Google says easy email encryption is on the way - for some users


Strong encryption is the foundation of just about every security and privacy-related feature in the modern computing landscape.

Your smartphone is encrypted by default, so its contents are only available when you unlock it with biometrics or a PIN. Your Windows PC is encrypted with BitLocker, and your MacBook is encrypted with FileVault.


Every webpage you visit is encrypted in transit, and you get a nasty error message if you go to a page that doesn't have the magic https leading off its URL. Your Signal chats are encrypted. If you're sending someone a contract in PDF form, you can easily encrypt it and keep its contents safe from prying eyes.

The one place where encryption isn't easily available is email. Sure, your inbox is encrypted at rest and in transit, but good luck if you want to protect a message so it can only be read by the person you're sending it to. Existing email encryption options are expensive, overly complex to administer, and clunky.


Google announced today that it wants to change all that, with a new feature for enterprise Gmail users that allows them to send end-to-end encrypted messages to any user, regardless of what email service they're using, with just a few clicks.

For Google Workspace admins, no extra setup is required. The feature is powered by client-side encryption, using keys that remain under the organization's control and are stored on enterprise servers rather than in Google's cloud.

According to Google, the feature encrypts the contents of a message on the client before it's transmitted to or stored on a Google Workspace server. That approach means each message is protected by zero-knowledge encryption and meets the alphabet soup of standards that highly regulated industries have to follow, such as ITAR, CJIS, TISAX, IRS 1075, or EAR.

And, of course, HIPAA.

If you've ever had to deal with a real estate transaction using encrypted mail, you're already aware that it's the very definition of a pain point. In a recent transaction with a mortgage lender, I had to use their encrypted system to share documents. The entire exchange was accomplished in a proprietary web-based interface that looked like it had been written in 2002. This system wasn't integrated with the bank's slick, modern website, so I had to create a separate password. Most annoyingly, the system delivered roughly three out of four messages I sent, but it didn't give me or my banker any feedback that the messages had vanished.


In today's corporate environments, admins can set up secure messaging systems based on the S/MIME standard. That setup makes it relatively easy for folks within the organization to exchange secure messages, as long as the admin has assigned each user a certificate and hasn't allowed any of those certificates to expire. But to email people outside the organization, you have to go through a dance of ensuring that the recipient has S/MIME enabled (most people don't) and then exchanging S/MIME certificates.

Less centralized options exist, of course, like Pretty Good Privacy (PGP), but those solutions just transfer the management burden to the end user.

It's no wonder that one long-term study at a large university found that only about one in 1,700 messages was encrypted.


Google's vision is that end users can choose to encrypt a message by clicking a checkbox. What happens next depends on who's on the other end of the message. Here's how Google describes the process:

  • When the recipient is a Gmail user (enterprise or personal), Gmail sends an E2EE email. The email is automatically decrypted in the recipient's inbox, and the recipient can use Gmail in a familiar way.
  • When the recipient is not a Gmail user, Gmail sends them an invitation to view the E2EE email in a restricted version of Gmail. The recipient can then use a guest Google Workspace account to securely view and reply to the email. 
  • When the recipient has S/MIME configured, Gmail sends an E2EE email via S/MIME (just like it does today).

Enterprises can choose to force all external recipients, even those using a Gmail account, to use that "restricted" Gmail version. They also have a handful of extra options, including settings that can assign policies to force the use of encrypted mode, classification labels to help users understand when (and why) they've received an encrypted message, and data-loss prevention policies.

Are you excited yet? Maybe cool down a bit, at least for a while. So far, these features are available only for Google's premium customers, those who've paid for Google Workspace Enterprise Plus, Education Standard, or Education Plus plans, with the Assured Controls option.

If your company uses a plain-vanilla Business plan or you're a plebe with a free Gmail account, you'll need to wait. For how long? Well, that depends.


The feature is rolling out today for enterprise and education customers. Google is rolling out support for E2EE emails in what it calls a "phased approach ... in beta, with the ability to send E2EE emails to Gmail users in your own organization." The ability to send E2EE emails to inboxes outside the organization is coming later this year.
