Hardware Key Certificate Management for client-side encryption in Gmail

Hardware Key Certificate Management for client-side encryption in Gmail
Monday, June 30, 2025

What’s changing
Gmail now allows users with hardware keys, such as PIV/CAC smartcards, to directly manage their digital signature and encryption certificates within Gmail settings. Prior to this update, admins needed to upload encryption keys for their users – now users can configure their own keys in Gmail, without needing an admin.

Additional details
While Workspace encrypts data at rest and in transit by using secure-by-design cryptographic libraries, client-side encryption ensures that you have sole control over encryption keys and access to your data. Client-side encryption ensures sensitive data in the email body and attachments are indecipherable to Google servers — you retain control over encryption keys and the identity service to access those keys. For more information, check out our original announcement and the Workspace blog.

Getting started

• Admins: In order for your users to add certificates from a hardware key, you must first enable and install the Workspace Hardware Keys application to user machines.
• End users: Visit the Help Center to learn more about using hardware keys for encryption.

Rollout pace

• Rapid and Scheduled Release domains: Available now.

Availability

• Available for Google Workspace Enterprise Plus customers with Assured Controls and Assured Controls Plus