Cloud key management

Google Workspace CSE for Gmail


Google Workspace has expanded its Client-Side Encryption (CSE) capabilities to Gmail, offering enhanced confidentiality and data integrity for commercial and public sector organizations. This expansion complements existing CSE functionalities available in Drive, Docs, Slides, Sheets, and Meet. The Gmail CSE is specifically designed to give customers full control over encryption keys, ensuring that data remains encrypted from the client side before it reaches the Google servers. This client-side encryption ensures that Google has no access to the decryption keys, thus enhancing privacy and security.

Key features of CSE in Gmail

  • Enhanced Data Protection: Encrypts email content on the client device before it is sent to Google servers, maintaining data confidentiality as Google does not possess the decryption keys.
  • Seamless User Experience: Operates entirely within the browser without requiring additional desktop applications or browser extensions, preserving the native Gmail user interface and functionalities.
  • Advanced Key Management: Uses the Key Access Control List Service (KACLS), a proprietary Google service that supports cryptographic operations across all essential Workspace applications. This service verifies user authentication and authorization before performing any cryptographic operations.

Technical implementation

  • Encryption Methodology: Uses envelope encryption, where data is encrypted using a Data Encryption Key (DEK) that is further secured by KACLS.
  • Authentication and Authorization: Integrates with the customer's OpenID Connect (OIDC) Identity Provider (IdP) to authenticate end-users and manage access through JSON Web Tokens (JWT) that authorize specific operations.
  • S/MIME Standard: Employs S/MIME, an open standard for email encryption, ensuring compatibility with most enterprise email clients and allowing secure communications across different providers without proprietary restrictions.

Operational workflow

  • Email Composition: When a user composes an email, the Gmail client encrypts the message with a DEK, which is then encrypted using the recipient’s public key. The DEK and the encrypted message are wrapped in an S/MIME format.
  • Digital Signing and Encryption: The encrypted message is digitally signed by using keys managed by KACLS, ensuring that the sender’s identity is verifiable and the content has not been tampered with during transit.
  • Receiving and Decrypting Emails: Upon receiving an encrypted email, Gmail verifies the digital signature against the sender’s S/MIME certificate, decrypts the DEK using KACLS, and renders the email content to the user.
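The KACLS gate described above (authenticate the caller, check the authorization grant, and only then wrap or unwrap a DEK) as an added illustration, written here for this page rather than taken from Google or the page's own material. The claim names, the service URL, the HS256 signing keys and the hash-based stream cipher are assumptions standing in for the RS256/JWKS verification and AES-GCM a real deployment would use.

```python
import base64, hashlib, hmac, json, secrets, time

KACLS_URL = "https://kacls.example.com"                # constructed service URL
IDP_KEY, GOOGLE_KEY = b"idp-secret", b"google-secret"  # constructed HS256 keys
KEK = secrets.token_bytes(32)                          # key-encryption key held only by KACLS

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims, key):                 # HS256 stands in for RS256 + JWKS here
    head, body = b64u(b'{"alg":"HS256"}'), b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def verify_jwt(token, key, audience):
    head, body, sig = token.split(".")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, unb64u(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(unb64u(body))
    if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        raise PermissionError("wrong audience or expired")
    return claims

def authorize(authn, authz, allowed_roles):
    who = verify_jwt(authn, IDP_KEY, "cse-client")     # who the IdP says is calling
    grant = verify_jwt(authz, GOOGLE_KEY, KACLS_URL)   # what Google says they may do
    if who["email"] != grant["email"] or grant["role"] not in allowed_roles:
        raise PermissionError("identity mismatch or insufficient role")
    return grant["resource_name"]

def xor_stream(key, nonce, data):   # toy stream cipher standing in for AES-GCM
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap(authn, authz, dek):
    resource = authorize(authn, authz, {"writer"})
    nonce = secrets.token_bytes(12)
    ct = xor_stream(KEK, nonce, dek)
    tag = hmac.new(KEK, nonce + ct + resource.encode(), hashlib.sha256).digest()
    return b64u(nonce + ct + tag)   # the wrapped DEK that Gmail stores with the message

def unwrap(authn, authz, wrapped):
    resource = authorize(authn, authz, {"reader", "writer"})
    blob = unb64u(wrapped)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    want = hmac.new(KEK, nonce + ct + resource.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise PermissionError("wrapped key bound to another resource or tampered")
    return xor_stream(KEK, nonce, ct)
```

Binding the HMAC tag to `resource_name` is what stops a token issued for one message from unwrapping the DEK of another, and the identity check keeps a valid IdP login from being paired with someone else's grant.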

Security and compliance

  • High Security Standards: In addition to standard TLS encryption for data in transit, Gmail CSE uses multiple browser-side controls, including iframe origin isolation and Content Security Policy, to keep sensitive data inside an isolated container in the browser.
  • Regulatory Compliance: Meets high compliance standards required by various industries, ensuring that sensitive information remains protected under rigorous data protection regulations.

Basic setup steps for Google Workspace CSE

The following high-level steps illustrate the set-up process for Google Workspace CSE:

1 | Set up your external encryption key service

First, set up an encryption key service through one of the Google partner services (such as CryptoHub). This service controls the top-level encryption keys that protect your data.

2 | Connect Google Workspace to your external key service

Next, specify the location of your external key service, so Google Workspace can connect CSE for supported apps to it.

3 | Connect Google Workspace to your identity provider

For this step, you must connect to either a third-party IdP or Google identity, by using either the Admin console or a .well-known file hosted on your server. Your IdP verifies the identity of users before allowing them to encrypt content or access encrypted content.

This integration guide demonstrates using VirtuCrypt as the identity provider.

4 | Turn on CSE for users

You can turn on CSE for any organizational units or groups in your organization. Note, however, that you need to turn on CSE only for the users who will create client-side encrypted content:

  • Google Drive: You need to turn on CSE only for users who need to create client-side encrypted documents, spreadsheets, and presentations or upload client-side encrypted files to Drive. You don't need to turn on CSE for users who only view and edit files shared with them.
  • Google Meet: You need to turn on CSE only for users who need to host client-side encrypted meetings. You don't need to turn on CSE for other participants in meetings.

For details about turning on CSE for users, see Create client-side encryption policies.

Google service-level requirements for CSE

This section covers the various levels of requirements for CSE.

Administrator requirements

To set up Google Workspace Client-side encryption for your organization, you must be a Super Admin for Google Workspace.

User requirements

  • Users need a Google Workspace Enterprise Plus, Google Workspace for Education Plus, or Enterprise Essentials license to use CSE to:
    • Create or upload files
    • Host meetings
  • Users can have any type of Google Workspace or Cloud Identity license to:
    • View, edit, or download an existing file encrypted with CSE
    • Join a CSE meeting
  • Users with a consumer Google Account (such as Gmail users) can't access CSE files or participate in CSE meetings.
  • To view or edit encrypted files, users must use either the Google Chrome or Microsoft Edge browser.
  • To join a CSE meeting, users must be invited or added during the meeting. Knocking isn't available for CSE meetings.
  • Access to CSE files and meetings depends on your organization's CSE policies.

External user requirements

  • During the beta, external users must have a Google Workspace license to access your content encrypted with CSE. Users with a consumer Google Account or a visitor account can't access files encrypted with CSE.
  • External organizations must also set up CSE, either in the Admin console or with a .well-known file.
  • Your external encryption service must allowlist the third-party IdP service used by the external domain, or by the individual users, with whom you want to use CSE. You can usually find the IdP service in their publicly available .well-known file, if they have set one up. Otherwise, contact the Google Workspace admin of the external organization for their IdP details.