How to Encrypt Email in Gmail (Step by Step)

Gmail encrypts email in transit by default using TLS. But that is not the same as end-to-end encryption — Google can still read your messages, and TLS only protects the connection between servers, not the message itself. If you need actual message-level encryption in Gmail, you have several options depending on whether you use a free Gmail account or Google Workspace.

This guide walks through every encryption method available in Gmail, from the built-in options to third-party tools, so you can choose the right level of protection for your situation.

How Gmail encryption works by default

Every email sent between Gmail accounts is encrypted using TLS (Transport Layer Security) in transit. This means the data is protected while moving between Google’s servers and the recipient’s server. If the recipient’s email provider also supports TLS — which most major providers do — the entire journey is encrypted.

However, TLS has two important limitations:

  • Google can read your email. TLS protects the connection, not the message. Once the email arrives at Google’s servers, it is stored in a format Google can access. This is how Gmail displays targeted ads and performs spam scanning.
  • TLS is opportunistic. If the recipient’s server does not support TLS, Gmail may deliver the email unencrypted. You have no guarantee. For more on how TLS works in email, see our TLS email protection guide.
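Because TLS is negotiated hop by hop, the only after-the-fact evidence of whether a particular message travelled encrypted is the chain of Received: headers, where each receiving server records the protocol it accepted the message over (ESMTPS or ESMTPSA for a TLS session, plain ESMTP otherwise; Gmail also appends a version= and cipher= clause). The following script is an added example, not code from the original article or from Google: it parses a constructed two-hop message (the hostnames, IPs and ids are invented) and reports per hop whether TLS was used.

```python
import re
from email import message_from_string

# Constructed sample message (not from the page).  Each receiving server
# prepends its own Received: header, so the topmost header is the LAST hop.
# Bottom hop: STARTTLS ("ESMTPS" with a version= clause).
# Top hop:    plain "ESMTP", i.e. delivered unencrypted.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org. [192.0.2.10])
        by mx.example.net with ESMTP id abc123
        for <bob@example.net>; Tue, 03 Jun 2025 10:01:02 +0000
Received: from mail.sender.example (mail.sender.example. [198.51.100.7])
        by mx.example.org with ESMTPS id xyz789
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 03 Jun 2025 10:01:00 +0000
From: alice@sender.example
To: bob@example.net
Subject: constructed test message

hello
"""

# "with" keywords that mean the SMTP session ran under TLS (RFC 3848):
# SMTPS, ESMTPS, ESMTPSA, UTF8SMTPS ... i.e. an "S" follows "SMTP".
_TLS_PROTOCOL = re.compile(r"(?:UTF8)?E?SMTPSA?")


def parse_received(header: str) -> dict:
    """Extract from/by/with and any TLS version clause from one Received: header."""
    h = " ".join(header.split())  # unfold continuation lines
    from_m = re.search(r"\bfrom\s+(\S+)", h)
    by_m = re.search(r"\bby\s+(\S+)", h)
    with_m = re.search(r"\bwith\s+([A-Za-z0-9]+)", h)
    ver_m = re.search(r"version=([^\s);]+)", h)
    protocol = with_m.group(1) if with_m else ""
    return {
        "from": from_m.group(1) if from_m else "",
        "by": by_m.group(1) if by_m else "",
        "protocol": protocol,
        # Non-SMTP hand-offs (e.g. "with HTTP" from a webmail front end) simply
        # carry no TLS marker and are reported as not-TLS here.
        "tls": bool(_TLS_PROTOCOL.fullmatch(protocol)),
        "tls_version": ver_m.group(1) if ver_m else None,
    }


def audit_received_hops(raw_message: str) -> list:
    """Return one record per hop, oldest hop first (reverse of header order)."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    return [parse_received(h) for h in reversed(headers)]


def all_hops_encrypted(raw_message: str) -> bool:
    """True only if every recorded hop carried a TLS protocol marker."""
    hops = audit_received_hops(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for i, hop in enumerate(audit_received_hops(SAMPLE_MESSAGE), 1):
        state = f"TLS ({hop['tls_version']})" if hop["tls"] else "PLAINTEXT"
        print(f"hop {i}: {hop['from']} -> {hop['by']} via {hop['protocol']}: {state}")
    print("every hop encrypted:", all_hops_encrypted(SAMPLE_MESSAGE))
```

Paste a message's raw source (Gmail: "Show original") into SAMPLE_MESSAGE to audit a real delivery. Only the headers written by servers you trust (your own provider's, at the top of the chain) are reliable; a Received: header can be fabricated by any earlier hop, so the script shows what the recipient side saw, not a guarantee about the sender's side.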

Gmail encryption options compared

Method                       | Who can use it                      | End-to-end?                     | Recipient needs setup? | Cost
TLS (default)                | Everyone                            | No                              | No                     | Free
Confidential Mode            | Everyone                            | No                              | No                     | Free
S/MIME                       | Google Workspace (Enterprise)       | Yes (with compatible recipient) | Yes                    | Workspace subscription
Client-side encryption (CSE) | Google Workspace (Enterprise Plus)  | Yes                             | Yes (for external)     | Workspace subscription
Mailvelope (PGP)             | Everyone (browser extension)        | Yes                             | Yes                    | Free
FlowCrypt (PGP)              | Everyone (browser extension)        | Yes                             | Optional               | Free / $10/mo

Method 1: Gmail Confidential Mode

Gmail’s built-in “Confidential Mode” is not encryption — it is access control. It lets you set an expiration date on emails, prevent forwarding and downloading, and optionally require a passcode (sent via SMS) to open the message.

How to send a confidential email in Gmail

  1. Open Gmail and click Compose
  2. Click the lock with clock icon at the bottom of the compose window (or click the three-dot menu and select “Confidential mode”)
  3. Set an expiration date (1 day, 1 week, 1 month, 3 months, or 5 years)
  4. Optionally require an SMS passcode — the recipient must verify via a code sent to their phone
  5. Click Save, then compose and send your email normally

What Confidential Mode actually does

  • The recipient cannot forward, copy, print, or download the email (though they can screenshot it)
  • The email disappears from their inbox after the expiration date
  • You can revoke access at any time before expiration
  • If SMS passcode is enabled, non-Gmail recipients must verify their identity

What Confidential Mode does NOT do

  • It does not encrypt the email content — Google can still read it
  • It does not prevent screenshots or photos of the screen
  • The email is still stored on Google’s servers in readable form
  • It is not a substitute for actual end-to-end encryption

Confidential Mode is useful for sensitive information where you want to limit the recipient’s ability to share it further. It is not useful if you need to prevent Google or third parties from accessing the content.

Method 2: S/MIME (Google Workspace only)

S/MIME (Secure/Multipurpose Internet Mail Extensions) provides real email encryption and digital signatures. It uses public key cryptography — you and the recipient each have a certificate, and messages are encrypted so only the intended recipient can decrypt them.

Requirements

  • Google Workspace Enterprise, Education Fundamentals, or Education Plus
  • S/MIME must be enabled by your Workspace administrator
  • Both sender and recipient need S/MIME certificates installed
  • Certificates must be from a trusted certificate authority

How to check if S/MIME is active

When composing an email in Gmail, look for a lock icon next to the recipient’s name. A green lock means S/MIME encryption is active. A gray lock means standard TLS. A red lock means no encryption.

S/MIME is the best option for organizations that need compliant, auditable email encryption. But it requires Workspace Enterprise and certificate management, making it impractical for personal Gmail users. For a deeper comparison of encryption standards, see our TLS vs PGP vs S/MIME comparison.

Method 3: Client-Side Encryption (Google Workspace)

Google Workspace Enterprise Plus offers Client-Side Encryption (CSE), which encrypts email content in your browser before it reaches Google’s servers. Google cannot read CSE-encrypted emails because it never holds the decryption keys: your organization manages them through an external key service.

CSE is Google’s answer to organizations that need to use Gmail but cannot allow Google to access message content for regulatory or compliance reasons. It is only available on Workspace Enterprise Plus and requires significant IT setup.

Method 4: PGP with Mailvelope (free, any Gmail account)

For personal Gmail users who want real end-to-end encryption, PGP (Pretty Good Privacy) via a browser extension is the most accessible option.

Setting up Mailvelope with Gmail

  1. Install the Mailvelope browser extension (available for Chrome, Firefox, and Edge)
  2. Open Mailvelope and generate a PGP key pair (public key + private key)
  3. Share your public key with people you want to exchange encrypted emails with
  4. Import their public keys into Mailvelope
  5. When composing in Gmail, Mailvelope adds an encryption button. Click it to write and encrypt your message
  6. The recipient uses their Mailvelope (or any PGP client) to decrypt
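Steps 3 and 4 are where PGP setups go wrong in practice: a public key is just a block of text, so whoever can alter it between you and your correspondent can substitute their own. The defence is to compare the key's fingerprint (a SHA-1 hash of the key packet, as defined in RFC 4880 section 12.2) over a second channel before importing. The script below is an added example, not code from the original article or from the Mailvelope project: it builds a constructed (not real) RSA public key packet, armors it the way a client exports it, and then shows the import-side checks, verifying the armor CRC-24 trailer and computing the v4 fingerprint and key ID. The modulus, timestamp and the helper names are all invented for the demonstration.

```python
import base64
import hashlib
import struct

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# Constructed demo key material (NOT a real RSA key; the fingerprint depends
# only on the packet bytes, so any integer serves to demonstrate the check).
SAMPLE_N = int("C0FFEE" * 86, 16)
SAMPLE_E = 65537
SAMPLE_CREATED = 1700000000  # key creation time (Unix seconds) stored in the packet


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, the checksum in the "=XXXX" armor trailer."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes(
        (value.bit_length() + 7) // 8, "big")


def build_v4_rsa_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Old-format tag-6 packet with a 2-byte length, i.e. header byte 0x99."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body


def armor(packet: bytes) -> str:
    """Wrap packet bytes in a PGP PUBLIC KEY BLOCK with a CRC-24 trailer."""
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + body + "\n=" + crc
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


def dearmor(text: str) -> bytes:
    """Decode an armored block, rejecting it if the CRC-24 trailer disagrees."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored PGP block")
    inner = lines[1:-1]
    if "" in inner:  # skip armor headers (Version:, Comment:) before the blank line
        inner = inner[inner.index("") + 1:]
    data = base64.b64decode("".join(ln for ln in inner if ln and not ln.startswith("=")))
    trailer = [ln for ln in inner if ln.startswith("=")]
    if trailer:
        expected = int.from_bytes(base64.b64decode(trailer[0][1:]), "big")
        if crc24(data) != expected:
            raise ValueError("CRC-24 mismatch: block was corrupted or altered in transit")
    return data


def _first_packet(data: bytes) -> tuple:
    """Return (tag, body) of the first packet; handles old and new header formats."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("invalid packet header")
    if ctb & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old-format header (RFC 4880 section 4.2.1)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = (1, 2, 4)[ltype]
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    return tag, data[off:off + length]


def parse_public_key(data: bytes) -> dict:
    """Parse the leading public-key packet and compute its v4 fingerprint."""
    tag, body = _first_packet(data)
    if tag != 6:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    # RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length, the body.
    fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    return {"created": struct.unpack(">I", body[1:5])[0], "algorithm": body[5],
            "fingerprint": fp, "key_id": fp[-16:]}


def fingerprint_matches(armored_key: str, expected_fingerprint: str) -> bool:
    """Compare a received key against a fingerprint obtained over another channel."""
    got = parse_public_key(dearmor(armored_key))["fingerprint"]
    return got == "".join(expected_fingerprint.split()).upper()


SAMPLE_ARMORED_KEY = armor(build_v4_rsa_public_key_packet(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED))

if __name__ == "__main__":
    info = parse_public_key(dearmor(SAMPLE_ARMORED_KEY))
    print("fingerprint:", " ".join(info["fingerprint"][i:i + 4] for i in range(0, 40, 4)))
    print("key id:     ", info["key_id"])
```

The CRC trailer only catches accidental corruption; it is not a signature, and an attacker who replaces the key recomputes it trivially. The fingerprint comparison is the real check: read the 40 hex characters to your correspondent by phone or compare them in person, and only then import. Comparing just the 16-character key ID is weaker, since key IDs can be collided deliberately.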

The PGP trade-off

PGP provides genuine end-to-end encryption that even Google cannot read. The trade-off is usability: both sender and recipient must have PGP set up, key management is manual, and encrypted emails cannot be searched in Gmail. For most personal use, PGP is overkill. For journalists, activists, or anyone handling genuinely sensitive communications, it is the gold standard.

Method 5: FlowCrypt (PGP made easier)

FlowCrypt is another PGP browser extension that aims to make encryption more user-friendly than Mailvelope. Its standout feature: if the recipient does not have PGP, FlowCrypt can send the encrypted message as a password-protected link instead. The recipient enters the password to read the message, with no PGP setup required on their end. The protection is only as good as the password and how it is shared, so pass it on through a channel other than email.

This makes FlowCrypt more practical for one-off encrypted emails where you cannot guarantee the recipient has PGP. The free tier covers personal use, and the paid plan ($10/mo) adds business features.

Which encryption method should you use?

Your situation                                      | Best method
Standard email, no special sensitivity              | TLS (default), already enabled
Sending sensitive documents with access control     | Confidential Mode
Organization with compliance requirements           | S/MIME or CSE (Workspace)
Personal end-to-end encryption                      | Mailvelope or FlowCrypt (PGP)
One-off encrypted email to non-technical recipient  | FlowCrypt (password-protected link)

Beyond encryption: protecting your email address

Encryption protects the content of your messages. But it does not protect your email address itself. Every time you give your address to a website, it can end up in a breach database, on a marketing list, or in the hands of spammers — and no amount of encryption prevents that.

This is where email aliases complement encryption. Instead of giving out your real Gmail address, you use a unique alias for each service. If that alias gets compromised, you disable it. Your real address — and the encrypted conversations attached to it — remain untouched.

Encryption and aliasing solve different problems. Encryption protects what you say. Aliases protect who you are. For complete email privacy, you want both.

Frequently asked questions

Does Gmail encrypt emails by default?

Yes, Gmail encrypts emails in transit using TLS. This protects the connection between servers but does not prevent Google from reading your messages. For end-to-end encryption, you need S/MIME, PGP, or a third-party tool.

Is Gmail Confidential Mode actually secure?

Confidential Mode adds access controls (expiration, no forwarding, SMS verification) but does not encrypt the email content. Google can still read it. It is useful for limiting what the recipient can do with the email, not for preventing third-party access.

Can I encrypt Gmail emails on my phone?

Gmail’s Confidential Mode works in the mobile app. For PGP encryption on mobile, apps like OpenKeychain (Android) or PGPro (iOS) can work alongside the Gmail app, but the integration is less seamless than on desktop.

Is Gmail secure enough for business email?

For most businesses, Gmail with TLS and strong account security (2FA, security keys) is adequate. For industries with strict compliance requirements (healthcare, finance, legal), you may need Workspace Enterprise with S/MIME or CSE. See our full analysis: Is Gmail secure enough for business?
