Google Workspace CSE

This document provides information about integrating CryptoHub and Google Workspace Client-side Encryption (CSE). For additional information about CryptoHub, see the Administrator Guide.

About Google Workspace CSE

According to the Google Workspace Admin Help website, you can use your own encryption keys to encrypt your organization's data, in addition to using the default encryption that Google Workspace provides. With Google Workspace CSE, the client browser handles content encryption before any data is transmitted or stored in the Google Drive cloud-based storage. That way, Google servers can't access your encryption keys and, therefore, can't decrypt your data. To use CSE, you must connect Google Workspace to an external encryption key service and an identity provider (IdP).

What is CryptoHub?

CryptoHub is the most flexible and versatile cryptographic platform in the industry. It combines every cryptographic function within our extensive solution suite. You can operate within a simple web dashboard to deploy virtual cryptographic modules, fulfilling most use cases.

Purpose of the integration

Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities. With CSE, however, you have direct control of encryption keys and the identity provider used to access those keys to further strengthen the security of your data.

Your organization might need to use CSE for the following reasons:

  • Privacy: Your organization works with extremely sensitive intellectual property.
  • Regulatory compliance: Your organization operates in a highly regulated industry, like aerospace and defense, financial services, or government.

Basic setup tasks for Google Workspace CSE

Perform the tasks in this section to set up CSE:

1 | Set up your external encryption key service

First, set up an encryption key service through one of the Google partner services (such as CryptoHub). This service controls the top-level encryption keys that protect your data.

2 | Connect Google Workspace to your external key service

Next, specify the location of your external key service, so Google Workspace can connect CSE for supported apps to it.

3 | Connect Google Workspace to your identity provider

Now, connect to either a third-party IdP or Google identity by using either the Admin console or a .well-known file hosted on your server. Your IdP verifies the identity of users before allowing them to encrypt content or access encrypted content.

This integration guide demonstrates using VirtuCrypt as the identity provider.

4 | Turn on CSE for users as needed

You can turn on CSE for any unit or group in your organization. Note, however, that you must turn on CSE only for those users who need to create client-side encrypted content using the following tools:

  • Google Drive - You must turn on CSE only for users who need to create client-side encrypted documents, spreadsheets, and presentations or upload client-side encrypted files to Drive. You don't need to turn on CSE for users who only view and edit files shared with them.
  • Google Meet - You must turn on CSE only for users who need to host client-side encrypted meetings. You don't need to turn on CSE for other participants in meetings.

For details about turning on CSE for users, see Create client-side encryption policies.

Google service-level requirements for CSE

This section explores various requirements for CSE users.

Administrator requirements

To set up Google Workspace Client-side encryption for your organization, you must be a Super Admin for Google Workspace.

User requirements

Users must conform to the following requirements:

  • Users need a Google Workspace Enterprise Plus, Google Workspace for Education Plus, or Enterprise Essentials license to use CSE to:
    • Create or upload files
    • Host meetings
  • Users can have any type of Google Workspace or Cloud Identity license to:
    • View, edit, or download an existing file encrypted with CSE
    • Join a CSE meeting
  • Users with a consumer Google Account (such as Gmail users) can't access CSE files or participate in CSE meetings.
  • To view or edit encrypted files, users must use either the Google Chrome or Microsoft Edge browser.
  • To join a CSE meeting, users must be invited or added during the meeting. Knocking isn't available for CSE meetings.
  • Access to CSE files and meetings depends on your organizational CSE policies.

External user requirements

External users must conform to the following requirements:

  • During the beta, external users must have a Google Workspace license to access your content encrypted with CSE. Users with a consumer Google Account or a visitor account can't access files encrypted with CSE.
  • External organizations must also set up CSE, either in the Admin console or with a .well-known file.
  • Your external encryption service must allowlist the third-party IdP service used by the external domain or the individuals you want to use CSE. You can usually find the IdP service in their publicly available .well-known file if they set up one. Otherwise, contact the Google Workspace admin of the external organization for their IdP details.

Client-side encryption process

After an administrator enables CSE for the organization and specified users, those users can choose to create encrypted documents by using the Google Workspace collaborative content creation tools, like Docs and Sheets, or encrypt files they upload to Google Drive, such as PDFs.

After the user encrypts a document or file:

  1. Google Workspace generates a data encryption key (DEK) in the client browser to encrypt the content.
  2. Google Workspace sends the DEK and authentication tokens to your third-party Key Access Control List Service (KACLS) for encryption by using a URL you provide to the Google Workspace organization administrator.
  3. Your KACLS uses this API to encrypt the content and sends the obfuscated, encrypted data back to Google Workspace.
  4. Google Workspace stores the obfuscated, encrypted data in the cloud. Only users with CSE enabled and access to your KACLS can access the data.

For more details, see Encrypt and decrypt files.

Personal keys and key rotation in CryptoHub

Personal Keys in CryptoHub are used for encrypting data for Google CSE. The first time a user creates an encrypted document or encrypts and uploads a file to Google Drive, CryptoHub generates a new Personal Key specifically for that user. Personal Keys created for CSE are AES-256 Data Encryption Keys. CryptoHub users can view their Personal Keys by navigating to the Users menu for the deployed Google CSE service, selecting their user, and selecting Keys.

Automatic key rotation

By default, the Validity Period for newly generated Personal Keys is set to 1 month.

Only one Personal Key can be active at a time for CSE users. After a key is rotated, it remains stored in CryptoHub and is used for decrypting any documents encrypted with that key. Every document encrypted after you rotate a key is encrypted by using the new active key.
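
The encryption process steps and the rotation behavior described above, as an added example that is not CryptoHub's or Google's code: content is encrypted locally under a fresh DEK, only the DEK goes to a key service, and the service wraps it under the user's single active key while keeping rotated keys for unwrap. `ToyKeyService`, `seal`, `unseal`, the key-ID format and the millisecond validity parameter are hypothetical, and the authentication-token checks a real KACLS performs are omitted.

```javascript
// Added example (hypothetical names; not CryptoHub's or Google's API). Runs on Node.js.
const nodeCrypto = require('crypto');

// AES-256-GCM; output layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws if tampered
}

// Stand-in key service: one active key per user, rotated keys kept for unwrap only.
class ToyKeyService {
  constructor(validityMs) { this.validityMs = validityMs; this.keys = new Map(); this.active = new Map(); }
  activeKeyId(user, now) {
    let id = this.active.get(user);
    if (!id || now >= this.keys.get(id).notAfter) { // first use or expired: rotate
      id = `${user}#${this.keys.size + 1}`;
      this.keys.set(id, { key: nodeCrypto.randomBytes(32), notAfter: now + this.validityMs });
      this.active.set(user, id);
    }
    return id;
  }
  wrap(user, dek, now) {
    const keyId = this.activeKeyId(user, now);
    // The key ID is bound as AAD so a wrapped DEK cannot be relabelled to another key.
    return { keyId, wrapped: seal(this.keys.get(keyId).key, dek, keyId) };
  }
  unwrap({ keyId, wrapped }) {
    const entry = this.keys.get(keyId);
    if (!entry) throw new Error('unknown key id');
    return unseal(entry.key, wrapped, keyId);
  }
}

// Client side: content is encrypted locally; only the DEK is handed to the service.
function encryptDocument(svc, user, content, now) {
  const dek = nodeCrypto.randomBytes(32);
  return { body: seal(dek, Buffer.from(content), user), dekRef: svc.wrap(user, dek, now) };
}
function decryptDocument(svc, user, doc) {
  return unseal(svc.unwrap(doc.dekRef), doc.body, user).toString();
}
```

Storing the key ID next to each wrapped DEK is what lets documents written before a rotation stay readable while every new document uses the current key.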