Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

What is Gmail’s new end-to-end encryption service?

Written by Lilly Ohno | April 10, 2025

Google announced that it is offering end-to-end encrypted (E2EE) email to enterprise users via client-side encryption. The feature is meant to ensure that only the recipient can read the contents of encrypted emails.

We’ll break down what this means.

 

What is Gmail’s E2EE?

Gmail’s end-to-end encryption encrypts an email on the sender’s device and decrypts it only on the recipient’s device. This means message content, attachments, and inline images are encrypted so even Google can’t access them.

While secure, Gmail's E2EE introduces friction for email recipients and is only available for certain tiers of Google Workspace.

 

Who can use Gmail's E2EE?

Enterprise users only. E2EE is available with Google Workspace Enterprise Plus, Education Standard, Education Plus, or Frontline Plus subscriptions.


These subscription types cannot get E2EE: Business Starter, Business Standard, Business Plus, and Gmail personal accounts.


 

What are the requirements to implement E2EE?


According to Google, setting up E2EE typically requires:

  • Enabling client-side encryption (CSE) for your domain
  • Managing encryption keys or connecting a key service provider
  • Optionally configuring S/MIME for external domains


What is the recipient experience for E2EE emails?

  • If the recipient is a Gmail user, the email is automatically decrypted in the inbox and the message appears normally inside Gmail.
  • If the recipient is not a Gmail user, they are directed to a message portal and must sign in with a Google account or a Google Guest Account to read the message.

 

What are the limitations of Gmail's E2EE?

Although E2EE provides strong encryption, it comes with several trade-offs:

  • It's only available to specific enterprise-level tiers of Google Workspace
  • Non-Gmail recipients will have to log in to a portal to read messages
  • Subject lines, timestamps, and recipient information are not encrypted (only the message content, attachments, and inline images are encrypted)
  • There is a 5MB upload limit for attachments and inline images

 

The bottom line

End-to-end encryption is one way to secure data, but it isn’t the only way to meet HIPAA requirements. End-to-end encryption can make communication harder and introduce friction by requiring recipients to log in to a portal, verify their identity, or retrieve codes. Every extra step reduces the likelihood that the recipient will read or respond to the email.

Paubox takes a different approach. Paubox automatically encrypts emails in transit, so recipients receive and read encrypted emails like any other email in their inbox. This frictionless experience ensures HIPAA compliance while increasing open rates and engagement.