Google Gmail client-side encryption is available globally

Gmail client-side encryption (CSE) is now available for Workspace Enterprise Plus, Education Plus, and Education Standard customers.

Google announced that Gmail client-side encryption (CSE) is now available for all Google Workspace Enterprise Plus, Education Plus, and Education Standard customers.

In December, Google announced end-to-end encryption for Gmail (E2EE), with Gmail client-side encryption beta users can send and receive encrypted emails within their domain and outside of their domain. 

Google E2EE was already available for users of Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar (beta).

The client-side encryption in Gmail on the web was initially available in beta for Google Workspace Enterprise Plus, Education Plus, and Education Standard customers.

Using end-to-end encryption for Gmail will make sensitive data in the email body and attachments from indecipherable to Google servers.

Google Workspace Client-side encryption (CSE) allows handling content encryption in the client’s browser before data is transmitted or stored in Drive’s cloud-based storage.

The company pointed out that it can’t access users’ encryption keys.

End users can add client-side encryption to any message by clicking the lock icon and select additional encryption.

“Client-side encryption takes this encryption capability to the next level by ensuring that customers have sole control over their encryption keys—and thus complete control over all access to their data. Starting today, users can send and receive emails or create meeting events with internal colleagues and external parties, knowing that their sensitive data (including inline images and attachments) has been encrypted before it reaches Google servers.” reads the announcement published by the company.

The move to expand CSE capabilities across Google Workspace will give organizations more confidence that any third party, including Google and foreign governments, cannot access their confidential data.

“Users can continue to collaborate across other essential apps in Google Workspace while IT and security teams can ensure that sensitive data stays compliant with regulations.” continues the announcement. “As customers retain control over the encryption keys and the identity management service to access those keys, sensitive data is indecipherable to Google and other external entities.”

Users can enable “additional encryption” by clicking the lock icon next to the Recipients field.

The Gmail client-side encryption (CSE) will be off by default, but admins can turn on the feature from Admin console > Security > Access and data control > Client-side encryption.

The company published a guide to “Set up organization for Gmail client-side encryption“.

“The company says the feature is not yet available to users with personal Google Accounts, as well as for Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, or legacy G Suite Basic and Business customers.

“While each customer’s digital transformation journey is different, with all essential Google Workspace apps now being covered by CSE, companies of all sizes in all industries can benefit from these protections.” concludes Google.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google Gmail client-side encryption)