Gmail Client-side Encryption Beta launches

Martin Brinkmann
Dec 18, 2022

Google announced on Friday that Client-side Encryption is now available as a Beta for the web version of its email service Gmail. During Beta, access to the feature is limited to select Enterprise and Education customers.


Client-side encryption protects emails, specifically the message body and attachments, from access by unauthorized parties. Emails protected by Client-side Encryption are "indecipherable to Google servers" and to third parties that listen in on network traffic. By default, Gmail uses TLS encryption, which protects messages in transit but gives Google full access to email contents on its servers.

According to Google, customers may set up their own encryption keys to encrypt data. The security feature is already available for select Google services, including Google Drive, Google Meet and Google Calendar (also in Beta).

Content encryption happens in the local web browser before any data is transferred or stored by Google in the cloud. Google servers have no access to the data, as the encryption key is only available on the user system.

The email header, including the email subject and recipients, is not encrypted by the protective feature.
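What stays readable can be checked on a stored message. The following Python sketch is an added example, not code from Google or from the original article; it assumes the encrypted message is carried as an S/MIME enveloped-data part (the wire format is an assumption based on the S/MIME certificates the setup requires), and both sample messages are constructed.

```python
from email import message_from_string
from email.policy import default

# Constructed samples (not captured traffic). The base64 body is a placeholder, not real CMS data.
ENCRYPTED = """\
From: alice@example.com
To: bob@example.com
Subject: Q4 acquisition terms
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
"""
PLAIN = """\
From: alice@example.com
To: bob@example.com
Subject: Lunch
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

METADATA = ("From", "To", "Cc", "Subject", "Date")
SMIME_TYPES = ("application/pkcs7-mime", "application/x-pkcs7-mime")

def is_enveloped(part):
    """True if the part is S/MIME enveloped-data, i.e. opaque without the private key."""
    smime_type = (part.get_param("smime-type") or "").lower()
    return part.get_content_type() in SMIME_TYPES and smime_type == "enveloped-data"

def server_view(raw):
    """Report what a mail server or on-path observer can read from a stored message."""
    msg = message_from_string(raw, policy=default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    return {
        "readable_headers": {h: str(msg[h]) for h in METADATA if msg[h] is not None},
        "opaque_parts": sum(1 for p in leaves if is_enveloped(p)),
        "readable_parts": [p.get_content_type() for p in leaves if not is_enveloped(p)],
    }

if __name__ == "__main__":
    for name, raw in (("encrypted", ENCRYPTED), ("plain", PLAIN)):
        print(name, server_view(raw))
```

For the encrypted sample the body is reported as opaque, yet the subject line and recipients are still listed as readable, so sensitive details should be kept out of the subject.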

Client-side Encryption is available to Google Workspace Enterprise Plus, Education Plus, and Education Standard customers only. According to Google, these customers may apply for the beta until January 20th, 2023. The feature is not available to any other Google Workspace plans, legacy Google Suite customers or personal Google Accounts.

The security feature is disabled by default and needs to be enabled at the "domain, OU, and Group levels" using the admin console. It is found under Security > Access and data control > Client-side encryption.

End users need to activate the lock icon while composing a message to enable the encryption feature. The following animated GIF demonstrates the functionality.

[Animated GIF: Gmail client-side encryption]

Encrypted emails display "encrypted message" below the sender name in Gmail. Opening the email may prompt the user to sign in with the identity provider. Once done, the email content is decrypted and accessible on the device.

Google published a support document that provides details on the implementation of Client-side encryption for Google Workspace administrators. The document, which is accessible here,

After Google has confirmed participation in the beta program, administrators need to sign in using a super administrator account. They then need to go to Security > Client-side encryption > Gmail, and select the Group that they enrolled in the beta. There, they need to set User access to On. According to Google, the change may take up to 24 hours to propagate.

Then, user S/MIME certificates and wrapped private keys need to be uploaded using the Gmail API with the service account private key file. Full details are found on Google's support website.

Competing email services, including ProtonMail, Skiff, PreVeil and Tutanota, have supported end-to-end encryption for some time already. While Google is making the security feature available to Enterprise and Education customers, it seems unlikely that it will unlock the functionality for other account types, including personal accounts.

Now You: do you encrypt your emails?

Ghacks Technology News



  1. worldcup2022oneofhtebest said on December 19, 2022 at 3:09 am

    well google try to sell privacy just like their vpn

  2. ECJ said on December 18, 2022 at 1:27 pm

    It’s nuts that email is still sent in plain text, as users can’t control what happens to their email beyond their own email client and server.

    Why is S/MIME not the default for *all* email providers? Is it because of spam? If so, how do other encrypted providers like Signal deal with it?

    1. Anonymous said on December 19, 2022 at 2:27 am

      You can send and receive emails using different email providers, but can Signal communicate with Whatsapp?

      You need to rework the whole email system for that. It’s not easy and cheap.

      Understand now?

    2. Martin Brinkmann said on December 18, 2022 at 1:47 pm

      May have something to do with advertisement, at least for the big webmail providers.

  3. Paul(us) said on December 18, 2022 at 12:02 pm

    Nice one Martin, this would be also a really great feature for customers with a free account.
    Any thoughts about whether it will be also available for the free accounts and even maybe when?

    1. some1 said on December 18, 2022 at 10:54 pm

      It will never be available to free accounts. Google makes money from scanning your emails to show ads…

      1. Gowron said on December 19, 2022 at 8:56 am

        Yeah unless you encrypt in Thunderbird and keep your key material safe from google. But that would require some people to know OPSEC :^)

      2. Norwog said on January 19, 2023 at 4:45 am

        …and some people who know OPSEC know there are email providers (:

    2. Martin Brinkmann said on December 18, 2022 at 12:59 pm

      I do not think that this will become available for personal accounts.
