What’s changing
Last year we announced the beta for Google Workspace Client-side encryption. Now, this feature is generally available for Google Drive, Docs, Sheets and Slides, with support for multiple file types including Office files, PDFs, and more.
This is a step in our commitment to enable Client-side encryption across Google Workspace, including Gmail, Meet, and Calendar. Follow the Google Workspace Updates blog to be informed on our next milestones on Client-side encryption.
Who’s impacted
Admins
Why it’s important
Google Workspace already uses the latest cryptographic standards to encrypt all data by default, at rest and in transit between our facilities. Client-side encryption goes beyond this, giving you authoritative control and privacy as the sole owner of private encryption keys and the identity provider used to access those keys.
This can help you strengthen the confidentiality of your sensitive or regulated data while addressing a broad range of data sovereignty and compliance needs.
When using Client-side encryption, your data is indecipherable to Google. You can create a fundamentally stronger privacy posture, whether that’s to help your organization comply with regulations like ITAR and CJIS or simply to better protect the privacy of your confidential data.
Read our announcement blog post to learn our plans for Client-side encryption across Google Workspace.
Additional details
To enable Client-side encryption, you’ll choose a key access service partner: Flowcrypt, Fortanix, Futurex, Stormshield, Thales, or Virtru. Each of these partners have built tools in accordance with Google’s specifications and provide both key management and access control capabilities. Your partner of choice either holds the key to decode encrypted Google Workspace files or simply provides you with software that allows you to hold the keys on-premise. Either way, Google cannot decipher these files without this key, which Google never has access to. You can also decide to build your own key service implementation using our API specifications.
Getting started
- Admins: This feature will be OFF by default and can be enabled at the domain, OU, and Group levels (Admin console > Security > Access and data control > Client-side encryption). Visit our Help Center to learn more about client side encryption.
- End users: Get started with encrypted files in Drive, Docs, Sheets & Slides
Rollout pace
- Rapid and Schedule Release domains: Gradual rollout (up to 15 days for feature visibility) starting on March 31, 2022
Availability
- Available to Enterprise Plus and Education Plus customers
- Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers.