Gmail only: Upload encryption keys for client-side encryption

Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus. Compare your edition

To use Google Workspace Client-side encryption (CSE) for Gmail, you need to enable the Gmail API and give it access to your entire organization. Then, for each user, you need to use the Gmail API to upload an S/MIME (Secure/Multipurpose Internet Mail Extensions) certificate (public key) and private key metadata to Gmail. If you're using an encryption key service, you'll also need to encrypt (or "wrap") users' private key metadata using your key service.

At any time, you can switch to a different key service by uploading new S/MIME certificates and private key metadata encrypted by your new service.

About S/MIME

S/MIME is a widely accepted, industry standard protocol for digitally signing and encrypting email messages to ensure message integrity and security. Gmail CSE relies on the S/MIME 3.2 IETF standard to send and receive secure MIME data. S/MIME requires email senders and recipients to have their X.509 certificates trusted by Gmail.

Note: Alternatively, you can use S/MIME without the additional layer of encryption and privacy that CSE provides. Use this alternative only if you don't need to prevent Google servers from decrypting your data with CSE. For details, go to Turn on hosted S/MIME for message encryption.

Before you begin

Make sure you've completed the following steps:

  1. Choose a key service.
  2. Connect to your identity provider (IdP).
  3. Set up your external key service or hardware key encryption.
  4. Assign a key service or hardware key encryption to organizational units or groups.

    If you're using multiple key services, make sure they're assigned to the appropriate organizational units or configuration groups. 

Set up the Gmail API

Note: Use of the APIs requires programming knowledge.

Turn on Gmail CSE for users

Turn on CSE for Gmail for the organizational units or groups. For details, go to Turn client-side encryption on or off.

Note: For organizational units, you can set all email (compose, reply, and forward) to be encrypted by default. Users can still turn off encryption if needed. This setting requires the Assured Controls or Assured Controls Plus add-on.

Set up CSE S/MIME certificates for users

After you've set up the Gmail API and turned on Gmail CSE for users in the Admin console, you can set up CSE S/MIME certificates and private key metadata for your users.

To switch to another key service for Gmail CSE

If you want to switch to a different key service for Gmail CSE, repeat steps 2 and 3 under Set up Gmail CSE for users above, using your new key service to wrap the private keys.

Note: Uploading new certificates for users doesn't migrate content to the new key service. However, users can continue to access email encrypted with the previous certificates and private key metadata wrapped by the old key service.

Migrate messages to Gmail as client-side encrypted email

Now that Gmail CSE is set up, you can optionally import messages. For details, see Migrate messages to Gmail as client-side encrypted email.
