← All controls

69 CSE with Google-partner KACLS

Client-side encryption encrypts content in the browser before it reaches Google, using a key wrapped by an external key access control list service (KACLS) run by a partner — FlowCrypt, Fortanix, Futurex, Hitachi Solutions, Stormshield, Thales, Utimaco. Google stores only ciphertext and never holds the key, so it cannot read the content and cannot be compelled to produce it. Setting it up needs the KACLS URL plus a separate identity provider that the KACLS trusts to authorise key unwrapping: a second trust anchor, distinct from Workspace sign-in.

Caveats

Setup steps

  1. Data › Compliance › Client-side encryption › Key services

    Add key service: name + KACLS URL; assign as default at the OU level

    Add and manage key services for client-side encryption ↗

  2. Data › Compliance › Client-side encryption › Identity provider

    IdP configuration (IdP name, client ID, discovery URI) per the partner's instructions

    Connect to your identity provider for client-side encryption ↗

  3. open ↗
    Admin console screen — Data > Compliance > Client-side encryption (Key service — register the external KACLS, then assign CSE to OUs)

    https://admin.google.com/ac/cse · captured 2026-07-15

    Data › Compliance › Client-side encryption

    Assign > select OU or group > key service = the partner KACLS > On for Drive/Docs, Gmail, Meet, Calendar as required

    Assign client-side encryption to users ↗ Turn client-side encryption on or off for users ↗

  4. Data › Compliance › Client-side encryption

    CSE indicator present; content not indexed

Ongoing maintenance

How to verify

  1. Open a CSE-encrypted document as an authorised user (key fetch must succeed), then as an unauthorised user (it must fail).

  2. Probe the partner KACLS endpoint availability from outside.

    curl -s -o /dev/null -w "%{http_code}" https://<kacls-endpoint>/status

v0.0.3Preventedition Ent Plus, Edu Std/Plus, Frontline Plus policy #16 · #15, #23 ↗