Set up your external key service for client-side encryption

After you connect Google Workspace to your identity provider (IdP), you're ready to set up the external encryption key service you chose. This article provides information about using a partner key service. If you're building your own key service, refer to the documentation for the Google Workspace Client-side Encryption API.

Work with your partner key service

Follow the key service's instructions to set up your encryption keys and key access control list. Your key service, also called a key access control list service (KACLS), will give you a URL for accessing its service. You'll add this URL to your Admin console to connect Google Workspace to your external key service.

Key service    Get started
Cloud HSM      Onboarding guide
FlowCrypt      Instructions
Fortanix       Instructions
FutureX        Instructions
Stormshield    Overview
Thales         Instructions
Utimaco        Instructions (PDF)

About adding users to your key service

Work with your key service to add internal and external users who need to use CSE.

Internal users

When you set up a key service, you'll also create your key access control list: the internal users, groups, or domains that you want to be able to encrypt content or to have view and edit access to encrypted content.

External users

If your users need to share encrypted content with external organizations that also use Google Workspace CSE, you can have your key service add the external organization's identity provider (IdP) to its allowlist. For more information about this and other options for providing external access to client-side encrypted content, go to Provide external access to client-side encrypted content.

Keep your encryption keys safe

Next step

After you set up your external key service, you need to add the key service to your Admin console.