Google adds stronger encryption for some Gmail users, in beta

Slowly inching toward E2EE


Google has added client-side encryption for some email customers, allowing enterprise and education Gmail users to send and receive encrypted messages.

The service encrypts email messages in the client's browser before they are transmitted or stored in Google Cloud. It allows Gmail customers, not the cloud provider, to retain control over encryption keys, so Google's servers can't access the keys or decrypt customer data, whether it is in the body of the email or in an attachment.

However, it's off by default, so it remains to be seen how many admins and users will turn on the data privacy service.

It's also worth noting that this is not end-to-end encryption (E2EE). With E2EE, data is encrypted on the sender's device and decrypted only by the intended recipient's device, thus preventing anyone other than the two (or more) people involved in the private conversation from accessing its contents.

Additionally, with E2EE, encryption keys are generated on the sender's and receivers' devices, which means the administrator doesn't have control over the keys or visibility into what content has been encrypted.

Client-side encryption, on the other hand, gives the admin more access. Like E2EE, encryption and decryption only occur on the sender's and receiver's devices (the clients' browsers, in this case). But as Google explained in a support document:

"With CSE, clients use encryption keys that are generated and stored in a cloud-based key management service, so you can control the keys and who has access to them. For example, you can revoke a user's access to keys, even if that user generated them. Also, with CSE, you can monitor users' encrypted files."
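The key-custody model described above, as an added Node.js example (not code from the article or from Google): a simplified, hypothetical `KeyService` stands in for the customer-controlled key service, and `clientEncrypt`/`clientDecrypt` stand in for the browser client. It shows that the record the mail provider stores carries no key, and that access to the message follows the admin's policy rather than the devices of the people in the conversation, which is what separates CSE from E2EE.

```javascript
// Added example: simplified model of client-side encryption (CSE).
// KeyService, clientEncrypt and clientDecrypt are hypothetical names.
const crypto = require("node:crypto");

// Stand-in for the customer-controlled key service: it generates and stores
// message keys and decides, per user, who may fetch them.
class KeyService {
  constructor() {
    this.keys = new Map();     // keyId -> 32-byte AES key
    this.allowed = new Set();  // users the admin currently authorizes
  }
  grant(user) { this.allowed.add(user); }
  revoke(user) { this.allowed.delete(user); }
  authorize(user) {
    if (!this.allowed.has(user)) throw new Error(`key access denied: ${user}`);
  }
  createKey(user) {
    this.authorize(user);
    const keyId = crypto.randomUUID();
    this.keys.set(keyId, crypto.randomBytes(32));
    return keyId;
  }
  getKey(user, keyId) {
    this.authorize(user);
    const key = this.keys.get(keyId);
    if (!key) throw new Error(`unknown key: ${keyId}`);
    return key;
  }
}

// Runs in the sender's client: encrypt with AES-256-GCM before upload.
// The returned record is all the mail provider ever stores (no key inside).
function clientEncrypt(keyService, sender, body) {
  const keyId = keyService.createKey(sender);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", keyService.getKey(sender, keyId), iv);
  const ct = Buffer.concat([cipher.update(body, "utf8"), cipher.final()]);
  return { keyId, iv, ct, tag: cipher.getAuthTag() };
}

// Runs in a reader's client: fetch the key (subject to admin policy), decrypt locally.
function clientDecrypt(keyService, user, record) {
  const key = keyService.getKey(user, record.keyId);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, record.iv);
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ct), decipher.final()]).toString("utf8");
}
```

Revoking the sender in this model blocks decryption even though that sender created the key, while any account the admin grants access to (an auditor, say) can still read the message.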

While it's not full E2EE, and limited to a select group of Gmail customers, security professionals welcomed the move. 

"To be clear, this service is very limited and partial. But limited and partial is a lot better than the historical trend," cryptography guru Matthew Green tweeted. "I think once the ball really gets rolling, we will see a lot more of these features."

Google Workspace Enterprise Plus, Education Plus, and Education Standard customers can apply for the beta until January 20. E2EE is not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, Nonprofits, legacy G Suite Basic and Business customers, or users with personal Google accounts.

Google already made client-side encryption available for Drive, Docs, Sheets, Slides, Meet and Google Calendar (beta).

The search and cloud giant has also taken steps to expand E2EE. Google Messages added support in late 2020, and Group messages got E2EE earlier this year. Google Chat, however, is not end-to-end encrypted.

Google's client-side encryption announcement comes about a week after Apple said it will provide E2EE for most of its iCloud services. ®
