Let's make sure you're in the right place.These steps are for admins who manage Gmail accounts for a company, school, or other group. Client-side encryption isn't available with your personalgmail.comaccount. If you're not an admin but have a Google Account with a company or school that uses client-side encryption, go to the help center for Gmail, Google Calendar, or Google Docs.
Supported editions for this feature: Enterprise Plus;Education Standard and Education Plus. Compareyouredition
As an administrator, you can turn onGoogle WorkspaceClient-side encryption (CSE) for users who need to create encrypted content with these services:
| For this service... | Turn on CSE for... |
|---|---|
| Google Drive | Users who need to create client-side encrypted documents, spreadsheets, and presentationsor upload client-side encryptedfiles to Drive. You don't need to turn on CSE for users who only view and edit files shared with them. |
| Gmail | Users who need to send or receiveencrypted messages. Before you turn on CSE for Gmail: Make sure you enable the Gmail API and upload users'encryption keys. For details, go toGmail only: Upload encryption keys for client-side encryption. |
| Google Calendar | Users who need to create client-side encrypted calendar events. You also need to turn on CSE for Drive and Meet for these users if you want them to attach client-side encrypted documents and host client-side encrypted meetings. You don't need to turn on CSE for event invitees. |
| Google Meet | Users who need to host client-side encrypted online meetings. You don't need to turn on CSE for other meeting participants. |
For users who need to only view or edit encrypted content, make sure:
- Internal users are on your key service's key access control list (KACL). For details, go toSet up your key service for client-side encryption.
- External usershave access to your client-side encrypted content. For details, go to Provide external access to client-side encrypted content.
Before you begin
Expandsection|Collapseall
Make sure you've completed these steps
- Choose a key service.
- Connect to your identity provider (IdP).
- Set up your external key serviceor hardware key encryption.
- Assignakey service or hardware key encryption to organizational units or groups.
If you're using multiple key services,make sure they're assigned to the appropriate organizational units or configuration groups.
Understand the limitations of using CSE with supported services
For more information about features that aren't available to users when they choose to use CSE, seeCSE user experience.
If needed, add users to organizational units and groups
Make sure you've placed users into the organizational units or groups for which you want to turn on CSE for all or specific services.
- For details on creating organizational units,go toAdd an organizational unit.
- For details on creating and using configuration groups,go toCustomize service settings with configuration groups.
You can make CSE the default setting for users apps
Requires having the Assured Controls or Assured Controls Plus add-on.
When turning on CSE for organizational units, you can make CSE the default setting for the following services, including both web and mobile apps:
- Gmail—Content is encrypted by default when users compose, reply to,or forward anemail.
- Google Drive—Content is encrypted by default when users create new files, such as documents, spreadsheets, and presentations.
- Google Calendar—Event descriptions are encrypted by default when users create an event. Google Meet meetings are also encrypted by default.
If you turn on CSE by default, users still have the option turn off encryption if needed. You can monitor user actions to turn off CSE for Drive and Calendar, using the security investigation tool. For details, go toView logs and reports for client-side encryption.
Note: Setting CSE as the default for a service is currently available for only organizational units, not configuration groups.
Turn CSE on or off for users
To turn on CSE for users, you need toturn on CSE for the organizational units or configuration groups the users belong to.Once you turn on user access for CSE, users can choose whether to encrypt content.
When turning on CSE for an organizational unit, you can make CSE the default for Gmail, Google Drive, and Google Calendar—for both web and mobile apps.Requires having the Assured Controls or Assured Controls Plus add-on.
To prevent users from encrypting content, you can turn off CSE for the organizational units or configuration groups they belong to. If you turn off CSE for users, any existing client-side encrypted content remains encrypted and accessible.
You must be signed in as asuper administratorfor this task.
-
Sign in to your GoogleAdminconsole.
Sign in using an account with super administrator privileges(does not end in @gmail.com).
- In the Admin console, go to Menu
DataComplianceClient-side encryption. - UnderApps, click the name of the Google service for which you want to turn CSE on or off for users.
Alternatively, under Encryption with external key service or Encryption with hardware keys, click Assign. Then, under Encryption by app, select theGoogle service for which you want to turn on CSE.
- In the left panel, select an organizational unit or group for which you want to turn CSE on or off.
- Under User access, select On or Off.
- In the pop-up message, confirm your selection.
- (Optional for organization units only) To encrypt Gmail, Drive, or Calendar content with the Google service by default, check the Enable client-side encryption by default box.Users will still have optionto turn off encryption.
Requires having the Assured Controls or Assured Controls Plus add-on. - Click Override to keep your setting if the CSE settings for the parent organizational unit are changed.
- If Overridden is already set for the organizational unit, choose an option:
- Inherit—Reverts to the same CSE setting as its parent.
- Save—Saves your new CSE setting (even if the parent setting changes).
DataChanges can take up to 24 hours but typically happen more quickly.Learn more
If you turned on CSE for Gmail
For each user who will use CSE for Gmail, you need to prepare and upload their S/MIME certificates and encrypted private key metadata to Gmail. For details, go toSet up Gmail CSE for users.
If users have trouble using CSE
Check the Alert Center if users have trouble using CSE. For more information, go toClient-side encryption service unavailable.
Was this helpful?
How can we improve it?
Need more help?
Try these next steps:
Start your free 14-day trial today
Professional email, online storage, shared calendars, video meetings and more. Start your free Google Workspace trial today.
