Gmail client-side encryption (CSE) is now generally available for Google Workspace Enterprise Plus, Education Plus, and Education Standard customers.
The feature was first introduced in Gmail on the web as a beta test in December 2022, after being available in Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar (in beta) since last year.
Once enabled, Gmail CSE ensures that any sensitive data sent as part of the email’s body and attachments (including inline images) will be unreadable and encrypted before reaching Google’s servers.
It’s also important to note that the email header (including subject, timestamps, and recipient lists) will not be encrypted.
“Client-side encryption takes this encryption capability to the next level by ensuring that customers have sole control over their encryption keys—and thus complete control over all access to their data,” Google explained.
“Starting today, users can send and receive emails or create meeting events with internal colleagues and external parties, knowing that their sensitive data (including inline images and attachments) has been encrypted before it reaches Google servers.
“As customers retain control over the encryption keys and the identity management service to access those keys, sensitive data is indecipherable to Google and other external entities.”
Once toggled on, you can turn on “additional encryption” for any email by clicking the lock icon next to the Recipients field. Gmail users can then compose their email messages and add attachments as they would typically do.
While Gmail CSE will prevent Google from viewing the contents of your emails, this feature is different from traditional end-to-end encryption (E2EE).
With E2EE, any emails you send are encrypted on your device and only decrypted when they reach a recipient’s device. This type of encryption makes it so that only the sender and recipient will see the full contents of an email.
With Gmail CSE, the private keys used to decrypt encrypted emails are potentially accessible by the company’s administrators and other applications.
The ability to decrypt emails at a corporate level is necessary for corporate data retention or management policies, and for content to be scanned by secure email gateways and security software.
The feature will be off by default, but admins can enable it at the domain, organizational unit, and Group levels from Admin console > Security > Access and data control > Client-side encryption.
Admins can set up Gmail CSE by following these steps to configure their environment, prepare S/MIME certificates for each user, and configure the key service and identity provider.
The company says the feature is not yet available to users with personal Google Accounts, nor to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits customers, or legacy G Suite Basic and Business customers.
“Workspace already encrypts data at rest and in transit by using secure-by-design cryptographic libraries,” Google said on Tuesday.
“Client-side encryption takes existing encryption capabilities to the next level by ensuring that customers have sole control over their encryption keys—and thus complete control over access to their data.”