← All controls

48 CSE self-hosted / HYOK KACLS

The self-hosted variant of client-side encryption: you run the key access control list service (KACLS) yourself, on your own endpoint, paired with an external IdP that the KACLS trusts for authorisation assertions. Google never sees the key, so no order served on Google can produce your plaintext — that is the entire threat-model payoff, and it is why the control is scoped to the OU holding the crown jewels rather than to the tenant.

Caveats

Setup steps

  1. open ↗
    Admin console screen — Data > Compliance > Client-side encryption (key service + per-application user access)

    https://admin.google.com/ac/cse · captured 2026-07-15

    Data › Compliance › Client-side encryption › Key service

    Add key service → Name + KACLS URL (your endpoint, e.g. https://kacls.example.org/v1)

    Add and manage key services for client-side encryption ↗ Build a custom key service for client-side encryption ↗

  2. Data › Compliance › Client-side encryption › Identity provider

    .well-known/cse-configuration file on your domain (or the Admin console IdP fallback): name, client_id, discovery_uri (OIDC discovery URL), grant_type, applications

    Connect to your identity provider for client-side encryption ↗

  3. Data › Compliance › Client-side encryption › Assign to users

    Key service assigned to the high-risk OU/group only

    Assign client-side encryption to users ↗

  4. Data › Compliance › Client-side encryption

    Client-side encryption status = On for Drive (Docs/Sheets/Slides fall under Drive; add Gmail, Calendar, Meet as needed) for the high-risk OU; Off elsewhere

    Turn client-side encryption on or off for users ↗

Ongoing maintenance

How to verify

  1. Probe the self-hosted KACLS from outside, then open a CSE document as an authorised user and confirm the key operation appears in the KACLS’s own logs — the log line is the point of HYOK.

    curl -s -o /dev/null -w "%{http_code}" https://<kacls-host>/status

v0.1.3Preventedition Ent Plus · Edu Std+ · Frontline Plus policy #16 · #19 ↗