ZMR Blog

Google now offers client-side encryption for enterprise and education Gmail users


Administrators of a Google Workspace domain on an eligible subscription plan now have one more option for protecting their users’ Gmail: Google has opened a beta program for client-side encryption of Gmail on the web, and the beta accepts applications until January 20, 2023.

The beta adds another layer to Gmail’s existing protections. Gmail already encrypts data at rest and in transit between Google’s servers, but in both cases Google holds the keys; client-side encryption keeps the keys out of Google’s hands, which is stronger and easier to defend for regulatory compliance. Message bodies and attachments, including inline images, exchanged within the company’s domain are now encrypted in the browser before they leave the user’s device. Subject lines, sender and recipient addresses, and timestamps remain in the clear in the message headers, since Gmail still needs them to route, thread and list mail. Keep in mind that the beta is limited to the Google Workspace Enterprise Plus, Education Plus, and Education Standard editions; it is not available to consumers with personal Google Accounts.

The browser encrypts the message before it is transmitted to or stored in Google Cloud. Because the encryption keys are held by the customer, outside Google’s infrastructure, Google’s servers cannot decrypt the message body or any of its attachments.

The feature is off by default, and how many administrators and users will actually turn it on remains to be seen.

Keep in mind that this is not end-to-end encryption (E2EE). With E2EE, only the two (or more) parties to a private conversation can read its contents: data is encrypted on the sender’s device and decrypted only on the intended recipient’s device.

With E2EE, moreover, the encryption keys are generated locally on the sender’s and recipient’s devices, so an administrator has no way to monitor or manage the encrypted data.

Client-side encryption, by contrast, leaves the administrator with more control: the organization, not the individual user, manages the keys. As with E2EE, all encryption and decryption happens locally on the sending and receiving devices, in this case the users’ browsers; the difference is who holds the keys.

For this to work, every recipient must have client-side encryption enabled and turned on, with valid certificates. Enabling it is currently up to IT administrators, who must enroll the organization in the beta. If your Google Workspace administrator has enabled it, you can protect an outgoing message by clicking Message security in the top-right corner of the compose window and then, under Additional encryption, choosing Turn on; if prompted, sign in with your identity provider before sending. Recipients see “Encrypted message” below the sender’s name in Gmail and are asked to sign in with their identity provider before they can decrypt it.

Setup instructions for administrators are on Google’s help page for the feature. Once an organization is added to the beta, the feature is disabled for everyone by default; it can then be enabled at the domain, organizational unit, or group level as needed.
