Google Workspace CSE Resources
Client Side Encryption (CSE) in Google Workspace enables encryption operations within the client, storing only encrypted files and encrypted keys in the cloud. AES symmetric keys are used to encrypt the user content.
Google Workspace CSE allows the user to secure Docs, Sheets, and Slides data in Drive with an external encryption key that Google servers cannot access. File contents are encrypted in the browser before being sent to Google servers for storage.
With Google Workspace CSE:
- Key ACL Service (KACLS) controls the top-level encryption keys that protect users' Docs, Sheets, and Slides data. KACLS is also referred to as external key management service in this document.
- The authorization to encrypt or decrypt an object is created by Google Workspace.
- End-user authentication is provided by a third-party identity provider.
- Only encrypted files and encrypted keys are sent to Google Workspace servers.
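
The division of roles listed above can be modelled in a few lines of Node.js. This is an added example, not Google's or any vendor's code: `MockKacls`, the token objects, and the `iv || tag || ciphertext` layout are assumptions made for illustration, and a real key service would verify signed tokens rather than plain objects.

```javascript
// Added illustration: in-process model of the CSE flow, not Google's API.
const nodeCrypto = require('node:crypto');

// AES-256-GCM helpers. Blob layout (constructed for this example):
// iv (12 bytes) || auth tag (16 bytes) || ciphertext
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Hypothetical stand-in for the external key service (KACLS). The top-level
// key never leaves this object. authn models the identity provider's token,
// authz models the authorization created by Google Workspace.
class MockKacls {
  constructor() { this.kek = nodeCrypto.randomBytes(32); }
  check(authn, authz, action) {
    if (!authn || !authn.user) throw new Error('missing IdP authentication');
    if (!authz || authz.user !== authn.user || !authz.allowed.includes(action))
      throw new Error('not authorized to ' + action);
  }
  wrap(dek, authn, authz) { this.check(authn, authz, 'wrap'); return seal(this.kek, dek); }
  unwrap(wrapped, authn, authz) { this.check(authn, authz, 'unwrap'); return open(this.kek, wrapped); }
}

// Client side: encrypt content with a fresh AES key, have the key service
// wrap that key, and return only what is uploaded for storage.
function clientEncrypt(kacls, content, authn, authz) {
  const dek = nodeCrypto.randomBytes(32);
  return { encryptedFile: seal(dek, Buffer.from(content, 'utf8')),
           encryptedKey: kacls.wrap(dek, authn, authz) };
}
// Decryption needs both tokens again; the stored object alone is not enough.
function clientDecrypt(kacls, stored, authn, authz) {
  const dek = kacls.unwrap(stored.encryptedKey, authn, authz);
  return open(dek, stored.encryptedFile).toString('utf8');
}
```

The object returned by `clientEncrypt` is everything the storage side sees; the plaintext and the unwrapped AES key exist only on the client, and the top-level key only inside the key service.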