Google has introduced a new end-to-end encryption (E2EE) feature in Gmail, enabling organizations to send encrypted emails that even Google cannot read to other Gmail users. Later this year, the feature will be expanded to allow the sending of encrypted emails to any email users, including those from other providers.
E2EE differs from encrypting email communication in transit between email servers, which is already achieved with TLS (transport layer security), or at rest when stored in Google’s data centers. E2EE allows users to encrypt sent messages in a way that only the intended recipients can decrypt and read them.
How end-to-end encryption works
E2EE for email is typically achieved with Secure/Multipurpose Internet Mail Extensions (S/MIME), a public protocol and standard that uses public-key cryptography to sign and encrypt messages. However, implementing S/MIME is not straightforward, usually involving digital certificate acquisition and management for every user. Additionally, it only works with recipients who also have S/MIME configured.
There are proprietary solutions for end-to-end encryption that involve deploying additional software, browser extensions, or web portals. Organizations in certain regulated industry sectors, including government agencies, typically go through the trouble of setting up such E2EE solutions for sensitive emails, but most other organizations avoid them due to usability issues.
“These gaps and challenges have created real friction for both IT teams and users for decades,” Johney Burke, senior product manager at Google Workspace, told CSO. “Organizations resolve these issues either through incredibly intricate and expensive IT management or by minimizing communications with entities outside their company. Neither is a satisfactory option.”
Google creates new email encryption model
Google took a different approach and created a new model that no longer requires complex user certificate management or exchanging keys with external organizations to decrypt messages.
Google’s new E2EE Gmail implementation relies on the existing client-side encryption (CSE) feature in Google Workspace, which allows customers to use their own encryption keys to encrypt files and emails on the client-side before they are stored on Google’s servers. This feature allows organizations to control the identity provider used to grant access to the encryption keys and the third-party key management service used to store them.
In its new integration with Gmail, currently available in beta, customers can choose from the regular Gmail message compose web interface if they want to encrypt the message. For now, the feature only works between Gmail users who are members of the same organization, but over the coming weeks, it will be enabled for all Gmail recipients, both enterprise and personal accounts.
Later this year, when the feature is fully implemented, Workspace users with E2EE enabled will be able to send encrypted messages to any external email users. Instead of the message, recipients will receive a link that, when clicked, will take them to a restricted version of Gmail where they need to authenticate with the organization’s chosen identity provider to view the decrypted message. External users will also be able to reply within the same restricted Gmail interface.
Restricted view allows for more control
By default, Gmail users won’t have to go through this restricted Gmail experience, and emails will automatically decrypt when they arrive in their inbox if they are the intended recipients. However, administrators can choose to enforce the restricted Gmail view for everyone, including Gmail users, to ensure sensitive communications are not downloaded locally on third-party servers or devices.
Because this option requires authentication with an approved account and identity provider, organizations can easily revoke access and apply additional security policies. Google describes this experience as similar to a shared document stored in Google Drive.
“At a structural level, this approach offers more comprehensive encryption protection,” Julien Duplant, product manager at Google Workspace, told CSO. “It doesn’t matter who you send a message to or what email they are using; your message will be encrypted, and you are in sole control. There’s just one set of keys, and you’re the only one who has them.”