Four methods encrypt emails in Gmail: Confidential Mode (built-in), S/MIME (Workspace Enterprise), Client-Side Encryption (new E2EE), and third-party plugins like Mailvelope.
Gmail protects messages in transit with TLS, but that encryption doesn’t stop Google from reading your content. You need to know how to encrypt an email in Gmail so only your recipient reads it, and the right method depends entirely on your account type. Standard Gmail keeps the keys — true end-to-end encryption requires one of the four routes covered below.
Which Encryption Method Fits Your Gmail Account?
Your Gmail account type determines which encryption tools you can use. Personal accounts get Confidential Mode and can install third-party PGP plugins. Workspace Enterprise users have access to S/MIME and the newer Client-Side Encryption (CSE). Each method provides a different level of protection and requires different setup steps.
| Method | Account Required | Encryption Type |
|---|---|---|
| Confidential Mode (Google login passcode) | Any Gmail account | Not end-to-end (Google holds keys) |
| Confidential Mode (SMS passcode) | Any Gmail account | Not end-to-end (Google holds keys) |
| Hosted S/MIME (admin-managed) | Workspace Enterprise Standard, Plus, or Education Plus | End-to-end (both parties need certificates) |
| S/MIME (personal certificate upload) | Workspace Enterprise Standard, Plus, or Education Plus | End-to-end (both parties need certificates) |
| Client-Side Encryption (desktop) | Workspace with third-party key service, admin setup required | End-to-end (any recipient, no certs needed) |
| Client-Side Encryption (mobile) | Workspace with key service, admin setup required | End-to-end (added April 2026 for iOS and Android) |
| Mailvelope PGP browser extension | Any Gmail account, Chrome extension | End-to-end (self-managed keys) |
How Do You Use Confidential Mode?
Confidential Mode is available on every Gmail account with no setup required. It lets you set expiration dates, revoke access, and restrict forwarding or copying. It is not end-to-end encryption — Google can still access the message content if legally required. Use it when you need basic access control rather than true E2EE.
To send a message in Confidential Mode from a desktop browser:
- Click Compose to open a new message.
- Click the Toggle confidential mode icon — the lock with a clock in the bottom-right toolbar.
- Set an expiration date: 1 day, 1 week, 1 month, 3 months, or 5 years.
- Choose a passcode option: select “No SMS passcode” to use the recipient’s Google login, or “SMS passcode” to send a code via text — enter the recipient’s phone number, never your own.
- Click Save, then compose and send your email normally.
When successful, the recipient sees your message with the expiration and restrictions applied. A the lock icon appears in the sent message. Note that recipients can still take screenshots of confidential mode messages.
Setting Up S/MIME For Workspace Enterprise
S/MIME provides true end-to-end encryption but requires a Google Workspace Enterprise Standard, Enterprise Plus, or Education Plus plan with administrator setup. Both sender and recipient need valid S/MIME certificates for encryption to function.
What An Administrator Must Do First
An admin must enable S/MIME in the Google Admin console. Changes typically take about 24 hours to propagate.
- Sign in to the Google Admin console as a super administrator.
- Navigate to Menu > Apps > Google Workspace > Gmail > User settings.
- Select your domain or the relevant organizational unit.
- Find the S/MIME setting and check Enable S/MIME encryption for sending and receiving emails.
- Click Save and allow up to 24 hours for the change to take effect. After propagation, users reload Gmail to see the lock icon.
Steps For Each User After S/MIME Is Enabled
- Reload Gmail — a lock icon appears next to recipients who also have S/MIME enabled.
- Upload your S/MIME certificate: go to Settings > Accounts > Edit info > Upload a personal certificate.
- Exchange signed emails with recipients to share public keys before you can send fully encrypted messages.
A green lock icon on the sent message confirms successful encryption. If the recipient lacks S/MIME, they see a warning instead of the message content.
Enabling Client-Side Encryption
Client-Side Encryption (CSE) is Google’s newer E2EE standard, generally available since October 2025. Unlike S/MIME, CSE lets Workspace users send encrypted emails to any recipient — even people without a Gmail account or S/MIME certificate — because the recipient receives a secure link to view the content.
