Google adds client-side encryption to Gmail and Calendar. Should you care?

Google adds client-side encryption to Gmail and Calendar.  Should you care?


On Tuesday, Google made client-side encryption available to a limited set of Gmail and Calendar users in a move designed to give them more control over who sees sensitive communications and schedules.

Client-side encryption is a generic term for any type of encryption applied to data before it is sent from a user device to a server. With server-side encryption, in contrast, the client device sends the data to a central server, which then uses keys in its possession to encrypt it while it is being stored. This is what Google does today. (To be clear, the encrypted data is sent via HTTPS, but is decrypted as soon as Google receives it.)

Google’s client-side encryption is a middle ground between the two. Data is encrypted on the client device before it is sent (at HTTPS) to Google. The data can only be decrypted on an endpoint machine with the same key used by the sender. This provides an incremental advantage since the data will remain unreadable to any Google insiders or malicious hackers who manage to compromise Google’s servers.

Abbreviated as CSE, client-side encryption was already available for Google Drive, Docs, Slides, Sheets, and Meet for users of Google Workspace, which the company sells to businesses. Starting Tuesday, Google is rolling it out to Gmail and Calendar Workspace customers.

“Workspace already encrypts data at rest and in transit using well-designed cryptographic libraries,” wrote Ganesh Chilakapati, Google’s group product manager for Google Workspace, and Andy Wen, director of product management for Google Workspace security. “Client-side encryption takes this encryption capability to the next level by ensuring that customers have sole control over their encryption keys – and therefore full control over all access to their data.”

To say that Google’s CSE gives customers “individual control” over their encryption keys is probably an exaggeration. That’s because CSE keys can be managed with a handful of external cryptographic key services partnered with Google. Technically, that means these providers will have at least some control over the keys. Google gives CSE users the option to set up their own core service using the Google programming interface.

CSE differs significantly from the PGP (Pretty Good Privacy) email encryption that was popular with the security-minded a decade ago. That system offered true end-to-end encryption because the content could only be decrypted with a key in the recipient’s possession. The difficulty of managing a different key for each party eventually proved too narrow, especially at scale, so the use of PGP has largely been phased out and replaced by end-to-end encryption applications like Signal instead.

Here’s an overview of the Workspace data that CSE does and doesn’t protect:

Service Data encrypted on the client side Details that no client side encryption
Google Drive
  • Files created with Google Docs Editors (documents, spreadsheets, presentations)
  • Uploaded files, such as PDFs and Microsoft Office files
  • The title of the file
  • File metadata, such as owner, creator, and time last modified
  • Drive Labels (also known as Drive metadata)
  • Linked content outside of Docs or Drive (for example, a YouTube video linked from a Google doc)
  • User preferences, such as Docs header styles
  • Email body, including inline images
  • Attached filesNote: Attaching client-side encrypted Drive files is not yet supported
  • Email header, including subject, time stamps, and recipient lists
Google Calendar
  • Description of the event
  • Attached Drive files (if CSE for Drive is running)
  • Meet audio and video streams (if CSE for Meet is running)
Any content other than event descriptions, attachments and Meet details, for example:

  • The title of the event
  • Start and end times of events
  • List of attendees
  • Rooms reserved
  • Join by phone numbers
  • Link for Meet
Google Meet
  • Audio streams
  • Video streams (including screen sharing)
  • Any data other than audio and video streams

The middle ground that CSE is intended to occupy is aimed at organizations with strict compliance requirements mandated by law or contractual obligations. CSE gives these customers more control over the data stored by Google while making it easy for authorized users to decrypt for sharing and collaboration.

“Users can continue to collaborate with other essential apps in Google Workspace and IT and security teams can ensure that sensitive data remains compliant with regulations,” said a Tuesday post from Google. “As customers retain control of the encryption keys and the identity management service to access those keys, sensitive data is impossible to decipher for Google and other external entities.”

Last year, Google published this video designed to show what the user experience is like.

The solution to your digital dominance with Google Workspace.

The blue circle with the shield in the following images indicates that the content in the documents, calendars, or video chats is protected by CSE:

Of course, CSE only works if the software hasn’t changed. In the event that it is maliciously altered to store keys or copies of unencrypted data, all bets are off.

Overall, CSE incrementally improves the existing protections provided by Google. They may be useful to people and organizations with specific uses or needs, but it is unlikely that the masses will demand it anytime soon.

Leave a Reply

Your email address will not be published. Required fields are marked *