> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/kms-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/kms-support/google-cse-integration/overview.md).

# Overview

### Introduction

The goal of the solution is to integrate Google Workspace Client-Side Encryption (CSE) with the internal Key Management Service (**Oten KMS**) platform through a single Key Access Control Layer Service (KACLS).\
The solution enables:

* Full control of the key lifecycle (create, wrap, unwrap, rewrap).
* Separation of encryption policies by org, workspace, group, and user.
* Ensuring multi-tenant isolation without requiring multiple integration links in Google Admin.

&#x20;**Who holds the key to your data?**

When you use Google's Client-Side Encryption (CSE) feature, you are applying an additional layer of security to your data. Think of it this way:

* **Google's Role**: Provides the "house" (Docs, Sheets, Slides) and handles the actual data encryption using DEKs
* **Your Role**: Maintain ultimate control through **Oten KMS** that manages your CMKs
* **DEK (Data Encryption Key)**: Unique key generated by Google for each document
* **CMK (Customer Master Key)**: Your master key managed in **Oten KMS** that protects all DEKs

Google never has access to this "master key," ensuring that only your company can control the decryption of sensitive data.
