How to enable client-side encryption for Gmail

Google has rolled out client-side encryption for Gmail on several of its services.

The tech giant announced that Gmail client-side encryption (CSE) is now available for Google Workspace Enterprise Plus, Education Plus, and Education Standard customers.

The CSE feature ensures that data sent in an email, including attachments, is encrypted and unreadable before it arrives at Google’s servers.

“It gives organizations higher confidence that any third party, including Google and foreign governments, cannot access their confidential data,” Google said.

  • Make sure your admin enabled CSE
  • Click 'Compose' on Gmail
  • Find the lock symbol on the right side
  • Clicking on the symbol prompts security options
  • Find 'Additional Encryption'
  • Click 'Turn On'

The feature will be off by default, and company admins must take steps to enable it. To do that, admins need to access the CSE settings at the domain or Google Group level (Admin console > Security > Access and data control > Client-side encryption).

Detailed actions and necessary configuration changes admins should consider before enabling Gmail CSE are provided here.

Once admins enable the feature, end users composing a new message should see a lock icon on the right side of the Recipient bar. Clicking the lock brings up several security options. To add CSE, end users must click “turn on” in the Additional Encryption section.

While CSE adds a layer of security to email communications, it’s not the same as end-to-end encryption (E2EE). With E2EE, only the recipient can unscramble the message, as it is encrypted locally on the sender’s device.

Since Gmail CSE is aimed at corporate users, company admins could theoretically have the encryption tokens necessary to read the information sent with the encryption feature on.

According to Google, the Gmail CSE feature is not yet available for users with personal accounts and on Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, Nonprofits, or legacy G Suite Basic and Business.