Protect sensitive messages in Gmail with PIV/CAC smart cards and client-side encryption

Government, education, and enterprise organizations with rigorous compliance and data sovereignty requirements often have privacy and security top of mind. We built client-side encryption (CSE) in Google Workspace to provide customers with an additional layer of data confidentiality and protection beyond the encryption enabled by default. With CSE, emails, documents, calendar events, and meetings can be protected using encryption keys that customers control, making them the sole arbiter of their data and preventing access from third-parties, including Google and foreign governments. 

This year, we’ve made client-side encryption more widely available across Workspace. In February, we expanded CSE to include Gmail and Calendar, in addition to Google Drive, Docs, Slides, Sheets, and Meet. In August, we added more enhancements, including support of mobile apps and the ability to set CSE on by default. 

Now, we are extending CSE in Gmail to support hardware keys, such as PIV (Personal Identity Verification) and CAC (Common Access Card) smart cards, to help meet the needs of our public sector and enterprise customers. 

How does client-side encryption work with PIV/CAC smart cards?

CSE in Gmail was built with openness and interoperability in mind leveraging S/MIME, an IETF standard for sending encrypted messages over email. With CSE, customer data is encrypted on the client device before it is sent to Google servers, making it indecipherable to Google. The entire process happens in the browser or mobile app on the client device — without the need to install custom desktop applications or browser extensions. CSE uses a Key Access Control List Service (KACLS) that runs in a customer-controlled environment to perform cryptographic operations (technical details). Some organizations, however, already have existing mechanisms to control and manage their encryption keys, such as with PIV and CAC smart cards. For these organizations, smart cards may be preferred or required and can be deployed as an alternative to KACLS.

Starting today, organizations can allow their users to send and receive CSE-protected emails in Gmail from supported Windows devices and browsers, such as Google Chrome and Microsoft Edge, using their existing PIV/CAC smart cards. When users add their digital signature to an email or decrypt a CSE-protected email, they will be prompted to insert their smart card and enter their PIN. All of the encryption and decryption operations happen on client devices, using their existing hardware keys, and native Windows cryptographic libraries. 

“The Gmail team working to encrypt and secure communication using existing hardware keys, not just within our institution but across the U.S. government, makes it clear that Google understands our technical requirements and the importance of data confidentiality,” said Sean Baker, CTO, Uniformed Services University of the Health Sciences (USU), long time customers and change agents within the Military Health System. “This new capability will provide efficiency and collaboration gains to our organization while keeping our most sensitive data private, compliant, and under our sole control."

Getting started

Government, education, and enterprise organizations can now further enhance the confidentiality and protection of their sensitive data by leveraging their existing PIV and CAC smart cards with client-side encryption in Gmail. To learn more, read our deep dive blog post, watch the Cloud Next ‘23 breakout session, and check out the documentation.