Google Workspace CSE

This document describes how to integrate CryptoHub with Google Workspace Client-side Encryption (CSE). For additional information about CryptoHub, see the Administrator Guide.

About Google Workspace CSE

As the Google Workspace Admin Help site explains, you can use your own encryption keys to encrypt your organization's data as a supplement to the default encryption that Google Workspace provides. With Google Workspace CSE, the client browser encrypts content before any data is transmitted to or stored in Google Drive. Because the keys never leave your control, Google servers cannot access them and therefore cannot decrypt your data. To use CSE, you must connect Google Workspace to an external encryption key service and to an identity provider (IdP).

What is CryptoHub?

CryptoHub is the most flexible and versatile cryptographic platform in the industry. It combines every cryptographic function within our extensive solution suite. You can operate within a simple web dashboard to deploy virtual cryptographic modules, fulfilling most use cases.

Purpose of the integration

Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities. With CSE, however, you have direct control of encryption keys and the identity provider used to access those keys to further strengthen the security of your data.

Your organization might need to use CSE for the following reasons:

  • Privacy: Your organization works with extremely sensitive intellectual property.
  • Regulatory compliance: Your organization operates in a highly regulated industry, like aerospace and defense, financial services, or government.

Basic setup tasks for Google Workspace CSE

Perform the following tasks to set up CSE:

  1. Set up your external encryption key service. First, set up an encryption key service through one of the Google partner services (such as CryptoHub). This service controls the top-level encryption keys that protect your data.
  2. Connect Google Workspace to your external key service. Next, specify the location of your external key service, so Google Workspace can connect CSE for supported apps to it.
  3. Connect Google Workspace to your identity provider. For this step, you must connect to an identity provider (IdP). Your IdP verifies the identity of users before allowing them to encrypt content or access encrypted content. This guide covers three IdP options.
  4. Turn on CSE for users as needed. You can turn on CSE for any unit or group in your organization. For details about turning on CSE for users, see Create client-side encryption policies. Note, however, that you must turn on CSE for only those users who need to create client-side encrypted content by using the following tools:
    • Google Drive: You must turn on CSE for only users who need to create client-side encrypted documents, spreadsheets, and presentations or upload client-side encrypted files to Drive. You don't need to turn on CSE for users who only view and edit files shared with them.
    • Google Meet: You must turn on CSE only for users who need to host client-side encrypted meetings. You don't need to turn on CSE for other participants in meetings.

Google service-level requirements for CSE

This section lists the requirements that administrators, users, and external users must meet to use CSE.

Administrator requirements

To set up Google Workspace Client-side Encryption for your organization, you must be a Super Admin for Google Workspace.

User requirements

Users must conform to the following requirements:

  • Users need a Google Workspace Enterprise Plus, Google Workspace for Education Plus, or Enterprise Essentials license to use CSE to:
    • Create or upload files
    • Host meetings
  • Users can have any Google Workspace or Cloud Identity license to:
    • View, edit, or download an existing file encrypted with CSE
    • Join a CSE meeting
  • Users with a consumer Google Account (such as Gmail users) can't access CSE files or participate in CSE meetings.
  • To view or edit encrypted files, users must use either the Google Chrome or Microsoft Edge browser.
  • To join a CSE meeting, users must be invited or added during the meeting. Knocking isn't available for CSE meetings.
  • Access to CSE files and meetings depends on your organization's CSE policies.

External user requirements

External users must conform to the following requirements:

  • During the beta, external users must have a Google Workspace license to access your content encrypted with CSE. Users with a consumer Google Account or a visitor account can't access files encrypted with CSE.
  • External organizations must also set up CSE, either in the Admin console or with a .well-known file.
  • Your external encryption service must allowlist the third-party IdP service used by the external domain or the individuals with whom you want to use CSE. You can usually find the IdP service in their publicly available .well-known file, if one is set up. Otherwise, contact the Google Workspace admin of the external organization for their IdP details.

Client-side encryption process

After an administrator enables CSE for the organization and for specific users, those users can choose to create encrypted documents with the Google Workspace collaborative content creation tools, like Docs and Sheets, or to encrypt files they upload to Google Drive, such as PDFs.

When a user encrypts a document or file, the following happens:

  1. Google Workspace generates a data encryption key (DEK) in the client browser to encrypt the content.
  2. Google Workspace sends the DEK and authentication tokens to your third-party Key Access Control List Service (KACLS) for encryption, using a URL you provide to the Google Workspace organization administrator.
  3. Your KACLS uses this API to encrypt the DEK and sends the obfuscated, encrypted key back to Google Workspace.
  4. Google Workspace stores the obfuscated, encrypted data in the cloud. Only users with CSE enabled and access to your KACLS can access the data.

For more details, see Encrypt and decrypt files.

Personal keys and key rotation in CryptoHub

Personal Keys in CryptoHub are used for encrypting data for Google CSE. The first time a user creates an encrypted document or encrypts and uploads a file to Google Drive, CryptoHub generates a new Personal Key specifically for that user. Personal Keys created for CSE are AES-256 Data Encryption Keys. CryptoHub users can view their Personal Keys by going to the Users menu for the deployed Google CSE service, selecting their user, and selecting Keys.

Automatic key rotation

By default, the Validity Period for newly generated Personal Keys is set to 1 month.

Only one Personal Key can be active at a time for CSE users. After a key rotates, it remains stored in CryptoHub, so you can still use it to decrypt any documents encrypted with that key. Every document encrypted after you rotate a key is encrypted by using the new active key.
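The following model of the wrap/unwrap exchange in the "Client-side encryption process" steps and of the rotation rule just described is an added example, not code from CryptoHub or from Google's KACLS API: a hypothetical Kacls type keeps personal keys by version, wraps a browser-generated DEK under the single active key, and can still unwrap blobs from earlier versions after a rotation. The Kacls name, the Enabled map standing in for the IdP/CSE-policy check, and the one-byte version header are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Kacls is a hypothetical stand-in for the key service: it holds personal keys by version and never sees content.
type Kacls struct {
	keys    map[byte]cipher.AEAD // key version -> AES-256-GCM personal key
	active  byte                 // the single version used for new wraps
	Enabled map[string]bool      // users the admin turned CSE on for
}

func NewKacls() *Kacls {
	k := &Kacls{keys: map[byte]cipher.AEAD{}, Enabled: map[string]bool{}}
	k.Rotate() // the first encrypted document creates the first personal key
	return k
}

// Rotate activates a fresh key; older versions stay so their blobs still unwrap.
func (k *Kacls) Rotate() {
	key := make([]byte, 32) // AES-256 key material, generated inside the service
	rand.Read(key)
	block, _ := aes.NewCipher(key)
	k.active++
	k.keys[k.active], _ = cipher.NewGCM(block)
}

// Wrap seals a browser-generated DEK as version(1) || nonce(12) || ciphertext.
func (k *Kacls) Wrap(user string, dek []byte) ([]byte, error) {
	if !k.Enabled[user] {
		return nil, errors.New("user is not enabled for CSE")
	}
	nonce := make([]byte, 12)
	rand.Read(nonce)
	hdr := []byte{k.active} // the version is also bound as AAD
	return k.keys[k.active].Seal(append(hdr, nonce...), nonce, dek, hdr), nil
}

// Unwrap uses the key version named in the blob, so rotation never strands data.
func (k *Kacls) Unwrap(user string, blob []byte) ([]byte, error) {
	// One generic denial: the caller is not told which check failed.
	if !k.Enabled[user] || len(blob) < 13 || k.keys[blob[0]] == nil {
		return nil, errors.New("unwrap denied")
	}
	return k.keys[blob[0]].Open(nil, blob[1:13], blob[13:], blob[:1])
}
```

Content itself is encrypted in the browser with the DEK and never reaches the service; only the wrapped DEK is stored next to the ciphertext, which is why a user without CSE enabled cannot recover the data even with the blob.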