How to Password Protect Google Sheets in 2026 (7 Methods — Only 1 Tracks Views)

Last updated: March 2026

I run Peony, a secure data room platform, and the spreadsheets that land in our rooms are never casual — they are cap tables, financial models, pricing sheets, payroll summaries, and due diligence trackers. Whether it is a startup fundraise, an M&A deal, or PE portfolio reporting, the kind of data where one wrong "anyone with the link" share can create a real problem.

Password protecting a Google Sheet means adding a gate so only authorized people can access the data inside. The catch: Google Sheets has no native "enter a password to open" feature. Google's model is identity-based — you share with specific Google accounts, not with a passphrase. That is arguably more secure for internal teams, but it leaves a gap when you need to share externally with control.

I tested every method to lock down a Google Sheet in 2026. Here is what actually works, what is security theater, and when you need something stronger than Google's built-in controls.

TL;DR: Google Sheets sharing set to Restricted + specific people is your baseline. Sheet/range protection guards edit integrity but does not gate viewing. For external sharing where you need a password gate, view tracking, watermarking, and revocation, export your Sheet and share through Peony — the only method here that gives you all four. Starts free.

---

Quick Guide

---

How Google Sheets Actually Leak

Before the methods, it helps to understand what goes wrong. Most spreadsheet leaks are not sophisticated attacks — they are predictable human mistakes:

• "Anyone with the link" sharing. You set it for convenience. That link ends up in Slack channels, forwarded emails, and Notion pages — effectively public. Research shows 22% of externally shared Google Drive files use open links, and 94% of those shares are never revoked.

• Autocomplete mis-sends. You type "Alex" and pick the wrong one. Verizon's 2025 DBIR shows misdelivery accounts for 49% of human-error breaches.

• Forwarding chains. You share with one person. They forward to their team. Their team forwards to advisors. Now a dozen people you never approved have live access.

• Editors re-sharing. Unless you explicitly uncheck "Editors can change permissions and share," any editor can invite anyone else — and you might not notice for months.

• Downloads and local copies. Even with Viewer-only access, viewers can download, print, and copy by default. That CSV sitting in someone's Downloads folder survives every access revocation you do later.

Over 40% of Google Drive files contain sensitive data, and 34% of those are shared externally. The average company has 35,000 sensitive assets publicly exposed via "anyone with the link" shares.

---

1. Google Sheets Sharing Settings

What it does: Controls who can access your spreadsheet using Google account identity.

How to

1. Open your Google Sheet
2. Click Share (top right)
3. Under General access, set to Restricted (not "Anyone with the link")
4. Add specific email addresses — set each person as Viewer, Commenter, or Editor
5. Click the gear icon and uncheck "Editors can change permissions and share"
6. Uncheck "Viewers and commenters can see the option to download, print, and copy"

Pros

• Built-in, free, no extra tools
• Identity-based (more secure than a shared password for internal use)
• Granular per-person roles
• 2025 update: Enhanced IRM lets Workspace admins block downloads for ALL roles via DLP

Cons

• No password gate — relies entirely on Google account authentication
• Editors can always download, print, and copy (the disable option only works for Viewers/Commenters unless admin enforces IRM)
• No view tracking — you see edit history but not who simply opened and read the sheet
• No automatic expiration
• No watermarking or screenshot protection
• September 2025 change: items in shared folders now inherit folder permissions — you can no longer restrict individual files below folder-level access

My take

This is your minimum viable security and where everyone should start. Set Restricted as a reflex. But if you need to track who actually looked at the data, watermark for leak deterrence, or set automatic expiry — you need more.

Best for

Internal team collaboration where everyone has Google accounts and you trust the sharing boundary.

---

2. Sheet & Range Protection

What it does: Prevents specific people from editing specific cells, ranges, or entire sheet tabs. This is an integrity feature, not an access control.

How to

1. Select the cells or range you want to protect
2. Go to Data → Protect sheets and ranges
3. In the sidebar, click Add a sheet or range
4. Choose Range (specific cells) or Sheet (entire tab)
5. Click Set permissions
6. Choose "Restrict who can edit this range" → select "Only you" or specific people
7. Click Done

Alternative: Right-click selected cells → View more cell actions → Protect range

Pros

• Prevents accidental edits to formulas, headers, totals, and structure
• Allows collaborative templates where people fill in designated fields
• Can protect entire tabs while leaving others editable
• Free and built-in

Cons

• Does NOT control viewing — anyone with access can see, copy, and download all protected data
• The "Show a warning" option can be dismissed with one click — it is not a barrier
• Not encryption — just an editing permission flag
• Hidden sheets can be unhidden by any editor

My take

Use this for formula and structure integrity, not for confidentiality. Protect your SUM rows, your VLOOKUP tables, your validated dropdowns. But do not confuse this with security — it is a collaboration guardrail.

