Wrap/Unwrap Google CSE for Gmail
Google Client-Side Encryption (CSE) for Gmail is a robust security feature that strengthens the confidentiality of sensitive or regulated data by providing an additional encryption layer.
The system is built around the concept of exclusive key custody, where the organization's external Key Management System (KMS) holds the encryption keys, ensuring Google never accesses the private keys or the message content.
The core functionality relies on the Wrap/Unwrap process:
When sending an email, the KMS wraps (re-encrypts) the Data Encryption Key (DEK) for secure transmission.
Upon receiving the mail, the KMS verifies the user and unwraps (decrypts) the DEK, allowing the client to automatically display the content. This client-side protection is essential for organizations that must meet strict regulatory compliance requirements.
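The wrap/unwrap flow described above, as an added example that is not Google's or any KMS vendor's API: a simplified Node.js model in which the client encrypts the message with a fresh DEK and the KMS wraps or unwraps that DEK under a key only it holds. The function names, the in-memory `kms` object, the access list standing in for user verification, the use of AES-256-GCM and the binding to a message id are all assumptions made for illustration.

```javascript
// Added example: simplified model of the wrap/unwrap flow, not a real KMS API.
const nodeCrypto = require('node:crypto');

// Constructed KMS state: the key-encryption key (KEK) and access list live only here.
const kms = {
  kek: nodeCrypto.randomBytes(32),
  acl: new Set(['alice@example.com', 'bob@example.com']), // constructed users
};

// AES-256-GCM helpers. Output layout: 12-byte IV | 16-byte tag | ciphertext.
// `aad` binds the ciphertext to a context string (here the message id).
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws if tampered
}

// KMS side: wrap the DEK under the KEK for a known user.
function kmsWrap(user, dek, msgId) {
  if (!kms.acl.has(user)) throw new Error('wrap denied');
  return seal(kms.kek, dek, msgId);
}
// KMS side: verify the user first, then unwrap the DEK.
function kmsUnwrap(user, wrappedDek, msgId) {
  if (!kms.acl.has(user)) throw new Error('unwrap denied');
  return open(kms.kek, wrappedDek, msgId);
}

// Sender's client: encrypt locally with a fresh DEK, have the KMS wrap it.
// The returned object is all the mail provider ever stores.
function sendMail(sender, body, msgId) {
  const dek = nodeCrypto.randomBytes(32);
  const wrappedDek = kmsWrap(sender, dek, msgId);
  return { msgId, body: seal(dek, Buffer.from(body), msgId), wrappedDek };
}
// Recipient's client: ask the KMS to unwrap, then decrypt locally.
function readMail(recipient, mail) {
  const dek = kmsUnwrap(recipient, mail.wrappedDek, mail.msgId);
  return open(dek, mail.body, mail.msgId).toString();
}
```

The stored object holds only ciphertext and a wrapped DEK, so reading it requires a successful unwrap call to the KMS, which is where the access decision is enforced.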