Before you turn on CSE for Gmail: Make sure you enable the Gmail API and upload users' encryption keys. For details, go to Gmail only: Upload encryption keys for client-side encryption.
Users who need to create client-side encrypted calendar events. You also need to turn on CSE for Drive and Meet for these users if you want them to attach client-side encrypted documents and host client-side encrypted meetings.
If you turn on CSE by default, users still have the option to turn off encryption if needed. You can monitor user actions to turn off CSE for Drive and Calendar, using the security investigation tool. For details, go to View logs and reports for client-side encryption.
To turn on CSE for users, you need to turn on CSE for the organizational units or configuration groups the users belong to. Once you turn on user access for CSE, users can choose whether to encrypt content.
To prevent users from encrypting content, you can turn off CSE for the organizational units or configuration groups they belong to. If you turn off CSE for users, any existing client-side encrypted content remains encrypted and accessible.
You can use your own encryption keys to encrypt your organization's data, instead of using the encryption that Google Workspace provides. With Google Workspace Client-side Encryption (CSE), file encryption is handled in the client's browser before it's stored in Drive's cloud-based storage. That way, Google servers can't access your encryption keys and, therefore, can't decrypt your data. For more details, see About client-side encryption.
This API lets you control the top-level encryption keys that protect your data with a custom external key service. After you create an external key service with this API, Google Workspace administrators can connect to it and enable CSE for their users.
After an administrator enables CSE for their organization, users for whom CSE is enabled can choose to create encrypted documents using the Google Workspace collaborative content creation tools, like Docs and Sheets, or encrypt files they upload to Google Drive, such as PDFs.
When you perform client-side encryption, you must create and manage your own encryption keys, and you must use your own tools to encrypt data prior to sending it to Cloud Storage. Data that you encrypt on the client side arrives at Cloud Storage in an encrypted state, and Cloud Storage has no knowledge of the keys you used to encrypt the data.
When Cloud Storage receives your data, it is encrypted a second time. This second encryption is called server-side encryption, which Cloud Storage manages. When you retrieve your data, Cloud Storage removes the server-side layer of encryption, but you must decrypt the client-side layer yourself.
You can use the open source cryptographic SDK, Tink, to perform client-side encryption, then protect your keys with Cloud Key Management Service. For more details, see Client-side encryption with Tink and Cloud Key Management Service.
Users can continue to collaborate across other essential apps in Google Workspace while IT and security teams can ensure that sensitive data stays compliant with regulations. As customers retain control over the encryption keys and the identity management service to access those keys, sensitive data is indecipherable to Google and other external entities.
One key use case for CSE in this context centers on helping organizations subject to regulatory requirements, such as PwC, remain compliant, by meeting the need for the highest levels of encryption for certain types of communication.
"We have been searching for the capability to guarantee that our encrypted communications remain inaccessible to third parties, including our technology providers, for some time. Google appears to be uniquely positioned with client-side encryption in providing us with complete control over our sensitive data, ensuring that we remain compliant as an organization in the ever-changing world of data regulation. These features now being available across Google Workspace represent a pivotal moment for us. We're enthusiastic about the ability to continue to benefit from the efficiency in working that Workspace provides us with, whilst at the same time maintaining trust with our customers that their confidential data will stay private and compliant," said Shaun Bookham, UK Operations & Technology Director at PwC.
One of our global telecommunications customers, Verizon, is leveraging CSE to gain complete control over their sensitive data, ensuring that they remain compliant as an organization while supporting customers in highly regulated industries. This opens doors for the company to deliver an exceptional experience for its customers, by extending the level of data protection and privacy to their clients.
Customers, such as media giant Groupe Le Monde, rely on client-side encryption to protect their most crucial assets. By leveraging client-side encryption across Workspace, Groupe Le Monde can be assured that their communications, appointments, and files will not be subject to leaks, thus helping to keep their journalists safe.
"Client-side encryption gives us the next level of privacy, to ensure integrity within the journalistic process. This allows us to guarantee a higher level of security for our journalists, and to protect our sensitive content," said Sacha Morard, Chief Technology Officer at Groupe Le Monde.
Another industry-leading Google Workspace enterprise customer uses client-side encryption to protect their most sensitive projects. For these projects, the customer is the sole owner of their encryption keys, thereby protecting their critical intellectual property and maintaining their data sovereignty requirements.
Client-side encryption is especially beneficial for organizations that store sensitive or regulated data, like intellectual property, healthcare records, or financial data. It can help meet data sovereignty requirements and compliance requirements for ITAR, CJIS, TISAX, IRS 1075, and EAR.
Trust rules gives admins more control over how files can be shared, both within and outside of their organization. With these new rules in place, admins can enforce restrictions that limit internal and external sharing. Specific rules can even be set for organizational units and groups, allowing a more granular approach than enforcing blanket policies on every user.
Drive labels is now available in beta for Google Workspace Business Standard, Google Workspace Business Plus, Google Workspace Enterprise, Google Workspace for Education Standard, and Google Workspace Education Plus customers. Interested customers can sign up now for the beta. Automated classification through DLP is available to Google Workspace Enterprise Standard, Enterprise Plus, and Education Plus customers.
At Google Workspace, we consistently hear from our customers that the privacy of their data is top of mind, and that they need to ensure their confidential data cannot be accessed by any third party, including Google or foreign governments. Client-side encryption (CSE) is a state-of-the-art privacy-preserving technology that keeps customer data private and allows the customer to be the sole arbiter of their data.
We are delighted to announce that Google has now partnered with global data security leader, Thales, to provide customers with a variety of key service options when they enable CSE in Workspace. In addition, Google has launched strategic partnerships with Stormshield and Flowcrypt, who also provide options for customers to manage their own encryption keys and help keep their data sovereign and confidential.
On Tuesday, Google made client-side encryption available to a limited set of Gmail and Calendar users in a move designed to give them more control over who sees sensitive communications and schedules.
Abbreviated as CSE, client-side encryption was already available for Google Drive, Docs, Slides, Sheets, and Meet for users of Google Workspace, which the company sells to businesses. Starting on Tuesday, Google is rolling it out to customers of Gmail and Calendar Workspace.
CSE is significantly different from PGP (Pretty Good Privacy) mail encryption that was popular with security-minded people a decade ago. That system offered true end-to-end encryption since the contents could only be decrypted with a key in the recipient's possession. The difficulty of managing a different key for each party eventually proved too cumbersome, particularly at scale, so the use of PGP has largely vanished and been replaced with end-to-end encryption apps such as Signal.
The middle ground CSE is intended to occupy is aimed at organizations with strict compliance requirements that are mandated by law or contractual obligations. CSE gives these customers more control over the data Google stores while at the same time making it easy for authorized users to decrypt for sharing and collaboration.
Overall, CSE provides an incremental improvement over the current protections available from Google. People and organizations with specific uses or requirements may find them useful, but the masses are unlikely to clamor for it any time soon.
Google on Monday announced that it's rolling out client-side encryption to Google Workspace (formerly G Suite), thereby giving its enterprise customers direct control of encryption keys and the identity service they choose to access those keys.