Controlling Key Access in Your Organization
This guide explains how your organization can control who can access your encryption keys in Oten KMS — specifically for Google Workspace Client-Side Encryption (CSE).
With Google CSE, your data in Google Drive (Docs, Sheets, Slides), Google Meet, and Google Calendar is encrypted on the user's device before it reaches Google's servers. Oten KMS acts as your external Key Access Control List Service (KACLS), giving your organization full control over the encryption keys. This means you decide who can encrypt and decrypt your organization's sensitive data — not Google.
Oten KMS provides two complementary methods to enforce access control:
Organization Routing Rules — Control which Workspace handles a request, based on the application, user email, or request time.
CSE Key Selection Rules — Within a Workspace, control which specific key (CMK) is used, based on similar conditions scoped to that Workspace.