Google on Friday launched a beta of its client-side encryption (CSE) for Gmail on the web, which will allow users to test out the encryption feature that ensures any sensitive data delivered as part of the email’s body and attachments are unreadable to Google servers.
Customers who have Google Workspace Enterprise Plus, Education Plus, or Education Standard are eligible to apply for the beta until January 20th, 2023, which should include the email address, Project ID, and test group domain.
However, the feature is not yet available to users with personal Google accounts or Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers.
For those unaware, with Google Workspace Client-side encryption (CSE), content encryption is handled in the client’s browser before any data is transmitted or stored in Google’s cloud-based storage. As a result, Google servers can’t access your encryption keys and decrypt your data.
“Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities. Client-side encryption helps strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs,” Google said in a blog post.
With Client-side encryption, customers can retain control over encryption keys and the identity service to access those keys.
This encryption feature is already available to users of Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar (beta).
With Gmail client-side encryption beta, you can send and receive encrypted emails within your domain and outside of your domain.
For instance, the email body and attachments, including inline images are encrypted in Gmail. However, the header of the email, including the subject, timestamps, and recipients lists is not encrypted in Gmail.
“With Google Workspace Client-side encryption (CSE), content encryption is handled in the client’s browser before any data is transmitted or stored in Drive’s cloud-based storage,” Google added.
“That way, Google servers can’t access your encryption keys and decrypt your data. After you set up CSE, you can choose which users can create client-side encrypted content and share it internally or externally.”
?The Client-side encryption will be OFF by default and can be enabled at the domain, organizational unit (OU), and Group levels by heading to Admin console > Security > Access and data control > Client-side encryption.
Once enabled, you can add client-side encryption to any message by clicking on the lock icon next to the Recipients field and then the “Turn on” option under “Additional encryption” when using the web version of Gmail. Further, you can compose your Gmail message and add email attachments as normal.
The company said that it will be accepting beta applications and allow listing customers over the next several weeks.