Gmail enterprise users are getting a new end-to-end encryption (E2EE) feature that prevents even Google from accessing your inbox.
Google describes the feature as a “protective bubble” for emails. It's built on the company's existing client-side encryption, which it began testing in December 2022 for Workspace users.
The result is an "entirely new form of encryption" designed to simplify the technology even more. It's still a beta feature, but starting today, "users can send encrypted emails to other users in their own organization," the company said.
"In the coming months, we will introduce the ability to send encrypted emails to any Gmail inbox, and, later this year, to any email inbox," it added.
E2EE is one of the highest privacy standards for internet services, ensuring that only the sender and recipient can read messages. It relies on private keys for security, but managing these keys can be a technical challenge for companies and their users, which has slowed adoption of end-to-end encryption on email services.
In adopting E2EE, companies usually install Secure/Multipurpose Internet Mail Extensions, or S/MIME, which Google says can be a hassle to use, resulting in “frustration and the inability to send encrypted emails.” The company's existing client-side encryption also only works through S/MIME.
A Google spokesperson said the new feature is meant to improve on this: "The functionality we're launching will add a brand new form of encryption to the CSE feature-set and give organizations a new seamless way to exchange encrypted messages."
How it works on the backend was left unclear, but the feature is activated by clicking a lock icon when writing an email message and turning on the advanced encryption.
“The emails are protected using encryption keys controlled by the customer and not available to Google servers, providing enhanced data privacy and security. And the IT team no longer needs to go through the complex S/MIME setup or certificate management,” Google says.
Encrypted emails can also be sent to non-Gmail addresses. But the contents of the email can’t be viewed from a third-party inbox. Instead, the email will ask the recipient to click a link that invites the user to view the E2EE email in a restricted version of Gmail, ensuring the private keys are kept within the customer’s IT environment. "The recipient can then use a guest Google Workspace account to securely view and reply to the email,” the company said.
“IT teams also have the option to require all external recipients (even if they are Gmail users) to use the restricted version of Gmail,” Google adds. “This helps ensure that their organization’s data does not end up stored on third-party servers and devices. It also makes it easier for organizations to protect their data by having the ability to apply security policies and revoke access to emails, no matter how long ago they were sent.”
For now, though, interested Workspace customers must apply for access, but Google plans to make it more widely available in the coming months.
In the sign-up form, the company also notes that a “Super Admin” will have the ability to manage the encryption keys used for exchanging emails sent through the feature. So a company could theoretically decrypt any encrypted email sent by an employee.
“Encryption is limited to the body of emails; including attachments,” Google adds in the sign-up form. “The header of the email, including subject line, timestamps, and recipient lists, is not encrypted.” The company is marketing the feature to Workspace users on the Enterprise Plus and Assured Controls plans.


