Learn about Gmail Client-side encryption

Google Workspace uses the latest cryptographic standards to encrypt all data at rest and in transit between its facilities. In addition, Gmail uses TLS (Transport Layer Security) for communication with other email service providers. With Gmail Client-side encryption (CSE), you can strengthen the confidentiality of your sensitive or regulated data by having the encryption handled in your browser before any data is transmitted or stored in Google's cloud-based storage. This provides uniform protection for your messages until they are received by the intended recipients.

Before you start

You can add additional encryption to emails with these Google Workspace editions:

  • Enterprise Plus
  • Education Plus
  • Education Standard

If you don't see the feature, you may need to contact your Google Workspace administrator.

Information with additional encryption

When CSE is turned on:

  • The body of the email, including inline images and attachments, will have additional encryption.
  • The header of the email, including subject, timestamps, and recipients, will not have additional encryption.

Note: Your admin may have set client-side encryption to be turned on by default for your messages. If your recipient does not support S/MIME, you can always disable CSE.

Send emails with CSE within your domain


  • Before you start drafting an email, decide if you want to add additional encryption. You can add additional encryption while drafting an email, but if you do so, your draft will be deleted and a new draft will be opened.
  • After drafting an email, you can turn off additional encryption if it's no longer needed. Make sure the draft doesn't contain any sensitive information before removing the additional encryption.
  1. In Gmail, click Compose.
  2. On the right corner of the message, click Message security.
  3. Under "Additional encryption," click Turn on.
  4. Add your recipients, subject, and message content.
  5. Click Send.
  6. If prompted, sign in to your identity provider.

Send emails with CSE to an external domain

Before you can send emails with CSE to a recipient outside your domain, exchange digital signatures first.


  • Emails with a digital signature include your certificate and public key, which the recipient can use to encrypt the emails that they send to you.
  • Make sure the recipient sends a signed email in return when you exchange digital signatures. When a recipient sends a signed email, the key is automatically stored, and additional encryption is now available when communicating with the recipient.
  • You only have to exchange digital signatures once for each contact.
  • If you or your contact update the certificates, you’ll need to exchange digital signatures again.
  1. In Gmail, click Compose.
  2. On the right corner of the message, click Message security.
    • Make sure that additional encryption is not turned on yet.
  3. Click Digital signature and then Sign message.
    • To view and download the certificate, click View signature.
  4. Send your signed message to the recipient.
  5. To confirm that the recipient received the email with the digital signature, ask them to send a signed message in return.

After you exchange digital signatures, CSE is available, and you can add additional encryption when communicating with the contact.

Read a CSE encrypted email

When you receive a CSE encrypted message, you'll see "Encrypted message" below the sender's name. To read the message:

  1. In Gmail, open the email.
  2. If prompted, sign in to your identity provider.
  3. The message will be automatically decrypted in your Gmail browser window.

Attachment size limit

When additional encryption is turned on, there is a 5 MB upload limit for attachments and inline images.

Blocked file types

When you turn on CSE and you receive an email with an attachment, you'll find a warning message that encrypted emails can’t be scanned for viruses. Unless you're sure that the email is safe, be careful with attachments. Attachments with certain file types are automatically blocked.

These file types are blocked by Gmail:

.ade, .adp, .apk, .appx, .appxbundle, .bat, .cab, .chm, .cmd, .com, .cpl, .diagcab, .diagcfg, .diagpack, .dll, .dmg, .ex, .ex_, .exe, .hta, .img, .ins, .iso, .isp, .jar, .jnlp, .js, .jse, .lib, .lnk, .mde, .msc, .msi, .msix, .msixbundle, .msp, .mst, .nsh, .pif, .ps1, .scr, .sct, .shb, .sys, .vb, .vbe, .vbs, .vhd, .vxd, .wsc, .wsf, .wsh, .xll

Feature restrictions

When additional encryption is turned on, these features are not available:

  • Confidential mode
  • Email layouts
  • Multi-send mode
  • Proposing meeting times
  • Pop-out and full-screen compose
  • Sending to Groups as recipients
  • Email signatures
  • Emojis
  • Print

Encryption protocol

Additional encryption relies on the S/MIME 3.2 IETF standard to send and receive secure MIME data. S/MIME requires email senders and recipients to have their X.509 certificates trusted by Gmail. S/MIME encryption is used in coordination with S/MIME digital signatures ensuring email integrity.
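
The split described under "Information with additional encryption" can be checked on any stored S/MIME message: the headers stay readable while the body is an opaque enveloped-data blob. The following is an added example, not Google's code; the addresses, subject and placeholder body are constructed, and the media type shown is the one the S/MIME standard defines for encrypted content.

```python
from email import message_from_string
from email.policy import default

# Constructed sample message. The base64 body is a placeholder, not real CMS data.
ENCRYPTED_SAMPLE = """\
From: alice@example.com
To: bob@example.org
Subject: Q3 acquisition terms
Date: Tue, 02 Jan 2024 10:15:00 +0000
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULVJFQUwtQ01T
"""

# Constructed contrast case: an ordinary unencrypted message.
PLAIN_SAMPLE = """\
From: alice@example.com
To: bob@example.org
Subject: Lunch
Content-Type: text/plain; charset=utf-8

See you at noon.
"""

METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date")
SMIME_TYPES = ("application/pkcs7-mime", "application/x-pkcs7-mime")


def exposure_report(raw: str) -> dict:
    """Report what an intermediary can still read in a stored message."""
    msg = message_from_string(raw, policy=default)
    encrypted = (msg.get_content_type() in SMIME_TYPES
                 and msg.get_param("smime-type") == "enveloped-data")
    # Headers are outside the S/MIME envelope, so they are always readable.
    visible = {h: str(msg[h]) for h in METADATA_HEADERS if msg[h] is not None}
    body = msg.get_payload(decode=True) or b""  # None for multipart messages
    return {"encrypted_body": encrypted,
            "visible_headers": visible,
            "body_bytes": len(body)}


if __name__ == "__main__":
    for name, raw in (("encrypted", ENCRYPTED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, exposure_report(raw))
```

For the encrypted sample, the subject line and recipient address still appear in the report, which is why sensitive details should not be placed in the subject of a CSE message.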