Cloud key management
Google Workspace CSE for Gmail
Prerequisites
5min
Before beginning, ensure your environment conforms to the following specifications:
- , version 7.0.2.x and later, with the Google CSE license enabled
- Google Workspace Client-side Encryption (CSE) requires an Enterprise Plus or Education Plus license
This section covers the various levels of requirements for CSE.
To set up Google Workspace Client-side encryption for your organization, you must be a Super Admin for Google Workspace.
- Users need a Google Workspace Enterprise Plus, Google Workspace for Education Plus, or Enterprise Essentials license to use CSE to:
- Create or upload files
- Host meetings
- Users can have any Google Workspace or Cloud Identity license to:
- View, edit, or download an existing file encrypted with CSE
- Join a CSE meeting
- Users with a consumer Google Account (such as Gmail users) can't access CSE files or participate in CSE meetings.
- To view or edit encrypted files, users must use either the Google Chrome or Microsoft Edge browser.
- To join a CSE meeting, users must be invited or added during the meeting. Knocking isn't available for CSE meetings.
- Access to CSE files and meetings depends on your organization's CSE policies.
- During the beta, external users must have a Google Workspace license to access your content encrypted with CSE. Users with a consumer Google Account or a visitor account can't access files encrypted with CSE.
- External organizations must also set up CSE, either in the Admin console or with a .well-known file.
- Your external encryption service must allowlist the third-party IdP service used by the external domain or the individuals you want to use CSE. You can usually find the IdP service in their publicly available .well-known file, if they set up one. Otherwise, contact the Google Workspace admin of the external organization for their IdP details.