Cloud key management

Google Workspace CSE for Gmail

9min

Google Workspace has expanded its Client-Side Encryption (CSE) capabilities to Gmail, offering enhanced confidentiality and data integrity for commercial and public sector organizations. This expansion complements existing CSE functionalities available in Drive, Docs, Slides, Sheets, and Meet. The Gmail CSE is specifically designed to give customers full control over encryption keys, ensuring that data remains encrypted from the client side before it reaches the Google servers. This client-side encryption ensures that Google has no access to the decryption keys, thus enhancing privacy and security.

Key features

This integration has the following features:

  • Enhanced Data Protection: Encrypts email content on the client device before it is sent to Google servers, maintaining data confidentiality as Google does not possess the decryption keys.
  • Seamless User Experience: Operates entirely within the browser without requiring additional desktop applications or browser extensions, preserving the native Gmail user interface and functionalities.
  • Advanced Key Management: Uses the Key Access Control List Service (KACLS), a proprietary Google service that supports cryptographic operations across all essential Workspace applications. This service verifies user authentication and authorization before performing any cryptographic operations.

Technical implementation

The technical implementation of this integration includes the following elements:

  • Encryption methodology: Uses envelope encryption, where you encrypt data by using a Data Encryption Key (DEK) that is further secured by KACLS.
  • Authentication and authorization: Integrates with the customer's OpenID Connect (OIDC) Identity Provider (IdP) to authenticate end-users and manage access through JSON Web Tokens (JWT) that authorize specific operations.
  • S/MIME standard: Employs S/MIME, an open standard for email encryption, ensuring compatibility with most enterprise email clients and allowing secure communications across different providers without proprietary restrictions.

Operational workflow

The following steps comprise the operational workflow:

  1. Email Composition: When a user composes an email, the Gmail client encrypts the message with a DEK, which is then encrypted by using the recipient’s public key. The DEK and the encrypted message are wrapped in an S/MIME format.
  2. Digital Signing and Encryption: The encrypted message is digitally signed by using keys managed by KACLS, ensuring that the sender’s identity is verifiable and the content has not been tampered with during transit.
  3. Receiving and Decrypting Emails: Upon receiving an encrypted email, Gmail verifies the digital signature against the sender’s S/MIME certificate, decrypts the DEK using KACLS, and renders the email content to the user.

Security and compliance

The integration conforms to standard security and compliance requirements with respect to the following aspects:

  • High Security Standards: Besides standard TLS encryption for data in transit, Gmail CSE uses multiple security controls, including iframe origin isolation and Content Security Policy, to secure sensitive data within a secure container in the browser.
  • Regulatory Compliance: Meets high compliance standards required by various industries, ensuring that sensitive information remains protected under rigorous data protection regulations.

Basic setup steps for Google Workspace CSE

The following high-level steps illustrate the setup process for Google Workspace CSE:

  1. Set up your external encryption key service.
  2. Connect Google Workspace to your external key service.
  3. Connect Google Workspace to your identity provider.
  4. Turn on CSE for users.

Set up your external encryption key service

First, set up an encryption key service through one of the Google partner services (such as CryptoHub). This service controls the top-level encryption keys that protect your data.

Connect Google Workspace to your external key service

Next, specify the location of your external key service, so Google Workspace can connect CSE for supported apps to it.

Connect Google Workspace to your identity provider

For this step, you must connect to either a third-party IdP or Google identity by using either the Admin console or a .well-known file hosted on your server. Your IdP verifies the identity of users before allowing them to encrypt content or access encrypted content. Learn more 

This integration guide demonstrates using VirtuCrypt as the identity provider.

Turn on CSE for users

You can turn on CSE for any organizational units or groups in your organization. Note, however, that you must turn on CSE for only users that you want to create client-side encrypted content:

  • Google Drive: You need to turn on CSE only for users who need to create client-side encrypted documents, spreadsheets, and presentations or upload client-side encrypted files to Drive. You don't need to turn on CSE for users who only view and edit files shared with them.
  • Google Meet: You must turn on CSE only for users who need to host client-side encrypted meetings. You don't need to turn on CSE for other participants in meetings.

For details about turning on CSE for users, see Create client-side encryption policies.

Updated 21 Apr 2025
Did this page help you?
PREVIOUS
Appendix C: Configure Okta IdP
NEXT
Prerequisites
Docs powered by Archbee