Google has announced that client-side encryption (CSE) for Gmail is now generally available. The update is part of Google Workspace and will be available for customers with Enterprise Plus, Education Plus, and Education Standard. CSE was first launched to beta-enrolled customers back in December 2022,
On its support page, Google explains:
With Google Workspace Client-side encryption (CSE), content encryption is handled in the client's browser before any data is transmitted or stored in Google's cloud-based storage. That way, Google servers can't access your encryption keys and decrypt your data. After you set up CSE, you can choose which users can create client-side encrypted content and share or send it internally or externally.
Google says that CSE is different from end-to-end encryption wherein the clients use encryption keys that are generated and stored in a cloud-based key management service. Admins have control over the keys and can also add users to access them. Admins can also revoke this access even if that user generated them. In end-to-end encryption, admins don't really have any control over keys and can't see which content users have encrypted in the first place.
When CSE is enabled, the email body, attachments, and inline images will be encrypted while the email header, subject, timestamps, and recipient lists won't be.
It is worth noting that CSE is not available for Gmail users that have a personal account in addition to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers.
Client-side encryption is also available for other Workspace products like Google Drive, Google Docs, Sheets, and Slides, Google Meet, and Google Calendar (beta). The feature will be off by default and needs to be enabled by a Workspace admin.
Click here to know more about how to setup client-side encryption in a Workspace.