Google CSE support for Google's end-to-end encrypted email
Caution
This feature is a technical preview for evaluation in non-production environments. A technical preview introduces new, limited functionality for customer feedback as we work on the feature. Details and functionality are subject to change. This includes API endpoints, UI elements, and CLI commands. We cannot guarantee that data created as part of a technical preview will be retained after the feature is finalized.
Google Workspace client-side encryption (CSE) uses a Key Access Control List Service (KACLS) to wrap and unwrap the keys that protect Gmail messages; CipherTrust Manager can act as that KACLS. Google's end-to-end encrypted email ("Send to anyone") lets enterprise Gmail users send end-to-end encrypted messages to any email address, without configuring S/MIME certificates for users.
Note
This feature is released by Google in three separate phases: Alpha, Beta, and General Availability (GA). Each phase represents a different level of maturity, stability, and support.
Alpha: The Alpha release doesn't support external and guest recipients.
Beta: The Beta release supports external Gmail domains but not guests. Additionally, the Beta release supports the following:
Setting up a guest Identity Provider (IdP) for external recipients.
Sending emails to other Workspace domains (Gmail).
Sending emails to @gmail.com consumer accounts.
General availability (GA): The GA release will support guest recipients.
CipherTrust Manager version 2.20 and later supports Google's end-to-end encrypted email in its Beta and GA phases, once Google releases them.
Before enabling this client-side encryption, complete the prerequisites.
Prerequisites
The prerequisites include the following.
Create an environment and enroll it with Google.
Enable Google Workspace CSE for intended Gmail users (senders and recipients).
Open the Google Admin console, https://admin.google.com.
Log on to the user domain as a super admin.
Navigate to CSE settings: Data > Compliance > Client-Side Encryption.
Scroll down to the Apps section and click the Gmail link.
Select an organizational unit or group for which you want to enable Gmail CSE.
Under User access, select ON.
Save the settings.
The Assured Controls or Assured Controls Plus add-on is required. End-to-end encrypted email is only available when hardware key encryption is not used.
Enable Send to anyone
To enable "Send to anyone" from the Google Admin console:
Open the Google Admin console.
Log on to the user domain as a super admin.
Navigate to Data > Compliance > Client-Side Encryption > Gmail.
Under Send to anyone, click the Edit icon.
Enable Allow users to send client-side encrypted messages to recipients who aren't using S/MIME.
Click Save.
Note
External recipients are granted guest accounts. These accounts:
Reside within a dedicated organizational unit (OU) or group.
Are fully owned by the customer's organization.
Must adhere to the customer's organization's policies.
Are governed by admin controls that determine how guest users access them.
To enable "Send to anyone" for external Gmail domains and guests on CCKM, configure the KACLS endpoint as follows:
When creating a new KACLS endpoint or updating an existing one, set the value of allow_guest_access to true. Refer to Creating KACLS Endpoints and Updating a KACLS Endpoint for details.
Set the value of the authenticationAud parameter to the Client ID of the Guest Identity Provider that has been configured in your Google Admin console. The KACLS compares the aud claim of each authentication token it receives against this value, so a mismatch causes requests from guest recipients to be rejected. Refer to Additional Configurations for Guest Access on Google Admin Console for details.
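The following is an added example, not code from CipherTrust Manager or Google. It models the two settings called out above, checks that an endpoint configuration is ready for "Send to anyone", and shows the audience comparison that authenticationAud exists to support. Only the field names allow_guest_access and authenticationAud come from this page; the endpoint class, the function names, the sample endpoint values and the sample token claims are assumptions constructed for the example. The claims passed to audience_matches are assumed to come from a token whose signature has already been verified; this code does not verify signatures.

```python
"""
Added example (not CipherTrust Manager or Google code).

Assumptions, labelled here and in the lead-in:
- Only the CCKM field names `allow_guest_access` and `authenticationAud`
  are taken from the page; every other name is invented for illustration.
- `claims` is the payload of a JWT whose signature was ALREADY verified
  elsewhere. Never apply this audience check to an unverified token.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KaclsEndpoint:
    """Subset of a CCKM KACLS endpoint configuration (assumed shape)."""
    name: str
    url: str
    authentication_aud: str   # CCKM parameter: authenticationAud
    allow_guest_access: bool  # CCKM parameter: allow_guest_access


def send_to_anyone_update_body(ep: KaclsEndpoint) -> dict:
    """Body fragment you would send when updating the endpoint in CCKM.

    Uses the two parameter names from the page; wire format is assumed.
    """
    return {
        "allow_guest_access": ep.allow_guest_access,
        "authenticationAud": ep.authentication_aud,
    }


def check_send_to_anyone_ready(ep: KaclsEndpoint, guest_idp_client_id: str) -> list:
    """Return a list of problems; an empty list means the endpoint is ready.

    Encodes the requirements stated on the page plus a TLS sanity check.
    """
    problems = []
    if not ep.url.startswith("https://"):
        problems.append("endpoint URL must use https")
    if not ep.allow_guest_access:
        problems.append("allow_guest_access must be true")
    if not ep.authentication_aud:
        problems.append("authenticationAud must not be empty")
    elif ep.authentication_aud != guest_idp_client_id:
        problems.append("authenticationAud must equal the Guest IdP Client ID")
    return problems


def audience_matches(claims: dict, expected_aud: str) -> bool:
    """Compare a verified token's 'aud' claim with the configured audience.

    RFC 7519 allows 'aud' to be a single string or an array of strings;
    any other type (or a missing claim) is rejected.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == expected_aud
    if isinstance(aud, list):
        return expected_aud in aud
    return False


if __name__ == "__main__":
    # Constructed sample values; not real identifiers.
    guest_idp_client_id = "guest-idp-client-id-example"
    ep = KaclsEndpoint(
        name="kacls-gmail",
        url="https://kacls.example.com",
        authentication_aud=guest_idp_client_id,
        allow_guest_access=True,
    )
    print("problems:", check_send_to_anyone_ready(ep, guest_idp_client_id))
    print("update body:", send_to_anyone_update_body(ep))
    # Constructed claims, as if taken from an already-verified token.
    print("aud ok:", audience_matches({"aud": guest_idp_client_id}, ep.authentication_aud))
    print("aud ok:", audience_matches({"aud": ["other", guest_idp_client_id]}, ep.authentication_aud))
    print("aud ok:", audience_matches({"aud": "wrong-client-id"}, ep.authentication_aud))
```

Run check_send_to_anyone_ready against the endpoint record before flipping "Send to anyone" on in the Admin console: an authenticationAud that still points at the Workspace IdP client ID, rather than the Guest IdP client ID, passes every other check but will reject guest recipients at the audience comparison.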