Cloud key management
Google Workspace Client-Side Encryption
From the Google Workspace Admin Help website: you can use your own encryption keys to encrypt your organization's data, in addition to the default encryption that Google Workspace provides. With Google Workspace Client-Side Encryption (CSE), content encryption is handled in the client browser before any data is transmitted or stored in Drive's cloud-based storage. That way, Google servers can't access your encryption keys and, therefore, can't decrypt your data. To use CSE, you must connect Google Workspace to an external encryption key service and an identity provider (IdP).

Purpose of the integration

Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities. With CSE, however, you have direct control of the encryption keys and of the IdP used to access those keys, which further strengthens the security of your data. Your organization might need to use CSE for the following reasons:

Privacy: your organization works with extremely sensitive intellectual property.
Regulatory compliance: your organization operates in a highly regulated industry, such as aerospace and defense, financial services, or government.

Basic setup steps for Google Workspace CSE

To set up and configure Google Workspace CSE, you need to perform the following tasks.

Step 1: Set up your external encryption key service. First, set up an encryption key service through one of the Google partner services (such as the KMES Series 3). This service controls the top-level encryption keys that protect your data.

Step 2: Connect Google Workspace to your external key service. Next, specify the location of your external key service so Google Workspace can connect CSE for supported apps to it.

Step 3: Connect Google Workspace to your IdP. For this step, connect to either a third-party IdP or Google identity, by using either the Admin console or a .well-known file hosted on your server. Your IdP verifies the identity of users before allowing them to encrypt content or access encrypted content. Learn more: https://support.google.com/a/answer/10743588. This integration guide uses VirtuCrypt as the IdP.

Step 4: Turn on CSE for users. Finally, turn on CSE for only those units, groups, and users in your organization who create client-side encrypted content, in the following cases:

Google Drive: you need to turn on CSE only for users who need to create client-side encrypted documents, spreadsheets, and presentations, or upload client-side encrypted files to Drive. You don't need to turn on CSE for users who only view and edit files shared with them.
Google Meet: you need to turn on CSE only for users who need to host client-side encrypted meetings. You don't need to turn on CSE for other participants in meetings.

For details about turning on CSE for users, see Create client-side encryption policies (https://support.google.com/a/answer/10745596).

Google service-level requirements for CSE

This section describes the administrator, user, and external user CSE requirements.

Administrator requirements

To set up Google Workspace Client-Side Encryption for your organization, you must be a super admin for Google Workspace.

User requirements

Set up Google CSE so users can participate appropriately in the following activities.

Users need a Google Workspace Enterprise Plus, Google Workspace for Education Plus, or Enterprise Essentials license to use CSE to perform the following tasks:
Create or upload files.
Host meetings.

Users can have any type of Google Workspace or Cloud Identity license to do the following actions:
View, edit, or download an existing file encrypted with CSE.
Join a CSE meeting.

Users with a consumer Google account (such as Gmail users) can't access CSE files or participate in CSE meetings. To view or edit encrypted files, users must use either the Google Chrome or Microsoft Edge browser. To join a CSE meeting, you must invite users or add them during the meeting; knocking isn't available for CSE meetings. Access to CSE files and meetings depends on your organizational CSE policies.

External user requirements

The following external user requirements apply:
During the beta, external users must have a Google Workspace license to access your content encrypted with CSE. Users with a consumer Google account or a visitor account (https://support.google.com/drive/answer/9195194) can't access files encrypted with CSE.
External organizations must also set up CSE, either in the Admin console or with a .well-known file.
Your external encryption service must allowlist the third-party IdP service used by the external domain or the individuals you want to use CSE. You can usually find the IdP service in their publicly available .well-known file, if they set one up. Otherwise, ask the external organization's Google Workspace admin for their IdP details.

Client-side encryption process

After an administrator enables CSE for the organization, users for whom CSE is enabled can choose to create encrypted documents by using the Google Workspace collaborative content creation tools, such as Google Docs and Google Sheets, or to encrypt files they upload to Google Drive, such as PDFs. After the user encrypts a document or file, the following events occur:

1. Google Workspace generates a DEK in the client browser to encrypt the content.
2. Google Workspace sends the DEK and authentication tokens to your third-party key access control list service (KACLS) for encryption, by using the URL you provide to the Google Workspace organization administrator.
3. Your KACLS uses this API to encrypt the content and sends the obfuscated, encrypted data back to Google Workspace.
4. Google Workspace stores the obfuscated, encrypted data in the cloud. Only users with CSE enabled and access to your KACLS can access the data.

For more details, see Encrypt and decrypt files (https://developers.google.com/workspace/cse/guides/encrypt-and-decrypt-data).

Personal keys and key rotation on the {{k3}}

Personal keys on the {{k3}} encrypt data for Google CSE, and the system generates an individual key for each user. The first time a user creates an encrypted document or encrypts and uploads a file to Google Drive, the {{k}} generates a new personal key group and personal key for that user. Personal keys created for CSE are AES-256 data encryption keys. You can view and manage personal keys in the {{k}} application interface under Key Management > Personal Keys.

Automatic key rotation

By default, newly generated personal key groups get a regenerative rotation policy with the validity period set to one month. Currently, you cannot modify the default rotation policy, but a later release will add this functionality. Only one personal key can be active at a time for CSE users. After a key rotates, it remains stored on the {{k}} and can decrypt any documents that were encrypted by that key. Every document encrypted after a key rotates is encrypted by using the new active key.

Integration overview

This guide discusses Google Workspace CSE concepts and provides instructions for the following integration configuration tasks:
Prerequisites
Configure identity and access management
Set up the external key service
Validate and test the configuration
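The DEK wrap and unwrap exchange described under Client-side encryption process, together with the rotation behaviour described under Automatic key rotation, as an added example that is not code from this page, from Google, or from the {{k3}} product. It models a minimal KACLS in Go: constructed stand-ins for the IdP authentication token and Google's authorization token, AES-256-GCM wrapping of the browser-generated DEK, and one KEK generation per rotation so that a DEK wrapped before a rotation still unwraps while new wraps use only the active key. The Authn/Authz fields, the role check, the resource name and the blob layout are assumptions for illustration, not the real KACLS wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authn stands in for the IdP's authentication JWT and Authz for Google's authorization JWT: constructed
// stand-ins, since a real KACLS also verifies each token's signature, issuer, audience and expiry.
type Authn struct{ Email string }
type Authz struct{ Email, Resource, Role string }

// KACLS models the key access control list service: one KEK per rotation generation; only the newest wraps.
type KACLS struct{ keks map[byte][]byte; active byte }
func NewKACLS() *KACLS { k := &KACLS{keks: map[byte][]byte{}}; k.Rotate(); return k }
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func gcm(key []byte) cipher.AEAD { c, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(c); return g }
// Rotate makes a fresh KEK active; earlier generations are kept so DEKs wrapped under them still unwrap.
func (k *KACLS) Rotate() { k.active++; k.keks[k.active] = randBytes(32) }
// authorize is the access decision made before any DEK is touched: both tokens must name the same user,
// and only a writer may create a new wrapped key.
func authorize(authn Authn, authz Authz, wrapping bool) error {
	if authn.Email != authz.Email { return errors.New("tokens name different users") }
	if wrapping && authz.Role != "writer" { return errors.New("role may not wrap a new key") }
	return nil
}
// Wrap encrypts the browser-generated DEK under the active KEK with the resource name as GCM associated
// data. Blob layout: generation byte || 12-byte nonce || ciphertext+tag. Google stores only this blob.
func (k *KACLS) Wrap(dek []byte, authn Authn, authz Authz) ([]byte, error) {
	if err := authorize(authn, authz, true); err != nil { return nil, err }
	g, nonce := gcm(k.keks[k.active]), randBytes(12)
	return append(append([]byte{k.active}, nonce...), g.Seal(nil, nonce, dek, []byte(authz.Resource))...), nil
}
// Unwrap selects the KEK generation recorded in the blob, so documents wrapped before a rotation still open.
func (k *KACLS) Unwrap(wrapped []byte, authn Authn, authz Authz) ([]byte, error) {
	if err := authorize(authn, authz, false); err != nil { return nil, err }
	if len(wrapped) < 1+12+16 || k.keks[wrapped[0]] == nil { return nil, errors.New("bad blob or unknown generation") }
	return gcm(k.keks[wrapped[0]]).Open(nil, wrapped[1:13], wrapped[13:], []byte(authz.Resource))
}
func main() { // constructed walkthrough: wrap, rotate, then unwrap under the retained generation
	k, dek := NewKACLS(), randBytes(32) // the DEK is generated client-side, never by Google's servers
	authn, authz := Authn{"alice@example.com"}, Authz{"alice@example.com", "drive/files/doc-1", "writer"}
	wrapped, _ := k.Wrap(dek, authn, authz)
	k.Rotate() // the monthly rotation activates a new key; the old generation stays for decryption
	got, err := k.Unwrap(wrapped, authn, authz)
	fmt.Println("unwrap after rotation ok:", err == nil && string(got) == string(dek))
}
```

Binding the resource name as associated data means a wrapped key presented with a different resource's authorization fails to open, and the generation byte is what lets the rotated-out key keep serving old documents.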