What’s changing
Admins can now set client-side encryption (CSE) to be on by default for:
- Newly created Gmail messages and Google Calendar events.
- Newly created Google Docs, Sheets, and Slides files.
- Newly uploaded Google Drive files.
Admins can set client-side encryption to be on by default for users in Organizational Units (OUs) that regularly handle sensitive data requiring additional encryption. This gives organizations the flexibility to meet their compliance and regulatory requirements and reduce the burden on change management programs. Users are prompted to create a CSE object natively in each app, meaning their emails, events and files are encrypted by default with customer-managed keys and are private from Google. For organizations with strict regulatory or sovereignty needs, this can help them close compliance gaps by defaulting users to the preferred mode for handling sensitive data.
Drive:
This is available on the web initially, with support coming for mobile apps in the future.
Who’s impacted
Admins and end users
Why it matters
This feature is important for Google Workspace admins as it improves users' compliance behavior without sacrificing productivity and increases control for admins implementing data control policies. It also includes improved audit logs, providing more detail for admins compiling regulatory compliance reports.
Workspace already uses the latest cryptographic standards to encrypt data by default, at rest and in transit between our facilities. Client-side encryption goes beyond this, giving organizations authoritative control and privacy as the sole owner of private encryption keys and the identity provider of the encryption keys. It gives organizations higher confidence that any third party, including Google and foreign governments, cannot access their confidential data. Users can continue to collaborate across their preferred apps in Workspace while IT and compliance teams can ensure that sensitive data stays compliant with regulations.
Getting started
- Admins: This feature will be OFF by default and can be configured at the group or OU level. Visit the Help Center to learn more about client-side encryption.
- End users: Use our Help Center to learn more about working with encrypted files in Drive, Docs, Sheets & Slides.
Rollout pace
- Rapid Release and Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on December 5, 2023
Availability
- Google Workspace Assured Controls is available as an add-on to Google Workspace Enterprise Plus customers only. For more information, contact your Google account representative.
Resources
- Google Workspace Admin Help: About client-side encryption
- Google Help: Get started with encrypted files in Drive, Docs, Sheets & Slides
- Cloud Blog post: Announcing Assured Controls and expanded Data Regions coverage for Google Workspace
- Google Workspace Blog: Google Workspace expands data privacy controls to Gmail and Calendar with client-side encryption