As we continue to expand Client-side encryption (CSE) across Google Workspace products, we’re introducing Key Migration which allows admins to enable additional key services or change their existing key service. In both cases, built-in controls ensure key migrations are performed safely, with support for backup key services and potential roll backs. These ensure encrypted data remains inaccessible to Google and fidelity is maintained through the migration process. 

Admins 

Client-side encryption gives admins direct control of their encryption keys and the identity service that they choose to authenticate for those keys. Google never has access to the keys, rendering the data indecipherable, which may help organizations meet regulatory compliance in many regions. 

This update gives admins the flexibility to perform key rotations that best suit their organizational policies—including having different key services —or resolve key service availability issues. Customers can add a new key, assign it to an organizational unit or group and migrate any content encrypted by the previous key to be encrypted by the new key. During this migration process the new key is backed up by an existing key as a safeguard mechanism. Once customers are confident in their new key and have completed any migrations they can remove the backup key. 

Additionally, this release provides more granular control for our customers in maintaining their encryption keys by accommodating situations where they may choose to switch key service providers, move from on-premise to a managed service, and migrate encrypted content. 

Source: Google Workspace Updates