What is Google Workspace Client-Side Encryption (CSE), and what does it actually protect?
Google's CSE is the closest workspace-tool feature to what Koaich does by default. It's also gated behind Enterprise Plus licensing and a customer-run KMS. Here's what it covers, what it doesn't, and how it compares.
Google Workspace Client-Side Encryption — CSE — is the feature Google ships for enterprise customers who don't want Google to be able to read their data. It's the closest thing in the hyperscaler world to what Koaich does as a default for every user, and it's worth understanding precisely.
Two questions matter: what does CSE actually protect, and what does a customer have to do to use it. The answers are: more than nothing, less than everything, and quite a lot.
What CSE protects
CSE encrypts content on the user's device before it's uploaded to Google. Google's servers hold ciphertext for the parts of Workspace where CSE is enabled. The encryption key is held by the customer's Key Service — not Google.
Where it's supported:
· Drive — for new files in CSE-enabled shared drives. Existing files don't auto-migrate.
· Docs / Sheets / Slides — when created in a CSE-enabled context.
· Gmail — CSE is available for individual messages composed with CSE turned on.
· Meet — for calls where CSE is enabled per-organization.
· Calendar — CSE for event descriptions.
Where it's not supported (as of mid-2024):
· Comments, mentions, and inline annotations on encrypted docs
· Full-text search across CSE-encrypted content (you can search file names, not content)
· Server-side AI features (Gemini grounding) on CSE-encrypted content
· Forms responses, Sites content, Keep notes, Tasks
· Many legacy Workspace integrations and add-ons
What a customer has to do to use it
Licensing: CSE requires Google Workspace Enterprise Plus. Pricing is enterprise-tier (typically $30+/user/month). It's not available on the standard Business plans.
Run a Key Service: the customer has to operate a KMS that Google's CSE infrastructure calls during encrypt/decrypt operations. Google lists pre-built integrations with KACLS (Key Access Control List Service) providers (Thales, Virtru, Fortanix, Stormshield, Atos). The customer is responsible for the KMS's uptime, security, audit, and key management. If the KMS goes down, encrypted content is unreadable.
Identity provider integration: CSE expects SAML SSO from a customer-managed IdP. The KMS authenticates encrypt/decrypt requests against the IdP's signed tokens.
Operational complexity: key rotation, key recovery, backup procedures, and access auditing are all the customer's problem. Google provides the rails; the customer drives the train.
What this means for buyers
CSE is a genuine zero-knowledge offering from Google. For a large enterprise with a dedicated security team, a procurement team, and an existing KMS, CSE is a reasonable answer to "keep our content unreadable to Google" — within the surfaces CSE supports.
For a small business or solo professional, CSE isn't a realistic option. The Enterprise Plus license alone is north of $30/user/month. The KMS integration is months of engineering time. The surface coverage gaps (no search, no Gemini, limited integrations) push users back toward standard Workspace for daily use.
Koaich's approach is the inverted trade-off: end-to-end encryption is the default at every surface, no KMS to run, no Enterprise Plus license required. The cost is that Koaich is a smaller product than Workspace — no spreadsheets, no presentations, no full-blown email client. Koaich does messages, documents, files, and AI; for the kinds of work where that's enough, you get the key-custody property without the procurement journey.