Additional email encryption for Gmail

Dean_Mantz
Contributor

I am working on a state cybersecurity grant and would like to include the purchase/subscription for a service or tool to encrypt our Gmail messages beyond what Google already provides. What options would you folks recommend? Any besides Virtru and Mailvelope? 

Thanks in advance for any advice shared! 

14 REPLIES

brodgers
New Contributor III

We use Zix Advanced Email Encryption.  It becomes the outbound gateway for Gmail.  You can configure it to automatically encrypt if it catches items such as SSNs or bank accounts.  Encryption can be manually triggered by a subject line keyword.

Thank you, @brodgers! I will look into Zix Advanced. 

Antonio
New Contributor

With a Workspace Education Plus license you can sign and encrypt your email messages with a digital certificate using S/MIME.

https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com...

Kim_Nilsson
Admin Moderator

Mailvelope is hardcore E2EE! I like! ❤️

But, it's more likely that the recipient has S/MIME.

Either way, both those methods require exchanging public keys before sending the first encrypted email.

Gmail's built-in Confidential Mode, or simply sharing a Document, does not require any such previous exchange.

That's also what some external services offer, a way to "send secure email" without prior arrangement with the recipient.

HOWEVER, none of that is defined as true E2EE, as that requires that only you and the recipient hold the crypto keys, nobody else.

--
https://wheretofind.me/@NoSubstitute

JimmyR
New Contributor III

We are also using Zix Advanced Encryption for outbound. Like what brodgers said, encryption can be triggered based on keywords or other determined options that are available, such as FERPA content. If the recipient is also a Zix customer, we allow the message to be released to the recipient. If they aren't a Zix customer, we keep our messages in the delivery portal so they are "contained", for lack of a better word.

chrisb
Staff

I'm curious as to why you'd feel the need to do this.  Is the standard Gmail encryption not sufficient?

I believe in the Plus edition of WS there is also the option to allow the domain owner to hold their own key rather than use the one from Google.

 


Google for Education
Sydney Australia

Exactly, CSE (client side encryption) for Gmail isn't the same as Hosted S/MIME, which does mean that Google holds the keys, but is still better than not encrypting the email, since we trust Google.

CSE for Gmail moves the keys away from Google to a separate "system".

--
https://wheretofind.me/@NoSubstitute

I am trying to cross my T's and dot my I's to make sure that confidential information is truly being transmitted securely and only accessible between the appropriate end users. 

Kim_Nilsson
Admin Moderator

Not sending it via email is then your best option.

Only share via Drive, with time limited access.

--
https://wheretofind.me/@NoSubstitute

hanker
New Contributor III

Kim I love what you do, but I'd really love to pick the brains of a few of your staff and see if they really follow all the rules like you lay out 🙂

Haha, things that I haven't locked down hard are always things rogue users can do, but I do my best to make sure that it's as easy as possible to do right, while also making it hard to do wrong. 🙂

--
https://wheretofind.me/@NoSubstitute

Ivan
New Contributor II

You can enforce TLS between certain domains (domains you share personal information with, for example), as Google will use TLS if it can, but will still route your emails if it can't use TLS the entire path. Go into Google Admin > Apps > Gmail > Compliance > Secure transport (TLS) compliance.

Here you can specify domains where TLS is required for email transport. If it can't establish TLS in the entire route between, the email drops. More info here: https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com...
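Added example (not part of the original post, and not Google's code): a way to audit whether a delivered message actually crossed each hop over TLS, by reading the `Received` headers that each receiving server writes. The host names, addresses and the sample message are constructed; the function names are hypothetical.

```python
import re
from email import message_from_string

# RFC 3848 / RFC 6531 "with" keywords that mean the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
COMMENT_RE = re.compile(r"\([^()]*\)")
TLS_NOTE_RE = re.compile(r"\bTLS\s*v?1[._]\d", re.I)  # "TLSv1.3", "version=TLS1_3"

def strip_comments(text):
    """Remove parenthesised comments, including nested ones."""
    prev = None
    while prev != text:
        prev, text = text, COMMENT_RE.sub(" ", text)
    return text

def hop_report(raw_message):
    """Return one dict per Received header, oldest hop first."""
    hops = []
    for value in reversed(message_from_string(raw_message).get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        bare = strip_comments(flat)     # so "with cipher" is not read as the protocol
        by = re.search(r"\bby\s+([^\s;]+)", bare, re.I)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", bare, re.I)
        proto = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append({"by": by.group(1) if by else "unknown", "protocol": proto,
                     "tls": proto in TLS_PROTOCOLS or bool(TLS_NOTE_RE.search(flat))})
    return hops

def plaintext_hops(raw_message):
    """Receiving hosts whose Received line shows no evidence of TLS."""
    return [h["by"] for h in hop_report(raw_message) if not h["tls"]]

# Constructed sample: the last hop, into the partner domain, fell back to plain ESMTP.
SAMPLE = """\
Received: from relay.school.example (relay.school.example [192.0.2.25])
 by mx.partner.example with ESMTP id c3 for <case@partner.example>;
 Tue, 05 Mar 2024 10:00:03 +0000
Received: from gw.school.example (gw.school.example [192.0.2.10])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
 by relay.school.example (Postfix) with ESMTPS id b2; Tue, 05 Mar 2024 10:00:02 +0000
Received: from client.school.example (client.school.example [192.0.2.5])
 by gw.school.example with ESMTPS id a1
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 05 Mar 2024 10:00:01 +0000
Subject: constructed test message

body
"""
```

Hops inside a single provider often record plain SMTP, and `Received` lines written upstream of your own servers can be forged, so weigh the hop where mail crosses into or out of the partner domain.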

Yup, in our O365 and Workspace we have done that for emails to/from the police, immigration service, and our national social-benefits department (Försäkringskassan).

--
https://wheretofind.me/@NoSubstitute

MattCraig
New Contributor

Nice thread. I'm researching enabling S/MIME here in Google Workspace. It looks like there is NO way to add the certificate for ALL users in a domain or OU.

Even if I 'Add' one here in the pic below, that is purely 'additional'? and the cert still has to be added user by user, either with GAM or in their Gmail settings. Am I understanding this correctly?

MattCraig_0-1709229561446.png