What you need to know about Gmail's new client-side encryption feature

Google has revealed that client-side encryption (CSE) will now be generally available for Gmail business customers as the company looks to bolster security features for users.

In a blog post, the company revealed that CSE will take “existing encryption capabilities to the next level” for Workspace customers, providing users with “sole control” over encryption keys and complete control over access to data.

The inclusion of CSE means that Google can’t see the contents of emails hosted on the platform as data is “encrypted before it reaches Google servers.”

Google said this will provide greater protection for business users required to store sensitive or regulated data.

“Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities,” the company said. “Client-side encryption helps strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs.”

“Using client-side encryption in Gmail ensures sensitive data in the email body and attachments are indecipherable to Google servers. Customers retain control over encryption keys and the identity service to access those keys.”

Gmail users will also be able to encrypt emails sent within their organisation, in addition to emails they send to users of other email providers.

Client-side encryption rollout

The launch of the feature follows a successful beta testing period for selected users announced in December last year.

CSE is already available for Google Drive, Docs, Sheets, Slides, and Google Meet. However, this move will expand CSE features and will be officially rolled out for customers using Google Workspace Enterprise Plus, Education Plus, and Education Standard.

The new feature will not be available for personal accounts or users of Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, or Legacy G Suite and Business customers.

Customers already enrolled in the beta will not be required to make changes following the launch, the company confirmed.

How to turn on client-side encryption in Gmail

In its blog post, Google said CSE will be switched off by default, meaning admins will be required to enable the feature at the domain, OU, and group levels.

Admins can do this in the Admin console by going to: Admin console > Security > Access and data control > Client-side encryption.

“With Google Workspace Client-side encryption (CSE) for Gmail, you need to enable the Gmail API and give it access to your entire organisation,” the company notes in an explainer.

“Then, for each user, you need to use the API to upload an S/MIME (Secure/Multipurpose Internet Mail Extensions) certificate and private key metadata encrypted by your key service.”

Once CSE has been enabled by a Workspace admin, individual end users will be able to add this feature to any message by clicking the ‘lock’ icon and selecting the additional encryption option.

Ross Kelly
News and Analysis Editor