Client-side encryption

Client-side encryption (CSE) adds a layer of encryption to Workspace data, such as emails and files, before it reaches Google's servers. This ensures that only the organisation holds the keys to decrypt the content, preventing Google or any third party from accessing it.

This feature is designed for organisations with high security or compliance needs, such as those in healthcare, finance, or government. It is available for Workspace Enterprise Plus, Frontline Plus, and specific Education editions.

Admins must first choose a key service provider or build their own using the CSE API, then connect it to the Google Admin console. Once configured, users can enable encryption for individual documents, emails, or calendar events via the lock icon or settings menu within the respective app.