Google is rolling out what it calls client-side encryption (CSE), giving Workspace customers the ability to use their own encryption to shield their data before it reaches Google’s servers.
With client-side encryption (CSE) enabled, the email body, attachments, and inline images are encrypted. The email header, subject, timestamps, and recipients lists are not.
Google Workspace Enterprise Plus, Education Plus, or Education Standard customers can now apple to Google to join the Gmail CSE Beta test via its new support page for the feature.
It’s not available to users with personal Google Accounts, and not available to users with Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers
Google explains CSE is different to end-to-end encryption (E2EE) because clients use encryption keys that are generated and stored in a cloud-based key management service, so admins can control the keys and who has access to them. This way, the admin can revoke a user’s access to keys, even if that user generated them. With E2EE, admins don’t have control over the keys on the clients and who can use them, nor can the admin see which content users have encrypted.
Google has partnered with several key management service providers, including FlowCrypt, Fortanix, FutureX, Stormshield, Thales, and Virtru. Users can’t use Google as the key management partner to ensure that Google can’t access the keys and decrypt users data.
The company explains it’s bringing CSE to Gmail for this subset of Workspace customers to help address a range of data sovereignty and compliance needs. As it notes, CSE is already available for Google Drive, Google Docs, Sheets, and Slides, Google Meet, and Google Calendar (beta).
“Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities. Client-side encryption helps strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs,” it notes on the Workspace Updates blog.
Google explains that, with Workspace CSE, “content encryption is handled in the client’s browser before any data is transmitted or stored in Google’s cloud-based storage.”
“That way, Google servers can’t access your encryption keys and decrypt your data. After you set up CSE, you can choose which users can create client-side encrypted content and share it internally or externally,” it adds.
Google’s expansion of Gmail encryption follows Apple earlier this month expanding end-to-end encryption support to iCloud backups, Notes, and Photos. That expansion, however, catered to all Apple users rather than just customers in highly regulated sectors.
Google notes that CSE will be off by default and can be enabled at the domain and group levels. Once it is enabled, users can click the lock icon to add CSE to any message.