Best for

Shared templates and workbooks where you need to prevent accidental formula breakage.

---

3. Google Workspace Client-Side Encryption (CSE)

What it does: Encrypts spreadsheet data in your browser before it reaches Google's servers. Google cannot decrypt the data — your organization controls the keys.

How to

1. Your Workspace admin must enable CSE and set up an external Key Access Control List Service (KACLS) — options include FlowCrypt, Futurex, Thales, or Stormshield
2. In Google Sheets, go to File → New → New encrypted spreadsheet
3. Share the encrypted sheet to specific named users who also have CSE access
4. Data is encrypted in the browser; Google only stores ciphertext

Pros

• True end-to-end encryption — Google cannot read your data
• Organization controls encryption keys via external KACLS
• Meets compliance requirements: GDPR, HIPAA, ITAR, CJIS
• Full Sheets support since September 2025
• KACLS can enforce perimeter checks: geolocation, time-based, device-based

Cons

• Only available on Enterprise Plus, Education Standard/Plus, and Frontline Plus — not on Business Starter/Standard/Plus
• Requires admin setup and an external key management service
• Not available on Google Sheets mobile app
• Requires Chrome or Edge browser
• 100 MB file size limit
• Apps Script, macros, and add-ons are not supported on CSE files
• Only .xlsx files can be imported (not .csv, .ods, or .xls)
• Some Sheets features may be unavailable with CSE enabled
• Still identity-based sharing — not a password gate for external recipients

My take

CSE is the strongest option within the Google ecosystem — if your organization qualifies. It is real encryption where Google genuinely cannot see your data. But it requires Enterprise-tier licensing (the most expensive Workspace plan), dedicated admin effort, and external key infrastructure. For most startups and SMBs, this is overkill. For regulated industries (finance, healthcare, government), it is worth the investment.

Best for

Regulated industries on Enterprise Workspace plans that need to prove Google cannot access their data — biotech firms in clinical trials, legal teams handling privileged documents, and financial institutions under GDPR or HIPAA.

---

4. Export to Excel + Password Protect

What it does: Downloads your Sheet as .xlsx, then applies AES-256 file-level password encryption using Microsoft Excel.

How to

1. In Google Sheets: File → Download → Microsoft Excel (.xlsx)
2. Open the .xlsx in Microsoft Excel (desktop — Excel Online cannot encrypt)
3. Go to File → Info → Protect Workbook → Encrypt with Password
4. Enter and confirm a strong password
5. Save the file
6. Share the encrypted .xlsx via email or cloud storage
7. Send the password via a separate channel — phone call, SMS, or Signal (never in the same email)

Pros

• True file-level encryption: AES-256 in Excel 2013+, AES-256-CBC default since October 2023
• Recipient cannot open without the password
• Works offline — no internet required to view
• No Workspace tier requirements

Cons

• Requires Microsoft Excel desktop to apply encryption (Excel Online cannot do it)
• Once the recipient has the password, they can remove it and reshare freely
• No revocation — once the file is sent, it is out of your control
• No audit trail of who opened it or when
• No version control — each export creates a separate snapshot
• Loses real-time collaboration, comments, and revision history
• Separate "modify password" in Excel is NOT encryption — it is trivially bypassable

My take

Solid for one-time file delivery where you need genuine at-rest encryption. The AES-256 is real and strong. But the moment you share that password, you lose control — there is no revocation, no tracking, and no way to update the file behind the same link. For recurring shares (quarterly financials, updated models), this creates version chaos fast.

Best for

One-time delivery of a static spreadsheet snapshot where the recipient needs an offline encrypted copy.

---

5. Export to PDF + Password Protect

What it does: Downloads your Sheet as a PDF, then applies password encryption so the file cannot be opened without a passcode.

How to

1. In Google Sheets: File → Download → PDF document (.pdf)
2. Configure print settings (selected sheets, landscape/portrait, etc.) and click Export
3. Password-protect the PDF using one of:
   • Adobe Acrobat: File → Properties → Security → Password Security (AES-256)
   • macOS Preview: File → Export as PDF → check Encrypt (AES-128)
   • Free online tools: PDF24, Smallpdf, iLovePDF
   • CLI tools: qpdf (qpdf --encrypt password password 256 -- input.pdf output.pdf)
4. Share the encrypted PDF and send the password via a separate channel

See our complete guide to password protecting PDFs for detailed steps on each tool.

