Gmail Now Has Better Encrypted Emails, but Not for You


Summary

  • Gmail is improving email encryption by adding end-to-end encryption.
  • Encrypted emails can be read directly within Gmail, and require extra steps on other providers.
  • The new encryption method for Gmail will eventually extend to personal accounts and third-party providers.

Email encryption is something that should be more widespread but isn’t. With the amount of confidential info moving around via email, it makes sense to prioritize it. Now, Gmail is improving how it encrypts emails, but it’s not coming for you—for now, at least.

Google is implementing end-to-end encryption (E2EE) for Gmail. Currently, Gmail supports S/MIME for encryption, which works well enough for users with Google Workspace accounts but doesn’t really work for anyone outside of a Google Workspace organization, whether that’s someone with a personal Gmail account or someone using another email provider. This new encryption method, which is being developed in-house, is built to be more secure and more scalable, and the company says that it will eventually get it working with personal Gmail accounts and emails sent to third-party providers such as Microsoft Outlook.

When an E2EE-enabled user sends an encrypted message to another Gmail user, the process for the recipient is just like receiving any other email. The sender’s compose window will display a distinct blue banner indicating “New encrypted message,” and the recipient can read the email directly within Gmail without extra steps. If an encrypted email is sent to a user on a different platform, however, the recipient will first receive a notification email with a link prompting them to view the secure message. Clicking the link requires the recipient to re-authenticate their email account (e.g., log back into their Outlook or Yahoo account).

Once this is done, however, you’ll be moved into a sandboxed Gmail interface from which you can read and respond to the email following decryption. More “seamless” handling of these emails would require your email provider to actually adopt the encryption method so it can decrypt the emails client-side—through said sandbox, both ends of the encryption process are technically still being handled by Gmail, even if you’re not a Gmail user.


Google acknowledges that the link-based method for external recipients resembles file-sharing invitations (like for Google Docs), which could potentially be mimicked by phishing attacks. And it’s probably made even worse by the fact that you need to re-authenticate your email account. In an attempt to mitigate this, a warning is displayed above the link, advising recipients to proceed only if they trust the sender. The company compares this external sharing mechanism to how Workspace documents are shared outside an organization, letting IT administrators control access policies and prevent sensitive data from being stored on third-party servers if they don’t want to.

It’s also pretty similar to how encryption works for emails sent from Proton Mail to third-party email providers. If you want to send someone an encrypted email, you can agree on a password with the recipient, who would then input it on their end for the email to be decrypted on a sandboxed Proton Mail instance.

This new E2EE capability also differs significantly from other Gmail features such as Confidential Mode. While Confidential Mode prevents recipients from forwarding, copying, printing, or downloading emails and allows senders to set expiration dates or require SMS passcodes, it does not provide end-to-end encryption.

Google says that the capability is rolling out in a beta stage for Workspace users within the same organization. It will then roll out to all Gmail users later on before finally opening up to other email providers. It’s not clear if personal Gmail accounts will be able to send encrypted emails, but at the very least, they will be able to receive them.

Source: The Verge, The Register


