Google rolls out client-side encryption on Gmail, Calendar for enterprise and education

Google has expanded access to client-side encryption (CSE) to Gmail and Calendar, allowing enterprise users to encrypt their emails and calendar invites before it reaches Google’s servers.  

The big tech company announced on Tuesday that its client-side encryption (CSE) is now generally available on Gmail and Calendar to enterprise and educational institutions who have subscribed for Google Workspace Enterprise Plus, Education Plus and Education Standard plans.  

Prior to this, CSE in Gmail and Calendar was available only to a select group of users under a beta program. The privacy feature is already available on Drive, Docs, Slide, Sheets and Meet since 2021. 

CSE will encrypt the email body, attachments, and images, while the email header, subject, timestamps, and name of recipients will remain unencrypted.  

In comparison to end-to-end (E2E) encryption, where only sender and receiver have access to encryption keys, in CSE, encryption keys are generated and stored in a cloud-based key management service, allowing admins to control the keys and who has access to them. This will allow admission to see which emails have been encrypted, even though they can't see the content of the email that has been encrypted.  

Also, CSE is going to be optional unlike some of the more privacy-centric email clients such as Proton Mail which automatically protect all emails with E2E. In Gmail, users will have to enable CSE for each email by clicking on the lock button on top of the compose message window. Similarly, in the Calendar app, the lock button will show next to add the title section.  

According to Google, Workspace already encrypts data at rest and in transit. CSE will take encryption capability to the next level and give customers complete control over their encryption keys and data.  

The feature is not available to personal Gmail accounts. It is also not available to subscribers of Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, and Education Fundamentals.  

Google claims that this will not only enhance user confidence but will also reduce the compliance burden for organizations, especially in the public sector. This might also encourage more enterprises to use Gmail and Google Calendar apps for sharing sensitive information.  

Several Google customers including Verizon and PwC have expressed interest in taking advantage of CSE.  

“We have been searching for the capability to guarantee that our encrypted communications remain inaccessible to third parties, including our technology providers, for some time,” Shaun Bookham, UK Operations & Technology Director at PwC, said in a testimonial.