How to Encrypt Email in Gmail (2026)
Gmail supports four different encryption systems plus third-party PGP tools, each with a different security model. Most people only need one or two. Picking the wrong one wastes money or — worse — gives you a false sense of security on emails that aren’t actually protected.
- TLS — Encrypts email in transit between mail servers. On by default. Doesn’t protect email at rest.
- Confidential mode — Google’s permission system that revokes access and requires authentication. Body is not encrypted from Google.
- S/MIME — Public-key encryption available in Google Workspace. End-to-end if you trust the certificate authorities.
- Client-side encryption (CSE) — Workspace Enterprise Plus and Education Plus. Keys live with you, not Google. The strongest option Google offers natively.
- Third-party PGP (FlowCrypt, Virtru) — Works on any Gmail account, including personal.
1. TLS — Default, But Not Really “Encryption”
Every email Gmail sends or receives uses Transport Layer Security (TLS) if the other server supports it. As of 2026, TLS coverage is essentially universal — the only servers without it are old self-hosted Postfix installations and some IoT devices.
TLS protects email between mail servers — Gmail to Outlook, Outlook to Apple Mail, etc. Once the message arrives in the recipient’s inbox, it sits decrypted in their mailbox. Google can read it; the recipient’s server can read it; admins on either side can read it.
Verify TLS for a specific message
- Open the email in Gmail.
- Click the three-dot menu in the top-right of the message.
- Select Show original.
- Look at the Received header lines for entries like:
Received: ... by mx.google.com with ESMTPS id ... (using TLSv1.3) tls=TLS_AES_256_GCM_SHA384
If you see a TLS version or cipher in the headers, the message was encrypted in transit. If you don’t, the message moved over plain SMTP. Each Received line is one hop, so check all of them: a message that reached Google over TLS may still have travelled an earlier hop in the clear.
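Doing this check by hand gets tedious for multi-hop messages, so here is an added shell example (not from the article) that reads a saved Show original text file, unfolds the Received: headers and flags each hop as TLS or plain SMTP. It goes slightly beyond the page by also recognising the Postfix/Exim style markers; the header sample inside it is constructed, with one hop deliberately in the clear.

```shell
#!/bin/sh
# Added example, not from the article: classify the Received: hops of a message
# saved from Gmail's "Show original" as TLS or plain SMTP. Needs POSIX sh, awk, grep.

# Join folded header lines so each header is one line; stop at the header/body blank line.
unfold_headers() {
  awk '
    /^$/ { if (cur != "") print cur; cur = ""; exit }
    /^[ \t]/ { cur = cur " " $0; next }
    { if (cur != "") print cur; cur = $0 }
    END { if (cur != "") print cur }
  ' "$1"
}

# Markers of a TLS-protected hop: Google's "with ESMTPS ... (version=TLS1_3 ...)",
# Postfix/Exim "with ESMTPS ... (using TLSv1.3 ...)". Absence means plain SMTP.
TLS_PATTERN='ESMTPS|version=TLS|TLSv1'

tls_hops()   { unfold_headers "$1" | grep -i '^Received:' | grep -ciE "$TLS_PATTERN" || true; }
plain_hops() { unfold_headers "$1" | grep -i '^Received:' | grep -civE "$TLS_PATTERN" || true; }

# One line per hop, newest first (as in the headers), tagged TLS or PLAIN.
transit_report() {
  unfold_headers "$1" | grep -i '^Received:' | while IFS= read -r hop; do
    if printf '%s\n' "$hop" | grep -qiE "$TLS_PATTERN"; then
      printf 'TLS   %s\n' "$hop"
    else
      printf 'PLAIN %s\n' "$hop"
    fi
  done
}

# Constructed sample: two TLS hops and one legacy device that relayed in the clear.
sample_headers() {
  cat <<'EOF'
Received: by mx.google.com with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 03 Feb 2026 09:15:02 -0800 (PST)
Received: from relay.example.net (relay.example.net [203.0.113.10])
        by mail.example.org with ESMTPS id xyz789 (using TLSv1.3);
        Tue, 03 Feb 2026 09:15:01 -0800 (PST)
Received: from scanner.example.org (scanner.example.org [192.0.2.7])
        by relay.example.net with SMTP id def456;
        Tue, 03 Feb 2026 09:15:00 -0800 (PST)
From: alerts@example.org
Subject: Scan to email

(body)
EOF
}

f=$(mktemp); sample_headers > "$f"; transit_report "$f"; rm -f "$f"
```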
What TLS doesn’t protect
- The message at rest in your mailbox or the recipient’s mailbox.
- The message body from Google’s automated content scanning (which Google does for spam, phishing, and feature surfacing).
- Anything once it’s been delivered.
For most professional email, TLS is enough. For anything sensitive — legal, medical, financial — it isn’t.
2. Confidential Mode — Permissions, Not Encryption
Confidential mode is the Gmail feature most people reach for when they want to send “private” email. It’s a useful tool, but it’s not encryption in the traditional sense.
How it works
When you send a Confidential mode email, the recipient doesn’t get the message — they get a notification email containing a link. Clicking the link takes them to a Google-hosted viewer where they read the content after authenticating (Google login or SMS code). You can revoke access at any time.
Send a Confidential mode email
- Click Compose.
- In the bottom toolbar of the compose window, click the lock-and-clock icon (Toggle confidential mode).
- In the dialog:
- Expiration date — 1 day, 1 week, 1 month, 3 months, or 5 years.
- Passcode — None (Google login required) or SMS (code sent to recipient’s phone, which you must provide).
- Click Save.
- Compose and Send.
What Confidential mode protects
- Recipients cannot forward, copy, print, or download the message body.
- You can revoke access after sending (Sent → open message → Remove access).
- After the expiration date, the link stops working.
What Confidential mode does NOT protect
- Google can still read the message. It’s stored on Google’s servers in a form Google’s keys can decrypt.
- Screenshots are trivial. Anyone with access can take a screenshot of the viewer.
- The notification email itself is not encrypted. Anyone who intercepts SMTP traffic can see who sent what to whom and when.
- Attachments follow the same rules. They’re stored on Google’s servers and accessed through the same viewer.
For sharing internal information that you want to be able to revoke access to later — board packets, draft contracts, pre-announcement details — Confidential mode is fine. For genuinely sensitive material that must be secret from Google, it isn’t enough.
3. S/MIME — End-to-End for Workspace
S/MIME (Secure/Multipurpose Internet Mail Extensions) is the same public-key encryption standard available in Outlook. Available in Google Workspace plans Enterprise, Education Standard / Plus, and certain Business plans with the right add-ons. Not available on personal Gmail accounts.
S/MIME provides:
- End-to-end encryption — only the recipient’s private key can decrypt the message body.
- Digital signatures — the recipient can verify the email actually came from you (and wasn’t altered).
Admin setup (one-time)
- Sign in to admin.google.com.
- Go to Apps → Google Workspace → Gmail → User settings.
- Find S/MIME and turn on Enable S/MIME encryption for sending and receiving emails.
- Decide how users obtain certificates:
- Allow users to upload their own (cheapest; users get certificates from a CA themselves).
- Provision via your CA integration (best for managed environments).
- Click Save.
User setup
Each user must upload their own S/MIME certificate:
- Get an S/MIME certificate from a Certificate Authority (DigiCert, Sectigo, GlobalSign, or your internal PKI).
- In Gmail, click the gear icon → See all settings.
- Go to Accounts and Import.
- Click Upload your personal S/MIME certificate.
- Browse to your .pfx or .p12 file and enter the password.
- Save.
Send an S/MIME-encrypted message
- Click Compose.
- Type the recipient’s email address.
- Look for the lock icon to the right of the recipient name. It indicates the encryption level Gmail can use:
- Green lock — S/MIME encryption available (both sides have certificates).
- Gray lock — TLS only.
- Red lock — No encryption available at all (rare).
- To force a higher encryption level, click the lock and choose your minimum requirement.
- Compose and Send.
Limitations
- Both sender and recipient need certificates and must have exchanged public keys (usually via a previously signed message).
- Mobile support is limited. Gmail iOS/Android can read S/MIME messages but composing encrypted ones is best done on desktop.
- Subject lines are not encrypted. Anyone scanning network traffic still sees the subject.
- You’re trusting the CA. If the certificate authority is compromised or coerced, the encryption can be undermined.
4. Client-Side Encryption (CSE) — Strongest Native Option
Client-side encryption is Google’s answer to the criticism that S/MIME and Confidential mode still leave Google holding decryption keys. With CSE, the encryption keys live with an external key management service (KMS) you control, and Google’s servers cannot decrypt the message.
Available in:
- Workspace Enterprise Plus
- Education Standard and Education Plus
- Some Frontline plans
CSE supports Gmail, Drive, Docs, Sheets, Slides, Meet, and Calendar. It is not available on personal Gmail or Workspace Business plans.
Admin setup
- Sign in to admin.google.com.
- Go to Security → Access and data control → Client-side encryption.
- Connect to an external key service. Google supports:
- Thales CipherTrust
- Fortanix Data Security Manager
- Stormshield Data Security
- Virtru Private Keystore
- Self-hosted KACLS (Key Access Control List Service) endpoint
- Connect to an identity provider for separate authentication to the KMS (typically Okta, Ping Identity, Microsoft Entra, or your own IdP).
- Enable CSE for specific organizational units — usually starting with a small pilot OU.
User experience
Once enabled, users see a shield icon in the Gmail compose toolbar:
- Click Compose.
- Click the shield icon in the bottom toolbar (Add encryption).
- Confirm authentication with your IdP if prompted.
- Compose the message normally.
- Send.
The recipient must also be on a Workspace tenant with CSE enabled (or use the Virtru viewer for external access). The message body is encrypted on the sender’s device with a key the recipient is authorized to access — Google’s servers see only ciphertext.
Why CSE is the strongest option
- Google cannot decrypt the message. Not for legal requests, not for spam scanning, not for anything.
- Keys live with you. You can revoke access by revoking the key.
- Compliant with regulations that require key sovereignty (HIPAA, ITAR, CJIS, certain GDPR scenarios).
The catch: setup is real work, the licenses are expensive, and there’s a per-user KMS cost on top of Workspace fees. CSE makes sense for regulated industries and high-security organizations. For most teams, S/MIME is the right tradeoff.
5. Third-Party PGP Tools (Personal Gmail and Workspace Business)
If you’re on personal Gmail or a Workspace plan that doesn’t include S/MIME or CSE, third-party tools fill the gap.
FlowCrypt (open-source, PGP-based)
FlowCrypt is a Chrome and Firefox extension that adds PGP encryption directly into the Gmail compose window. Free for personal use; paid plans for teams.
- Install the FlowCrypt extension from the Chrome Web Store.
- Open Gmail and follow the setup wizard — generate a new PGP key pair or import an existing one.
- When composing, click the Encrypt button FlowCrypt adds to the toolbar.
- The recipient either has FlowCrypt (or another PGP client) and decrypts the message normally, or receives a link to a FlowCrypt-hosted viewer with a password you share separately.
Virtru (proprietary, easier UX)
Virtru wraps Gmail in a key-wrapping system that doesn’t require recipients to install anything. The sender installs the Virtru extension; recipients without Virtru read messages through a Virtru-hosted secure viewer.
- Better for sending to non-technical recipients.
- Adds a Virtru toggle in the compose window.
- Supports revoke-after-send, expiration, watermarking, and prevention of forwarding.
- Used heavily in healthcare, education, and government for HIPAA / FERPA / CJIS workflows.
Mailfence and ProtonMail (separate accounts, not Gmail extensions)
If you need true zero-knowledge email and don’t need to keep using Gmail, services like Mailfence and ProtonMail offer end-to-end encrypted accounts where the provider has no ability to decrypt your messages. They’re separate from Gmail entirely — you can’t encrypt a Gmail account with them.
6. Compliance Checklist by Scenario
| Scenario | Right encryption choice |
|---|---|
| HIPAA-covered communications (US healthcare) | CSE (Workspace Enterprise Plus) or Virtru with a signed BAA |
| Attorney-client privileged email | CSE for sensitive matters; S/MIME for routine privilege; Confidential mode for low-stakes |
| Financial services (FINRA, SOX) | CSE for material nonpublic information; S/MIME for routine; archive everything |
| Government / CJIS / ITAR | CSE with a FedRAMP-authorized KMS |
| EU GDPR with key sovereignty requirements | CSE with a KMS hosted in the EU |
| General “I want this private from outsiders” | S/MIME if available; otherwise Confidential mode |
| General “I want this private from Google” | CSE or third-party PGP — Confidential mode does not meet this bar |
| Marketing or sales follow-up | TLS (default) is fine |
7. Common Issues
“The lock icon next to the recipient is gray.” TLS is in use, but S/MIME isn’t possible — either you don’t have a certificate, the recipient doesn’t, or you haven’t exchanged signed messages yet. Send the recipient a digitally signed message first; their mail client will save your public key, and they can do the same for you.
“Confidential mode isn’t available.” Workspace admin has disabled it. Check with your admin, or send from a personal Gmail account if appropriate.
“The CSE shield icon isn’t appearing.” Confirm your account is in an OU that has CSE enabled, you’re authenticated with your IdP, and your Workspace plan includes CSE.
“The recipient’s email client doesn’t show my S/MIME signature.” Some clients (Apple Mail, Outlook, Thunderbird) handle S/MIME natively; others (mobile webmail clients) may show the signature as an attachment instead. Recipients need an S/MIME-aware client to verify signatures cleanly.
“How do I encrypt the subject line?” You can’t. The subject is a message header, not part of the encrypted body, so S/MIME, Confidential mode, and CSE all leave it readable. Don’t put sensitive information in the subject.
Quick Reference
| Method | Encryption type | Available on | Recipient experience |
|---|---|---|---|
| TLS | Server-to-server | All Gmail | Native (no indicator) |
| Confidential mode | Permission system + at-rest | All Gmail | Link → portal view |
| S/MIME | End-to-end (PKI-based) | Workspace Enterprise / Education / certain Business | Native if recipient also has S/MIME |
| Client-Side Encryption | End-to-end (external KMS) | Workspace Enterprise Plus / Education Plus / Frontline | Native if recipient is on CSE |
| FlowCrypt / Virtru | End-to-end (PGP / proprietary) | All Gmail | Native if installed; portal otherwise |
Stop Sending Sensitive Replies in the First Place
Encryption protects email you’ve decided to send. Carly is an AI assistant that connects to 200+ apps, drafts and routes replies, and helps you avoid sending sensitive information to the wrong person by auto-checking against your CRM and contact data. Carly is $35/month.