Gmail encryption: how to encrypt & send secure email
How to encrypt & securely send Gmail email messages & attachments
This blog post discusses the encryption used for Gmail email and why attachment security is not good enough for confidential documents. We cover how to prevent forwarding, printing and sharing after an attachment has been downloaded and decrypted.
While some enterprises are phasing out email in favor of workplace chat, it remains a core way to share files inside and outside of organizations. So how good is Gmail for email encryption and sending secure message attachments?
What is Gmail encryption?
Gmail encryption is the protection of email messages and attachments via the use of TLS (Transport Layer Security) or optionally S/MIME (Secure MIME) for paid enterprise accounts.
- TLS encrypts the communications channel – data sent over the Internet is encrypted in transit, which prevents spoofing by a hacker. As soon as a message is delivered to the mail server it is decrypted.
- S/MIME provides end-to-end encryption. It individually encrypts emails – messages are encrypted in transit and at rest on the mail server. Decryption occurs at the client’s inbox (private key must be present and valid).
Is Gmail encrypted?
By default, all messages (both message text and attachments) you send using Gmail are encrypted while in transit (from device to server) as long as the receiving server supports TLS. If the recipient is using a mail server that doesn’t support TLS then messages won’t be encrypted.
- For free Gmail accounts, TLS encryption is the only option.
- For companies using paid Google Workspace Enterprise accounts, S/MIME is available as an option. This encrypts emails using user-specific keys so that messages are protected in transit and at rest. Users can also digitally sign emails to verify their identity. Just like TLS, S/MIME works only if both the sender and recipient are using a service that supports it. It adds complexity, since both parties must exchange keys in advance for the encryption to work, and potentially cost, if certificates are purchased through a CA (Certificate Authority).
So Gmail encryption only encrypts email messages and attachments under specific circumstances. If you want to use Gmail encryption to protect attachments that contain sensitive information from unauthorized access, then you must use S/MIME. If you want to prevent authorized users forwarding and sharing sensitive or confidential emails, then you must use confidential mode. However, this has fundamental flaws (which we cover below), one of the main ones being that restrictions are only enforced by the Gmail app and not by third-party email clients, so they won’t work with most business email systems.
How to encrypt email in Gmail
- If you are using a free Gmail account, just compose a message, add any attachments, and press send. TLS encryption will be used if supported by the recipient’s mail server.
- For paid Google Workspace Enterprise and Education accounts you have to configure TLS or configure S/MIME before you can send an encrypted email in Gmail. Note that if you enforce TLS encryption and the recipient server does not support it, then outgoing messages won’t be delivered and incoming messages will be automatically rejected without any notification.
How do I know if an email has been sent encrypted?
For free Gmail accounts there is no indication.
For accounts with a Google Workspace subscription that supports S/MIME encryption, a padlock icon is shown next to the recipient address when composing a new message.
- a grey padlock icon means that the message will be sent using TLS.
- a green padlock means that the message will be sent using S/MIME.
- a red padlock icon is displayed for unencrypted email.
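The padlock only tells the sender what Gmail intends to do. On the receiving side, the record of what actually happened is in the Received headers: each server that handled the message notes whether the hop used ESMTPS (TLS) or plain ESMTP. As an added example that is not part of the original article, this Python script audits a constructed message hop by hop; the header values are made up and the host names are placeholders.

```python
import re
from email import message_from_string

# Constructed sample: one message that crossed two hops. Values are invented for
# illustration (not captured from a real mailbox). Gmail-style "Received" lines
# record the SMTP variant used ("with ESMTPS" = TLS, "with ESMTP" = plaintext)
# and, when TLS was used, a "version=... cipher=..." clause.
SAMPLE_RAW = """\
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.example.org with ESMTPS id k7-20020a05
        for <bob@example.org>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 2 Jan 2024 10:15:02 -0800 (PST)
Received: from legacy-relay.example.net (legacy-relay.example.net [198.51.100.7])
        by mail-sor-f41.google.com with ESMTP id q1si123
        for <bob@example.org>;
        Tue, 2 Jan 2024 10:14:58 -0800 (PST)
From: alice@example.net
To: bob@example.org
Subject: Q3 figures

See attached.
"""

# RFC 3848 "with" protocol tokens that mean the SMTP session ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA"}


def _grab(pattern, text):
    """Return the first capture group of pattern in text, or None."""
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_received(value):
    """Extract sending host, receiving host, protocol and TLS details
    from one (possibly folded) Received header value."""
    flat = " ".join(value.split())  # unfold continuation lines
    protocol = _grab(r"\bwith\s+(\S+)", flat)
    version = _grab(r"version=(\S+)", flat)
    return {
        "from": _grab(r"^from\s+(\S+)", flat),
        "by": _grab(r"\bby\s+(\S+)", flat),
        "protocol": protocol,
        "tls_version": version,
        "cipher": _grab(r"cipher=(\S+)", flat),
        # Either the protocol token or an explicit TLS version is evidence of TLS.
        "tls": protocol in TLS_PROTOCOLS or version is not None,
    }


def audit_received(raw_message):
    """One record per hop, newest hop first (MTAs prepend their Received line)."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def all_hops_encrypted(raw_message):
    """True only if every recorded hop used TLS. A message with no Received
    headers yields False: there is no evidence that anything was encrypted."""
    hops = audit_received(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for i, hop in enumerate(audit_received(SAMPLE_RAW), 1):
        state = f"TLS {hop['tls_version']}" if hop["tls"] else "PLAINTEXT"
        print(f"hop {i}: {hop['from']} -> {hop['by']} ({hop['protocol']}): {state}")
    print("every hop encrypted:", all_hops_encrypted(SAMPLE_RAW))
```

In the sample the final hop into mx.example.org was protected, but the first hop from the legacy relay was not, which is exactly the case the article describes: one server on the path without TLS means the message travelled in the clear for that leg.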
Can I send a secure email with an attachment in Gmail?
There are two main problems with the built-in Gmail attachment security:
Gmail attachments are not end-to-end encrypted when using TLS
As a result, an attacker only needs to compromise a Gmail account to gain access to all of the attachments sent and received by that user. And while you may think that two-factor authentication will save you from that fate, the recent spate of session hijacking attacks against the Google accounts of prominent YouTubers suggests otherwise.
There is no effort to prevent intentional sharing
Once a user receives an attachment, there are no restrictions surrounding what they can do with it. They can download it to their local PC and share it with anybody they like, which may be an issue if the attachment contains sensitive information. This is true even if S/MIME is used.
The natural solution, then, is to encrypt your attachments before you send them using Gmail confidential mode. Additionally, if the file is sensitive or confidential, you’ll want to be able to track its use, expire it, and make sure it can’t be printed, copied or shared once decrypted.
Gmail Confidential Mode
At first glance, Gmail’s Confidential Mode might look like the perfect solution for the problems Google has created. The sender can set an expiration date, revoke access at any time (i.e. recall or unsend an email in Gmail), and enforce use of an SMS passcode to open emails. It claims to stop accidental and unauthorized sharing while removing the option to forward, copy, print, or download messages or attachments.
Confidential mode and email security
Unfortunately, all is not as it first appears, as we have covered in detail in our blog on Gmail Confidential Mode. The feature does not offer much additional protection:
- Confidential mode controls are only enforced by the Gmail app and not by third-party clients, so they won’t work with most business email systems such as Outlook.
- Users can copy & paste and print message text and attachments.
- Emails and attachments are not private from Google or removed from the server.
- A text message is generally not a secure way to do two-factor authentication as it is vulnerable to man-in-the-middle, phishing, social engineering, and malware-based attacks.
Overall, Confidential Mode does not stop intentional sharing and it cannot effectively expire or recall attachments.
Other ways to send encrypted email in Gmail
Though Google has talked about improving email encryption and Gmail attachment security for a long time, there has been no real action. There is still no native end-to-end encryption for attachments for free Gmail accounts, and you can’t control what users can do with attachments. This has led to various third parties providing enhanced encryption services – email encryption solutions, file encryption software and add-ons that aim to close this gap. Unfortunately, most probably won’t provide the level of protection you require.
PGP file encryption
One of the most common ways to protect file attachments is through PGP file encryption. Just like S/MIME, files are encrypted with a public key (known to everyone) and decrypted with a private key (known only to the recipient).
Files can only be decrypted by those with a valid private key, which users are encouraged to never share, and is stored in a password protected keystore on their local PC. This is great at protecting the files in transit and at rest and ensures that if an attacker gains access to the email account they won’t be able to view the files.
Unfortunately, that’s all you get. PGP doesn’t solve the second problem with Gmail attachments: intentional sharing. Once a user has decrypted the file, PGP encryption provides no additional protection and cannot control what the user does with the plaintext document. The user can also give their private key to somebody else to allow them to open any document intended for that recipient. Naturally, because private keys are exposed to the user, they can also be phished, but this is uncommon.
Mailvelope
Mailvelope is an open-source browser add-on that enables easy PGP encryption for Gmail email messages and attachments. It is free for non-business users. It is important to realize that it offers no additional protection against intentional sharing – once the attachment is decrypted the user can do what they want with it.
There are many similar solutions out there such as ProtonMail that also provide end-to-end email and attachment encryption for Gmail messages.
WinZip
WinZip lets you add password protection to zip files, which can contain multiple files so you don’t have to secure and send individual attachments. You also get the benefits of file compression to save on attachment size. The downside of this approach, however, is that the sender has to give the recipient(s) the password to decrypt the zip file before they can open it. Ideally the password would not be sent by email, since that channel could be compromised.
PDF password protection
If you are just sending PDF files as Gmail attachments then PDF password protection might have crossed your mind, especially since you can add permissions to restrict use.
We have written in detail about why PDF password protection is not secure before, but here’s the short version:
- The open password, which prevents access to the document, is much less secure than using a public key for encryption, particularly when it is short or not randomly generated. Simple passwords of up to 10 characters can be brute-forced in minutes or hours.
- The permissions password, which is supposed to stop editing, printing, etc., takes seconds to remove due to major flaws in the Adobe security handler. This allows any user who can open the document to print and edit it.
Overall, password-based file security introduces a lot of management headaches for not much gain. You not only have to ensure that every authorized user knows the password to each document, but also make sure users transmit and store those passwords securely. They are practically useless in a business environment.
Secure cloud storage and download links
Secure cloud storage systems or a secure dataroom solution can be an attractive proposition for some businesses, as some provide additional document controls to restrict how files can be used (print and download permissions, personalized watermarks for tracking and identification, and expiry).
You upload files to an online secure cloud server, add restrictions and user accounts and select who can access them. Rather than adding an attachment to a Gmail email you just insert a link to the files instead. This has the added benefit of not having to worry about attachment file size limits, with Google Docs sharing particularly appealing due to its tight Gmail integration.
When the recipient clicks on the link they usually log in to a portal to view it in their browser. Some systems even provide a Gmail encryption plugin that enables you to protect and upload files from within Gmail rather than logging on to the portal, but this does not really add much.
So this all sounds good on paper, but there are limitations to the amount of security you can deliver through a browser. See Are data rooms secure enough to share your sensitive data?
Overall, cloud storage systems with online viewing functionality provide some improvement over PGP encryption and default file encryption for Gmail attachments, but they are not going to stop authorized users from intentionally sharing your documents.
Locklizard Safeguard DRM
Locklizard Safeguard DRM uses a combination of encryption, transparent licensing, Digital Rights Management restrictions, and a secure viewer application to protect email attachments from being opened or shared with unauthorized users. You protect your PDF files locally before you upload them to your email service, ensuring unencrypted files never leave your computer.
Once protected with Locklizard, your Gmail PDF attachments can only be opened by authorized users. Nobody can edit, save, or copy from them and users can only print or screenshot them if you have authorized them to do so. Rather than trying to prevent the files themselves from being shared, Locklizard locks documents to authorized devices that have a valid license file installed. Decryption keys are securely and transparently transmitted to an encrypted keystore on the user’s device that cannot be transferred or viewed.
Protected documents can only be opened in the secure viewer application, which enforces the document restrictions as defined by the admin. The application does not rely on or allow any third-party applications or plugins and does not use JavaScript. It therefore does not matter how many times Google updates Gmail or which browser the person is using, and users can’t tamper with its controls.
You can expire documents after a certain date, number of prints, number of opens, etc., and you can also manually revoke documents regardless of where they are located and track prints, views, and opens.
How to send secure email attachments in Gmail
Using Locklizard Safeguard to send secure attachments in Gmail is simple despite its advanced security. The protection process takes less than a minute:
- Right-click on your PDF and select “Make secure PDF”.
- Open the “Document Access” tab and choose “Selected customers”.
- Choose the DRM controls you want to enforce.
Move through the tabs of Safeguard PDF Writer and add any DRM controls you want to apply to your document.
- Press the “Publish” button at the bottom of the dialog to protect the PDF file. The PDF will be encrypted using AES 256-bit encryption and the DRM controls applied.
- To grant a user access to it, log in to the Safeguard Admin portal.
- Open the “Customers” tab and press “Add” in the sidebar.
- Enter the user information and click on the “Set Document Access” link in the “Manage Access” section.
- Select your document and press “OK”.
- Press the “Add” button on the customer account. Keep the “Email license” checkbox checked to have the license file emailed to the address you entered for the user. The user will be sent an email with their license key and instructions on how to download the secure PDF viewer software. You can also untick ‘Email license’ if you’d like to share this information with them via other means.
Note that once a user is in your admin system, you do not have to add them again or open the portal to add them to a document. You can group documents into “publications” to push the permission to view a document out to different users as soon as the protected file is created. This makes Safeguard Security quick and user-friendly.
Gmail attachment tracking
Many solutions provide email attachment tracking, but they are of little use when users can easily create untracked copies. This is where Locklizard Safeguard shines. You can enable tracking for your Gmail PDF attachments by checking the relevant boxes when you encrypt your Gmail attachment with Safeguard Writer:
- Right-click your PDF and select ‘Make secure PDF’.
- In the ‘Printing and Viewing’ tab, tick ‘Allow Printing’ and ‘Log print requests’.
- Publish your PDF.
- Open the document record in your Safeguard admin portal to see when the PDF was viewed and/or printed.
How to send expiring attachments in Gmail
Locklizard prevents users from making unprotected copies and encrypted files can only be opened in the viewer application. As a result, expiry can be achieved by simply removing users’ ability to open a PDF once certain conditions are met. This can be added quickly and easily in the Safeguard Writer application:
- Right-click your PDF and select ‘Make secure PDF’.
- Add an expiration date or a number of days after first open in the ‘Expiry & Validity’ tab.
You may also want to make sure “verify document access” is set to “each time the document is opened” if you want to be able to revoke access to the PDF instantly, before the expiry date or number of days is reached.
- You can also expire access after a certain number of prints or views in the ‘Printing & Viewing’ tab.
To expire after a certain number of prints, tick ‘No access after print copies depleted’. To expire after a number of views, tick ‘Limit number of views to:’ and enter the number of opens you want to allow.
- Press the “Publish” button at the bottom of the dialog to protect the PDF.
- You can now attach the encrypted PDF to a Gmail message just like any other file.
The best way to encrypt & send secure Gmail attachments
Though end-to-end encryption is a major marketing point for some email providers, encryption alone isn’t enough to protect email attachments. If you want to send secure attachments in Gmail you need something that can maintain protection after the document has been sent and opened. With Adobe’s PDF permission passwords useless and cloud storage solutions easy to compromise, the best way to send Gmail attachments securely is to convert to PDF and encrypt them with Locklizard.
Start sending secure attachments in Gmail today by taking a 15-day free trial of our PDF DRM software.
FAQs
How do I send a secure email attachment?
You can use S/MIME, dedicated secure email apps, or file encryption applications to encrypt files that can then be attached to a Gmail message. All provide a better level of encryption than TLS. Bear in mind however that once the files have been decrypted, users can do what they want with them including sending them to others who may not be authorized to view them. If you want control over the file once it has been decrypted (i.e. prevent forwarding, sharing, printing, etc.) then you must use a DRM solution to protect attachments.
How do I enable encryption in Gmail?
It is enabled by default. Emails and attachments are encrypted as long as the receiving server supports TLS.
If you want to enable end-to-end encryption then you must purchase a business Enterprise account and enable S/MIME.
Does encrypting an email protect attachments?
Not necessarily. TLS for example does not encrypt the email or the attachment itself – it just provides an encrypted connection between the client and server, encrypting the data in transit. S/MIME however encrypts both message text and attachments.
Is Gmail end-to-end encrypted?
It depends on whether TLS or S/MIME is being used. By default, Gmail uses TLS encryption (just the connection from your computer to the server is encrypted) so that Google can analyze emails and easily index them. This means that Google and other mail services may be able to read your email. If you want end-to-end encryption you must use S/MIME (available only for paid enterprise accounts) or third-party secure email software.
Can I encrypt an email in Gmail?
Gmail emails are encrypted in transit only using TLS when the provider that the email is being delivered to also supports it. Be aware that your email headers will not be encrypted if TLS is not supported, which could reveal to a snooper who an email is being sent to. If you want to force the encryption of an email in Gmail (so that it is stored as an encrypted email) you should use S/MIME, PGP file encryption, or a secure email solution to encrypt your body text and any attachments.
How do I encrypt a Gmail attachment?
Just like email message text, Gmail attachments are encrypted in transit using TLS (assuming the recipient mail server supports it). If you want to encrypt a Gmail attachment to prevent unauthorized access then you have to use Gmail confidential mode, S/MIME, or a third-party app to encrypt Gmail attachments. If you want to restrict use (prevent forwarding, sharing, copying, printing, etc.) after the attachment is decrypted, then you need to use DRM software.
How do I encrypt a PDF in Gmail?
You can’t encrypt a PDF natively in the Gmail email client (i.e. so that it is saved to disk as an encrypted file). You can use a third-party file encryption solution or PDF application to encrypt a PDF. We recommend a PDF DRM solution such as Locklizard Safeguard, as this will protect your documents when they are in transit, at rest and when in use.
Do I need a certificate for sending encrypted emails?
You need a certificate to send encrypted emails if you use S/MIME. The certificate must be valid (i.e. not revoked or expired).
Is Gmail encryption HIPAA compliant?
Yes if you use S/MIME. TLS encryption is not HIPAA compliant.
Can Gmail accept encrypted email from Outlook?
Yes, for both TLS and S/MIME.
How do you open an encrypted email in Gmail?
For TLS you don’t have to do anything since only the connection between client and server is encrypted rather than the email content.
For S/MIME, as long as you have configured it correctly and you have a valid private key then you don’t need to do anything – the message will automatically be decrypted.
Does Outlook have better attachment security than Gmail?
Outlook allows you to encrypt email attachments in transit and at rest, and keep them encrypted after they are downloaded if they are Microsoft 365 files. However, PDF files or images can be downloaded without encryption. Overall, its attachment security is better only if you stay inside the Microsoft ecosystem (and MS Office file types), which may not be possible when working with external partners.