Monday 26 December 2022

Client-Side Encryption for Gmail

Google has announced that client-side encryption (CSE) for Gmail is in beta for Workspace and education customers. Its purpose is to keep emails sent through the platform's web version secure. Google released the update at a time when people are increasingly concerned about data security and online privacy, so if you want to protect your private data, it is a welcome gift.

Google Workspace Enterprise Plus, Education Plus, and Education Standard customers can sign up for the beta until January 20, 2023. Note that the update is not available for personal Google Accounts.

How to Set Up Client-Side Encryption for Gmail (beta):

The client-side encryption beta lets users send and receive encrypted emails both within and outside their domain. Gmail CSE encrypts message bodies and attachments, including inline images, but email headers, including the subject, timestamps, and recipient lists, are not encrypted.

If you have Google Workspace Enterprise Plus, Education Plus, or Education Standard, you can apply for the Gmail CSE beta. Before applying, follow these steps to prepare your account.

Set up Gmail CSE beta:

1. Prepare your account:

Ensure that your company uses Google Workspace Enterprise Plus, Education Plus, or Education Standard.

Step 1) Set up your environment:

Create a new GCP project and enable the Gmail API in the Google Cloud console:

  • First, create a new GCP project and note down its Project ID.
  • Google then makes the project accessible to the non-public, pre-release Gmail API endpoints.
  • Go to the Google API Console and enable the Gmail API for the new project.
  • Next, go to the Service accounts page and create a service account.
  • Finally, save the service account's private key file to your local system.

Grant your service account domain-wide access:

  • Sign in to the Google Workspace Admin console with your super administrator account.
  • Go to Security, then Access and data control, then API controls, then Domain-wide delegation.
  • Add a new API client using the service account's client ID (created during setup).
  • Finally, authorize the client for the OAuth scopes: gmail.settings.basic, gmail.settings.sharing, gmail.readonly.

Create the test group of users for Gmail CSE:

  • Sign in to the Google Workspace Admin console, then go to Directory and Groups.
  • Click Create group.
  • Add the users who will use the Gmail CSE beta to the test group individually. Do not add groups.
  • Note down the email address of the test group.

Step 2) Prepare your certificates:

Create S/MIME certificates: Ensure that every user in the group who is going to test Gmail CSE has an S/MIME certificate. Both senders and recipients need certificates. The certificates must be issued by a Gmail-trusted CA for S/MIME. If you are using a test certificate authority, mark its root CA as trusted by uploading the CA certificate to the Google Workspace Admin console.

Use your key service to wrap the S/MIME private keys; follow the steps in your key service provider's documentation.

Step 3) Configure your key service and IdP:

  • First, set up the external key service. Only the primary key service is supported, not a secondary one.
  • Next, connect Workspace to the key service.
  • Then, connect Workspace to your Identity Provider (IdP).

2. Apply for the Gmail CSE beta:

Once you are ready, submit the CSE Beta Test Application. Make sure you include the required email address, Project ID, and test group domain.

Once your application has been received and your account is ready, you will get an email.

Now, you should try setting up the CSE beta for the users.

3. Set up Gmail CSE beta:

Once there is a notification saying that the account is ready, you should go through the steps so that you can set up the CSE beta.

1. Turn on Gmail CSE:

Use the super administrator account to sign in to your Admin console of Google.

Head towards Security thereafter and move to Client-side encryption.

Now, you should tap on Gmail.

Go to the left panel, and choose the group which you have submitted in the enrollment form of your Gmail CSE.

Under User access, set Gmail CSE to On. The change can take up to 24 hours to take effect, but it usually happens much faster.

If you later remove a user from the group or turn Gmail CSE off for the group, all previously client-side encrypted content remains accessible.

2. Upload users' certificates and wrapped private keys to Google:

Use the Gmail API, authenticated with the service account's private key file, to upload each user's S/MIME certificate and wrapped private key. Every user needs a key pair and an identity that refers to that key pair.
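As an added example (not code from this post or from Google), the upload in this step, together with the domain-wide delegation scopes from Step 1, can be scripted with google-auth and google-api-python-client as follows. The service account file path, the key service (KACLS) URL, the wrapped key blob and the PKCS#7 chain are all placeholders constructed for the example; the offline helpers check that the chain is a PEM-armored PKCS#7 bundle, which is the format the keypairs resource expects, before any network call is made.

```python
"""Upload a user's S/MIME certificate chain and KACLS-wrapped private key to
Gmail CSE through the Gmail API, acting as the user via domain-wide delegation.
Added example code; the sample values below are constructed placeholders."""
import sys

# Scopes the service account's client ID must be authorized for under
# Security > Access and data control > API controls > Domain-wide delegation.
CSE_SCOPES = [
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
    "https://www.googleapis.com/auth/gmail.readonly",
]

PKCS7_HEADER = "-----BEGIN PKCS7-----"
PKCS7_FOOTER = "-----END PKCS7-----"

# Constructed placeholders: not a real certificate chain or wrapped key.
SAMPLE_PKCS7_CHAIN = (
    "-----BEGIN PKCS7-----\nMIIBplaceholderNotARealPkcs7Bundle==\n-----END PKCS7-----\n"
)
SAMPLE_WRAPPED_KEY = "placeholder-wrapped-key-blob-returned-by-kacls"
SAMPLE_KACLS_URI = "https://kacls.example.com/v1"  # hypothetical key service URL


def validate_pkcs7_pem(chain: str) -> str:
    """Gmail wants the public certificate chain as one PEM-armored PKCS#7 bundle,
    not a concatenation of individual CERTIFICATE blocks. Fail early otherwise."""
    text = chain.strip()
    if not (text.startswith(PKCS7_HEADER) and text.endswith(PKCS7_FOOTER)):
        raise ValueError("certificate chain must be a PEM-encoded PKCS#7 bundle")
    return text


def build_keypair_body(pkcs7_chain: str, kacls_uri: str, wrapped_private_key: str) -> dict:
    """Request body for users.settings.cse.keypairs.create. The private key is
    uploaded only in the wrapped form produced by the external key service, so
    Google never holds the plaintext key."""
    if not kacls_uri.startswith("https://"):
        raise ValueError("key service URI must use https")
    if not wrapped_private_key:
        raise ValueError("wrapped private key is empty")
    return {
        "pkcs7": validate_pkcs7_pem(pkcs7_chain),
        "privateKeyMetadata": [
            {"kaclsKeyMetadata": {"kaclsUri": kacls_uri, "kaclsData": wrapped_private_key}}
        ],
    }


def build_identity_body(user_email: str, keypair_id: str) -> dict:
    """Request body for users.settings.cse.identities.create: binds the user's
    address to the key pair Gmail should use for signing and decryption."""
    return {"emailAddress": user_email, "primaryKeyPairId": keypair_id}


def delegated_gmail_service(service_account_file: str, user_email: str):
    """Build a Gmail API client that acts as user_email via domain-wide delegation.
    Imports are local so the offline helpers above work without these packages."""
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        service_account_file, scopes=CSE_SCOPES
    ).with_subject(user_email)
    return build("gmail", "v1", credentials=creds)


def upload_user_keys(service, user_email: str, pkcs7_chain: str, kacls_uri: str,
                     wrapped_private_key: str) -> dict:
    """Create the key pair, then the identity that points at it. Returns both
    API responses so the caller can record the keyPairId."""
    cse = service.users().settings().cse()
    keypair = cse.keypairs().create(
        userId="me", body=build_keypair_body(pkcs7_chain, kacls_uri, wrapped_private_key)
    ).execute()
    identity = cse.identities().create(
        userId="me", body=build_identity_body(user_email, keypair["keyPairId"])
    ).execute()
    return {"keypair": keypair, "identity": identity}


if __name__ == "__main__":
    # Usage: python upload_cse_keys.py service-account.json user@example.com chain.p7b.pem wrapped.key
    if len(sys.argv) != 5:
        sys.exit("usage: service_account.json user_email pkcs7_chain.pem wrapped_key_file")
    sa_file, user, chain_path, wrapped_path = sys.argv[1:]
    with open(chain_path) as f, open(wrapped_path) as g:
        result = upload_user_keys(delegated_gmail_service(sa_file, user), user,
                                  f.read(), SAMPLE_KACLS_URI, g.read().strip())
    print("created keyPairId:", result["keypair"]["keyPairId"])
```

The format check matters in practice: uploading a plain certificate PEM instead of a PKCS#7 bundle is rejected by the API, and catching it locally keeps the failure out of the delegated call.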

It can take up to 24 hours for the certificates to become available in Gmail. After that, you can use Gmail CSE.

4. Send and receive Gmail CSE Emails:

Ensure that the sender and all recipients have CSE turned on and have valid certificates. If any recipient does not have a valid certificate, the sender cannot send the email.

Send an encrypted email:

  • In Gmail, click Compose.
  • Click Message security in the top right corner of the message.
  • Under Additional encryption, click Turn on.
  • Add the recipients, subject, and message content.
  • Click Send, and sign in to the identity provider when prompted.

Receive encrypted email:

  • When you receive a CSE encrypted message, "Encrypted message" appears under the sender's name.
  • Open the encrypted message in your inbox and sign in to the identity provider when prompted.
  • The message is then decrypted automatically in the Gmail browser window.

Try out Gmail CSE features:

There are a few features that you should try in the account.

  • Send and receive encrypted messages within the organization 
  • Send emails to external recipients 
  • Share digital signatures with external recipients 
  • Include quoted emails in a thread 
  • Receive emails from other mail clients like Microsoft Outlook and Apple Mail. 
  • Attach a file 
  • Paste an image 
  • Forward messages 
  • Save encrypted drafts 
  • Undo send

The Google Drive apps for iOS, Android, and desktop are already compatible with client-side encryption. According to Google, the feature will be integrated into the mobile apps for Meet and Calendar later. Google also said that client-side encryption secures the data and addresses a wide range of data sovereignty and compliance needs.
