Google LLC said last week that it has added beta support for client-side encryption in Gmail for some of its Google Workspace customers.

CSE in Gmail has been added for customers who subscribe to the Google Workspace Enterprise Plus, Education Plus and Education Standard plans, which means users of lower-priced tiers and personal Google accounts miss out for now.

For users who can access the feature, they’ll need to switch it on themselves because it remains off by default. It can be enabled via the Admin console by clicking on Security > Access and data control > Client-side encryption.

Google’s CSE support page explains that the feature enables customers to retain control over their security keys, meaning that Google itself won’t be able to access them nor decrypt the content of emails or their attachments. The document goes on to explain that Google Workspace administrators have full power to decide which individuals within an organization can access the encryption keys. As such, they also have the power to monitor the encrypted files of company employees.

CSE is not to be confused with end-to-end encryption, which is more secure because it doesn’t allow admins to see the contents of encrypted emails. With E2EE, the data is encrypted on the sender’s device and can be decrypted only on the intended recipient’s machine. The encryption keys are generated on the sender’s and receiver’s devices only, so they cannot be accessed by company admins. This way, it prevents anyone not involved in the conversation from being able to see the emails.

“With CSE, clients use encryption keys that are generated and stored in a cloud-based key management service, so you can control the keys and who has access to them,” Google said in a statement. “For example, you can revoke a user’s access to keys, even if that user generated them. Also, with CSE, you can monitor users’ encrypted files.”

Google said that while CSE support is limited to select users for now, the feature will be rolled out in more services and for more users “in a later release.”

It’s worth noting that enabling CSE means a lot of advanced Gmail features won’t work, including multisend mode, signatures, Smart Compose, translation, summaries and Confidential mode. In addition, such emails will not be searchable, and third-party add-ons will also be prevented from accessing the plain text contents.

Google said CSE is aimed at customers in highly regulated industries such as government, defense, aerospace and financial services.

Image: Google