Gmail Client-side Encryption Beta launches

[harlan4096]

Google announced on Friday that Client-side Encryption is now available as a Beta for the web version of its email service Gmail. During Beta, access to the feature is limited to select Enterprise and Education customers.



Client-side encryption protects emails, the body of the message and attachments, from access by unauthorized parties. Emails protected by Client-side Encryption are "indecipherable to Google servers" and also third-parties that listen in on network traffic. Gmail, by default, uses TLS encryption, which gives Google full access to email contents on its servers.

Customers may set up their own encryption keys according to Google to encrypt data. The security feature is already available for select Google services, including Google Drive, Google Meet and Google Calendar (also in Beta).

Content encryption happens in the local web browser before any data is transferred or stored by Google in the cloud. Google servers have no access to the data, as the encryption key is only available on the user system.

The email header, including the email subject and recipients, are not encrypted by the protective feature.

Client-side Encryption is available to Google Workspace Enterprise Plus, Education Plus, and Education Standard customers only. These customers may apply for the beta until January 20th, 2023 according to Google. The feature is not available to all other Google Workspace plans, legacy Google Suite customers and personal Google Accounts.

The security feature is disabled by default and needs to be enabled at the "domain, OU, and Group levels" using the admin console. It is found under Security > Access and data control > Client-side encryption.

End users need to activate the lock icon while composing a message to enable the encryption feature. The following animated GIF demonstrates the functionality.



Emails that are encrypted display "encrypted message" below the sender name on Gmail. Opening the email may prompt the user to sign-in with the identity provider. Once done, the email content is decrypted and accessible on the device.

Google published a support document that provides details on the implementation of Client-side encryption for Google Workspaces administrators. The document, which is accessible here,

After Google has confirmed participation in the beta program, administrators need to sign-in using a super administrator account. They then need to go to Security > Client-side encryption > Gmail, and select the Group that they enrolled in the beta. There, they need to set User access to On. The flipping of the switch may take up to 24 hours to propagate, according to Google.

Then, user S/MIME certificates and wrapped private keys need to be uploaded using the Gmail API with the service account private key file. Full details are found on Google's support website.

Competing email services, including ProtonMail, Skiff, Preveil or Tutanota have supported end-to-end encryption for some time already. While Google is making the security feature available to Enterprise and Education customers, it seems unlikely that it will unlock the functionality for other account types, including personal accounts.

Now You: do you encrypt your emails?
...

Continue Reading