On Friday Google announced that its encryption client side for Gmail is in beta for Workspace and Education customers as part of its efforts to protect email sent using the browser version of the platform (if you don’t know, even on the phone you can not use the application and use any browsers).
This news of the “boosting” of Google’s popular email platform comes at a time when concerns about online privacy and data security are at an all-time high, making it a welcome change for users who value protecting their personal data.
To this end, Google Workspace Enterprise Plus, Education Plus and Education Standard customers can request beta membership until January 20, 2023, however, this service is not available (at least for now) for personal Google Accounts.
What is this Gmail encryption “boost” about?
“Using client-side encryption in Gmail ensures that sensitive data in the email body and attachments are undecryptable by Google’s servers“, has stated the company in one post. “Customers retain control over encryption keys and the identity service to access those keys“.
It’s important to know that the latest protections offered by Gmail are different from end-to-end encryption (used for example by WhatsApp).
There Client-side encryptionas the name implies, is a way to protect data at rest and it allows organizations to encrypt data on Google services with your own encryption keys; therefore the data is decrypted on the client side using keys generated and managed by a key management service, which is hosted in a cloud service.
Google opt-in feature requires administrators to configure a cryptographic key service through one of the company’s partners, offered by Flowcrypt, Fortanix, Futurex, Stormshield, Thales or Virtru, or alternatively, create your own service using its side Crypto API client; outside of Gmail, in the Google world, something similar is already applied for Play Store developers.
This means that the data is therefore protected from unauthorized access, even by the server or by the various service providers; however, the organization or administrator has control over the keys and can to monitor encrypted user files or revoke a user’s access to keys, even if they were generated by the user.
On the other hand, end-to-end encryption (E2EE) is a communication method in which information is encrypted on the sender’s device and can only be decrypted on the recipient’s device with a key known only to the sender and recipient.
That said, the new option, currently limited to the web browser, allows users to send and receive encrypted emails both inside and outside their domains, so the encryption “covers” what is written on the Gmail email and email attachments, including inline images, but this function it will not encrypt the lists of objects and recipients.
But Gmail isn’t the only Google service with client-side encryption turned on — the tech giant has enabled the same feature for Google Drive last year and Google Meet at the beginning of August; a similar test was also done for Google Calendar and ended on November 11, 2022.
It’s worth noting that the Google Drive desktop, Android, and iOS apps also support client-side encryption — Google said the feature will be integrated into the mobile apps for Meet and Calendar in future versions of both apps.
“Client-side encryption helps strengthen data privacy while helping to address a broad range of data sovereignty and compliance needs“, finally added the Mountain View company.
#Gmail #Google #increases #security #client #side