Google is rolling out what it calls client-side encryption (CSE), giving Workspace customers the ability to use their own encryption to shield their data before it reaches Google's servers.
With client-side encryption (CSE) enabled, the email body, attachments, and inline images are encrypted. The email header, subject, timestamps, and recipient lists are not.
Google Workspace Enterprise Plus, Education Plus, or Education Standard customers can now apply to Google to join the Gmail CSE Beta test via its new support page for the feature.
It's not available to users with personal Google Accounts, nor to users with Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers.
Google explains CSE is different to end-to-end encryption (E2EE) because clients use encryption keys that are generated and stored in a cloud-based key management service, so admins can control the keys and who has access to them. This way, the admin can revoke a user's access to keys, even if that user generated them. With E2EE, admins don't have control over the keys on the clients and who can use them, nor can the admin see which content users have encrypted.
Google has partnered with several key management service providers, including FlowCrypt, Fortanix, FutureX, Stormshield, Thales, and Virtru. Users can't choose Google as the key management partner, which ensures that Google can't access the keys and decrypt users' data.
The company explains it's bringing CSE to Gmail for this subset of Workspace customers to help address a range of data sovereignty and compliance needs. As it notes, CSE is already available for Google Drive, Google Docs, Sheets, and Slides, Google Meet, and Google Calendar (beta).