Pros

• Read-only format prevents casual editing
• AES-256 available via Acrobat, qpdf, and some free tools
• Universal compatibility — any PDF reader can open with the password
• Good for snapshots, reports, and presentation-ready formats

Cons

• Same revocation and audit gaps as the Excel export method
• Loses all spreadsheet functionality — no formulas, sorting, filtering, or pivot tables
• Some free PDF tools use weaker encryption (AES-128 or RC4)
• PDF may not preserve complex Sheets formatting (wide tables, multiple tabs)
• No watermarking unless you add it separately before encryption

My take

The PDF route makes sense when the recipient needs a read-only snapshot and you want a universal format. For financial data where the structure matters (sortable columns, linked tabs), the Excel export in Method 4 preserves more utility. Both methods share the same fundamental weakness: once the password is out, so is the file.

Best for

Sharing read-only snapshots of spreadsheet data — quarterly reports, board summaries, client deliverables.

---

6. Share Through Peony (Full Control)

What it does: Instead of sharing the raw Google Sheet link, you export the spreadsheet and share it through Peony — getting a password gate, identity verification, view tracking, watermarking, and revocation in one link.

How to

1. In Google Sheets: File → Download as .xlsx (for data utility) or .pdf (for read-only)
2. In Peony, create a room named by context — "Series A — Financial Model" (for VC fundraising), "Client — Pricing Schedule" (for sales), "Board — Q1 2026 Financials" (for investor relations)
3. Upload the exported file to that room
4. Set access controls: grant access to specific email addresses or trusted domains (e.g., @investor.com)
5. Optionally add a passcode for an extra gate — recipients must verify identity AND enter the passcode
6. Enable dynamic watermarking (viewer email + timestamp) and screenshot protection
7. Set link expiry for time-boxed deals
8. Share the single Peony link — this is now the only way to access the spreadsheet
9. Monitor engagement via page-level analytics — see who opened, when, and how long they viewed each page

Pros

• Password gate + identity verification — two layers, not one
• Page-level analytics: who viewed what, when, how long, which pages
• Dynamic watermarking: viewer identity burned into every page view
• Screenshot protection: deters casual screen captures
• Instant revocation: cut access for anyone, anytime
• Link expiry: automatic access termination for time-boxed sharing
• Version updates behind the same link: replace the file, same URL, no resending
• Download controls: disable downloads entirely or allow per-recipient
• No Google Workspace tier requirements — works with any Google account
• Free tier available with core security features

Cons

• Requires exporting from Google Sheets (one extra step)
• Loses real-time collaboration — the shared version is a snapshot, not a live Sheet
• Updating requires re-exporting and replacing the file in Peony (though the link stays the same)

My take

This is the method I recommend for anything you would be uncomfortable seeing forwarded — investor financial models, cap tables, compensation benchmarks, client pricing, M&A deal documents, and board financials. You get everything that Methods 1-5 are individually missing: a password gate, identity verification, view tracking, watermarking, revocation, and expiry — all in one link. The export step adds 30 seconds. The control you gain is permanent.

Best for

External sharing with investors, clients, partners, or anyone outside your organization where you need control, visibility, and the ability to revoke access — especially in fundraising, due diligence, and private equity workflows.

---

7. Google Apps Script Password Prompt (NOT Recommended)

What it does: A custom script creates a password dialog when the spreadsheet opens. If the user enters the wrong password (or cancels), the script hides all sheets.

How to (for awareness only)

1. Open the Google Sheet
2. Go to Extensions → Apps Script
3. Paste a script that uses onOpen() to prompt for a password and hide sheets if it fails
4. Store the password in Script Properties via PropertiesService.getScriptProperties()
5. Run the onOpen function to trigger on every open

Why this is not real security

• The password is readable: Any editor can open Extensions → Apps Script and read the stored password
• Mobile bypass: onOpen() only runs on desktop web — mobile users see all data without any prompt
• Manual bypass: Anyone can unhide sheets via the View menu
• No encryption: Data is not encrypted in any way — it is just hidden from the UI
• Race condition: On slow connections, sheets may be visible briefly before the script runs
• Editor access: Any editor can modify or delete the script entirely

My take

This is security theater — it looks like protection but provides none against anyone who spends 30 seconds looking. I include it because you will find tutorials recommending it. Do not rely on it for anything that matters.

Best for

Deterring extremely casual, non-technical viewers from accidentally seeing data they should not. Nothing more.

