This will allow customers to directly control encryption keys, while end users are still able to “take advantage of Google’s native web-based collaboration, access content on mobile devices, and share encrypted files externally.” This will work with Google Drive files (Office, PDF, and more file formats), Docs, Sheets, and Slides.
Client-side encryption is especially beneficial for organizations that store sensitive or regulated data, like intellectual property, healthcare records, or financial data. It can help meet data sovereignty requirements and compliance requirements for ITAR, CJIS, TISAX, IRS 1075, and EAR.
Google is working with Flowcrypt, Futurex, Thales, or Virtru, while enterprises will later be able to build and integrate their own in-house key services.
Each of these partners have built tools in accordance with Google’s specifications and provide both key management and access control capabilities. Your partner of choice holds the key to decode encrypted Google Workspace files, and Google cannot access or decipher these files without this key.
A beta of Client-side encryption in Drive will be available in the “coming weeks” for Google Workspace Enterprise Plus and Google Workspace Education Plus customers. Google Meet will add support in the fall, while this capability will eventually come to Gmail and Calendar.
Other announcements today include trust rules for Drive, and Drive labels that integrate with existing data loss prevention tools.