Google is making sending end-to-end encrypted emails easy
Sending end-to-end encrypted (E2EE) emails from Gmail enterprise accounts is about to become much easier than it is now, Google announced on Tuesday.
The company will first make this simplified capability available to users who want to send E2EE emails to other Gmail users in their own organization, and will extend it in the coming weeks to include E2EE emails to external enterprise or personal Gmail inboxes.
Finally, later this year, users will be able to send E2EE emails to recipients who don’t use Gmail.
Gmail end-to-end encrypted emails from the users’ point of view
“End-to-end encrypted (E2EE) email was historically a privilege reserved for organizations with significant IT resources, due to the complexity of S/MIME and proprietary solutions,” Google Workspace product managers Johney Burke and Julien Duplant explained.
Until now, the process required managing and exchanging encryption keys before sending emails, required both recipients to have them, and sometimes required the use of specialized software.
Google has worked to simplify the procedure by taking advantage of client-side encryption in Google Workspace, and has cut it down to a few mouse clicks.
The sender simply has to turn on the Additional Encryption option after clicking on the lock icon in the email’s “To:” field, and see the email “turn into” an encrypted message (as proclaimed in the window title bar):
Additional Encryption (E2EE) option switched on (Source: Google)
Recipients with Gmail accounts will receive the email in their inbox, where it will be automatically decrypted. Non-Gmail users will receive an invitation to view and reply to the E2EE email in a restricted version of Gmail, where they will be able to use a guest Google Workspace account.
Finally, if the recipient has S/MIME configured, Gmail will proceed to use it.
Gmail E2EE from the admin’s point of view
To make the capability work as intended, enterprise admins who manage Google Accounts for an organization must first enable the Gmail API, upload users’ encryption keys, and turn on client-side encryption for them.
They will also be able to mandate that all external recipients use the restricted version of Gmail. That way, they can make sure the email/data isn’t stored on third-party servers and devices, and they can revoke access to the email at any time.
Google is also introducing CSE (client-side encryption) default mode in Gmail, so admins can make E2EE messages a default setting in Gmail for teams that regularly deal with sensitive data (and should definitely use E2EE).