---

What About Third-Party Add-ons?

The Google Workspace Marketplace offers add-ons like CellEncrypt, Password Protect for Google Documents, and Cryptograph that can encrypt individual cell values or export password-protected PDFs.

Use caution:

• Quality and security vary widely — verify the publisher's reputation
• Cell-level encryption makes data unusable for formulas, charts, and sorting
• Some add-ons request broad Drive permissions (access to all your files)
• Adding another dependency increases your attack surface

For most users, the seven methods above cover the full spectrum. If you need cell-level encryption for specific sensitive values (SSNs, account numbers), CellEncrypt is the most established option.

---

Understanding the Two Types of Protection

People conflate two different things when they say "protect" a Google Sheet:

For real access protection with a password gate, you need Method 4 (Excel export), Method 5 (PDF export), or Method 6 (Peony) — the native Google Sheets controls only offer identity-based access, not password-based gating.

---

Comparison: Google Sheets vs. Other Spreadsheet Apps

Google Sheets trades file-level password encryption for cloud-native identity controls and admin DLP. That is a reasonable trade-off for internal teams — identity-based access is objectively more secure than a shared password that can be forwarded. But for external sharing, the gap is real.

Peony fills that gap: identity-bound access + optional passcodes + page-level analytics + watermarking + revocation + link expiry — the controls Google Sheets does not provide, in a single link.

---

By the Numbers

• No native password-to-open feature in Google Sheets — confirmed by Google and requested since 2018 with no implementation
• AES-256 encryption at rest for all Google Drive files, including Sheets — Google-managed keys
• 60% of breaches involve human error — misdelivery, wrong permissions, social engineering — Verizon DBIR 2025
• 49% of human-error breaches are misdelivery — sending to the wrong person — Verizon DBIR 2025
• 40% of Google Drive files contain sensitive information; 34% of those are shared externally — Metomic 2023
• 22% of external shares use "anyone with the link"; 94% of those are never revoked — Valence Security
• $10.22 million average U.S. data breach cost in 2025, all-time high — IBM Cost of a Data Breach 2025
• 3 billion+ active Google Workspace users worldwide — ElectroIQ 2025
• 30% of breaches involved third parties in 2025, doubled from 15% the year before — Verizon DBIR 2025

---

Practical Tips (Tiny Habits, Real Protection)

1. Make Restricted your default reflex. Every time you create a Sheet, check that General access says "Restricted" before adding anyone. The 2 seconds this takes prevents the #1 leak vector.

2. Separate authoring from sharing. Google Sheets is where you write and collaborate. Peony (or at minimum, locked-down Restricted sharing) is where you control external distribution. Keep these as two distinct steps in your head.

3. Protect formulas separately from data. Use sheet/range protection (Method 2) for structural integrity, and sharing controls or Peony (Method 1 or 6) for access gating. They solve different problems.

4. Send passwords out-of-band. If you use Excel or PDF export with a password, never send the password in the same email as the file. Phone call, SMS, or a different messaging app. NIST guidelines recommend longer passphrases over short complex passwords.

5. Close doors when deals end. When a fundraise closes, a diligence process completes, or an engagement wraps — revoke access. Verizon's data shows lingering access is a persistent breach vector. In Peony, this is one click per room.

6. Uncheck "Editors can change permissions and share." This single checkbox prevents unauthorized re-sharing by editors. Make it standard for every external share.

7. Audit your "anyone with the link" shares. Go to Google Drive, search for files shared with "anyone with the link," and switch them to Restricted. Research shows 94% of open-link shares are never intentionally revoked.

---

Bottom Line

There is no "enter a password to open this Google Sheet" button. That feature does not exist and Google has shown no indication of building it.

What you can build instead is better:

• For internal teams: Google Sheets sharing set to Restricted + specific people + sheet/range protection for formula integrity. Add CSE if you are on Enterprise Plus and need compliance-grade encryption. This covers most internal collaboration securely.

• For external sharing (investors, clients, partners, board members): Export your Sheet and share through Peony. Whether it is a venture capital fundraise, M&A due diligence, or PE portfolio reporting, you get identity-based access, an optional password gate, page-level analytics, dynamic watermarking, screenshot protection, link expiry, and instant revocation — all starting free.

• For one-off file delivery: Export to Excel or PDF, encrypt with AES-256, and send the password separately. Solid at-rest protection, but no revocation or tracking once the file is out.

The spreadsheet data worth protecting — your cap table, your financial model, your compensation benchmarks — deserves more than "anyone with the link" and hope.

