Google launched a security improvement for the Gmail mobile applications for Android and iOS this week that adds client-side encryption support.
Client-side encryption gives users control over the encryption keys and their data: because messages are encrypted before they leave the device, even Google cannot read the email body or attachments stored on its servers. Gmail web users have had access to client-side encryption since Google launched it in 2022.
Gmail encrypts data in transit and at rest using “secure-by-design cryptographic libraries”, according to Google. This encryption is automatic and available to all customers. It ensures that data is protected while it is in transit or stored on Google servers, but Google, not the user, retains control over that encryption.
The new client-side encryption capability extends encryption further. It is a local option, which means that the encryption and decryption of data happen on the user’s device, out of reach of Google and others.
Gmail users who have access to it must enable this level of encryption themselves in the Gmail client. The security feature is turned off by default and has to be enabled for each individual email; there is no option to enable it permanently.
To secure an email using client-side encryption, Gmail users need to activate the lock icon next to the “To” field in the client and turn on the “Additional encryption” option displayed in the menu. The client indicates the use of client-side encryption with a blue shield icon in the interface.
Google explains: “To add client-side encryption to any message, click the lock icon and select additional encryption, and compose your message and add attachments as normal”.
A support page provides additional guidance for system administrators. Google explains that administrators “need to enable the Gmail API” and give it access to the organization. It is then necessary to upload an S/MIME certificate and “private key metadata” encrypted by the key service to Gmail. The messages can only be read by other members of the organization.
Client-side encryption is enabled for Google Workspace Enterprise Plus, Education Plus, and Education Standard customers. All other Google customers, including customers with personal accounts, do not get access to the feature.
Third-party tools that implement OpenPGP may be used to encrypt email locally. The open source email client Thunderbird, for example, supports OpenPGP and Gmail.