Updated on 2022-12-22: Client-side encryption for Gmail
Google is adding E2EE support for Gmail’s web client. The feature is currently available for Google Workspace users via a beta program. Users allowed in the beta trial will be able to send and receive encrypted emails within and outside their email domain. It’s unclear when this will become available for regular Gmail personal accounts. Read more: Client-side encryption for Gmail available in beta
Overview
Some Gmail users will now have access to client-side encryption. The feature is or will be available in beta. Google says that Workspace Enterprise Plus, Education Plus, and Education Standard customers are eligible to apply for the beta until January 20th, 2023. Client-side encryption is already available for Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar (beta).
Note
- This is encryption at rest. You need to set up a key management service, which will then be used to generate keys to encrypt your data at rest, preventing Google from accessing it. Be aware of what access the service provider has for key recovery: anyone with that role can decrypt your data. Even with this configured, you still need to take added steps to achieve end-to-end encryption (such as using S/MIME or PGP), allowing only the intended recipients to access your message.
- We know that persistent encryption of data is needed to minimize the impact of data breaches, so good to see Google joining Apple in pushing it forward. However, business use of persistent encryption requires trustable identities (not reusable password-based), trustable directories, trustable backup processes and effective client-side policy enforcement, since network-based approaches to data policy enforcement can be blinded.