Google Workspace Client-Side Encryption
From the Google Workspace Admin Help website: You can use your own encryption keys to encrypt your organization data, in addition to using the default encryption that Google Workspace provides. With Google Workspace Client-side encryption (CSE), content encryption is handled in the client browser before any data is transmitted or stored in Drive's cloud-based storage. That way, Google servers can't access your encryption keys and, therefore, can't decrypt your data. To use CSE, you need to connect Google Workspace to an external encryption key service and an identity provider (IdP).
Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities. With CSE, however, you have direct control of encryption keys and the IdP used to access those keys to further strengthen the security of your data.
Your organization might need to use CSE for the following reasons:
- Privacy: Your organization works with extremely sensitive intellectual property.
- Regulatory compliance: Your organization operates in a highly regulated industry, such as aerospace and defense, financial services, or government.
To set up and configure Google Workspace CSE, you need to perform the following tasks:
First, set up an encryption key service through one of the Google partner services (such as the KMES Series 3). This service controls the top-level encryption keys that protect your data.
Next, specify the location of your external key service so Google Workspace can connect CSE for supported apps to it.
Then connect Google Workspace to either a third-party IdP or Google identity by using either the Admin console or a well-known file hosted on your server. Your IdP verifies the identity of users before allowing them to encrypt content or access encrypted content.
This integration guide uses VirtuCrypt as the IdP.
Finally, turn on CSE for only those units, groups, and users in your organization who create client-side encrypted content in the following cases:
- Google Drive: You need to turn on CSE for only users who need to create client-side encrypted documents, spreadsheets, and presentations or upload client-side encrypted files to Drive. You don't need to turn on CSE for users who only view and edit files shared with them.
- Google Meet: You need to turn on CSE for only users who need to host client-side encrypted meetings. You don't need to turn on CSE for other participants in meetings.
For details about turning on CSE for users, see Create client-side encryption policies.
This section describes the administrator, user, and external user CSE requirements.
To set up Google Workspace Client-side encryption for your organization, you must be a Super Admin for Google Workspace.
Set up Google CSE so users can participate appropriately in the following activities:
- Users need a Google Workspace Enterprise Plus, Google Workspace for Education Plus, or Enterprise Essentials license to use CSE to perform the following tasks:
  - Create or upload files
  - Host meetings
- Users can have any type of Google Workspace or Cloud Identity license to do the following actions:
  - View, edit, or download an existing file encrypted with CSE
  - Join a CSE meeting
- Users with a consumer Google Account (such as Gmail users) can't access CSE files or participate in CSE meetings.
- To view or edit encrypted files, users must use either the Google Chrome or Microsoft Edge browser.
- To join a CSE meeting, you must invite users or add them during the meeting. Knocking isn't available for CSE meetings.
- Access to CSE files and meetings depends on your organizational CSE policies.
The following external user requirements apply:
- During the beta, external users must have a Google Workspace license to access your content encrypted with CSE. Users with a consumer Google Account or a visitor account can't access files encrypted with CSE.
- External organizations must also set up CSE, either in the Admin console or with a .well-known file.
- Your external encryption service must allowlist the third-party IdP service used by the external domain or the individuals you want to use CSE. You can usually find the IdP service in their publicly available .well-known file, if they set one up. Otherwise, ask the external organization's Google Workspace admin for their IdP details.
After an administrator enables CSE for the organization, users for whom CSE is enabled can choose to create encrypted documents by using the Google Workspace collaborative content creation tools, such as Google Docs and Google Sheets, or encrypt files they upload to Google Drive, such as PDFs.
After the user encrypts a document or file, the following events occur:
- Google Workspace generates a data encryption key (DEK) in the client browser to encrypt the content.
- Google Workspace sends the DEK and authentication tokens to your third-party Key Access Control List Service (KACLS) for encryption by using the URL you provide to the Google Workspace organization administrator.
- Your KACLS uses this API to encrypt the content and sends the obfuscated, encrypted data back to Google Workspace.
- Google Workspace stores the obfuscated, encrypted data in the cloud. Only users with CSE enabled and access to your KACLS can access the data.
For more details, see Encrypt and decrypt files.
Personal Keys on the KMES Series 3 encrypt data for Google CSE, and the system generates an individual key for each user. The first time a user creates an encrypted document or encrypts and uploads a file to Google Drive, the KMES generates a new Personal Key Group and Personal Key for that user. Personal Keys created for CSE are AES-256 Data Encryption Keys. You can view and manage Personal Keys in the KMES application interface under Key Management -> Personal Keys.
By default, newly generated Personal Key Groups get a Regenerative rotation policy with the Validity Period set to 1 month. Currently, you cannot modify the default rotation policy, but a later release will add this functionality.
Only one Personal Key can be active at a time for CSE users. After a key is rotated, it remains stored on the KMES and is used for decrypting any documents that were encrypted by that key. Every document encrypted after a key is rotated is encrypted by using the new active key.
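The rotation rules above, together with the step where the DEK is sent to the key service for encryption, modelled as an added example (not code from the KMES or from Google). The names `PersonalKeyGroup`, `_seal` and `_open` are hypothetical, the one-month validity is taken as 30 days, rotation is assumed to happen on the first request after expiry, and a SHAKE-256/HMAC construction stands in for AES-256 key wrapping so the block runs with only the standard library.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone

VALIDITY = timedelta(days=30)  # assumption: the default "1 month" taken as 30 days

def _seal(kek, dek):
    """Stand-in for AES-256 key wrap (stdlib only): SHAKE-256 pad XOR, HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    okm = hashlib.shake_256(kek + nonce).digest(64)   # 32-byte pad + 32-byte MAC key
    body = nonce + bytes(a ^ b for a, b in zip(dek, okm[:32]))
    return body + hmac.new(okm[32:], body, hashlib.sha256).digest()

def _open(kek, blob):
    body, tag = blob[:-32], blob[-32:]
    okm = hashlib.shake_256(kek + body[:16]).digest(64)
    if not hmac.compare_digest(tag, hmac.new(okm[32:], body, hashlib.sha256).digest()):
        raise ValueError("wrapped DEK failed integrity check")
    return bytes(a ^ b for a, b in zip(body[16:], okm[:32]))

class PersonalKeyGroup:
    """Per-user key group: one active key; rotated keys stay for unwrapping only."""
    def __init__(self, now):
        self.keys, self.active = {}, 0      # version -> (key, created_at)
        self.rotate(now)

    def rotate(self, now):
        self.active += 1
        self.keys[self.active] = (secrets.token_bytes(32), now)

    def wrap(self, dek, now):
        if len(dek) != 32:
            raise ValueError("expected a 256-bit DEK")
        if now - self.keys[self.active][1] >= VALIDITY:
            self.rotate(now)                # assumption: rotation happens on expiry
        return self.active, _seal(self.keys[self.active][0], dek)

    def unwrap(self, version, blob):
        return _open(self.keys[version][0], blob)  # retired versions still work

def demo():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timeline
    group = PersonalKeyGroup(t0)
    dek_a, dek_b = secrets.token_bytes(32), secrets.token_bytes(32)
    va, blob_a = group.wrap(dek_a, t0 + timedelta(days=3))
    vb, blob_b = group.wrap(dek_b, t0 + timedelta(days=45))  # past validity
    return va, vb, group.unwrap(va, blob_a) == dek_a, group.unwrap(vb, blob_b) == dek_b
```

Storing the key version next to each wrapped DEK is what lets a document wrapped before a rotation still be opened afterwards; the integrity tag makes an unwrap under the wrong version fail instead of returning a wrong key.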
This guide discusses Google Workspace CSE concepts and provides instructions for the following integration configuration tasks:
- Prerequisites
- Configure Identity and Access Management
- Set up the external key service
- Validate and test the configuration