With Gmail client-side encryption beta, you can send and receive encrypted emails within your domain and outside of your domain.
- What's encrypted in Gmail
Email body and attachments, including inline images
- Not encrypted in Gmail
The header of the email, including subject, timestamps, and recipients lists
About Gmail CSE beta
Customers who have Google Workspace Enterprise Plus, Education Plus, or Education Standard can apply for the Gmail CSE beta.
Important: Before you apply, follow the steps below to prepare your account..
Set up Gmail CSE beta1. Prepare your account
Requirement: Your organization uses Google Workspace Enterprise Plus, Education Plus, or Education Standard
Step 1: Set up your environment
- In Google Cloud Console, create a new GCP project with the Gmail API enabled
- Create a new GCP project and make note of the Project ID. Google will grant the project access to non-public, pre-release Gmail API endpoints.
- Go the Google API Console and enable the Gmail API for the new project.
- Go to the Service accounts page and create a service account.
- Save the private key file for the service account to your local system.
- Grant your service account domain-wide access.
Learn more about domain-wide delegation
- Sign in to your Google Workspace Admin console with a super administrator account.
- Go to Security > Access and data control > API controls > Domain-wide delegation.
- Add a new API client using the client ID of the service account created during setup
Grant the account use of the OAuth scopes:
gmail.settings.basic, gmail.settings.sharing, gmail.readonly.
- Create the test group of users for Gmail CSE
- Sign in to our Google Workspace Admin console and go to Directory > Groups.
- Click Create group.
- Add individual users (not groups) to the test group so they can use Gmail CSE beta.
- Make a note of the test group's email address (such as, email@example.com).
Step 2: Prepare your certificates
- Generate S/MIME certificates.
You need a S/MIME certificate for each user in the group who will test Gmail CSE. Both senders and recipients require certificates. Go to CA certificates trusted by Gmail for S/MIME.
To use your own test certificate authority, you must explicitly indicate that the root CA is trusted by uploading its certificate to Google Workspace Admin console.
Wrap the S/MIME private keys using your key service. Follow the steps in your service provider’s documentation.
- Set up your external key service.
Note: You set up only a primary key service (no secondary key service) for Gmail users.
- Connect Google Workspace to your key service.
- Connect Google Workspace to your identity provider (IdP)
When you're ready, submit your Gmail CSE Beta Test Application.
Be sure to include your email address, Project ID, and test group domain.
After we receive your application, we'll email you when your account is ready. Then you can set up Gmail CSE beta for your users.
When you receive an notification that that your account is ready, follow these steps to set up Gmail CSE beta.
1. Turn on Gmail CSE for your users
- Sign in to the Google Admin console with a super administrator account.
- Go to Security > Client-side encryption.
- Click Gmail.
- In the left panel, select the group that you submitted in your Gmail CSE enrollment form.
- Set User access to On. It can take up to 24 hours for a new setting to take effect, although it usually happens much faster.
Note: If you remove a user from the group or you turn off Gmail CSE for the group, all of their existing client-side encrypted content remains encrypted and accessible.
2. Upload users' certificates and wrapped private keys to Google
You upload a user’s S/MIME certificate and wrapped private key using the Gmail API, with the service account private key file. For each user:
It can take up to 24 hours for certificates to be available in Gmail, although it usually happens much faster. Then you're ready to use Gmail CSE.
Requirement: The sender and all recipients must have CSE turned on and valid certificates. If any recipients are missing a valid certificate, the sender can't send the email.
Send encrypted email
- In Gmail, click Compose.
- On the right corner of message, click Message security
- In the section, Additional encryption, click Turn on.
- Add your recipients, subject, and message content as usual.
- Click Send. If prompted, sign in to your identity provider.
Receive encrypted email
When you receive a CSE encrypted message, you'll see "Encrypted message" below the sender's name.
Open the encrypted message in your inbox. If prompted, sign in to your identity provider.
The message is automatically decrypted in your Gmail browser window.
Some tasks and features to try in your account:
- Send and receive encrypted messages within your organization
- Send emails to external recipients
- Share digital signatures with external recipients
- Include quoted emails in a thread
- Receive emails from other mail clients (for example, Microsoft Outlook and Apple Mail)
- Attach a file
- Paste an image
- Forward messages
- Save encrypted drafts
- Undo send