Build a custom key service for client-side encryption
Stay organized with collections
Save and categorize content based on your preferences.
You can use your own encryption keys to encrypt your organization's data,
instead of using the encryption that Google Workspace provides. With Google Workspace Client-side Encryption (CSE), file encryption is handled in the
client's browser before it's stored in Drive's cloud-based storage. That way,
Google servers can't access your encryption keys and, therefore, can't decrypt
your data. For more details, see
About client-side encryption.
This API lets you control the top-level encryption keys that protect your data
with a custom external key service. After you create an external key service
with this API, Google Workspace administrators can connect to it and enable CSE
for their users.
Important terminology
Below is a list of common terms used in the Google Workspace Client-side Encryption API:
Client-side encryption (CSE)
Encryption that's handled in the client's browser before it's stored in
cloud-based storage. This protects the file from being read by the storage
provider. Learn more
Key Access Control List Service (KACLS)
Your external key service that uses this API to control access to encryption
keys stored in an external system.
Identity Provider (IdP)
The service that authenticates users before they can encrypt files or access
encrypted files.
Encryption & decryption
Data Encryption Key (DEK)
The key used by Google Workspace in the browser client to encrypt the data
itself.
Key Encryption Key (KEK)
A key from your service used to encrypt a Data Encryption Key (DEK).
Access control
Access Control List (ACL)
A list of users or groups that can open or read a file.
Authentication JSON Web Token (JWT)
Bearer token (JWT: RFC 7516)
issued by the identity partner (IdP) to attest a user's identity.
Authorization JSON Web Token (JWT)
Bearer token (JWT: RFC 7516)
issued by Google to verify that the caller is authorized to encrypt or decrypt a resource.
JSON Web Key Set (JWKS)
A read-only endpoint URL that points to a list of public keys used to verify
JSON Web Tokens (JWT).
Perimeter
Additional checks performed on the authentication and authorization tokens
within the KACLS for access control.
Client-side encryption process
After an administrator enables CSE for their organization, users for whom CSE is
enabled can choose to create encrypted documents using the Google Workspace
collaborative content creation tools, like Docs and Sheets, or encrypt files
they upload to Google Drive, such as PDFs.
After the user encrypts a document or file:
Google Workspace generates a DEK in the client browser to encrypt the
content.
Google Workspace sends the DEK and authentication tokens to your third-party
KACLS for encryption, using a URL you provide to the
Google Workspace organization's administrator.
Your KACLS uses this API to encrypt the DEK, then sends the obfuscated,
encrypted DEK back to Google Workspace.
Google Workspace stores the obfuscated, encrypted data in the cloud.
Only users with access to your KACLS are able to access the data.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-04 UTC."],[[["\u003cp\u003eGoogle Workspace Client-side Encryption (CSE) allows you to encrypt your organization's data with your own keys, preventing Google servers from accessing or decrypting it.\u003c/p\u003e\n"],["\u003cp\u003eThis API enables you to manage the encryption keys via an external key service, giving you control over data access.\u003c/p\u003e\n"],["\u003cp\u003eCSE encrypts files in the user's browser before they are stored in Google Drive, ensuring only authorized users with access to your external key service can decrypt them.\u003c/p\u003e\n"],["\u003cp\u003eWhen a file is encrypted, Google Workspace generates a Data Encryption Key (DEK), which is then encrypted by your external key service and stored with the encrypted data.\u003c/p\u003e\n"],["\u003cp\u003eTo get started, you can configure your external key service and learn how to encrypt and decrypt data using the provided guides.\u003c/p\u003e\n"]]],["Google Workspace Client-side Encryption (CSE) allows users to encrypt data in their browser before cloud storage. This is achieved by using your own external Key Access Control List Service (KACLS). Google Workspace generates a Data Encryption Key (DEK) and sends it to your KACLS for encryption with a Key Encryption Key (KEK). Your service then returns the encrypted DEK to Google Workspace. This ensures that only users with KACLS access can decrypt the stored data.\n"],null,["You can use your own encryption keys to encrypt your organization's data,\ninstead of using the encryption that Google Workspace provides. With Google Workspace Client-side Encryption (CSE), file encryption is handled in the\nclient's browser before it's stored in Drive's cloud-based storage. That way,\nGoogle servers can't access your encryption keys and, therefore, can't decrypt\nyour data. For more details, see\n[About client-side encryption](https://support.google.com/a/answer/10741897#zippy=%2Cbasic-setup-steps-for-cse).\n\nThis API lets you control the top-level encryption keys that protect your data\nwith a custom external key service. After you create an external key service\nwith this API, Google Workspace administrators can connect to it and enable CSE\nfor their users.\n\nImportant terminology\n\nBelow is a list of common terms used in the Google Workspace Client-side Encryption API:\n\n*Client-side encryption (CSE)*\n: Encryption that's handled in the client's browser before it's stored in\n cloud-based storage. This protects the file from being read by the storage\n provider. [Learn more](https://support.google.com/a/answer/10741897#zippy=%2Chow-is-cse-different-from-end-to-end-ee-encryption)\n\n*Key Access Control List Service (KACLS)*\n: Your external key service that uses this API to control access to encryption\n keys stored in an external system.\n\n*Identity Provider (IdP)*\n: The service that authenticates users before they can encrypt files or access\n encrypted files.\n\nEncryption \\& decryption\n\n*Data Encryption Key (DEK)*\n: The key used by Google Workspace in the browser client to encrypt the data\n itself.\n\n*Key Encryption Key (KEK)*\n: A key from your service used to encrypt a Data Encryption Key (DEK).\n\nAccess control\n\n*Access Control List (ACL)*\n: A list of users or groups that can open or read a file.\n\n*Authentication JSON Web Token (JWT)*\n: Bearer token ([JWT: RFC 7516](https://tools.ietf.org/html/rfc7516))\n issued by the identity partner (IdP) to attest a user's identity.\n\n*Authorization JSON Web Token (JWT)*\n: Bearer token ([JWT: RFC 7516](https://tools.ietf.org/html/rfc7516))\n issued by Google to verify that the caller is authorized to encrypt or decrypt a resource.\n\n*JSON Web Key Set (JWKS)*\n: A read-only endpoint URL that points to a list of public keys used to verify\n JSON Web Tokens (JWT).\n\n*Perimeter*\n: Additional checks performed on the authentication and authorization tokens\n within the KACLS for access control.\n\nClient-side encryption process\n\nAfter an administrator enables CSE for their organization, users for whom CSE is\nenabled can choose to create encrypted documents using the Google Workspace\ncollaborative content creation tools, like Docs and Sheets, or encrypt files\nthey upload to Google Drive, such as PDFs.\n\nAfter the user encrypts a document or file:\n\n1. Google Workspace generates a DEK in the client browser to encrypt the\n content.\n\n2. Google Workspace sends the DEK and authentication tokens to your third-party\n KACLS for encryption, using a URL you provide to the\n Google Workspace organization's administrator.\n\n3. Your KACLS uses this API to encrypt the DEK, then sends the obfuscated,\n encrypted DEK back to Google Workspace.\n\n4. Google Workspace stores the obfuscated, encrypted data in the cloud.\n Only users with access to your KACLS are able to access the data.\n\nFor more details, see [Encrypt and decrypt files](/workspace/cse/guides/encrypt-and-decrypt-data).\n\nNext steps\n\n- Learn how to [configure your service](/workspace/cse/guides/configure-service).\n- Learn how to [encrypt \\& decrypt data](/workspace/cse/guides/encrypt-and-decrypt-data)."]]
