As we continue to expand Client-side encryption (CSE) across Google Workspace products, we’re introducing Key Migration which allows admins to enable additional key services or change their existing key service. In both cases, built-in controls ensure key migrations are performed safely, with support for backup key services and potential roll backs. These ensure encrypted data remains inaccessible to Google and fidelity is maintained through the migration process.
Why it’s important
Client-side encryption gives admins direct control of their encryption keys and the identity service that they choose to authenticate for those keys. Google never has access to the keys, rendering the data indecipherable, which may help organizations meet regulatory compliance in many regions.
This update gives admins the flexibility to perform key rotations that best suit their organizational policies—including having different key services —or resolve key service availability issues. Customers can add a new key, assign it to an organizational unit or group and migrate any content encrypted by the previous key to be encrypted by the new key. During this migration process the new key is backed up by an existing key as a safeguard mechanism. Once customers are confident in their new key and have completed any migrations they can remove the backup key.
Additionally, this release provides more granular control for our customers in maintaining their encryption keys by accommodating situations where they may choose to switch key service providers, move from on-premise to a managed service, and migrate encrypted content.
- Admins: Visit the Help Center to learn more about configuring Client-side encryption.
- End users: Visit the Help Center to learn more about getting started with encrypted files in Drive, Docs, Sheets & Slides and collaborating on encrypted files.
- Rapid Release and Scheduled Release domains: Full rollout (1–3 days for feature visibility) starting on November 10, 2020
- Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers
- Google Admin Help: Turn client-side encryption on or off
- Google Help: Get started with encrypted files in Drive, Docs, Sheets & Slides
- Google Help: Collaborate on encrypted files in Docs, Sheets & Slides
- Google Workspace Updates Blog: Stronger data security and privacy with Google Workspace Client-side encryption, GA support for Drive, Docs, Sheets, and Slides