Supported editions for this feature: Enterprise Plus; Education Standard and Education Plus.
To use Google Workspace Client-side encryption (CSE) for Gmail, you need to enable the Gmail API and give it access to your entire organization. Then, for each user, you need to use the Gmail API to upload an S/MIME (Secure/Multipurpose Internet Mail Extensions) certificate (public key) and private key metadata to Gmail. If you're using an encryption key service, you'll also need to encrypt (or "wrap") users' private key metadata using your key service.
At any time, you can switch to a different key service by uploading new S/MIME certificates and private key metadata encrypted by your new service.
About S/MIME
S/MIME is a widely accepted, industry standard protocol for digitally signing and encrypting email messages to ensure message integrity and security. Gmail CSE relies on the S/MIME 3.2 IETF standard to send and receive secure MIME data. S/MIME requires email senders and recipients to have their X.509 certificates trusted by Gmail.
Note: Alternatively, you can use S/MIME without the additional layer of encryption and privacy that CSE provides. Use this alternative only if you don't need to prevent Google servers from decrypting your data with CSE. For details, go to Turn on hosted S/MIME for message encryption.
Before you begin
Make sure you've completed the following steps:
- Choose a key service.
- Connect to your identity provider (IdP).
- Set up your external key service or hardware key encryption.
- Assign a key service or hardware key encryption to organizational units or groups.
If you're using multiple key services, make sure they're assigned to the appropriate organizational units or configuration groups.
Set up the Gmail API
Note: Use of the APIs requires programming knowledge.
Turn on Gmail CSE for users
Turn on CSE for Gmail for the organizational units or groups. For details, go to Turn client-side encryption on or off.
Note: For organizational units, you can set all email (compose, reply, and forward) to be encrypted by default. Users can still turn off encryption if needed. Requires having the Assured Controls or Assured Controls Plus add-on.
Set up CSE S/MIME certificates for users
After you've set up the Gmail API and turned on Gmail CSE for users in the Admin console, you can set up CSE S/MIME certificates and private key metadata for your users.
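The upload step described above, as an added example that is not Google's own code: it assembles the request bodies for one user's CSE key pair and identity, checks that only the public PKCS#7 chain goes up in the clear (the private key appears only as metadata already wrapped by your key service), and sends them with a google-api-python-client Gmail service. Field names follow the Gmail API `users.settings.cse.keypairs` and `users.settings.cse.identities` resources; the KACLS URL, the wrapped-key blob and the PEM block are constructed placeholders, and the `service` object is assumed to have been built with domain-wide delegation for the target user.

```python
import base64
import re

# One PEM block: label, then base64 body. Used only to inspect what we are uploading.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed placeholder, not a real certificate chain.
SAMPLE_PKCS7 = ("-----BEGIN PKCS7-----\n"
                + base64.b64encode(b"constructed, not a real chain").decode()
                + "\n-----END PKCS7-----\n")


def pem_labels(pem_text):
    """Return the label of every PEM block, rejecting bodies that are not valid base64."""
    labels = []
    for label, body in PEM_BLOCK.findall(pem_text):
        base64.b64decode("".join(body.split()), validate=True)  # raises on junk
        labels.append(label)
    return labels


def build_keypair_body(cert_chain_pem, kacls_uri, wrapped_private_key):
    """Body for keypairs.create: pkcs7 is the public chain; the private key is
    referenced only by the opaque blob your key service (KACLS) wrapped."""
    labels = pem_labels(cert_chain_pem)
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("raw private key found in chain; upload wrapped metadata only")
    if not labels or any(label != "PKCS7" for label in labels):
        raise ValueError("pkcs7 must be a PEM-armored PKCS#7 block")
    if not kacls_uri.startswith("https://"):
        raise ValueError("kaclsUri must be an https URL")
    if not wrapped_private_key:
        raise ValueError("wrapped private key from the key service is required")
    return {"pkcs7": cert_chain_pem,
            "privateKeyMetadata": [{"kaclsKeyMetadata": {
                "kaclsUri": kacls_uri, "kaclsData": wrapped_private_key}}]}


def build_identity_body(email, key_pair_id):
    """Body for identities.create: binds the uploaded key pair to the user's address."""
    return {"emailAddress": email, "primaryKeyPairId": key_pair_id}


def provision_user(service, email, cert_chain_pem, kacls_uri, wrapped_private_key):
    """Create the key pair, then the identity that points at it; returns both."""
    cse = service.users().settings().cse()
    body = build_keypair_body(cert_chain_pem, kacls_uri, wrapped_private_key)
    pair = cse.keypairs().create(userId=email, body=body).execute()
    identity = cse.identities().create(
        userId=email, body=build_identity_body(email, pair["keyPairId"])).execute()
    return pair["keyPairId"], identity
```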
To switch to another key service for Gmail CSE
If you want to switch to a different key service for Gmail CSE, repeat steps 2 and 3 under Set up Gmail CSE for users above, using your new key service to wrap the private keys.
Note: Uploading new certificates for users doesn't migrate content to the new key service. However, users can continue to access email encrypted with the previous certificates and private key metadata wrapped by the old key service.
Migrate messages to Gmail as client-side encrypted email
Now that Gmail CSE is set up, you can optionally import messages. For details, see Migrate messages to Gmail as client-side encrypted email.