End-to-end encryption (E2EE), which Google introduced on Friday, enables enrolled Google Workspace users to send and receive encrypted emails inside and outside their domain. Users of Google Drive, Google Meet, Google Docs, Slides, Sheets, and Google Calendar (beta) already have access to client-side encryption (referred to as E2EE).
The email header (containing the subject, timestamps, and recipients lists) will not be encrypted. Once Gmail client-side encryption is enabled, any sensitive data provided as part of the email’s body and attachments (including inline pictures) can’t be decrypted by Google servers.
“With Google Workspace Client-side encryption (CSE), content encryption is handled in the client’s browser before any data is transmitted or stored in Drive’s cloud-based storage,” explained Google. Thus, Google servers can’t access your encryption keys to decrypt your data. After configuring CSE, you can select which users can create client-side encrypted content and share it either internally or externally.
Customers of Google Workspace Enterprise Plus, Education Standard, and Education Plus can presently access the Gmail E2EE beta. Until January 20, 2023, they can request access to the beta by submitting a Gmail CSE Beta Test Application with the email address, Project ID, and test group domain. According to the company, the feature is not yet available to users with personal Google Accounts, Google Workspace Essentials, Business Standard, Business Starter, Business Plus, Education Fundamentals, Frontline, Enterprise Essentials, and Nonprofits, or to legacy G Suite Basic and Business customers.
After receiving an email from Google confirming that the account is ready, administrators can set up Gmail CSE for their users by following these steps: set up their environment, create S/MIME certificates for each user in the test group, configure the key service, and configure the identity provider. The functionality can be turned on at the domain, organizational unit, and group levels by heading to the Admin console > Security > Access and data control > Client-side encryption. The option is disabled by default.
Once the feature is enabled, you can turn on E2EE for any message by clicking the lock symbol next to the recipients’ field and selecting “Turn on” from the “Additional encryption” menu. After that, users can compose their Gmail messages and include email attachments as usual.
“Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities,” Google added. Client-side encryption supports various data sovereignty and compliance requirements while enhancing the secrecy of your data.