All enterprise users of Gmail can now easily apply end-to-end encryption to their emails. Prior to today, this was a luxury reserved for big businesses with significant IT resources, but Google recognises that email attacks are on the rise across the board.
Starting today, Gmail users can send end-to-end encrypted emails to others within their organisation; in the coming weeks, they will also be able to send encrypted emails to Gmail inboxes outside their organisation, with support for all email inboxes expected later this year. To get early access for E2EE emails in Gmail, fill out Google’s Pre-General Availability Test Application.
How users and IT can use E2EE in Gmail
Emails sent with Gmail’s end-to-end encryption are extremely secure because only the sender has control over the encryption key, which is stored outside of Google’s infrastructure. Users can click the padlock by the Bcc button and press Turn On under the Additional Encryption’ option to apply it.
The security feature can be applied to emails sent to anyone, regardless of whether they are within the user’s organisation or even use Gmail. If the recipient does use Gmail, the email will be automatically decrypted in their inbox; if they don’t, they will be sent an invitation to open it in a restricted version of Gmail, which will require them to log in to a guest Google Workspace account.
IT teams can request that all external recipients, regardless of whether they use Gmail, must open encrypted emails in the restricted version of Gmail. This may be preferred at hyper security-conscious businesses, as it ensures that communications will not end up stored on third-party servers and devices. IT teams can also retroactively apply security policies or revoke access to emails, in this case.
If the recipient has Secure/Multipurpose Internet Mail Extensions (S/MIME) configured — the traditional, resource-intensive protocol for sending encrypted messages that Gmail’s new feature replaces — the email will be sent using it as normal.
SEE: Gmail vs Google Workspace: Key Differences for Users & Businesses
Gmail’s E2EE doesn’t require extensive IT resources
Google can provide end-to-end encryption without requiring businesses to have extensive IT resources, thanks to its cloud storage. The email is encrypted on the sender’s device before being stored in Google’s cloud, eliminating the need for a technical team to acquire and manage certificates. This process makes the message indecipherable to Google and other third parties, ensuring that data protection regulations such as HIPAA are met.
In addition, Google is rolling out a number of other security features:
- An end-to-end encryption default mode for teams handling sensitive data.
- Classification labels to help users recognise message sensitivity.
- Data loss prevention tools that enable automatic application of rules to manage and block messages based on their labels.
And, a new threat protection AI model has been introduced to enhance Gmail’s defences, using AI to detect spam and phishing attempts before they reach users.
How Gmail’s end-to-end encryption democratises high-security emails
End-to-end encryption is typically only accessible to regulated companies with large IT budgets. S/MIME requires technical staff to acquire and manage digital certificates — cryptographic keys used to authenticate the sender and encrypt the email — which eats away at their time. Certificates must also be exchanged before the encrypted messages, creating hassle for both the sender and recipient.
What’s more, this approach only works if both the sender and recipient have S/MIME implemented, which is only feasible if emails are sent to a small, predefined group of people who are guaranteed to have it set up.
There are other options than S/MIME for sending encrypted emails, but they come with their own problems. Encryption features offered by email providers require encryption keys to be shared, creating a security risk. Proprietary point solutions often require the recipient to download a third-party app or extension, which causes inconvenience, and their IT team may not allow it.
With Gmail’s end-to-end encryption, only the sender holds the encryption keys, no specialist IT personnel are required, and there’s no need to exchange certificates or use custom software.
