topic Re: Additional email encryption for Gmail in Peer-Peer Topics

Additional email encryption for Gmail

Dean_Mantz — Wed, 31 Jan 2024 17:03:36 GMT

I am working on a state cybersecurity grant and would like to include the purchase/subscription for a service or tool to encrypt our Gmail messages beyond what Google already provides. What options would you folks recommend? Any besides Virtru and Mailvelope?

Thanks in advance for any advice shared!

Re: Additional email encryption for Gmail

brodgers — Wed, 31 Jan 2024 17:43:51 GMT

We use Zix Advanced Email Encryption. It becomes the outbound gateway for Gmail. You can configure it to automatically encrypt if it catches items such as SSNs or bank accounts. Encryption can be manually triggered by a subject line keyword.

Re: Additional email encryption for Gmail

Dean_Mantz — Wed, 31 Jan 2024 20:42:26 GMT

Thank you, @brodgers! I will look into Zix Advanced.

Re: Additional email encryption for Gmail

Antonio — Thu, 01 Feb 2024 09:08:14 GMT

With Workspace Education Plus License you can sign and encrypt your messages of email with digital cetificate using S/MIME

https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F6374496%3Fhl%3Den&assistant_id=generic-unu&product_context=6374496&product_name=UnuFlow&trigger_context=a

Re: Additional email encryption for Gmail

Kim_Nilsson — Thu, 01 Feb 2024 09:13:44 GMT

Mailvelope is hardcore E2EE! I like! ❤️

But, it's more likely that the recipient has S/MIME.

Either way, both those methods require exchanging public keys before sending the first encrypted email.

Gmail's built-in Confidential Mode, or simply sharing a Document, does not require any such previous exchange.

That's also what some external services offer, a way to "send secure email" without prior arrangement with the recipient.

HOWEVER, none of that is defined as true E2EE, as that requires only you and the recipient holds the crypto keys, nobody else.

Re: Additional email encryption for Gmail

JimmyR — Thu, 01 Feb 2024 13:45:09 GMT

We are also using Zix Advanced Encryption for outbound. Like what brodges said, encryption can be triggered based on keywords or other determined options that are available such as FERPA content. If the recipient is also a Zix customer, we allow the message to be released to the recipient. If they aren't a Zix customer, we keep our messages in the delivery portal so they are "contained" for lack of a better word.

Re: Additional email encryption for Gmail

chrisb — Fri, 02 Feb 2024 02:36:00 GMT

I'm curious as to why you'd feel the need to do this. Is the standard Gmail encryption not sufficient?

I believe in the Plus edition of WS there is also the option to allow the domain owner to hold their own key rather than use the one from Google

Re: Additional email encryption for Gmail

Kim_Nilsson — Fri, 02 Feb 2024 10:34:26 GMT

Exactly, CSE (client side encryption) for Gmail isn't the same as Hosted S/MIME, which does mean that Google holds the keys, but is still better than not encrypting the email, since we trust Google.

CSE for Gmail moves the keys away from Google to a separate "system".

Re: Additional email encryption for Gmail

Dean_Mantz — Sun, 04 Feb 2024 17:19:06 GMT

I am trying to cross my T's and dot my I's to make sure that confidential information is truly being transmitted securely and only accessible between the appropriate end users.

Re: Additional email encryption for Gmail

Kim_Nilsson — Mon, 05 Feb 2024 07:38:04 GMT

Not sending it via email is then your best option.

Only share via Drive, with time limited access.

Re: Additional email encryption for Gmail

hanker — Mon, 05 Feb 2024 14:52:50 GMT

Kim I love what you do, but I'd really love to pick the brains of a few of your staff and see if they really follow all the rules like you lay out 🙂

Re: Additional email encryption for Gmail

Kim_Nilsson — Mon, 05 Feb 2024 15:35:09 GMT

Haha, things that I haven't locked down hard are always things rogue users can do, but I do my best to make sure that it's as easy as possible to do right, while also making it hard to do wrong. 🙂

Re: Additional email encryption for Gmail

Ivan — Thu, 08 Feb 2024 17:09:38 GMT

You can enforce TLS between certain domains (domains you share personal information with for example) as Google will use TLS if it can, but will still route your emails if it can't use TLS the entire path. If you go into Google Admin > Apps > Gmail > Compliance > Secure transport (TLS) compliance.

Here you can specify domains where TLS is required for email transport. If it can't establish TLS in the entire route between, the email drops. More info here: https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F2520500%3Fhl%3Den&assistant_id=generic-unu&product_context=2520500&product_name=UnuFlow&trigger_context=a

Re: Additional email encryption for Gmail

Kim_Nilsson — Mon, 12 Feb 2024 11:19:10 GMT

Yup, in our O365 and Workspace we have done that for emails to/from the police, immigration service, and our national social-benefits department (Försäkringskassan).

Re: Additional email encryption for Gmail

MattCraig — Thu, 29 Feb 2024 18:01:20 GMT

Nice thread. I'm researching enabling S/MIME here in Google Workspace. It looks like there is NO way to add the certificate for ALL users in a domain or OU.

Even if I 'Add' one here in the pic below, that is purely 'additional'? and the cert still has to be added user by user, either with GAM or in their Gmail settings. Am I understanding this correctly?