Skip to main content
How to encrypt your emails (Google Workspace)
Updated over a year ago

Step 1: Enable hosted S/MIME

The following steps describe how to enable S/MIME and optionally use the advanced controls on S/MIME trusted certificates to upload and manage root certificates.

  1. Sign in to your Google Admin console (Sign in using an administrator account)

  2. In the Admin console, go to Menu > Apps > Google Workspace > Gmail > User settings.

  3. On the left, under Organizations, select the domain or organization you want to configure.
    Important: If you’re configuring advanced controls on S/MIME to upload and manage root certificates, you must select to enable SMIME at the top-level organization, typically your domain.

  4. Scroll to the S/MIME setting and check the Enable S/MIME encryption for sending and receiving emails box.

  5. (Optional) If you want to let users upload certificates, check the Allow users to upload their own certificates box.

  6. (Optional additional controls) If you want to upload and manage root certificates, use the S/MIME trusted certificates controls:

    1. Next to Accept these additional Root Certificates for specific domains, click Add.

    2. Click Upload Root Certificate.

    3. Browse to select the certificate file and click Open. You should see a verification message for the certificate that includes the subject name and expiration date. If there’s a problem with the certificate, an error message appears.

    4. Under Encryption level, select the encryption level to use with this certificate.

    5. Under Address list, enter at least one domain that will use the root certificate when communicating. Domain names can include wildcards that adhere to the RFC standard. Separate multiple domains with commas.

    6. Click Save.

    7. Repeat for additional certificate chains.

  7. Check the Allow SHA-1 globally (not recommended) box only if your domain or organization must use Secure Hash Algorithm 1 (SHA-1).

  8. Click Save.

Changes can take up to 24 hours but typically happen more quickly. Learn more Messages sent during this time—as well as when you disable and re-enable S/MIME—are not encrypted.

Step 2: Have users reload Gmail

After you enable hosted S/MIME, have users reload Gmail to see the change. After reloading, a Lock icon appears in the Subject line of email messages. If the message is encrypted with hosted S/MIME, the lock is green.

Step 3: Upload certificates

To use hosted S/MIME encryption, S/MIME end-user certificates must be uploaded to Gmail. The certificate should meet current cryptographic standards and use the Public-Key Cryptography Standards (PKCS) #12 (a transfer syntax for personal identity information) archive file format. See this Internet Engineering Task Force document for information about PKCS #12.

The list of trusted certificates provided and maintained by Google applies only to Gmail for S/MIME. The list of CAs are trusted solely at Google's discretion and Google retains the right to remove root CAs at will, with or without reason.

We recommend that admins upload certificates programmatically using the Gmail S/MIME API. You can also use the Gmail S/MIME API to manage things like viewing, deleting, and setting default user keys. Users you allow to upload certificates can do so in Gmail settings.

To upload a certificate in Gmail:

  1. From your Gmail inbox, choose Settings > Settings.

  2. Click the Accounts tab.

  3. In the Send mail as area, click Edit info.

    A message window appears with an enhanced encryption (S/MIME) option. (S/MIME and the Allow users to upload their own certificates option must be enabled in the Admin console for this option to appear.)

  4. Click Upload a personal certificate.

  5. Select the certificate and click Open. You'll be prompted to enter a password for the certificate.

  6. Enter the password and click Add certificate.

Step 4: Have users exchange keys

Your users need to exchange keys with email recipients in either of the following ways:

  • Send an S/MIME signed message to recipients. The email will be digitally signed, and the signature will include the user's public key. The recipients will be able to use this public key to encrypt the emails they send to your user.

  • Ask recipients to send them a message. When they receive the message, it’s signed with S/MIME. The key is automatically stored and available. From this point forward, messages sent to this recipient are S/MIME-encrypted.

Did this answer your question?