# 69 CSE with Google-partner KACLS

> v0.0.3 · role: Prevent · edition: Ent Plus, Edu Std/Plus, Frontline Plus · [policy: #16 · #15, #23](https://docs.google.com/spreadsheets/d/1nOztaPd1Y7eNeRSR_hdovYy-ncpx-bAx/edit?usp=sharing&ouid=115159875779023172526&rtpof=true&sd=true)

Client-side encryption encrypts content in the browser before it reaches Google, using a key wrapped by an external key access control list service (KACLS) run by a partner — FlowCrypt, Fortanix, Futurex, Hitachi Solutions, Stormshield, Thales, Utimaco. Google stores only ciphertext and never holds the key, so it cannot read the content and cannot be compelled to produce it. Setting it up needs the KACLS URL plus a separate identity provider that the KACLS trusts to authorise key unwrapping: a second trust anchor, distinct from Workspace sign-in.

Documentation: [About client-side encryption](https://knowledge.workspace.google.com/admin/security/about-client-side-encryption) · [Choose your key service for client-side encryption](https://knowledge.workspace.google.com/admin/security/choose-your-key-service-for-client-side-encryption)

## Caveats

- CSE breaks everything that reads content server-side — Drive full-text search, DLP (№26), Vault content search (№30), Gmail Security Sandbox (№23) and most third-party tooling. It is a deliberate trade of detectability for confidentiality: make it knowingly, and only for the data that needs it.
- A partner KACLS makes the partner, not you, the compelled-disclosure boundary — if the threat model is a compelled provider, this only helps when the partner sits in a different jurisdiction; otherwise you want to hold the key service yourself (HYOK, №48).
- Losing the KACLS or its IdP binding is unrecoverable data loss — Google cannot decrypt. Key-custody ceremony (№35) and the air-gapped recovery kit (№55) are prerequisites, not nice-to-haves.
- Requires Enterprise Plus, Education Standard/Plus or Frontline Plus — on other editions this screen does not resolve.
- Changes take up to 24 hours to propagate — a same-day verification attempt can look like a broken configuration.

## Setup steps

1. Add the partner KACLS (key access control list service — e.g. FlowCrypt, Fortanix, Futurex, Hitachi Solutions, Stormshield, Thales, Utimaco) by name and URL, and assign it as the default key service for the OU (organizational unit). — `Data › Compliance › Client-side encryption › Key services`

   Add key service: name + KACLS URL; assign as default at the OU level

   docs: [Add and manage key services for client-side encryption](https://knowledge.workspace.google.com/admin/security/add-and-manage-key-services-for-client-side-encryption)

2. Connect the identity provider the KACLS will use to authorise key unwrapping — this is a second, separate trust anchor from Workspace sign-in. — `Data › Compliance › Client-side encryption › Identity provider`

   IdP configuration (IdP name, client ID, discovery URI) per the partner's instructions

   docs: [Connect to your identity provider for client-side encryption](https://knowledge.workspace.google.com/admin/security/connect-to-your-identity-provider-for-client-side-encryption)

3. Assign CSE to the target population under 'Encryption with external key service'. — `Data › Compliance › Client-side encryption`

   Assign > select OU or group > key service = the partner KACLS > On for Drive/Docs, Gmail, Meet, Calendar as required

   docs: [Assign client-side encryption to users](https://knowledge.workspace.google.com/admin/security/assign-client-side-encryption-to-users) · [Turn client-side encryption on or off for users](https://knowledge.workspace.google.com/admin/security/turn-client-side-encryption-on-or-off-for-users)

4. Verify by creating a client-side-encrypted document as a member of the OU and confirming the shield indicator plus that Drive search cannot find its contents. — `Data › Compliance › Client-side encryption`

   CSE indicator present; content not indexed

## Ongoing maintenance

- **[automatable: script]** Continuously: monitor KACLS availability — when it is down, every CSE document is unreadable.

## How to verify

1. Open a CSE-encrypted document as an authorised user (key fetch must succeed), then as an unauthorised user (it must fail).

2. Probe the partner KACLS endpoint availability from outside.

   ```
   curl -s -o /dev/null -w "%{http_code}" https://<kacls-endpoint>/status
   ```

## Settings screens

- Data > Compliance > Client-side encryption (Key service — register the external KACLS, then assign CSE to OUs)
  - console: https://admin.google.com/ac/cse
  - screenshot: ../screenshots/admin.google.com/ac/cse.png