---

Frequently Asked Questions

Can you password protect a Google Sheet?

Google Sheets does not have a native "enter password to open" feature like Microsoft Excel. You can restrict sharing to specific people and protect sheets or ranges from editing, but there is no file-level password encryption. To add a true password gate plus view tracking, export your spreadsheet and share it through Peony — which provides identity-bound access, optional passcodes, page-level analytics, dynamic watermarking, and instant revocation, all starting free.

What is the difference between protecting a sheet and protecting a range in Google Sheets?

Sheet protection locks an entire tab so only authorized users can edit it. Range protection locks specific cells while leaving others editable — useful for shared templates where people fill in certain fields. Both control editing only, not viewing. Anyone with access to the spreadsheet can still see, copy, and download all data in protected sheets and ranges. For full access gating with audit trails, Peony lets you share spreadsheets as view-only documents with identity verification, download restrictions, and page-level engagement tracking.

How do I encrypt a Google Sheet?

Google encrypts all Sheets at rest with AES-256 and in transit with TLS, but Google holds the keys. For organization-controlled encryption, Google Workspace Client-Side Encryption encrypts data in your browser before it reaches Google — available on Enterprise Plus and Education Plus tiers with admin setup. For external sharing where you need a password gate, Peony provides a simpler approach: export your Sheet, upload to a secure Peony room with AES-256 encryption, and share via identity-bound links with optional passcodes and dynamic watermarking.

Is Google Sheets secure enough for sensitive financial data?

Google Sheets provides solid baseline security — AES-256 at rest, TLS in transit, identity-based sharing, and admin DLP controls. But 40% of Google Drive files contain sensitive data and 34% of those are shared externally. The gap is visibility: Google Sheets gives you edit history but no view tracking, no watermarking, and no automatic expiration. For cap tables, financial models, and investor reporting, Peony adds the missing controls — page-level analytics showing exactly who viewed which pages, dynamic watermarks deterring screenshots, link expiry for time-boxed deals, and instant revocation when a round closes.

How do I share a Google Sheet securely with someone outside my organization?

The safest native method is setting sharing to Restricted and adding the external person's email with Viewer access, then unchecking download, print, and copy for viewers. But this still allows screenshots, has no expiration, and provides no engagement tracking. For controlled external sharing, Peony is purpose-built: export your Sheet as Excel or PDF, upload to a Peony room, set identity-bound access with optional passcodes, enable watermarking and screenshot protection, and monitor exactly who opens the document and how long they spend on each page via page-level analytics.

What encryption does Google Sheets use?

Google Sheets uses AES-256 encryption at rest with a layered key management system — Data Encryption Keys encrypt your data, then Key Encryption Keys encrypt those keys. Data in transit uses TLS encryption. With Client-Side Encryption (Enterprise Plus only), data is encrypted in your browser before reaching Google servers using organization-controlled keys, so Google cannot decrypt it. For external sharing, Peony adds another encryption layer with AES-256 at rest and TLS 1.3 in transit, plus access controls that Google Sheets alone cannot provide.

Can I track who viewed my Google Sheet?

Google Sheets shows edit history (who changed what) but does not show who simply viewed the spreadsheet or how long they looked at it. Google Workspace admins can see some access logs via the Admin Console, but individual file owners cannot. Peony solves this completely: page-level analytics show exactly who opened your document, when, how many times, and how long they spent on each page — giving you real engagement signal for investor follow-ups, sales proposals, and board reporting.

Should I use Google Apps Script to password protect a Google Sheet?

No — Apps Script password prompts are security theater, not real protection. The password is stored in Script Properties that any editor can read, the prompt only runs on desktop web browsers, mobile users see all data without any prompt, and anyone can unhide sheets manually. For actual access control, either use Google Sheets native sharing set to Restricted with specific people, or share through Peony where access is enforced server-side with identity verification, optional passcodes, and a complete audit trail that cannot be bypassed.

---

Related Resources

• How to Password Protect Excel Files
• How to Password Protect a PowerPoint
• How to Password Protect a PDF Without Adobe
• How to Password Protect Google Documents
• How to Password Protect a Google Drive Folder
• Document Security Software Comparison
• How to Prevent PDF Forwarding
• How to Share Confidential Documents Securely
• Secure File Sharing Best Practices
• Google Workspace: Protect Sheets & Ranges
• Google Workspace: Client-Side Encryption
• Verizon Data Breach Investigations Report
• Peony for M&A
• Peony for Venture Capital
• Peony for Private Equity
• Peony for Due Diligence
• Peony for Fundraising