About client-side encryption

Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus.

You can use your own encryption keys to encrypt your organization's data—like files and emails—in addition to using the default encryption that Google Workspace provides. With Google Workspace Client-side encryption (CSE), content encryption is handled in the client's browser before any data is transmitted or stored in Google's cloud-based storage. That way, Google servers can't access your encryption keys and decrypt your data. After you set up CSE, you can choose which users can create client-side encrypted content and share or send it internally or externally. 

Why use CSE?

Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities for all services. In addition, Gmail uses TLS (Transport Layer Security) for communication with other email service providers. With CSE, however, you have direct control of encryption keys and the identity provider used to access those keys. This additional control can help you strengthen the confidentiality of your sensitive or regulated data. Your organization might need to use CSE for various reasons—for example:

  • Privacy—Your organization works with extremely sensitive intellectual property.
  • Regulatory compliance—Your organization operates in a highly regulated industry, like aerospace and defense, financial services, or government.

Supported services and data types

Which services CSE supports

Google Workspace Client-side encryption is currently available for the following services:

  • Google Drive for web browser, Drive for Desktop (non-Google file formats only), and Drive on Android and iOS mobile apps (view-only for non-Google file formats).
  • Gmail for web browser and on Android and iOS mobile apps.
  • Google Calendar for web browser and on Android and iOS mobile apps.
  • Google Meet for web browser and on Android and iOS mobile apps. Meeting room hardware will be available in a later release.

Which data CSE encrypts

Google Drive
  Client-side encrypted:
    • Files created with Google Docs Editors (documents, spreadsheets, presentations)
    • Uploaded files, like PDFs and Microsoft Office files
  Not client-side encrypted:
    • File title
    • File metadata, such as owner, creator, and last-modified time
    • Drive labels (also called Drive metadata)
    • Linked content that’s outside of Docs or Drive (for example, a YouTube video linked from a Google document)
    • User preferences, such as Docs header styles

Gmail
  Client-side encrypted:
    • Email body, including inline images
    • Attached files

      Note: Attaching client-side encrypted Drive files isn't yet supported
  Not client-side encrypted:
    • Email header, including Subject:, timestamps, and recipients lists

Google Calendar
  Client-side encrypted:
    • Event description
    • Attached Drive files (if CSE for Drive is turned on)
    • Meet audio and video streams (if CSE for Meet is turned on)
  Not client-side encrypted:
    Any content other than the event description, attachments, and Meet data, such as:
    • Event title
    • Event starting and ending times
    • Attendees list
    • Booked rooms
    • Join by phone numbers
    • Link for Meet

Google Meet
  Client-side encrypted:
    • Audio streams
    • Video streams (including screen sharing)
    • Chat messages
  Not client-side encrypted:
    • Any data other than audio and video streams and chat messages

About your encryption keys

Key services

To use client-side encryption, your organization needs to use its own encryption keys. To create your keys, you can use an external encryption key service that partners with Google—they'll guide you in setting up the service for Google Workspace. For details, see Set up your key service for client-side encryption.
Alternatively, you can build your own key service using the Google Workspace CSE API.

Hardware keys for Gmail

Requires having the Assured Controls add-on.

If users in your organization use smart cards to access facilities and systems, you can set up hardware key encryption for Gmail CSE instead of a key service. Users can use their hardware key to sign and encrypt email. For details, see Gmail only: Set up and manage hardware encryption keys. 

CSE setup overview

Here's an overview of the steps you'll need to set up Google Workspace Client-side encryption.

Step 1: Set up your external encryption key service or hardware keys
You'll set up an encryption key service through one of Google's partner services, or build your own service using the Google Workspace CSE API. This service controls the top-level encryption keys that protect your data. When setting up your service, you'll add users to your key service's key access control list (KACL). For details, see Set up your key service for client-side encryption.
For Gmail CSE, you can set up hardware key encryption instead of a key service. Requires having the Assured Controls add-on.
You'll need to install the Google Workspace Hardware Key application on users' Windows devices. For details, see Gmail only: Set up and manage hardware encryption keys.
Step 2: Add information about your key service or hardware encryption to the Admin console
You'll connect Google Workspace to your external key service by adding the service's URL to the Admin console. You can add multiple key services if you want to assign different key services for specific organizational units or groups. And at any time, you can migrate encrypted content from one service to another. For details, see Add and manage key services for client-side encryption.
If you're setting up hardware key encryption for Gmail CSE, you'll enter the port number at which Google Workspace will communicate with the smart card reader on users' Windows devices. For details, see Gmail only: Set up and manage hardware encryption keys.
Step 3: Assign your key service or hardware encryption to users
After you connect Google Workspace to an external key service, or set up hardware key encryption for Gmail, you can assign it to your organizational units and groups. If you're using one or more key services, you'll need to assign one key service as the default for your entire organization. For details, see Assign client-side encryption to users.
Step 4: Connect Google Workspace to your identity provider
You'll need to connect to either a third-party IdP or Google identity, using either the Admin console or a .well-known file hosted on your server. Your IdP verifies the identity of users before allowing them to encrypt content or access encrypted content. For details, see Connect to your identity provider for client-side encryption.
Step 5: (Gmail CSE only) Enable the Gmail API
You'll create a Google Cloud Platform (GCP) project and enable the Gmail API. Then you'll give the API access to your entire organization and upload encryption keys to Gmail. For details, see Gmail only: Upload encryption keys for client-side encryption.
Step 6: Turn on CSE for users
Turn on CSE for any organizational units or groups in your organization with users who need to create client-side encrypted content, such as Drive files or emails. For details, see Turn CSE on or off for users.
Step 7: (Gmail CSE only) Upload users' S/MIME certificates
For each user who will use CSE for Gmail, you'll use the Gmail API to upload an S/MIME (Secure/Multipurpose internet Mail Extensions) certificate and, if you're using an external key service, the private key metadata encrypted by your key service. For details, see Set up Gmail CSE for users.

CSE requirements

Administrator privileges for CSE

You need super administrator privileges for Google Workspace to manage CSE for your organization, including:

  • Adding and managing key services
  • Assigning key services to organizational units and groups
  • Turning CSE on or off for users
Internal user requirements for CSE

License requirements

  • Users need a Google Workspace Enterprise Plus or Google Workspace for Education Plus license to use CSE to:
    • Create or upload client-side encrypted content
    • Host encrypted meetings
    • Send or receive encrypted email
  • Users can have any type of Google Workspace or Cloud Identity license to:
    • View, edit, or download client-side encrypted content
    • Join a CSE meeting
  • Users with a consumer Google Account (such as Gmail users) can't access client-side encrypted content, send encrypted email, or participate in client-side encrypted meetings.

Browser requirements

To view or edit client-side encrypted content, users must use either the Google Chrome or Microsoft Edge (Chromium) browser.

Hardware key encryption requirements

Requires having the Assured Controls add-on.

In addition to the browser requirements above, users must use devices running Microsoft Windows 10 or later to use hardware key encryption.

External user requirements for CSE

To let your users share client-side encrypted content outside your organization:

  • External users must meet licensing requirements
  • External users' organizations must meet CSE setup requirements
  • External users must share some identity information

License requirements for external users

  • External users must have a Google Workspace or Cloud Identity license to access files and other types of data encrypted with CSE, such as encrypted Drive files.

  • External users, using S/MIME, can send and receive encrypted messages. A Google Workspace or Cloud Identity license is not required.

  • Users with a consumer Google Account or a visitor account can't access files encrypted with CSE.

Setup requirements for external users' organizations

  • External organizations that your users will collaborate with must also set up CSE, either in the Admin console or with a .well-known file.
  • Your external key service must add the third-party IdP used by the external organization's users to its allowlist. You can usually find the IdP in that organization's published .well-known file, if they set one up. Otherwise, contact the external organization's Google Workspace admin for their IdP details.

Authentication requirements

Make sure you inform the external organization's admin that their users need to provide their authentication token to your key service to view or edit encrypted content that your organization owns. The authentication process requires a user to share their IP address and other identity information. For details, see Authentication tokens in the Client-side encryption API Reference guide.
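The key service described in the setup steps above, together with the token checks an external organization's users go through when they call it, as an added example that is not Google's or any partner's code: a model KACLS that keeps its own key access control list and IdP allowlist, verifies the authentication token from the IdP and the authorization token from Google, requires both tokens to name the same user, and wraps each item's data encryption key (DEK) under a key encryption key (KEK) bound to the resource named in the authorization. Assumptions: HS256 shared secrets stand in for the RS256/JWKS verification a production service performs against the IdP and the Google issuer; an HMAC encrypt-then-MAC stands in for an AEAD such as AES-GCM; the wrapped-key layout, hostnames, addresses and resource names are constructed for the example; claim and request field names follow the CSE API reference, which remains the authoritative description.

```python
# Added example modelling a CSE key access control list service (KACLS); not Google's or any
# partner's code. Stand-ins for self-containment: HS256 shared secrets for the RS256/JWKS
# checks a real KACLS does against the IdP and Google issuer, HMAC encrypt-then-MAC for an
# AEAD like AES-GCM. Wrapped-key layout, URLs, emails and resource names are constructed.
import base64, hashlib, hmac, json, secrets, time

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_hs256(claims, key):
    # Mints both the IdP authentication token and the Google authorization token in the demo
    hdr = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    return f"{hdr}.{body}." + b64u(hmac.new(key, f"{hdr}.{body}".encode(), hashlib.sha256).digest())

def verify_jwt(token, key, audience):
    hdr, body, sig = token.split(".")
    expect = hmac.new(key, f"{hdr}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, b64u_dec(sig)):
        raise PermissionError("token signature invalid")
    claims = json.loads(b64u_dec(body))
    if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        raise PermissionError("token audience or expiry invalid")
    return claims

def seal(kek, dek, aad):
    # Encrypt-then-MAC: one SHA-256 keystream block covers a 32-byte DEK; aad is authenticated
    if len(dek) > 32:
        raise ValueError("model covers DEKs of up to 32 bytes")
    nonce = secrets.token_bytes(16)
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(dek, stream))
    tag = hmac.new(kek, b"mac" + nonce + aad + ct, hashlib.sha256).digest()
    return {"n": b64u(nonce), "c": b64u(ct), "t": b64u(tag)}

def open_sealed(kek, blob, aad):
    nonce, ct = b64u_dec(blob["n"]), b64u_dec(blob["c"])
    expect = hmac.new(kek, b"mac" + nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, b64u_dec(blob["t"])):
        raise PermissionError("wrapped key altered or bound to a different resource")
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))

class Kacls:
    def __init__(self, url, kek, google_key, idp_keys, kacl):
        self.url, self.kek, self.google_key = url, kek, google_key
        self.idp_keys = idp_keys  # allowlisted IdP issuer -> (verification key, client_id)
        self.kacl = kacl          # key access control list: emails allowed to use the KEK

    def _authorize(self, req, roles):
        authz = verify_jwt(req["authorization"], self.google_key, audience="kacls")
        if authz.get("kacls_url") != self.url:
            raise PermissionError("authorization token was minted for another key service")
        iss = json.loads(b64u_dec(req["authentication"].split(".")[1])).get("iss")  # unverified; only selects the key
        if iss not in self.idp_keys:
            raise PermissionError(f"IdP {iss!r} is not on the allowlist")
        idp_key, client_id = self.idp_keys[iss]
        email = verify_jwt(req["authentication"], idp_key, audience=client_id).get("email", "").lower()
        if email != authz.get("email", "").lower():
            raise PermissionError("authentication and authorization tokens name different users")
        if email not in self.kacl:
            raise PermissionError(f"{email} is not on the key access control list")
        if authz.get("role") not in roles:
            raise PermissionError(f"role {authz.get('role')!r} may not perform this operation")
        # The DEK is bound to the resource (and perimeter) the authorization token names
        return f"{authz.get('resource_name', '')}|{authz.get('perimeter_id', '')}".encode()

    def wrap(self, req):
        aad = self._authorize(req, roles={"writer"})
        return {"wrapped_key": b64u(json.dumps(seal(self.kek, b64u_dec(req["key"]), aad)).encode())}

    def unwrap(self, req):
        aad = self._authorize(req, roles={"reader", "writer"})
        return {"key": b64u(open_sealed(self.kek, json.loads(b64u_dec(req["wrapped_key"])), aad))}

def demo():
    # Constructed scenario: a writer wraps a DEK, a reader unwraps it, four bad requests are refused
    now, url, doc = int(time.time()), "https://kacls.example.com", "drive-file-1"
    kek, google_key, idp_key, rogue_key = (secrets.token_bytes(32) for _ in range(4))
    kacls = Kacls(url, kek, google_key, {"https://idp.example.com": (idp_key, "cse-client-id")},
                  kacl={"alice@example.com", "bob@example.com"})

    def tokens(email, role, resource=doc, iss="https://idp.example.com", key=idp_key):
        authn = jwt_hs256({"iss": iss, "aud": "cse-client-id", "email": email, "exp": now + 300}, key)
        authz = jwt_hs256({"aud": "kacls", "email": email, "role": role, "resource_name": resource,
                           "kacls_url": url, "perimeter_id": "", "exp": now + 300}, google_key)
        return authn, authz

    dek = secrets.token_bytes(32)
    n, z = tokens("alice@example.com", "writer")
    wrapped = kacls.wrap({"authentication": n, "authorization": z, "key": b64u(dek), "reason": "create"})["wrapped_key"]
    n, z = tokens("bob@example.com", "reader")
    got = kacls.unwrap({"authentication": n, "authorization": z, "wrapped_key": wrapped})["key"]
    results = {"round_trip": b64u_dec(got) == dek}
    attempts = {"reader_cannot_wrap": (*tokens("bob@example.com", "reader"), "wrap"),
                "other_resource": (*tokens("bob@example.com", "reader", resource="drive-file-2"), "unwrap"),
                "rogue_idp": (*tokens("bob@example.com", "reader", iss="https://rogue.example", key=rogue_key), "unwrap"),
                "not_on_kacl": (*tokens("mallory@example.com", "reader"), "unwrap")}
    for name, (n, z, op) in attempts.items():
        req = {"authentication": n, "authorization": z, "key": b64u(dek), "wrapped_key": wrapped}
        try:
            getattr(kacls, op)(req)
            results[name] = "allowed"
        except PermissionError:
            results[name] = "denied"
    return results

if __name__ == "__main__":
    print(demo())
```

Two of the refusals are the ones this section is about: a token from an IdP that is not on the allowlist is rejected before its signature is even checked, and a user who authenticates correctly but is not on the KACL is refused even though Google issued a valid authorization. The remaining two show why the KEK alone is not the access control: the authorization's role decides whether a caller may wrap, and the resource name in the authorization is authenticated into the wrapped blob, so a valid token for one document cannot unwrap another document's key.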

CSE user experience

After you set up client-side encryption for your organization, users for whom you turn on CSE can use it with the following services.

Google Drive

Users can create client-side encrypted documents using Google Docs editors (such as documents and spreadsheets) or encrypt files they upload to Drive, such as PDFs. Only users with whom an encrypted file is shared can view it.

Drive for desktop experience

Drive for Desktop shows synced encrypted files as shortcuts on Windows and symbolic links on Mac. If a user clicks a shortcut or link to an encrypted Docs, Sheets, or Slides file, a new browser window opens.

Users can also:

  • Encrypt and upload a local file 
  • Read and edit some types of encrypted files, such as PDF and Microsoft Office files

Important: If a user downloads and decrypts a CSE file in a local folder that syncs with Drive, the file will be stored in clear text in Drive.

Avoid storing decrypted sensitive information in Drive: Inform your Drive for desktop users that if they use the Download and decrypt option in Drive, they should avoid storing the decrypted files in local folders that sync with Drive.

Drive on Android and iOS experience

Users can preview or download client-side encrypted files in Drive with their mobile device, including Microsoft Office (iOS only) and PDF files. Google Docs, Sheets, and Slides aren't yet supported.

Note: To view or preview client-side encrypted files, users need a compatible reader on their device.

Avoid storing decrypted sensitive information in Drive: Inform your mobile Drive users that if they use the Download and decrypt option in Drive, they should avoid storing the decrypted files in locations on their device that sync with Drive.

Some features aren't available

Here are some of the Drive features that aren't available with client-side encrypted files. For the complete list of feature limitations, refer to Get started with encrypted files in Drive, Docs, Sheets & Slides .

  • Spelling and grammar check in Google Docs Editors
  • Editing by multiple collaborators at the same time (however, any number of users can view an encrypted document at the same time)
  • Full-text search and file preview
  • Commenting
  • Encrypting or decrypting files offline

For details about CSE features and the limitations for Drive

See the following resources:

Gmail

Users can send and receive client-side encrypted emails within or outside your organization.

Some features aren't available

Here are some of the Gmail features that aren't available with client-side encrypted emails. For the complete list of feature limitations, refer to Learn about Gmail Client-side encryption.

  • Confidential mode
  • Sending to groups as recipients
  • Searching the message body (users can still search by recipient and subject line)
  • Signatures
  • Print

In addition, email delegation (shared inboxes) isn't available with Gmail CSE.

For details about CSE features and the limitations for Gmail

See Learn about Gmail Client-side encryption.

Google Calendar

Users can create events with client-side encrypted descriptions. If you've turned on CSE for Google Drive and Google Meet for users, they can attach client-side encrypted documents to the event and add client-side encrypted online meetings. If CSE is off for Drive and Meet, users can't add attachments or online meetings to client-side encrypted events. 

Note:

  • Users can encrypt only regular events—other event types, such as focus time or appointment slots, don't support CSE.
  • To view client-side encrypted event descriptions, users must use Google Calendar. 

Some features aren't available

Here are some of the Calendar features that aren't available with client-side encrypted events. For the complete list of feature limitations, refer to Learn about Client-side encryption in Calendar.

  • Searching for event descriptions
  • Encrypting or decrypting events offline

For details about CSE features and the limitations for Calendar

See Learn about Client-side encryption in Calendar.

Google Meet

Users can host client-side encrypted meetings when scheduling the meeting in Google Calendar or when starting an instant (unscheduled) meeting. Because of authentication requirements, all participants must be invited to client-side encrypted meetings.

Some features aren't available

Here are some of the Meet features that aren't available with client-side encrypted meetings. For the complete list of feature limitations, refer to Learn about Meet Client-side encryption (CSE).

  • Recordings
  • Live streams
  • Phone for audio
  • Polls
  • Jamboard
  • "Knocking," which lets uninvited participants join a meeting
  • Meeting room hardware (coming in a later release)
  • Invitations to participants outside your organization (coming in a later release)

For details about CSE features and the limitations for Meet

See Learn about Meet Client-side encryption (CSE).

CSE logs and reports

You can audit logs for administrator activity and reports on user activity for client-side encrypted files. For details, see View logs and reports for client-side encryption.

CSE FAQ

About encryption

Where can I find information about Google's default encryption?
For details about Google's default encryption, go to the Google Cloud site.
For additional details about standard encryption for Gmail, see Encryption in transit in the Gmail Help Center.
How is CSE different from end-to-end (e2e) encryption?
With end-to-end encryption (e2e), encryption and decryption always occur on the source and destination devices (such as on mobile phones for instant messaging). Encryption keys are generated on the client, so as an administrator, you don't have control over the keys on the clients and who can use them. In addition, you don't have visibility into which content users have encrypted.
With client-side encryption (CSE), encryption and decryption also always occur on the source and destination devices, which in this case are the clients' browsers. However, with CSE, clients use encryption keys that are generated and stored in a cloud-based key management service, so you can control the keys and who has access to them. For example, you can revoke a user's access to keys, even if that user generated them. Also, with CSE, you can monitor users' encrypted files.

Setting up CSE

Which partner key management services can I use with CSE?

Google has partnered with several key management services for use with CSE. For a list of services, see Set up your key service for client-side encryption.

Can I use Google as my key management service?
No, you'll need to use an external key management service to set up Google Workspace Client-side encryption. With CSE, you control your own encryption keys, and Google can't access them to decrypt your data.
Can I use multiple key services?
Yes, you can use more than one key service and choose which service to use for an organizational unit or group. Or, you can migrate encrypted content from one service to another.
Note: In the Admin console, you can set up a single key service for Gmail client-side encryption. Learn about other options for managing keys at Google Workspace Client-side Encryption API.
Can I use both a key service and hardware keys for Gmail?
Yes, you can set up both a key service and hardware key encryption for Gmail CSE. Requires having the Assured Controls add-on. You can also assign both the key service and hardware key encryption to the same users. However, a user can use only one type of encryption for Gmail, which depends on how you set up their private encryption key for Gmail. For details, see Gmail only: Upload encryption keys for client-side encryption.
Can I switch to a different key service?
Yes, you can switch to a different key service. If you do this, it's best practice to migrate content encrypted with your current key service to the new service. For details, see If you want to switch to a new key service.
How do I limit which users or groups have access to my external key service?
You manage the key access control list (KACL) for encryption keys through your external key service. Your KACL needs to include all users who need to either encrypt or decrypt (view or edit) content. Contact your encryption provider for more information.
In addition, you need to turn on CSE for any users who need to encrypt data. For details,  see Turn client-side encryption on or off for users.
Can I enforce the use of CSE for specific users?
For Gmail, Google Drive, and Google Calendar, you can specify that CSE is turned on by default for specific organizational units. Requires having the Assured Controls add-on.
Even if you specify that CSE is turned on by default, users can still turn off CSE if needed.
How do I set up CSE for shared drives?
You don't need to set up CSE specifically for shared drives. The external key service you set up in the Admin console works for files in both My Drive and shared drives.
What if I get an alert while setting up CSE?

If you have an issue with CSE setup, go to View alert details for more information.

Working with client-side encrypted content

Can I reencrypt existing files with a different encryption key?
You can migrate client-side encrypted files to a new key service. For details, see If you want to switch to a new key service.
Can I switch encryption for a file to Google's default encryption?
This feature will be available in a later release.
How do I decrypt exported Drive files and emails?
To decrypt CSE files you export using the Data Export tool or Google Vault, you can use the decrypter, a command-line utility. For details, see Decrypt exported client-side encrypted files.
Can I retain, search, and export encrypted files and emails in Google Vault?
Yes, if your Google Workspace edition has Google Vault, you can retain, search for, and export client-side encrypted Drive files and Gmail emails in Vault. 
You can search for client-side encrypted files by their metadata, such as title and owner. However, you can’t search their content, search by file type, preview the content, or download from the preview view.
For details, see the Google Vault Help Center.

Scanning client-side encrypted files and email

Do Drive and Gmail automatically scan client-side encrypted content for security threats?
Client-side encrypted files and emails aren't scanned for phishing and malware, because Google's servers don't have access to the content.
Can I run DLP scans for content in client-side encrypted files or emails?
Data loss prevention (DLP) scans can't access client-side encrypted content in files or emails. However, because DLP scans can access a file's unencrypted metadata like the file title and Drive labels, they can still help to prevent leaks of sensitive data.

Switching to a Google Workspace edition that doesn't support CSE

What happens to encrypted content if users' licenses no longer have CSE?
If you switch users to a Google Workspace license that doesn't include CSE, they can still access and edit any client-side encrypted items, such as files and emails. However, they can't create any new client-side encrypted items.
Can I remove encryption from content if we no longer want to use CSE?
If you want to stop using CSE and decrypt items such as files and emails, you first need to export those items using the Data Export tool. Then use the decrypter utility to remove CSE.
