Google brings client-side encryption to Gmail for Workspace
Google is rolling out what it calls client-side encryption (CSE), giving Workspace customers the option to use their own encryption to protect their data before it reaches Google’s servers.
When client-side encryption (CSE) is enabled, the email body, attachments, and inline images are encrypted. The email header, subject, timestamps, and recipient lists are not.
Google Workspace Enterprise Plus, Education Plus, or Education Standard customers can now apply to participate in the Gmail CSE beta through Google’s new support page for the feature.
It is not available to users with personal Google accounts, or to users of Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, or to former G Suite Basic and Business customers.
Google explains that CSE is different from end-to-end encryption (E2EE) because customers use encryption keys that are generated and stored in a cloud-based key management service, so administrators can control the keys and who has access to them. This way, the administrator can revoke a user’s access to the keys, even if that user generated them. With E2EE, administrators have no control over client keys and who can use them, nor can the administrator see what content users have encrypted.
Google has partnered with several key management service providers, including FlowCrypt, Fortanix, FutureX, Stormshield, Thales, and Virtru. Customers may not use Google itself as a key management partner; this ensures that Google cannot access keys and decrypt user data.
The company explains that it is bringing CSE to Gmail for this subset of Workspace customers to address a range of data sovereignty and compliance needs. As it notes, CSE is already available for Google Drive, Google Docs, Sheets and Slides, Google Meet, and Google Calendar (beta).
“Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities. Client-side encryption helps strengthen the privacy of your data while helping to meet a wide range of data sovereignty and compliance needs,” the company notes on the Workspace Updates blog.
Google explains that with Workspace CSE, “content encryption is handled in the customer’s browser before the data is transmitted or stored in Google’s cloud-based storage.”
“This way, Google servers cannot access your encryption keys and decrypt your data. After setting up CSE, you can choose which users can create client-side encrypted content and share it internally or externally,” it adds.
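A simplified model of the split described above, added here as an illustration and not Google's implementation or code from the announcement: the client encrypts the body with a per-message key, an external key service (the hypothetical `MockKms`) wraps that key and enforces the administrator's access list, and header fields stay in plaintext. The AES-256-GCM cipher, every name in the block, and the use of Node.js in place of the browser are assumptions; attachments and inline images are left out for brevity.

```javascript
const crypto = require('node:crypto');

// Hypothetical in-memory stand-in for the customer's external key management service.
class MockKms {
  constructor() {
    this.kek = crypto.randomBytes(32);   // key-encryption key; never leaves the KMS
    this.allowed = new Set();            // users the administrator has authorized
  }
  grant(user) { this.allowed.add(user); }
  revoke(user) { this.allowed.delete(user); }
  check(user) {
    if (!this.allowed.has(user)) throw new Error(`KMS: access denied for ${user}`);
  }
  wrap(user, dek) { this.check(user); return seal(this.kek, dek); }
  unwrap(user, wrapped) { this.check(user); return open(this.kek, wrapped); }
}

// AES-256-GCM helpers (the cipher choice is an assumption of this sketch).
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);                     // decryption fails if the ciphertext was altered
  return Buffer.concat([d.update(ct), d.final()]);
}

// Client side: only the body is encrypted; header fields stay readable by the mail provider.
function encryptMessage(kms, sender, msg) {
  const dek = crypto.randomBytes(32);    // per-message data-encryption key
  return {
    from: msg.from, to: msg.to, subject: msg.subject,   // stored in the clear
    body: seal(dek, Buffer.from(msg.body, 'utf8')),
    wrappedDek: kms.wrap(sender, dek),   // the provider only ever stores the wrapped key
  };
}

// Reading requires the KMS to release the data key, so revocation blocks decryption.
function decryptMessage(kms, user, stored) {
  const dek = kms.unwrap(user, stored.wrappedDek);
  return open(dek, stored.body).toString('utf8');
}
```

Revoking a user in the key service makes `decryptMessage` fail for that user even though the stored ciphertext has not changed.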
Google’s expansion of Gmail encryption follows Apple’s move earlier this month to expand end-to-end encryption support to iCloud backups, Notes and Photos. That expansion, however, was aimed at all Apple users rather than just customers in highly regulated industries.
Google notes that CSE will be disabled by default and can be enabled at the domain and group level. Once enabled, users can click the lock icon to add CSE to any message.