Supported editions for this feature: Frontline Plus; Enterprise Plus; Education Standard and Education Plus.
As an administrator, you can let external users access your content encrypted with Google Workspace Client-side encryption (CSE). There are 2 methods for providing external access:
- Set up access for external organizations that also use CSE. With this method, you can give an external organization access to encrypted content if they meet the user and CSE requirements.
- Configure a guest identity provider (IdP) to allow access for any external users. With this method, your users can provide access to your client-side encrypted content to both Google and non-Google accounts. External organizations don't need to set up CSE, and their users don't need a Google Workspace or Cloud Identity license.
The guest IdP configuration is currently available for Gmail (beta), Google Meet, Drive, Docs, Sheets, and Slides web applications only. The guest IdP configuration for mobile applications of these services will be available in an upcoming release.
About external access to encrypted email
You have 2 options for providing external access to client-side encrypted email messages:
- If users will exchange client-side encrypted messages only with external users who use S/MIME
  No additional setup is needed. You don't need to use a guest IdP, and external users don't need a Google Workspace or Cloud Identity license.
- If users will exchange client-side encrypted messages with external users who might not use S/MIME
  You can use the Send to Anyone (beta) option, which provides hosted S/MIME. In this case, you need to configure a guest IdP, as described later on this page. Users can then send encrypted messages to any external users. This option requires the Assured Controls or Assured Controls Plus add-on.
Important: For this release, Send to Anyone (beta) allows encrypted message exchange only with external users who use Gmail—either with a Google Workspace account or a consumer Gmail account.
For details about sending and receiving client-side encrypted email messages, go to Learn about Gmail Client-side encryption.
Set up external access for external organizations that use CSE
If an external organization and your organization meet the following requirements, you can give the external organization access to your organization's client-side encrypted content for Drive & Docs, Calendar, and Meet.
Configure a guest IdP for any external users
To give external organizations access to your client-side encrypted content, you can configure a guest IdP to authenticate external users, using the same IdP you use or a different one. With a guest IdP, your users can share encrypted content with others at external organizations, whether or not those organizations also use CSE.
Note: If you already set up external access for organizations that also use CSE (as described earlier on this page), that setup is ignored once you configure a guest IdP.