Google is quietly reshaping how enterprise customers encrypt email. A new Gmail feature, now available in beta, introduces a streamlined toggle for applying client-side encryption (CSE) to emails. Rather than requiring certificate management or S/MIME setup, users can simply click a lock icon and select “additional encryption” when composing an email.
It’s a practical improvement for enterprise teams that deal with confidential data, and one that arrives as Google expands AI across its Workspace suite. As Gmail, Drive, and Sheets increasingly surface and summarize information before users ask for it, this new Gmail feature offers something different: visibility and control over what stays private.
Streamlined Security, Same Client-Side Architecture
This isn’t Google’s first foray into encrypted email. The underlying client-side encryption system for Gmail has been in place since its general availability in February 2023. What’s new is a more user-friendly path to securing message content.
Encrypted emails aren’t limited to internal users. When sent to recipients outside of Gmail or those not configured for S/MIME, Google routes the message through a secure Workspace-hosted portal. They’ll be prompted to sign into a guest Google Workspace account to view and reply to the email.
Once enabled by an admin, users can select “additional encryption” in the compose window. The body of the email, along with attachments and inline images, is encrypted in the user’s browser before being sent. Data is encrypted in the user’s browser before it is transmitted or stored, so Google servers can’t access the encryption keys or the encrypted data.
However, this isn’t end-to-end encryption in the strictest sense. Headers, subject lines, timestamps, and recipient lists remain unencrypted, allowing for standard routing and delivery. Importantly, administrators—via external key services—retain the ability to decrypt emails when authorized. This control enables compliance with legal holds and internal audits.
Enterprise Access and External Recipient Support
The simplified encryption toggle is only available through a new beta rollout and applies to users on Workspace Enterprise Plus, Education Plus, and Education Standard plans. Administrators must apply to access the feature and configure a compatible identity provider and key management system.
This compatibility expands use cases for organizations that need to correspond securely with clients or external partners.
Encryption in a Workspace Shaped by AI
The Gmail encryption update comes at a time when AI is becoming central to Google Workspace’s identity. In March, Gmail introduced an AI-powered search filter that prioritizes emails by engagement history, sender relevance, and previous queries—departing from traditional keyword sorting. Around the same time, Google Drive received “nudges” powered by Gemini AI that surface documents and generate automatic summaries based on user activity and collaboration.
These features speed up workflows—but they also raise privacy questions. How much content does Gemini need to scan to generate these recommendations? Google has emphasized that user data is not accessed for advertising or model training without consent, but as the AI layer grows more proactive, some organizations may want clearer boundaries around sensitive content.
The toggle, while small, could function as a visible checkpoint for privacy in a system that’s becoming increasingly predictive.
Administrative Control and Policy Integration
Client-side encryption integrates with existing Workspace security tools. Administrators manage encryption keys through external services and configure identity verification, maintaining control over data access policies.
For higher-assurance environments, Gmail encryption can be combined with Assured Controls and Assured Controls Plus, which restrict Google support staff access based on geographic and organizational rules. These features cater to industries with strict data residency or compliance requirements, such as finance or healthcare.
Google explains that “Assured Controls lets you define support access conditions for Google personnel,” offering additional layers of control alongside encryption. When combined, these tools give organizations more confidence in their ability to manage sensitive data without over-relying on vendor-side security guarantees.
Not a Feature Drop, But in the Same Spirit
Although the new encryption toggle isn’t formally part of Google’s “Feature Drop” program, it follows the same pattern. In early March 2025, Google’s first Workspace Feature Drop of the year included Gemini AI for data analysis in Sheets and video transcript search in Drive. This was followed by updates to Gmail and Drive nudges that showcase Google’s goal of more proactive productivity.
The toggle reflects another side of that evolution—not just about making workflows faster, but about making them safer. And while the core encryption capabilities have been available for more than a year, presenting them through an accessible toggle could nudge adoption among users who were put off by technical barriers.
Whether organizations embrace the toggle at scale may depend on how seamlessly it fits into existing processes—and how well it balances usability with the need for tighter privacy.
