How It Works
Concept
Google CSE for Gmail (Client-side encryption) is a security feature designed to strengthen the confidentiality of sensitive or regulated data within your emails.
The core concept is:
Encryption Location: The encryption process is handled directly in your browser before the email content is transmitted or stored in Google's cloud.
Key Management System (KMS): The KMS holds exclusive custody of the encryption and decryption keys. Because the keys are managed through the KMS, Google never accesses the private keys or the decrypted message content.
Encrypted Components: The additional encryption applies to the body of the email, including inline images and attachments.
Unencrypted Components: The email header, which includes the subject, timestamps, and recipients, is not subject to this additional encryption.
Availability: CSE is available for Work or school Gmail accounts, providing an extra layer of protection for sensitive communications. Messages using CSE are marked with a blue shield icon.
How It Works
Sending an Encrypted Email
Initiation: The sender composes a new email and explicitly turns on Additional encryption.
Verification: The user is required to sign in to verify their account before the message is sent.
Encryption: Google generates a Data Encryption Key (DEK), which is used to encrypt the email body, inline images, and attachments.
Key Wrapping (KMS Interaction): Google sends the DEK to your organization's external Key Management System (KMS) or Key Access Control List Service (KACLS). The KMS uses its master key to wrap (re-encrypt) the DEK.
Transmission: The encrypted message, along with the wrapped DEK, is transmitted and stored on Google's servers.
Receiving an Encrypted Email
Notification: The recipient receives the mail, which is marked with a blue shield icon and shows an "Encrypted message" notification.
Authentication: The receiver opens the email and must sign in to their identity provider to verify their account.
Key Unwrapping: The KMS verifies the user's access rights and uses the master key to unwrap (decrypt) the DEK.
Decryption: The client receives the unencrypted DEK and uses it to automatically decrypt the email content, which is then displayed in the Gmail browser window.
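The send and receive steps above, modeled as envelope encryption in Node.js. This is an added example, not Google's code or any KMS vendor's. The `Kacls` class, the function names, the binding of the permitted-user list to the wrapped DEK as AES-GCM associated data, and the sample addresses are assumptions made for illustration, and the user's identity is assumed to have already been verified by the identity provider.

```javascript
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');
const BODY = Buffer.from('cse-body'); // constructed context label used as body AAD

// AES-256-GCM helpers; aad is authenticated but not encrypted.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv).setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, box, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(aad).setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // throws if tampered
}

// Hypothetical stand-in for the organization's external KMS / KACLS.
class Kacls {
  constructor() { this.masterKey = nodeCrypto.randomBytes(32); } // stays in the KMS
  // Wrap the DEK; the permitted-user list is bound to it as AAD.
  wrap(dek, allowedUsers) {
    const acl = Buffer.from(JSON.stringify(allowedUsers));
    return { acl, ...seal(this.masterKey, dek, acl) };
  }
  // Unwrap only for a listed user (identity assumed already verified by the IdP).
  unwrap(wrapped, user) {
    const allowed = JSON.parse(wrapped.acl.toString());
    if (!allowed.includes(user)) throw new Error('access denied');
    return unseal(this.masterKey, wrapped, wrapped.acl);
  }
}

// Sender: a fresh DEK encrypts the body; headers are stored as-is.
function encryptMessage(kacls, headers, body, allowedUsers) {
  const dek = nodeCrypto.randomBytes(32);
  const sealed = seal(dek, Buffer.from(body), BODY);
  return { headers, body: sealed, wrappedDek: kacls.wrap(dek, allowedUsers) };
}
// Recipient: the KMS releases the DEK after its access check; decrypt locally.
function decryptMessage(kacls, stored, user) {
  const dek = kacls.unwrap(stored.wrappedDek, user);
  return unseal(dek, stored.body, BODY).toString();
}

// Constructed sample message: `stored` is everything the mail provider holds.
const kms = new Kacls();
const stored = encryptMessage(kms, { subject: 'Q3 forecast' }, 'draft figures',
  ['alice@example.com', 'bob@example.com']);
console.log(stored.headers, decryptMessage(kms, stored, 'bob@example.com'));
```

The stored object holds the readable header, the body ciphertext and the wrapped DEK, but never the DEK or the master key. Rewriting the user list on the wrapped DEK makes the unwrap fail authentication instead of granting access.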
Advantages
Maximum Data Confidentiality: It is a security feature designed to strengthen the confidentiality of sensitive or regulated data within your emails, providing an "additional encryption" layer.
Exclusive Key Custody (KMS): Your organization, through the Key Management System (KMS), holds exclusive custody of the encryption and decryption keys. This guarantees that Google never accesses the private keys or the decrypted message content.
Client-Side Protection: The encryption process takes place directly in your browser (client-side) before the email content is transmitted or stored in Google's cloud.
When To Use This
Google Client-side encryption (CSE) for Gmail is primarily used by organizations that require maximum control over their data and must comply with strict mandates. Use this feature when:
Meeting Regulatory Compliance: Your organization operates in a highly regulated industry, such as aerospace and defense, financial services, or government, and needs to meet specific compliance requirements for data protection.
Protecting Highly Sensitive Data: You are storing or transmitting extremely sensitive or regulated data, including healthcare records, financial data, or critical intellectual property (IP).
Requiring Exclusive Key Custody: Your organization needs to maintain exclusive control over the encryption and decryption keys (via the KMS), ensuring that Google cannot access the private keys or the decrypted content of your emails.
Strengthening Confidentiality: You need an extra layer of protection ("additional encryption") beyond Google’s default encryption for the body and attachments of specific messages.