Google wants to simplify end-to-end encryption in Gmail
Google is initially making it easier for organizations to send end-to-end encrypted emails in Gmail.
(Image: A protected laptop. Created with AI in Bing Designer by heise online / dmk)
Google celebrated the birthday of its email service Gmail on Tuesday and announced that enterprise users can now send end-to-end encrypted emails with far less effort, and not only to users within their own organization but eventually to anyone. For now this is a beta; Google says it will be expanded in stages before general availability.
In a blog post on Google Workspace, two Google product managers describe the new features. End-to-end encryption (E2EE) has so far been complex and resource-intensive for IT departments, which have had to deal with S/MIME, its setup and the associated key management. Google now wants to simplify E2EE significantly and lower these hurdles: enterprise users can send fully encrypted emails to any recipient, whether another Gmail user or a user of an external email provider, with just a few clicks.
Maintaining and simplifying security
Despite the reduced effort, security is not weakened, the authors say. The new function is being rolled out in phases as a beta. Initially it is possible to send E2EE emails only to other users in the same organization. In a few weeks the option to send end-to-end encrypted emails to any Gmail user will follow, and later in the year users will be able to send E2EE emails to any recipient.
According to Google, companies want to send E2EE emails but have few resources to implement them. S/MIME is a standardized protocol for this, but it requires purchasing and managing certificates and assigning them to individual users. End users also have to find out whether a recipient has S/MIME configured and then exchange certificates with them, which is error-prone and frustrating, the Google employees write. Alternatives to S/MIME, such as proprietary solutions from mail providers, are also complicated and likewise require key exchanges.
Google's solution is meant to be much simpler. With a few clicks, Gmail encrypts the email regardless of who the recipient is, without a manual key exchange or additional software. The encryption keys remain under the customer organization's control and are not available to Google's servers; at the same time, the IT department does not have to deal with S/MIME configuration or certificate management.
If the recipient uses Gmail, Gmail sends an E2EE email that is decrypted automatically in the recipient's inbox. If the recipient does not use Gmail, Gmail sends an invitation to read the E2EE email in a restricted version of Gmail; the recipient uses a Google Workspace guest account to view and reply to the email. If the recipient has S/MIME configured, Gmail sends the email using S/MIME instead.
IT departments can also require that all external recipients use the restricted version of Gmail, so that organizational data is not stored on third-party servers and devices. Google also wants to strengthen data protection by allowing security policies to be applied at any time and access to be revoked, no matter how long ago the email was sent.
The implementation is based on Google's client-side encryption (CSE), which lets organizations encrypt data in the client before it is transmitted to or stored in Google's cloud, so that neither Google nor any other third party can decrypt it. One caveat follows from the recipient flow described above: a recipient outside Gmail reads the message in a Google-hosted restricted Gmail view, so the decrypting "end" on that side is a web client served by Google rather than the recipient's own mail software, and the guarantee rests on that client code behaving as described.
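To make concrete what "encrypted in the client, keys not available to Google's servers" and "revocable no matter how long ago the mail was sent" mean in the two preceding paragraphs, here is an added example in Go, written for this page and not Google's code. It models the CSE split: the sender's client generates a per-message key, encrypts the body and has a customer-controlled key service wrap that key; the provider stores only ciphertext plus the wrapped key and can neither read the message nor decrypt it on behalf of another tenant; revoking access at the key service takes effect for every later read. Google documents an external key access control service (KACLS) for CSE, but the in-process KeyService, the message-ID binding via AAD and the revocation list are this example's assumptions about the mechanism, not documented Gmail behaviour.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failing is not recoverable
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // all keys here are 32 bytes, so this is a bug, not input
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block (16-byte block size)
	return gcm
}

// aeadSeal encrypts with AES-256-GCM; a fresh random nonce is prepended to the ciphertext.
func aeadSeal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// aeadOpen reverses aeadSeal; a wrong key, a tampered byte or mismatched AAD fails.
func aeadOpen(key, blob, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// KeyService is an assumed stand-in for the customer-controlled key service Gmail CSE
// calls out to (Google's term is KACLS; this is not Google's API). It holds the tenant's
// key-encryption key (KEK) and only wraps and unwraps per-message data-encryption keys
// (DEKs). The message ID is bound in as AAD, so policy such as revocation is per message.
type KeyService struct {
	kek     []byte
	revoked map[string]bool
}

func NewKeyService() *KeyService {
	return &KeyService{kek: randomBytes(32), revoked: map[string]bool{}}
}

func (k *KeyService) Wrap(msgID string, dek []byte) []byte {
	return aeadSeal(k.kek, dek, []byte(msgID))
}
func (k *KeyService) Unwrap(msgID string, wrapped []byte) ([]byte, error) {
	if k.revoked[msgID] {
		return nil, errors.New("access revoked for " + msgID)
	}
	return aeadOpen(k.kek, wrapped, []byte(msgID))
}

// Revoke works however long ago the message was sent: every read passes through Unwrap.
func (k *KeyService) Revoke(msgID string) { k.revoked[msgID] = true }

// StoredMessage is everything the mail provider stores or relays: no KEK, no plain DEK.
type StoredMessage struct {
	ID         string
	WrappedDEK []byte
	Body       []byte
}

// EncryptMessage runs in the sender's client: fresh DEK, encrypt the body, wrap the DEK.
func EncryptMessage(ks *KeyService, msgID string, plaintext []byte) StoredMessage {
	dek := randomBytes(32)
	return StoredMessage{ID: msgID, WrappedDEK: ks.Wrap(msgID, dek), Body: aeadSeal(dek, plaintext, []byte(msgID))}
}

// DecryptMessage runs in the recipient's client and needs the key service; anyone
// holding only StoredMessage (the provider, another tenant) cannot perform this step.
func DecryptMessage(ks *KeyService, m StoredMessage) ([]byte, error) {
	dek, err := ks.Unwrap(m.ID, m.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, m.Body, []byte(m.ID))
}

func main() {
	org := NewKeyService()
	msg := EncryptMessage(org, "msg-1", []byte("constructed sample body, not a real email"))
	plain, err := DecryptMessage(org, msg)
	fmt.Printf("org recipient: %q (err=%v)\n", plain, err)
	_, err = DecryptMessage(NewKeyService(), msg) // another tenant, or the provider itself
	org.Revoke("msg-1")
	_, err2 := DecryptMessage(org, msg)
	fmt.Println("without the org KEK:", err, "| after revocation:", err2)
}
```

Run it with `go run .`. The design point is where the trust sits: the provider is reduced to a store-and-forward role because unwrapping the per-message key requires the customer's key service, and that same choke point is what makes late revocation possible. A real key service also authenticates the requesting user before unwrapping, which this stand-in omits; that authentication step is what turns the choke point into per-recipient access control.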
Around two years ago, an update to Google Authenticator was also supposed to bring E2EE, but it did not.
(dmk)