Google integrates encryption for its customers in Gmail


Google is rolling out what it calls client-side encryption (CSE), giving users of its Workspace suite the ability to use their own encryption to protect their data before it reaches Google’s servers. The encryption key is then not available to the service provider.

When client-side encryption is enabled, the email body, attachments, and inline images are encrypted. The email header, subject, timestamps, and recipient lists, on the other hand, are not.

Google Workspace Enterprise Plus, Education Plus, or Education Standard customers can apply to participate in the Gmail CSE beta test through Google’s new support page for this feature.

A method that differs from end-to-end encryption

This feature is not available to users with a personal Google account, nor to users of Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline and Nonprofits, nor to former customers of G Suite Basic and Business.

Google explains that CSE is different from end-to-end encryption because customers use encryption keys that are generated and stored in a cloud-based key management service, so administrators can control the keys and who has access to them. Thus, the administrator can revoke a user’s access to the keys, even if that user generated them. With end-to-end encryption, administrators don’t have control over client keys and who can use them, and they can’t see what content users have encrypted.

Google has partnered with several key management service providers, including FlowCrypt, Fortanix, FutureX, Stormshield, Thales, and Virtru. To ensure that Google cannot access keys and decrypt user data, users cannot use Google itself as a key management partner.

Google servers do not have access to encryption keys

Google explains that introducing CSE into Gmail for this subset of Workspace customers helps address a range of data sovereignty and compliance needs. As the company points out, client-side encryption is already available for Google Drive, Google Docs, Sheets and Slides, Google Meet, and Google Calendar (beta).

“Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities. Client-side encryption helps strengthen the privacy of your data while helping to meet a wide range of data sovereignty and compliance needs,” reads the Workspace Updates blog.

Google further explains that with CSE on Workspace, “content encryption is handled in the customer’s browser before any data is transmitted or stored in Google’s cloud storage.” And, “this way, Google’s servers cannot access your encryption keys and decrypt your data. After configuring the CSE, you can choose which users can create client-side encrypted content and share it internally or externally.”
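A toy model of the arrangement described above, added here as an illustration and not Google's CSE protocol or API: the client encrypts the body before upload, the headers stay readable by the mail provider, and an external key service decides who may recover the key. The envelope design (a per-message data key wrapped by the key service) and the names `ExternalKms`, `cseEncrypt`, `cseDecrypt` and the example.com addresses are assumptions.

```javascript
// Added illustration: toy model, not Google's CSE protocol or API.
const { randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// AES-256-GCM helpers; blob layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Hypothetical external key service: keeps the master key, enforces an admin-managed ACL.
class ExternalKms {
  #kek = randomBytes(32);
  #allowed = new Set();
  grant(user) { this.#allowed.add(user); }
  revoke(user) { this.#allowed.delete(user); }
  #check(user) { if (!this.#allowed.has(user)) throw new Error(`access denied: ${user}`); }
  wrap(user, dek) { this.#check(user); return seal(this.#kek, dek); }
  unwrap(user, wrapped) { this.#check(user); return unseal(this.#kek, wrapped); }
}

// Client side: encrypt the body before upload; headers stay readable by the provider.
function cseEncrypt(kms, user, mail) {
  const dek = randomBytes(32); // per-message data key, never sent to the mail provider
  return {
    headers: mail.headers,
    body: seal(dek, Buffer.from(mail.body, "utf8")),
    wrappedDek: kms.wrap(user, dek),
  };
}
function cseDecrypt(kms, user, stored) {
  const dek = kms.unwrap(user, stored.wrappedDek); // fails once access is revoked
  return unseal(dek, stored.body).toString("utf8");
}

// Constructed sample message; `stored` is everything the mail provider would hold.
const kms = new ExternalKms();
kms.grant("alice@example.com");
const stored = cseEncrypt(kms, "alice@example.com", {
  headers: { subject: "Q3 figures", to: ["bob@example.com"] },
  body: "Revenue draft attached.",
});
```

Calling `kms.revoke("alice@example.com")` makes a later `cseDecrypt` throw even though the stored record is unchanged, which is the administrator control that distinguishes this model from end-to-end encryption.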

An option disabled by default

Google specifies that CSE will be disabled by default. However, it can be enabled at the domain and group level. Once enabled, users can click the padlock icon to add CSE to any message.

As a reminder, Apple also extended end-to-end encryption support for iCloud backups and in the Notes and Photos applications earlier this month. This extension, however, was aimed at all Apple users and not just customers in highly regulated industries.

Source: ZDNet.com




