Google Implements Client-Side Encryption for A Subset of Gmail Users

Highlights:

• CSE in Gmail has been added for customers who subscribe to the Google Workspace Enterprise Plus, Education Plus and Education Standard plans, which means users of lower-priced tiers and personal Google accounts miss out for now.

Last week, Google LLC said that it had added beta support for client-side encryption in Gmail for some of its Google Workspace customers.

Customers who subscribe to the Google Workspace Enterprise Plus, Education Plus, and Education Standard plans now have CSE in Gmail, but users of lower-priced tiers and personal Google accounts do not for now.

Users who can access the feature need to manually switch it on because it remains off by default. It can be enabled via the Admin console by clicking on Security and gt; Access and data control and gt; Client-side encryption.

According to Google’s CSE support page, the feature allows customers to retain control over their security keys, which means that Google will not be able to access them or decrypt the content of emails or attachments. The document explains that Google Workspace administrators can decide which individuals within an organization can access the encryption keys. As such, they also can monitor the encrypted files of company employees.

CSE should not be confused with end-to-end encryption, which is more secure because it prevents administrators from viewing the contents of encrypted emails. E2EE encrypts data on the sender’s device and can only be decrypted on the intended recipient’s machine. The encryption keys are generated on the sender’s and receiver’s devices, so that the company administrators cannot access them. This prevents anyone who isn’t involved in the conversation from seeing the emails.

Google said in a statement, “With CSE, clients use encryption keys that are generated and stored in a cloud-based key management service so that you can control the keys and who has access to them. For example, you can revoke a user’s access to keys, even if that user-generated them. Also, with CSE, you can monitor users’ encrypted files.”

While CSE support is currently limited to a small number of users, Google stated that the feature will be made available to more services and users “in a later release.”

It’s worth noting that enabling CSE means many advanced Gmail features won’t work, including multi-send mode, summaries, Smart Compose, translation, signatures, and Confidential mode. Furthermore, such emails will not be searchable, and third-party add-ons will be unable to access the plain text contents.

CSE is aimed at customers in highly regulated industries such as government, defence, aerospace, and financial services, according to Google.