# 48 CSE self-hosted / HYOK KACLS

> v0.1.3 · role: Prevent · edition: Ent Plus · Edu Std+ · Frontline Plus · [policy: #16 · #19](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

The self-hosted variant of client-side encryption: you run the key access control list service (KACLS) yourself, on your own endpoint, paired with an external IdP that the KACLS trusts for authorisation assertions. Google never sees the key, so no order served on Google can produce your plaintext — that is the entire threat-model payoff, and it is why the control is scoped to the OU holding the crown jewels rather than to the tenant.

Documentation: [About client-side encryption](https://knowledge.workspace.google.com/admin/security/about-client-side-encryption) · [Client-side encryption setup overview](https://knowledge.workspace.google.com/admin/security/client-side-encryption-setup-overview)

## Caveats

- The payoff is near-total against a compelled-provider threat and near-zero against anything else — do not deploy HYOK for a threat model that does not include legal compulsion of Google.
- If your KACLS is unreachable, encrypted content is unreadable — you have built your own single point of failure, and key-service uptime is now your uptime.
- CSE breaks server-side features on the encrypted content — no search inside, no Vault indexing, no DLP inspection, no server-side spam scanning.
- Tenant-wide CSE is an operational cliff, not a security win — turn it on for the high-risk OU and leave it off elsewhere.
- Requires Enterprise Plus, Education Standard or Plus, or Frontline Plus — on other editions this screen does not resolve (as with №69).

## Setup steps

1. Register your self-hosted KACLS (key access control list service) endpoint. Self-hosted (HYOK, 'hold your own key') means you run the key service; Google never sees the key — that is the entire threat-model payoff. — `Data › Compliance › Client-side encryption › Key service`

   Add key service → Name + KACLS URL (your endpoint, e.g. https://kacls.example.org/v1)

   docs: [Add and manage key services for client-side encryption](https://knowledge.workspace.google.com/admin/security/add-and-manage-key-services-for-client-side-encryption) · [Build a custom key service for client-side encryption](https://developers.google.com/workspace/cse/guides/overview)

2. Register the external IdP that the KACLS will trust for authorisation assertions — CSE requires the IdP+key-service pair, not the key service alone. — `Data › Compliance › Client-side encryption › Identity provider`

   .well-known/cse-configuration file on your domain (or the Admin console IdP fallback): name, client_id, discovery_uri (OIDC discovery URL), grant_type, applications

   docs: [Connect to your identity provider for client-side encryption](https://knowledge.workspace.google.com/admin/security/connect-to-your-identity-provider-for-client-side-encryption)

3. Assign the registered key service to the OU (organizational unit) or group that holds the crown jewels — adding the key service alone does not scope it to the OU; the assignment does. Tenant-wide CSE is an operational cliff, not a security win. — `Data › Compliance › Client-side encryption › Assign to users`

   Key service assigned to the high-risk OU/group only

   docs: [Assign client-side encryption to users](https://knowledge.workspace.google.com/admin/security/assign-client-side-encryption-to-users)

4. Turn on Client-side encryption status per service for that OU — the CSE screen's per-service toggles (Drive, Gmail, Calendar, Meet), as in [№69](cse-partner-kacls.md) — so users can create client-side-encrypted files. This per-service toggle is the only CSE on/off switch for users. — `Data › Compliance › Client-side encryption`

   Client-side encryption status = On for Drive (Docs/Sheets/Slides fall under Drive; add Gmail, Calendar, Meet as needed) for the high-risk OU; Off elsewhere

   docs: [Turn client-side encryption on or off for users](https://knowledge.workspace.google.com/admin/security/turn-client-side-encryption-on-or-off-for-users)

## Ongoing maintenance

- **[automatable: script]** Continuously: operate, patch and monitor the KACLS host — its downtime bricks every CSE document.
- **[requires a human]** Quarterly: test KACLS key-material backup restore.

## How to verify

1. Probe the self-hosted KACLS from outside, then open a CSE document as an authorised user and confirm the key operation appears in the KACLS’s own logs — the log line is the point of HYOK.

   ```
   curl -s -o /dev/null -w "%{http_code}" https://<kacls-host>/status
   ```

## Settings screens

- Data > Compliance > Client-side encryption (key service + per-application user access)
  - console: https://admin.google.com/ac/cse
  - screenshot: ../screenshots/admin.google.com/ac/cse.png
