What’s changing
Gmail now allows users with hardware keys, such as PIV/CAC smartcards, to directly manage their digital signature and encryption certificates within Gmail settings. Prior to this update, admins needed to upload encryption keys for their users – now users can configure their own keys in Gmail, without needing an admin.
Gmail > Settings > Accounts > Encryption certificates
Additional details
While Workspace encrypts data at rest and in transit by using secure-by-design cryptographic libraries, client-side encryption ensures that you have sole control over encryption keys and access to your data. Client-side encryption ensures sensitive data in the email body and attachments are indecipherable to Google servers — you retain control over encryption keys and the identity service to access those keys. For more information, check out our original announcement and the Workspace blog.
Getting started
- Admins: In order for your users to add certificates from a hardware key, you must first enable the Workspace Hardware Keys application and install it on user machines.
- End users: Visit the Help Center to learn more about using hardware keys for encryption.
Rollout pace
- Rapid and Scheduled Release domains: Available now.
Availability
- Available for Google Workspace Enterprise Plus customers with Assured Controls and Assured Controls Plus.