Gmail is often praised for its convenience and seamless integration with Google Apps (now known as G Suite), but its security features are equally impressive. Native encryption and extensive administrative controls let businesses and users secure Gmail, reducing risk from outside attackers as well as malicious insiders. Gmail's built-in encryption has limits, but it can be strengthened with an additional layer of client-side encryption from third-party add-ons.
Gmail's default encryption protects mail as far as the mail protocols allow. Google encrypts messages both while they are stored on its servers (data at rest) and while they are being sent (data in motion). Like most security-conscious providers, Google uses Transport Layer Security (TLS) to encrypt mail in transit, via SMTP's STARTTLS extension. But SMTP TLS is opportunistic: it is only used when both the sending and the receiving mail server support it, so if the other side's provider does not, the message falls back to plaintext.
To make unencrypted delivery visible, Google began warning users when TLS cannot be used: an open red padlock means that a message you have received was not encrypted in transit, or that a message you are about to send probably will not be. Besides helping users, this has pushed some email vendors into adopting TLS.
Google for Work administrators can require TLS, so that their domain neither sends nor accepts messages that cannot be encrypted in transit. In the Google Admin console, go to Apps > Google Apps > Gmail > Advanced settings, then select your domain under "Organizations." You can require TLS for all inbound mail, all outbound mail, both, or only for specific domains and email addresses. A required-TLS rule means mail that cannot be protected is rejected rather than sent in the clear, so test it against your partners' domains before enforcing it broadly.
An additional Gmail encryption plugin can close the remaining gap. TLS is hop-by-hop (point-to-point) encryption, not end-to-end: when you send mail, your browser opens a TLS connection to Google's server, the message travels encrypted over that connection, and Google's server decrypts it. The server then opens its own TLS connection to the next server and repeats the process, hop after hop, until the message reaches your recipient's server. At every hop the message sits in plaintext on that server.
If both parties use Gmail, every hop stays inside Google's infrastructure and the risk of the message being intercepted in transit is very low. But if your recipient's email service does not support TLS, the final hop is sent unencrypted. Even when both ends support TLS, the message may be relayed through a compromised or misconfigured server outside Google's network, where it is decrypted and readable by whoever controls that server. And because STARTTLS is opportunistic, an attacker on the path can strip the STARTTLS offer and force a plaintext session unless the sending side enforces TLS.
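Because each hop records itself in a Received: header, you can check after the fact whether a message travelled over TLS the whole way. The following is an added example, not code from the original article: it unfolds the headers, classifies each hop by the "with" protocol keyword (ESMTPS/ESMTPSA mean TLS) or by the TLS comment that Gmail and Postfix add, and reports any hop that moved the message in the clear. The sample headers are constructed for this example; the host names and IDs in them are placeholders.

```javascript
'use strict';
// Added example (not from the original article): audit the Received: trail of a
// delivered message and flag every hop that was not protected by TLS. The sample
// headers at the bottom are constructed for this example, not captured mail.

// Unfold RFC 5322 header lines (continuations start with whitespace) and return
// the Received: headers in the order they appear, which is newest hop first.
function receivedHeaders(rawHeaders) {
  const unfolded = rawHeaders.replace(/\r?\n[ \t]+/g, ' ');
  return unfolded
    .split(/\r?\n/)
    .filter((line) => /^received:/i.test(line))
    .map((line) => line.replace(/^received:\s*/i, ''));
}

// Classify one hop. The "with" clause uses IANA-registered keywords: ESMTPS and
// ESMTPSA mean the session ran over TLS; SMTP, ESMTP and ESMTPA mean it did not
// (ESMTPA is authenticated, not encrypted). Gmail's MXs also record the negotiated
// version as "(version=TLS1_3 ...)", Postfix as "(using TLSv1.2 ...)".
function classifyHop(received) {
  const from = (/\bfrom\s+(\S+)/i.exec(received) || [])[1] || null;
  const by = (/\bby\s+(\S+)/i.exec(received) || [])[1] || null;
  const withClause = /\bwith\s+([A-Za-z0-9]+)/i.exec(received);
  const protocol = withClause ? withClause[1].toUpperCase() : null;
  const tlsKeyword = protocol === 'ESMTPS' || protocol === 'ESMTPSA';
  const tlsComment = /\b(version=TLS|using TLSv)/i.test(received);
  return { from, by, protocol, tls: tlsKeyword || tlsComment };
}

// Every hop, plus the subset that carried the message in the clear.
function auditTransport(rawHeaders) {
  const hops = receivedHeaders(rawHeaders).map(classifyHop);
  return { hops, clearHops: hops.filter((hop) => !hop.tls) };
}

// Constructed sample: three hops; the middle one (a relay outside Google's
// network) accepted the message over plain ESMTP.
const SAMPLE = [
  'Received: from relay.example-isp.net (relay.example-isp.net. [203.0.113.10])',
  '        by mx.google.com with ESMTPS id abc123',
  '        for <alice@example.com>',
  '        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);',
  '        Mon, 1 Jan 2024 10:00:02 -0800 (PST)',
  'Received: from smtp.sender-corp.example (smtp.sender-corp.example [198.51.100.7])',
  '        by relay.example-isp.net with ESMTP id def456;',
  '        Mon, 1 Jan 2024 10:00:01 -0800 (PST)',
  'Received: from workstation.sender-corp.example (unknown [10.0.0.5])',
  '        by smtp.sender-corp.example with ESMTPSA id ghi789',
  '        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384);',
  '        Mon, 1 Jan 2024 10:00:00 -0800 (PST)',
  'From: bob@sender-corp.example',
  'Subject: quarterly numbers',
].join('\n');

const { hops, clearHops } = auditTransport(SAMPLE);
for (const hop of hops) {
  console.log(`${hop.from} -> ${hop.by}: ${hop.protocol} tls=${hop.tls}`);
}
console.log(clearHops.length
  ? `WARNING: ${clearHops.length} hop(s) carried the message unencrypted`
  : 'every hop used TLS');
```

Treat this as a diagnostic rather than a guarantee: Received: headers are written by each relay and a hostile one can forge or omit its own line, so a clean trail only tells you that the servers that were honest about themselves used TLS.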
Having a single company hold both your data and the encryption keys also carries inherent risk: Google can be compelled to disclose your mail, and a malicious insider could read it. A third-party Gmail encryption plugin that keeps the keys out of Google's hands removes that exposure.
Not all Google email encryption plugins are equally secure. Native Gmail encryption's advantages are that it is automatic and works with most recipients; your add-on should match that ease of use and offer even broader interoperability.
Look for a provider that offers one-click encryption and can deliver encrypted mail to any recipient, even one who has not installed anything. Easy setup matters too: encryption should work as a browser add-on that installs quickly with little or no configuration.
Your Gmail encryption plugin should also address the weaknesses of TLS. Choose client-side encryption that protects the message and its attachments themselves, rather than the connection between servers. A client-side encrypted message is encrypted in your browser before it leaves your machine and stays encrypted, on every relay and in Google's mailbox storage, until your intended recipient opens it. Even if an attacker intercepts it in transit or reads it off a relay, they get only ciphertext.
Unfortunately, many secure Google encryption plugins cannot prevent insider threats at the plugin vendor itself. If your encryption provider has access to both your keys and your encrypted mail, someone inside that company could read your messages. Look for a provider that stores only your keys and lets Google continue to hold the encrypted messages. Split that way, neither party can decrypt on its own: the provider has keys but no ciphertext, and Google has ciphertext but no keys, so neither can read your messages, or hand them over to a government agency, by itself.
However, even if your encryption provider has strong policies against disclosing your keys, a government agency could in principle compel it to hand them over and then obtain the encrypted messages through Google. Organizations with strict security and compliance needs should choose a provider that offers Hardware-Backed Encryption Key Management (HEKM). This lets users hold their own keys in a container-hosting platform or secure hardware device of their choosing, so nothing can be decrypted without the organization's cooperation, and without sacrificing convenience.
Finally, your secure email plugin should support Google Apps encryption as well. Google Apps relies on the same TLS-in-transit, Google-held-keys model as Gmail, so it shares the same weaknesses. Client-side encryption that works with both Gmail and Google Apps protects your files and documents as well as your emails and attachments.
Reinforcing native Gmail encryption with strong, data-centric encryption closes these gaps and ensures that no third party can read your content: not attackers, not Google, and not even your encryption provider.