Data protection
Google Workspace CSE
This guide provides information about integrating {{ch}} with Google Workspace client-side encryption ({{cse}}). For additional information about {{ch}}, see the {{ch}} administrator guide.

About Google Workspace CSE

The Google Workspace Admin Help website explains that you can use your own encryption keys to encrypt your organization's data as a supplement to the default encryption that Google Workspace provides. With Google Workspace CSE, the client browser handles content encryption before any data is transmitted to, or stored in, Google Drive cloud-based storage. That way, Google servers can't access your encryption keys and, therefore, can't decrypt your data.

To use CSE, you must connect Google Workspace to an external encryption key service (such as {{ch}}) and an identity provider ({{idp}}), which authenticates users before they can encrypt or access client-side encrypted content.

How Google CSE works

Google CSE uses the following encryption process:

1. User-created document: the browser generates the content.
2. DEK generation: the browser requests a unique data encryption key ({{dek}}) for each document from the key access control list service ({{kacls}}).
3. Identity verification: the IdP authenticates the user.
4. Key wrapping: the KACLS wraps the DEK with the key encryption key ({{kek}}). The KEK ensures that the underlying keys remain secure even if they are stored in a less secure environment.
5. Content encryption: the browser encrypts the content with the DEK.
6. Storage: Google stores the encrypted content together with the wrapped DEK.

Google servers never access unwrapped DEKs or unencrypted content. This separation of duties ensures that Google handles only encrypted data while your organization controls the keys through {{ch}}. For more details, see the documentation on encrypting and decrypting files at developers.google.com/workspace/cse/guides/encrypt-and-decrypt-data.

What is {{ch}}?

{{ch}} is the most flexible and versatile cryptographic platform in the industry, combining every cryptographic function within our extensive solution suite. You can operate {{ch}} from a simple web dashboard to deploy virtual cryptographic modules, fulfilling most use cases.

The {{ch}} roles in CSE

{{ch}} performs the following roles in the key management life cycle in CSE:

Generate keys
  Algorithm: AES-256

Rotate keys
  Default period: 30 days
  Rotation type: automatic
  Backward compatibility: maintained

Store keys
  Location: {{ch}} HSM
  Backup: encrypted, offsite

Personal keys in {{ch}}

Personal keys in {{ch}} encrypt data for Google CSE. The first time you create an encrypted document or encrypt and upload a file to Google Drive, {{ch}} generates a new personal key for you. {{ch}} users can view their personal keys by going to the Users menu for the deployed Google CSE service, selecting their user, and selecting Keys.

Only one personal key can be active at a time for CSE users. After a key rotates, it remains stored in {{ch}}, and you can use it to decrypt all documents previously encrypted with that key. Every document encrypted after you rotate a key is encrypted by using the new active key.
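The DEK/KEK flow from "How Google CSE works" and the rotation rule from "Personal keys" (old keys stay stored and still decrypt old documents; new documents use the active key) as a runnable model. This is an added example, not code from {{ch}} or Google, and it assumes the browser generates the DEK locally and the KACLS only wraps it, that IdP verification is a hypothetical token-string check, and that a stdlib SHAKE-256 keystream with an HMAC-SHA256 tag stands in for the AES-256 AEAD a real deployment uses.

```python
import hashlib
import hmac
import os

# Stdlib stand-in for AES-256 AEAD: SHAKE-256 keystream + HMAC-SHA256 tag (encrypt-then-MAC).
def _seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    nonce = os.urandom(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped DEK or ciphertext was tampered with")
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

class Kacls:
    """Key service role: keeps every KEK ever issued, marks one active, and wraps or
    unwraps DEKs only for IdP-authenticated users. It never sees document content."""
    def __init__(self) -> None:
        self.keks = {}
        self.active = self.rotate()
    def rotate(self) -> str:
        kid = f"kek-{len(self.keks) + 1}"  # older KEKs stay stored for older documents
        self.keks[kid] = os.urandom(32)
        self.active = kid
        return kid
    def wrap(self, idp_token: str, dek: bytes):
        self._authenticate(idp_token)
        return self.active, _seal(self.keks[self.active], dek, aad=self.active.encode())
    def unwrap(self, idp_token: str, kid: str, wrapped_dek: bytes) -> bytes:
        self._authenticate(idp_token)
        return _open(self.keks[kid], wrapped_dek, aad=kid.encode())
    @staticmethod
    def _authenticate(token: str) -> None:
        if token != "valid-idp-token":  # hypothetical stand-in for real IdP token validation
            raise PermissionError("IdP authentication failed")

# Browser role: fresh DEK per document, wrapped by the KACLS; Google stores only
# the ciphertext plus the wrapped DEK and the id of the KEK that wrapped it.
def encrypt_document(kacls: Kacls, idp_token: str, content: bytes) -> dict:
    dek = os.urandom(32)
    kid, wrapped_dek = kacls.wrap(idp_token, dek)
    return {"kid": kid, "wrapped_dek": wrapped_dek, "ciphertext": _seal(dek, content)}

def decrypt_document(kacls: Kacls, idp_token: str, stored: dict) -> bytes:
    dek = kacls.unwrap(idp_token, stored["kid"], stored["wrapped_dek"])
    return _open(dek, stored["ciphertext"])
```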