Google has announced the availability of client-side encryption (CSE) for Gmail business customers as part of its efforts to enhance security features. This new feature takes existing encryption capabilities to a higher level for Workspace customers. By implementing CSE, users gain sole control over encryption keys and complete authority over data access.
The inclusion of CSE ensures that Google cannot view the contents of emails hosted on its platform, as all data is encrypted before it reaches Google servers. This provides increased protection for business users who handle sensitive or regulated data.
Google emphasizes that Gmail already employs the latest cryptographic standards to encrypt data at rest and in transit between its facilities. However, client-side encryption further strengthens data confidentiality, addressing a wide range of data sovereignty and compliance requirements.
With client-side encryption, Gmail users can encrypt not only emails sent within their organization but also those sent to users of other email providers.
Rollout of Client-Side Encryption: Following a successful beta testing period for selected users in December last year, CSE is now expanding to customers using Google Workspace Enterprise Plus, Education Plus, and Education Standard. Notably, it will not be available for personal accounts or users of specific Google Workspace plans.
Existing beta users will not need to make any changes after the launch.
Enabling Client-Side Encryption in Gmail: By default, CSE will be turned off, and administrators will need to enable the feature at the domain, organizational unit (OU), and group levels. This is done in the Admin console under Security > Access and data control > Client-side encryption.
To enable Gmail client-side encryption, administrators must enable the Gmail API and grant it access to the entire organization. Additionally, for each user, an S/MIME (Secure/Multipurpose Internet Mail Extensions) certificate and private key metadata encrypted by the key service must be uploaded using the API.
Once a Workspace admin has enabled CSE, individual end users can add the feature to any message by clicking the ‘lock’ icon and selecting the additional encryption option.