Google Introduces Client-Side Encryption in Gmail

Google Launches Client-Side Encryption Beta for Gmail

Google has announced the rollout of a beta version of client-side encryption (CSE) for Gmail, allowing users to send and receive encrypted emails both within and outside their domain. This new feature is available in beta for Google Workspace Enterprise Plus, Education Plus, and Education Standard customers. Users can apply for beta testing until January 20, 2023. CSE is not available for personal Google accounts.

According to Google, “Using client-side encryption in Gmail ensures that sensitive data in the email body and attachments cannot be decrypted by Google servers. Customers retain control over their encryption keys and the identity service used to access those keys.”

The Google Drive app for PC, Android, and iOS already supports client-side encryption. Google has stated that this feature will be integrated into the mobile apps for Meet and Calendar in an upcoming release.

How Client-Side Encryption Works in Google Workspace

Client-side encryption in Google Workspace allows content to be encrypted in the user’s browser before any data is transmitted or stored in Drive’s cloud storage. Google has emphasized that it cannot access users’ encryption keys.

To add CSE to any message, simply click the lock icon and select “additional encryption.”

Client-Side Encryption vs. End-to-End Encryption

It’s important to note that client-side encryption (CSE) is different from end-to-end encryption (E2EE). With client-side encryption, organizations can encrypt data using their own cryptographic keys. The data is decrypted on the client side using keys that are generated and managed by a cloud key management service. This means the data is protected from unauthorized access, even from the server or service provider. However, the organization or administrator controls the keys and can monitor encrypted user files or revoke a user’s access to the keys, even if the user generated them.

With end-to-end encryption, information is encrypted on the sender’s device and can only be decrypted on the recipient’s device using a key known only to the sender and recipient.
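The key flow described for client-side encryption above can be modeled in a few lines. This is an added sketch, not Google's code or API: `KeyService`, `clientEncrypt`, `clientDecrypt` and the addresses are hypothetical names, and a plain user string stands in for the identity service check.

```javascript
// Toy model of the CSE trust split (added illustration, not Google's API).
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// AES-256-GCM helpers; blob layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function open(key, blob) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Hypothetical key service controlled by the organization, outside the mail provider.
class KeyService {
  constructor() { this.kek = randomBytes(32); this.allowed = new Set(); }
  grant(user) { this.allowed.add(user); }
  revoke(user) { this.allowed.delete(user); }
  check(user) { if (!this.allowed.has(user)) throw new Error(`access denied: ${user}`); }
  wrap(user, dek) { this.check(user); return seal(this.kek, dek); }
  unwrap(user, wrapped) { this.check(user); return open(this.kek, wrapped); }
}

// Client: encrypt locally with a fresh data key; the provider stores only the result.
function clientEncrypt(ks, user, message) {
  const dek = randomBytes(32);
  return { wrappedKey: ks.wrap(user, dek), ciphertext: seal(dek, Buffer.from(message, 'utf8')) };
}
function clientDecrypt(ks, user, stored) {
  const dek = ks.unwrap(user, stored.wrappedKey);
  return open(dek, stored.ciphertext).toString('utf8');
}

// Constructed scenario: the admin reads the message, then revokes the author's key access.
function demo() {
  const ks = new KeyService();
  ks.grant('alice@example.com');
  const stored = clientEncrypt(ks, 'alice@example.com', 'constructed sample body');
  ks.grant('admin@example.com');
  const adminView = clientDecrypt(ks, 'admin@example.com', stored);
  ks.revoke('alice@example.com');
  let aliceAfterRevoke;
  try { aliceAfterRevoke = clientDecrypt(ks, 'alice@example.com', stored); }
  catch (e) { aliceAfterRevoke = e.message; }
  return { stored, adminView, aliceAfterRevoke };
}
```

The stored record never contains the plaintext or the unwrapped data key, yet whoever administers the key service decides who can unwrap it. That is the property that separates this model from end-to-end encryption, where only sender and recipient hold the key.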
