Google adds client-side encryption to Gmail and Calendar. Should you care?


On Tuesday, Google rolled out client-side encryption to a limited set of Gmail and Calendar users, in a move designed to give them more control over who sees sensitive communications and schedules.

Client-side encryption is a general term for any type of encryption applied to data before it is sent from a user device to a server. In contrast, with server-side encryption, the client device sends the data to a central server, which then uses keys in its possession to encrypt it while it is stored. That’s what Google is doing today. (To be clear, the data is sent encrypted over HTTPS, but is decrypted once Google receives it.)

Google’s client-side encryption occupies a middle ground between the two. Data is encrypted on the client device before being sent (via HTTPS) to Google. Data can only be decrypted on an endpoint machine with the same key used by the sender. This provides an incremental benefit as the data will remain unreadable to any malicious Google insiders or hackers who manage to compromise Google’s servers.

Abbreviated CSE, client-side encryption was already available for Google Drive, Docs, Slides, Sheets and Meet for Google Workspace users, which the company sells to businesses. Starting Tuesday, Google is rolling it out to Gmail and Calendar Workspace customers.

“Workspace already encrypts data at rest and in transit using secure, secure-by-design cryptographic libraries,” wrote Ganesh Chilakapati, Google’s team product manager for Google Workspace, and Andy Wen, director of product management for Google Workspace security. . “Client-side encryption takes this encryption capability to the next level, ensuring that customers have sole control over their encryption keys—and thus full control over all access to their data.”

It’s probably an exaggeration to say that Google’s PPA gives customers “sole control” of their encryption keys. This is because NPA keys are managed by a handful of third-party cryptographic key services that work with Google. Technically, this means that these providers will have at least some control over the keys. Google is giving NPA users the ability to create their own key service using a Google API.

CSE differs significantly from the PGP (Pretty Good Privacy) mail encryption that was popular with security-minded people a decade ago. This system offered true end-to-end encryption, as the content could only be decrypted with a key held by the recipient. The difficulty of managing a different key for each party eventually proved too unwieldy, especially at scale, so the use of PGP has largely died out and been replaced by end-to-end encryption applications like Signal.

Here’s an overview of the Workspace data that CSE does and doesn’t protect:

Service Data that is encrypted on the client side These data not encrypted on the client side
Google Drive
  • Files created with Google Docs (documents, spreadsheets, presentations)
  • Uploaded files, such as PDF and Microsoft Office files
  • File title
  • File metadata, such as owner, creator, and last modified time
  • Drive tags (also called Drive metadata)
  • Linked content outside of Docs or Drive (for example, a YouTube video linked from a Google Doc)
  • User preferences, such as Document header styles
  • Email body, including embedded images
  • Attached filesNote: Attaching encrypted Drive files on the client side is not yet supported
  • Email header, including subject, timestamp, and recipient lists
Google Calendar
  • Event description
  • Drive attachments (if PAD for Drive is enabled)
  • Meet audio and video streams (if Meet PA is enabled)
Any content other than the event description, attachments and Meet data, such as:

  • Event title
  • Event start and end times
  • List of participants
  • Room reservations
  • Sign up with phone numbers
  • Link to Meet
Google Meet
  • Audio streams
  • Video streams (including screen sharing)
  • Any data other than audio and video streams

The medium CSE it is intended to occupy is aimed at organizations with strict compliance requirements imposed by law or contractual obligations. APA gives these customers more control over the data Google stores while making it easier for authorized users to decrypt it for sharing and collaboration.

“Users can continue to collaborate in other core applications in Google Workspace, while IT and security teams can ensure that sensitive data remains compliant,” Google said in Tuesday’s post. “As customers retain control of the encryption keys and the identity management service to access those keys, sensitive data cannot be decrypted by Google and other external entities.”

Last year, Google released this video designed to show what the user experience is like.

Solving digital dominance with Google Workspace.

The blue circle with the shield in the images below indicates that the content in your documents, calendars, or video chats is protected by the UPA:

Of course, CSE only works if the software has not been modified. If it is maliciously modified to store keys or copies of unencrypted data, all bets are off.

Overall, the BPA provides an incremental improvement over the current protections available from Google. Individuals and organizations with specific uses or requirements may find them useful, but the masses are unlikely to clamor for it anytime soon.

Leave a Comment