Gmail Client-Side Encryption (CSE) is now generally available for Google Workspace Enterprise Plus, Education Plus, and Education Standard customers.
The feature was first introduced in Gmail on the web as a beta in December 2022, after becoming available in Google Drive, Google Docs, Sheets, Slides, Google Meet and Google Calendar (in beta) last year.
Once activated, Gmail CSE ensures that all sensitive data sent in the email body and attachments (including inline images) will be unreadable and encrypted before reaching Google’s servers.
It is also important to note that the email header (including subject, timestamps and recipient lists) will not be encrypted.
“Client-side encryption takes this encryption capability to the next level by ensuring that customers have sole control of their encryption keys, and therefore complete control over all access to their data,” Google explained.
“Starting today, users can send and receive emails or create meeting events with internal colleagues and external parties, knowing that their sensitive data (including inline images and attachments) was encrypted before reaching Google’s servers.
“Because customers retain control of encryption keys and the identity management service to access those keys, sensitive data is indecipherable to Google and other external entities.”
Once the feature is enabled, users can turn on “additional encryption” for any email by clicking the lock icon next to the Recipients field, then compose the message and add attachments as they usually would.
While Gmail CSE will prevent Google from viewing your email content, this feature is different from traditional end-to-end encryption (E2EE).
With E2EE, all emails you send are encrypted on your device and only decrypted when they reach a recipient’s device. This type of encryption ensures that only the sender and recipient see the full content of an email.
With Gmail CSE, the private keys used to decrypt encrypted emails are potentially accessible by enterprise administrators and other applications.
The ability to decrypt enterprise-level emails is necessary for corporate data retention or management policies and for content to be scanned by secure email gateways and security software.
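The trust boundary described above, as an added illustration (not Google's code): a per-message data key encrypts the body and attachments, headers stay in the clear, and the data key is wrapped by a customer-run key service, so the mail provider holds only ciphertext plus a wrapped key while anyone the customer's key service will serve (the user, or an administrator) can recover the plaintext. The cipher is a toy keystream built from HMAC-SHA256 purely to keep the example self-contained.

```python
# Added illustration of the Gmail CSE trust model; not Google's implementation.
# The HMAC-based keystream cipher is a toy stand-in for a real AEAD, used only
# so the example runs with the standard library.
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode XOR cipher (illustrative only, never use for real data)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class CustomerKeyService:
    """Models the customer-controlled key service: only it holds the wrapping key."""

    def __init__(self) -> None:
        self._kek = os.urandom(32)

    def wrap(self, dek: bytes) -> bytes:
        nonce = os.urandom(12)
        return nonce + keystream_xor(self._kek, nonce, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        return keystream_xor(self._kek, wrapped[:12], wrapped[12:])


def cse_encrypt(kacls: CustomerKeyService, subject: str, to: list, parts: dict) -> dict:
    """Encrypt body/attachment parts under a fresh data key; subject and recipients stay readable."""
    dek = os.urandom(32)
    enc_parts = {}
    for name, data in parts.items():
        nonce = os.urandom(12)  # fresh nonce per part so the keystream is never reused
        enc_parts[name] = nonce + keystream_xor(dek, nonce, data)
    return {"subject": subject, "to": to, "wrapped_dek": kacls.wrap(dek), "parts": enc_parts}


def cse_decrypt(kacls: CustomerKeyService, msg: dict) -> dict:
    """Anyone the key service unwraps for (user or admin) recovers every encrypted part."""
    dek = kacls.unwrap(msg["wrapped_dek"])
    return {n: keystream_xor(dek, blob[:12], blob[12:]) for n, blob in msg["parts"].items()}


def demo() -> tuple:
    """Constructed sample message; returns the stored form, its decryption, and the original parts."""
    kacls = CustomerKeyService()
    parts = {"body": b"Quarterly numbers attached.", "report.pdf": b"%PDF-1.7 constructed sample"}
    msg = cse_encrypt(kacls, "Q3 results", ["cfo@example.com"], parts)
    return msg, cse_decrypt(kacls, msg), parts
```

Decrypting with a different `CustomerKeyService` instance (standing in for the provider, which lacks the wrapping key) yields garbage, while the subject and recipient list are stored as plaintext either way.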
The feature will be disabled by default, but administrators can enable it at the domain, organizational unit, and group level from Admin Console > Security > Access and Data Control > Client-Side Encryption.
Before enabling Gmail CSE, administrators must configure their environment, prepare S/MIME certificates for each user, and set up the key service and identity provider.
The company says the feature is not yet available to users with personal Google accounts, nor to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, or legacy G Suite Basic and Enterprise customers.
“Workspace already encrypts data at rest and in transit using secure-by-design cryptographic libraries,” Google said Tuesday.
“Client-side encryption takes existing encryption capabilities to the next level by ensuring that customers have sole control of their encryption keys, and therefore full control over access to their data.”