Google Is Rolling Out End-to-End Encryption for (Some) Gmail Users

Gmail is one of the most popular, if not the most popular, email platforms in the world. But it’s not a favorite among privacy-conscious users. Google doesn’t offer end-to-end encryption (E2EE) for regular Gmail users, instead using the Transport Layer Security (TLS) protocol. This provides security during transmission, but doesn’t help once the message reaches its destination. While TLS is better than nothing, it doesn’t provide the same level of security as E2EE, which makes messages unreadable to everyone except the sender, the recipients, and anyone else holding the decryption key. Therefore, privacy-conscious users often look to other options for their email needs, such as Proton Mail.
However, Google offers more advanced encryption for some users, namely those with Workspace work or school accounts. Secure/Multipurpose Internet Mail Extensions (S/MIME) is available, which, like E2EE, encrypts emails in transit and in the sender’s and recipient’s mailboxes. However, it has a drawback: Google also holds the decryption key. Theoretically, Google could decrypt your emails, or, if Google were successfully hacked, the attacker could use the key to decrypt them. This is where client-side encryption (CSE) comes in: the decryption key is held by the organization that manages the Google Workspace plan, not Google, meaning decryption is only possible within the organization.
If your company has a Workspace plan, this is the encryption type you should use to maximize email security. But the main problem until now was that CSE was only available on desktop computers. While you could use encrypted Gmail on your computer, the Gmail mobile app didn’t support it on the go. According to Google, the only way to access CSE email on a mobile device was through additional apps and email portals.
Gmail on iOS and Android now supports end-to-end encryption (E2EE) via CSE.
Now everything is changing. On Thursday, Google announced the rollout of CSE support for the Gmail apps on iOS and Android. Going forward, you’ll be able to write and read end-to-end encrypted (E2EE) emails directly in Gmail, regardless of how you access the app. You’ll also be able to send end-to-end encrypted emails to anyone, even if they don’t have Gmail.
Google states that if the recipient has Gmail, they will simply be able to open the message in their inbox. If they have a different email address (e.g., Outlook, Yahoo, iCloud, Proton, etc.), they will still be able to read the message but will need to open it in their device’s browser. However, be careful when sending messages using CSE, as not all data sent is end-to-end encrypted. According to Google’s CSE help page, the message body will be fully encrypted, but the header, subject, timestamps, and recipients will not be additionally encrypted.
How to send messages with end-to-end encryption (E2EE) in Gmail
Your organization’s administrator must enable CSE for iOS and Android on their end before you’ll see this option in your app. After that, select “Compose,” then “Message Security” with the lock icon. Under “Advanced Encryption,” select “Enable.” Then compose your email as usual.