Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus.
Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities for all services. In addition, Gmail uses TLS (Transport Layer Security) for communication with other email service providers. Google Workspace Client-side encryption (CSE), however, gives you another layer of encryption that only your organization controls.
How CSE protects your data
With CSE:
- Your organization uses its own encryption keys, which encrypt data in the client's browser before any data is transmitted or stored in Google's cloud-based storage. You can manage your keys using a third-party key management service or by building your own service using the Google Workspace Client-side encryption API.
- Your organization also controls the identity provider used to access your encryption keys.
- Google servers and third parties can't access your encryption keys or decrypt your data, which can help your organization meet additional security or compliance requirements.
- You can create policies to allow specific users to create client-side encrypted content and share or send it internally or externally.
- Users can encrypt data with CSE simply by choosing an option in the app—there's no need for them to set up encryption, use extensions, or manage any encryption keys.
Which organizations can benefit from CSE
CSE is especially beneficial for organizations that have any of the following needs:
- Confidentiality for organizations working with sensitive intellectual property
- Compliance support for organizations in highly regulated industries that have ITAR, CJIS, TISAX, IRS 1075, or EAR requirements
- Data sovereignty for organizations that need demonstrable control over their data, using encryption keys that can be held at a specific site, within a nation’s borders, or within any other defined boundary
- Export control for public sector organizations that need to ensure data is encrypted and the keys are inaccessible outside their country’s borders
For example, CSE is especially useful for these industries:
- Large organizations that need to comply with European regulations
- Aerospace and defense contractors
- Criminal justice and law enforcement agencies
- Federal, state, and local agencies and organizations that work with them
Supported services, applications, and data types
Service | Apps | Data that's client-side encrypted | Data that's not client-side encrypted |
---|---|---|---|
Google Drive and Google Docs Editors | Note: For mobile apps, client-side encrypted content is view-only and available for non-Google file formats only. | | |
Gmail | | | Email header, including Subject:, timestamps, and recipients lists |
Google Calendar | | | Any content other than the event description, attachments, and Meet data, such as: |
Google Meet | Note: Meeting room hardware will be available in a later release. | | Any data other than audio and video streams and chat messages |