Enable hosted S/MIME for enhanced message security
This feature is only available with G Suite Enterprise.
You can enhance the integrity and confidentiality of your organization's email messages by enabling Secure/Multipurpose Internet Mail Extensions (S/MIME). For S/MIME encryption to work, each sender and recipient must have it enabled. They also need to exchange information, called keys, to uniquely identify each other.
You can make sure that certain messages can’t be sent or received unless they are S/MIME encrypted or S/MIME signed. You set this up when you create compliance and routing rules. Learn about enhancing message security with hosted S/MIME.
See the Hosted S/MIME FAQ for additional information about client support and enhanced encryption.
Step 1. Enable hosted S/MIME
First, you need to enable hosted S/MIME. Next, users upload a certificate to Gmail or the administrator uploads them programmatically. Then, users exchange keys to make it work.
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- From the Admin console dashboard, go to AppsG SuiteGmail.
In the Organizations section, highlight your domain or organization you want to configure.
Scroll to the S/MIME setting.
Check the Enable S/MIME encryption for sending and receiving emails box.
Check the Allow users to upload their own certificates box to allow users to upload certificates.
Check the Allow SHA-1 globally (not recommended) box only if your domain or organization must use Secure Hash Algorithm 1 (SHA-1). Learn more about the SHA-1 option.
It can take up to an hour for hosted S/MIME to be enabled.
Important: If you disable hosted S/MIME, it can take awhile for the change to propagate to all user accounts. Messages sent during this time will not be encrypted.
2. Reload Gmail
After you enable hosted S/MIME, users need to reload Gmail to see the change. After reloading, a Lock appears on the Subject line of email messages. The color of the lock indicates the message's encryption level. If the message is encrypted with hosted S/MIME, the lock is green.
3. Upload certificates
To use hosted S/MIME encryption, certificates must be uploaded and added to Gmail. The S/MIME certificate must meet current cryptographic standards and use the Public-Key Cryptography Standards (PKCS) #12 archive file format. See this Internet Engineering Task Force document for information about PKCS #12.
Note: You can also use the Gmail S/MIME API to manage things like viewing, deleting, and setting default user keys.
4. Have users exchange keys
Your users need to exchange keys with email recipients by doing one of these options:
Send a S/MIME signed message to recipients. The email will be digitally signed and the signature will include your user's public key. The recipients will be able to use this public key to encrypt the emails that they send to your user.
Ask recipients to send them a message. When they receive the message, it’s signed with S/MIME. The key is automatically stored and available. From now on, messages sent to this recipient will be S/MIME-encrypted by default.
Some non-Gmail email clients may allow SHA-1 hashed signatures. By default, these signatures will appear as untrusted because SHA-1 is a phased out hash function. You should only select the Allow SHA-1 globally option if your organization communicates using the SHA-1 cryptographic hash function for S/MIME message security and you want these communications to appear as trusted. When this option is selected, Gmail will trust S/MIME certificates attached to inbound mail by entities using this phased out algorithm.