Set up client-side encryption for Gmail (beta)

With Gmail client-side encryption beta, you can send and receive encrypted emails within your domain and outside of your domain. 

  • What's encrypted in Gmail
    Email body and attachments, including inline images
  • Not encrypted in Gmail
    The header of the email, including subject, timestamps, and recipients lists

About Gmail CSE beta

Customers who have Google Workspace Enterprise Plus, Education Plus, or Education Standard can apply for the Gmail CSE beta.

View the Gmail CSE Beta Test application

Important: Before you apply, follow the steps below to prepare your account..

Set up Gmail CSE beta 

Open all  |  Close all

1. Prepare your account

Requirement: Your organization uses Google Workspace Enterprise Plus, Education Plus, or Education Standard

Step 1: Set up your environment

  1. In Google Cloud Console, create a new GCP project with the Gmail API enabled
    1. Create a new GCP project and make note of the Project ID. Google will grant the project access to non-public, pre-release Gmail API endpoints.
    2. Go the Google API Console and enable the Gmail API for the new project.
    3. Go to the Service accounts page and create a service account.
    4. Save the private key file for the service account to your local system.
  2. Grant your service account domain-wide access.
    Learn more about domain-wide delegation
    1. Sign in to your Google Workspace Admin console with a super administrator account.
    2. Go to Security > Access and data control > API controls > Domain-wide delegation.
    3. Add a new API client using the client ID of the service account created during setup
    4. Grant the account use of the OAuth scopes:  gmail.settings.basic, gmail.settings.sharing, gmail.readonly.

  3. Create the test group of users for Gmail CSE
    1. Sign in to our Google Workspace Admin console and go to Directory > Groups.
    2. Click Create group.
    3. Add individual users (not groups) to the test group so they can use Gmail CSE beta.  
    4. Make a note of the test group's email address (such as, 

Step 2: Prepare your certificates

  1. Generate S/MIME certificates.

You need a S/MIME certificate for each user in the group who will test Gmail CSE. Both senders and recipients require certificates. Go to CA certificates trusted by Gmail for S/MIME.

To use your own test certificate authority, you must explicitly indicate that the root CA is trusted by uploading its certificate to Google Workspace Admin console.

  1. Wrap the S/MIME private keys using your key service. Follow the steps in your service provider’s documentation.

Step 3: Configure your key service and IdP

  1. Set up your external key service.
    Note: You set up only a primary key service (no secondary key service) for Gmail users.
  2. Connect Google Workspace to your key service.
  3. Connect Google Workspace to your identity provider (IdP)
2. Apply for the Gmail CSE beta

When you're ready, submit your Gmail CSE Beta Test Application.

Be sure to include your email address, Project ID,  and test group domain. 

After we receive your application, we'll email you when your account is ready. Then you can set up Gmail CSE beta for your users. 

3. Set up Gmail CSE beta for users

When you receive an notification that that your account is ready, follow these steps to set up Gmail CSE beta.

1. Turn on Gmail CSE for your users

  1. Sign in to the Google Admin console with a super administrator account.
  2. Go to Security > Client-side encryption.
  3. Click Gmail.
  4. In the left panel, select the group that you submitted in your Gmail CSE enrollment form.
  5. Set User access to On. It can take up to 24 hours for a new setting to take effect, although it usually happens much faster.

Note: If you remove a user from the group or you turn off Gmail CSE for the group, all of their existing client-side encrypted content remains encrypted and accessible.

2. Upload users' certificates and wrapped private keys to Google

You upload a user’s S/MIME certificate and wrapped private key using the Gmail API, with the service account private key file. For each user:

  1. Create a keypair
  2. Create an Identity using that keypair.

It can take up to 24 hours for certificates to be available in Gmail, although it usually happens much faster. Then you're ready to use Gmail CSE.

4. Send and receive Gmail CSE emails

Requirement: The sender and all recipients must have CSE turned on and valid certificates. If any recipients are missing a valid certificate, the sender can't send the email. 

Send encrypted email

  1. In Gmail, click Compose.
  2. On the right corner of message, click Message security""
  3. In the section, Additional encryption, click Turn on. 

  1. Add your recipients, subject, and message content as usual.
  2. Click Send. If prompted, sign in to your identity provider. 

Receive encrypted email

When you receive a CSE encrypted message, you'll see "Encrypted message" below the sender's name.

Open the encrypted message in your inbox. If prompted, sign in to your identity provider.

The message is automatically decrypted in your Gmail browser window.

Try out Gmail CSE features 

Some tasks and features to try in your account: 

  • Send and receive encrypted messages within your organization
  • Send emails to external recipients 
  • Share digital signatures with external recipients
  • Include quoted emails in a thread 
  • Receive emails from other mail clients (for example, Microsoft Outlook and Apple Mail)
  • Attach a file
  • Paste an image
  • Forward messages
  • Save encrypted drafts
  • Undo send
Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Clear search
Close search
Google apps
Main menu
Search Help Center