Google Workspace CSE Resources
Client Side Encryption (CSE) in Google Workspace enables encryption operations within the client, storing only encrypted data and encrypted keys in the cloud. AES symmetric keys are used to encrypt the user content.
Google Workspace CSE allows the users to secure:
Calls over Google Meet
Docs, Sheets, and Slides data inside a Drive
Google Calendar events
Gmail (Google email) messages
Content is secured with an external encryption key that Google servers cannot access. File and call contents are encrypted on the browser before being sent to Google servers for storage.
With Google Workspace CSE:
Key ACL Service (KACLS) controls the top-level encryption keys that protect users' Gmail messages, Meet Calls, Calendar event data, and Google Drive (Docs, Sheets, and Slides data). KACLS is also referred to as external key management service in this document.
The authorization to encrypt or decrypt an object is created by Google Workspace.
End-user authentication is provided by a third-party identity provider.
Only encrypted data and encrypted keys are sent to Google Workspace servers.