Client-side encryption. | Set up your key service for client-side encryption |
Step 4: Add your key service information to the Admin console | Add your external key service's URL to the Admin console to connect the service to Google Workspace. You can add multiple key services and assign different key services to specific organizational units or groups. | Add and manage key services for client-side encryption |
Step 5: Assign your key service to users | Assign your key service, or multiple services, to your organizational units and groups. You'll need to assign one key service as the default for your organization. | Assign client-side encryption to users |
Step 6: (Gmail CSE only) Upload users' encryption keys | Create a Google Cloud Platform (GCP) project and enable the Gmail API. Then give the API access to your entire organization, turn on CSE for Gmail users, and upload users' private and public encryption keys to Gmail. Note: This step requires experience using APIs and Python scripts. | Gmail only: Upload encryption keys for client-side encryption |
Step 7: Turn on CSE for users | Turn on CSE for any organizational units or groups in your organization with users who need to create client-side encrypted content. | Turn CSE on or off for users |
Step 8: (Optional) Set up external access | To access encrypted Gmail content, external users just need S/MIME. Otherwise, you have 2 methods to provide external access, depending on the organization and the content. | Provide external access to client-side encrypted content |
Step 9: (Optional) Import messages to Gmail as client-side encrypted email | If your organization has messages in another service or in another encryption format, then as an administrator, you can migrate those messages to Gmail as client-side encrypted messages in the S/MIME format. | Migrate messages to Gmail as client-side encrypted email |
If you're using hardware encryption keys for Gmail
Requires having the Assured Controls or Assured Controls Plus add-on.
Follow these steps if you want to set up hardware encryption keys for all or some of your Gmail users, instead of an external key service.
Step | Description | How to complete this step |
---|---|---|
Step 1: Connect Google Workspace to your identity provider | Connect to either a third-party IdP or Google identity, using either the Admin console or a .well-known file hosted on your server. Your IdP verifies users' identities before letting them encrypt content or access encrypted content. | Connect to your identity provider for client-side encryption |
Step 2: Set up your hardware encryption keys | Install the Google Workspace Hardware Key application on users' Windows devices. Note: This step requires experience working with PowerShell scripts. | Gmail only: Set up and manage hardware encryption keys |
Step 3: Add hardware encryption information to the Admin console | Enter the port number on which Google Workspace will communicate with the smart card reader on users' Windows devices. | Gmail only: Set up and manage hardware encryption keys |
Step 4: Assign hardware encryption to users | Assign hardware key encryption to your organizational units and groups. | Assign client-side encryption to users |
Step 5: Upload users' public encryption keys | Create a Google Cloud Platform (GCP) project and enable the Gmail API. Then give the API access to your entire organization, turn on CSE for Gmail users, and upload users' public encryption keys to Gmail. Note: This step requires experience using APIs and Python scripts. | Gmail only: Upload encryption keys for client-side encryption |
Step 6: (Optional) Import messages to Gmail as client-side encrypted email | If your organization has messages in another service or in another encryption format, then as an administrator, you can migrate those messages to Gmail as client-side encrypted messages in the S/MIME format. | Migrate messages to Gmail as client-side encrypted email |
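Both key-upload steps above (the external key service flow, where users' private keys are uploaded in KACLS-wrapped form, and the hardware key flow, where only public keys are uploaded) end with calls to the Gmail API's CSE endpoints. The following is an added example, not code from this page or from Google, showing how a script would assemble and sanity-check the request bodies before sending them. It uses the field names of the Gmail API CseKeyPair and CseIdentity resources (`pkcs7`, `privateKeyMetadata.kaclsKeyMetadata.kaclsUri`/`kaclsData`, `emailAddress`, `primaryKeyPairId`). The KACLS URL, the user address and the PEM blob are constructed placeholders, and the choice to omit `privateKeyMetadata` entirely for hardware-key users (whose private key never leaves the smart card) is an assumption of this example. The check that matters operationally is the one that refuses raw private-key material in the `kaclsData` field: that field must only ever carry the opaque blob the key service returned, because anything uploaded there is stored by Google.

```python
import base64
import json
import re

# Added example (not Google's code). Builds the bodies for
# users.settings.cse.keypairs.create and users.settings.cse.identities.create
# and refuses the most damaging mistake: uploading an unwrapped private key.

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every armored block; ValueError on bad base64."""
    out = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        out.append((label, der))
    return out


def build_keypair_body(pkcs7_pem, kacls_uri=None, wrapped_private_key=None):
    """Body for keypairs.create. Pass wrapped_private_key=None for hardware keys
    (assumption: the private key stays on the smart card, so nothing is uploaded)."""
    blocks = pem_blocks(pkcs7_pem)
    if not blocks:
        raise ValueError("pkcs7 must contain at least one PEM block")
    labels = {label for label, _ in blocks}
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("pkcs7 carries the certificate chain only, never a private key")
    unexpected = labels - {"PKCS7", "CERTIFICATE"}
    if unexpected:
        raise ValueError(f"unexpected PEM block(s): {sorted(unexpected)}")
    body = {"pkcs7": pkcs7_pem}
    if wrapped_private_key is None:
        return body
    if not kacls_uri or not kacls_uri.startswith("https://"):
        raise ValueError("kaclsUri must be an https:// URL")
    if "PRIVATE KEY" in wrapped_private_key:
        raise ValueError("kaclsData must be the KACLS-wrapped blob, not a PEM private key")
    body["privateKeyMetadata"] = [
        {"kaclsKeyMetadata": {"kaclsUri": kacls_uri, "kaclsData": wrapped_private_key}}
    ]
    return body


def build_identity_body(email_address, key_pair_id):
    """Body for identities.create, binding the user's address to the uploaded key pair."""
    if "@" not in email_address:
        raise ValueError("emailAddress must be the user's full address")
    return {"emailAddress": email_address, "primaryKeyPairId": key_pair_id}


def is_rejected(func, *args, **kwargs):
    """True if func raises ValueError for these inputs (used to exercise the checks)."""
    try:
        func(*args, **kwargs)
    except ValueError:
        return True
    return False


# Constructed placeholder: armored base64 of a sentence, NOT a real PKCS#7 chain.
SAMPLE_PKCS7_PEM = (
    "-----BEGIN PKCS7-----\n"
    + base64.b64encode(b"constructed placeholder, not a real PKCS#7 chain").decode()
    + "\n-----END PKCS7-----\n"
)

if __name__ == "__main__":
    user = "alice@example.com"  # placeholder address
    keypair = build_keypair_body(
        SAMPLE_PKCS7_PEM, "https://kacls.example.com/v1", "opaque-wrapped-blob"
    )
    print(json.dumps(keypair, indent=2))
    # With google-api-python-client and a service account holding domain-wide
    # delegation for the gmail.settings.basic / gmail.settings.sharing scopes:
    #   created = service.users().settings().cse().keypairs().create(
    #       userId=user, body=keypair).execute()
    #   service.users().settings().cse().identities().create(
    #       userId=user, body=build_identity_body(user, created["keyPairId"])).execute()
    print(json.dumps(build_identity_body(user, "keyPairId-from-create-response"), indent=2))
```

Run the script as-is to see the two JSON bodies; the API calls stay commented because they need real credentials and a real PKCS#7 chain. The hardware-key variant is `build_keypair_body(pem)` with no wrapped key, which yields a body containing only `pkcs7`.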