What An Administrator Must Set Up
CSE requires a third-party key management service and Identity Provider (IdP) integration, configured by an administrator.
- Sign in to the Google Admin console as a super administrator.
- Configure a supported encryption key service (options include FlowCrypt, Fortanix, FutureX, Stormshield, Thales, and Utimaco).
- Integrate the key service and an Identity Provider with Workspace.
- Assign the key service to the relevant organizational units.
- Go to Apps > Google Workspace > Gmail > User settings and check Allow users to send and receive emails using client-side encryption.
How To Send A CSE-Encrypted Email
- Click Compose in Gmail.
- Click the padlock icon next to the Cc/Bcc fields in the compose window.
- Select Turn on to enable encryption for this specific message.
- Compose and send — the recipient receives a secure link to view the encrypted content. A the padlock icon appears locked on the sent message.
Installing A PGP Plugin For Personal Accounts
Personal Gmail users who need true end-to-end encryption without a Workspace plan can use third-party browser plugins that add PGP encryption to the compose window. Mailvelope is the most widely used open-source option.
- Install the Mailvelope extension from the Chrome Web Store.
- Create a PGP key pair using Mailvelope’s built-in tool or import one from GnuPG.
- Open Gmail and click Compose — Mailvelope adds an encrypt button to the draft window.
- Click Encrypt and select the recipient’s public key from your keyring.
- Send the encrypted message. The recipient needs their corresponding private key to read it. A the message text appears garbled in the draft before sending — that confirms encryption is active.
This method works with any Gmail account, but both parties must manage PGP keys. Mailvelope processes message content outside Google’s servers, so the vendor’s security practices determine overall safety.
Common Encryption Mistakes And How To Avoid Them
A few recurring errors cause encrypted emails to fail or offer weaker protection than expected.
- Treating Confidential Mode as end-to-end encryption. Confidential Mode restricts forwarding and sets expiration dates but does not encrypt content on Google’s servers. Google can still access the message if legally required.
- Sending S/MIME to recipients who lack S/MIME. If the recipient’s email client doesn’t support S/MIME and they don’t have a certificate, they cannot read the message. Deselect encryption or use a fallback method for those contacts.
- Entering your own phone number for Confidential Mode SMS. The passcode is sent to whatever number you enter. Using your own number locks the recipient out — always enter the recipient’s phone number.
- Forgetting to upload a certificate for S/MIME. Both sender and recipient need valid S/MIME certificates uploaded in Gmail settings. Missing either side prevents encryption.
- Ignoring the 24-hour propagation delay. After an admin enables S/MIME or CSE in the Admin console, encryption doesn’t activate immediately. Users must wait roughly 24 hours for the change to reach all systems.
Quick Guide To Your Best Option
Pick the method that matches your account and your actual security need. Personal users who only want access control choose Confidential Mode. Personal users who need true E2EE install Mailvelope or another PGP plugin. Workspace Enterprise users whose admin has configured it can use S/MIME for certificate-based exchanges or CSE for keyless encryption to any recipient.
| Your Situation | Best Method | Why |
|---|---|---|
| Personal account, need basic expiry and revoke control | Confidential Mode | Built into every Gmail account, zero setup |
| Personal account, need true end-to-end encryption | Mailvelope PGP plugin | Works without a Workspace plan or admin |
| Enterprise, both parties have S/MIME certificates | Hosted S/MIME | Certificate-based E2EE with existing infrastructure |
| Enterprise, sending encrypted email to external contacts | Client-Side Encryption | CSE works for any recipient, no certificate required |
| Compliance obligation like HIPAA | S/MIME or CSE | Confidential Mode does not meet E2EE compliance standards |
| Need to revoke access after sending | Confidential Mode | Built-in revoke feature, no extra tools needed |
| Encrypt email from a mobile device | Client-Side Encryption on mobile | Supported on iOS and Android since April 2026 |
None of these methods add friction to daily email — once set up, sending an encrypted message is a single extra click. The right starting point is your account type, and the table above narrows the choice from there.
References & Sources
- Google Support. “Send messages with confidential mode.” Official steps for enabling and using Confidential Mode in Gmail on desktop.
