Use Key Migration to change or add key services for Client-side encryption

What’s changing 

As we continue to expand Client-side encryption (CSE) across Google Workspace products, we’re introducing Key Migration which allows admins to enable additional key services or change their existing key service. In both cases, built-in controls ensure key migrations are performed safely, with support for backup key services and potential roll backs. These ensure encrypted data remains inaccessible to Google and fidelity is maintained through the migration process. 

Who’s impacted 


Why it’s important 

Client-side encryption gives admins direct control of their encryption keys and the identity service that they choose to authenticate for those keys. Google never has access to the keys, rendering the data indecipherable, which may help organizations meet regulatory compliance in many regions. 

This update gives admins the flexibility to perform key rotations that best suit their organizational policies—including having different key services —or resolve key service availability issues. Customers can add a new key, assign it to an organizational unit or group and migrate any content encrypted by the previous key to be encrypted by the new key. During this migration process the new key is backed up by an existing key as a safeguard mechanism. Once customers are confident in their new key and have completed any migrations they can remove the backup key. 

Additionally, this release provides more granular control for our customers in maintaining their encryption keys by accommodating situations where they may choose to switch key service providers, move from on-premise to a managed service, and migrate encrypted content. 

Getting started 

Rollout pace 


  • Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers