🔑 Key Takeaways
- Personal Gmail has no real encryption; Confidential Mode fails HIPAA since Google reads the body.
- Hosted S/MIME needs Workspace Enterprise Plus at $30 per seat plus a per-user cert every year.
- Confidential Mode blocks Gmail-to-Gmail forwarding but leaves the body fully readable to Google.
- PGP add-ons like Mailvelope encrypt in the browser but fail on mobile and need keys on both sides.
- Gateway services layer on any Gmail plan through DNS, include the BAA, and cost $5-$15 per mailbox.
Gmail exposes different encryption controls depending on the account plan. Personal @gmail.com accounts have almost nothing. Google Workspace tenants have Confidential Mode on every plan and hosted S/MIME on Enterprise Plus.
The right method depends on what the sender needs to protect and who the recipient is. This guide walks through each option in order of increasing security. For compliance workflows, dedicated encrypted email services that layer on top of Gmail are usually the shortest path.
Each section covers steps and limitations. Skip to the section that matches your Gmail plan and your compliance requirement.
What Gmail encryption options actually exist
Gmail supports four different encryption paths, and each targets a different scenario. Knowing the differences prevents wasted effort on a method that does not meet the actual requirement.
- TLS between mail servers, enabled by default on every Gmail account.
- Confidential Mode, available on every Gmail account but not real encryption.
- Hosted S/MIME, available only on Google Workspace Enterprise Plus.
- Third-party PGP add-ons like Mailvelope, available on any account.
- Gateway-based encryption services, available on any account through DNS routing.
TLS is baseline. Confidential Mode is a restriction feature, not encryption. Hosted S/MIME is the strongest Google-native option. Add-ons and gateways are the third-party options that work on any plan.
The sibling article how to encrypt email covers the same paths in a provider-neutral way for comparison.
How to use Gmail Confidential Mode
Confidential Mode is the option most Gmail users find first. It is available on every plan and appears as a lock icon in the compose window.
Click the lock icon at the bottom of the compose window. A dialog opens with two settings. Set an expiration date from one day to five years, and choose whether the recipient needs an SMS code to open the message.
Send the message as normal. Gmail-to-Gmail recipients see the message with forward, copy, and download disabled. Non-Gmail recipients receive a link to view the message on Google’s servers.
Confidential Mode reduces accidental forwarding on well-behaved clients. It does not encrypt the message body, and Google can still read the content. HIPAA, CMMC, and GDPR auditors do not accept it as encryption.
Use Confidential Mode for casual privacy on messages that do not carry regulated data. Anything else needs a stronger option.

Setting up hosted S/MIME on Google Workspace Enterprise Plus
Hosted S/MIME is the only Google-native option that meets healthcare compliance. It requires Enterprise Plus, admin configuration, and a per-user certificate from a trusted certificate authority.
- Sign in to the Google Admin console with a super admin account.
- Go to Apps, Google Workspace, Gmail, User settings.
- Select the organizational unit and enable S/MIME encryption for outgoing email.
- Each user uploads their personal S/MIME certificate in Gmail settings under Accounts and Import, then S/MIME settings.
- Compose a test message to a colleague with an installed certificate to verify the lock icon appears.
Once configured, Gmail shows a green lock icon next to recipients whose certificates are known and encrypts automatically. Recipients without certificates fall back to standard TLS delivery, which is why S/MIME alone is rarely enough for a full compliance program.
The Google Workspace S/MIME setup documentation covers the certificate policies and enforcement options. For the Outlook side of the same standard, see how to encrypt a response email in Outlook.
Adding PGP encryption through Mailvelope
Mailvelope is a browser extension that adds PGP support to Gmail without requiring any Google plan upgrade. It works with personal Gmail accounts and any Workspace tier.
Install Mailvelope from the Chrome or Firefox extension store. On first run, the extension generates a PGP key pair in the browser and stores the private key locally.
Share the public key with correspondents through a keyserver, a direct exchange, or as an attachment on a signed message. Both sides need each other’s public keys before encryption works.
Composing in Gmail then shows a Mailvelope button. Clicking it opens a secure editor window inside the browser. The message is encrypted locally before being pasted into the Gmail compose window, so Google never sees plain text.
PGP fits technical audiences. It does not fit patients or referring providers who will not install a PGP client. For healthcare, gateway-based services are more practical.
A four-person mental health practice on Google Workspace Business Starter at $6 per user per month wants HIPAA-compliant encrypted email for session summaries. Upgrading four seats to Enterprise Plus at $30 each would raise the monthly bill by $96 just for encryption. Instead, the practice signs up for a gateway service at $10 per mailbox, adds one DNS record, and keeps Gmail as the compose interface. Total added cost is $40 per month, BAA included, no certificate management, no plan upgrade.
How encryption methods on Gmail compare across scenarios
The right method depends on the plan, the recipient, and the compliance requirement. A side-by-side view helps narrow the choice.
| Method | Works on personal Gmail | Meets HIPAA | Recipient friction | Setup effort |
|---|---|---|---|---|
| TLS baseline | Yes | No, alone | None | None |
| Confidential Mode | Yes | No | Low | None |
| Hosted S/MIME | No, Workspace Enterprise Plus only | Yes | High, needs recipient certificate | High, admin plus per user |
| PGP via Mailvelope | Yes | Sometimes, depends on documentation | Very high, needs PGP client | Medium |
| Gateway service | Yes, through Workspace routing | Yes | Low, portal fallback | Low, DNS record |
Confidential Mode fits casual privacy. Hosted S/MIME fits large Workspace tenants that already pay for Enterprise Plus. Gateway services fit everyone else, especially small healthcare practices.
The sibling article how to encrypt an email in Outlook 365 covers the same comparison from the Microsoft side.
Encrypting Gmail attachments without changing the message
Sometimes only the attachment carries sensitive data and the message body is fine to send in plain text. Password-protecting the attachment is a common workaround.
- Compress the file using 7-Zip, WinRAR, or Windows built-in compression with AES-256 encryption enabled.
- Set a strong password of 12 characters or more with mixed case, numbers, and symbols.
- Attach the encrypted archive to the Gmail message.
- Share the password over a phone call, SMS, or in-person conversation.
Gmail does not scan the contents of an encrypted archive, so the file travels through Google’s servers as opaque data. The recipient extracts the archive with the shared password.
This method is not HIPAA compliant on its own. It produces no audit trail, and the password channel is often insecure. It fits one-off file transfers between organizations without a shared encryption service. Related coverage in how to encrypt a PDF in emails covers the same territory.

Routing Gmail through a gateway service
Gateway services encrypt outbound Gmail messages by routing mail through their own servers before delivery. Setup takes minutes and does not require a Workspace upgrade.
The practice signs up with the vendor and receives an SPF record and often a DKIM key. The domain administrator adds both to the DNS zone.
Outbound mail from Gmail then routes through the vendor’s gateway, which applies encryption before releasing the message. Recipients read the message either in their normal inbox with TLS enforcement or through a portal fallback if their server does not support the encryption standard.
End users see no change in Gmail. Staff compose and send from the same interface, and the encryption happens invisibly at the server. Vendors like Mailhippo follow this pattern and include the Business Associate Agreement in the base plan.
Related coverage in encrypted emails in Outlook shows the same model applied to the Microsoft side.
Verifying that a Gmail message went out encrypted
An encrypted send is only useful if the encryption held. Gmail provides two ways to verify.
Open the sent message and click the three-dot menu at the top right. Select Show Original. The header at the top of the resulting page displays the TLS status of the delivering connection under Received lines.
For hosted S/MIME messages, Gmail shows a green lock icon in the message header. Clicking the icon opens a panel with the certificate details of the encryption.
If the TLS field shows nothing or the lock icon is missing, the message either traveled without encryption or fell back to a lower tier. That is worth catching before the next send. Sibling coverage in how to view encrypted emails walks through the recipient-side verification.
Confidential Mode looks like encryption because the lock icon appears in the compose window, but Google still stores the message body in plain readable form. Auditors reject it as a HIPAA safeguard, and Google's BAA does not extend coverage to Confidential Mode content the same way it covers standard Gmail. If you handle PHI on Gmail, use hosted S/MIME, a gateway service, or a compliant secure email product.
Encrypting the same account across desktop and mobile
Encryption behavior varies by device. A method that works in the desktop browser may not work in the mobile Gmail app, which changes the compose experience for anyone who sends on the go.
Confidential Mode works on both desktop and mobile Gmail. The lock icon appears in the mobile compose window the same way it does on desktop.
Hosted S/MIME works on the mobile Gmail app if the certificate is installed on the device. iOS and Android both support S/MIME certificates in the system keychain.
PGP browser extensions do not work on mobile. Messages composed on the mobile app travel through Gmail unencrypted unless a gateway service handles the encryption at the server.
Gateway services work identically on desktop and mobile because the encryption happens at the server regardless of the client. That consistency is the reason healthcare practices default to gateway services rather than client-side methods.
Compliance-driven encryption on a Gmail account
HIPAA, CMMC, and GDPR each require documented safeguards and audit trails that go beyond message-level encryption. A Gmail user meeting those frameworks needs more than a lock icon in the compose window.
HIPAA requires a signed Business Associate Agreement with the mail provider. Google offers a BAA on Workspace with specific settings enabled by the admin. Personal Gmail accounts have no BAA option.
CMMC requires FIPS 140-2 validated cryptographic modules for Controlled Unclassified Information. That standard rules out most consumer-grade browser extensions.
Gateway services designed for healthcare include the BAA, use FIPS-validated encryption, and produce the audit logs auditors ask for. The HHS sample BAA provisions are the reference for what the agreement should contain.
Practices coordinating email compliance with patient outreach can review their healthcare marketing agency engagement to keep both aligned.
Choosing the right method for your Gmail workflow
The right choice depends on the account plan, the recipient list, and the compliance requirement.
Personal users sending occasional sensitive messages can use Confidential Mode for basic access restriction or a PGP extension for real end-to-end encryption to technical peers.
Small businesses on Workspace Business Standard or below need either an upgrade to Enterprise Plus or a gateway service. The gateway is almost always cheaper and works with the existing plan.
Healthcare practices with HIPAA obligations need either Workspace Enterprise Plus with hosted S/MIME plus a signed BAA or a dedicated gateway service that includes the BAA in the base plan. Gateway services are the shorter path for most solo and small clinics.
Practices reviewing email decisions alongside their broader digital footprint can pair the choice with a look at their healthcare website security features to align intake forms and portal links with the same compliance standards as the mailbox.
Frequently Asked Questions
Not with real encryption. Personal @gmail.com accounts do not include S/MIME, Purview-style message encryption, or any other message-level control that meets HIPAA. Confidential Mode is available but does not encrypt the message body. The three real options are upgrading to Google Workspace Enterprise Plus for hosted S/MIME, installing a PGP browser extension like Mailvelope that encrypts inside the browser before Google sees the message, or routing the account through a dedicated encryption gateway that adds encryption at the DNS layer.
Confidential Mode restricts the actions a recipient can take on a message. It prevents forwarding, copying, and downloading on Gmail clients, and it can add an expiration date. It does not encrypt the message body. Google can still read the content, and non-Gmail recipients receive a link to view the message on Google’s servers rather than the message itself. HIPAA and CMMC do not accept Confidential Mode as an encryption control. Practices sending patient information need actual encryption, not access restriction.
Hosted S/MIME is included only on Google Workspace Enterprise Plus, which typically runs $30 per user per month. The certificates themselves are issued by a trusted certificate authority and cost $20 to $60 per user per year on top of the Workspace subscription. That per-user cost is why many practices considering S/MIME on Google end up choosing a dedicated encryption gateway service instead. The gateway typically costs $5 to $15 per mailbox and works with any Workspace or personal Gmail plan.
Not directly. Mailvelope and similar PGP extensions run inside the desktop browser and encrypt messages before they leave the Gmail web interface. The mobile Gmail app does not load the extension, so messages composed on mobile travel unencrypted. Users who need mobile PGP either use a dedicated mobile mail client with built-in PGP support or restrict encrypted composition to desktop. This limitation is another reason gateway-based services fit healthcare workflows better, since the encryption happens at the server regardless of device.
Yes. Compress the file using 7-Zip, WinRAR, or Windows built-in compression with AES-256 encryption enabled. Set a strong password of 12 characters or more, attach the encrypted archive to the Gmail message, and share the password over a separate channel like a phone call. This method works around Gmail’s lack of native encryption for the attachment itself. It is not HIPAA compliant on its own because it produces no audit trail, but it is a common workaround for one-off file transfers between organizations.
Yes, if the Outlook recipient also has an S/MIME certificate installed. S/MIME is an open standard, and Gmail with hosted S/MIME can encrypt to any recipient whose certificate it can retrieve. The Outlook side needs the certificate in its Windows certificate store to decrypt. If the Outlook recipient does not have a certificate, Gmail falls back to standard TLS delivery, and the message travels encrypted between servers but not end-to-end. This is why compliance workflows usually require a gateway-based service that does not depend on the recipient’s setup.
Open the sent message in Gmail, click the three-dot menu, and select Show Original. The header at the top displays the TLS status of the delivering connection under Received lines. For hosted S/MIME messages, Gmail shows a green lock icon in the sent view, and clicking the icon displays the encryption details including the certificate that signed the message. If the header shows no TLS or the icon is missing, the message either traveled unprotected or the encryption fell back to a lower tier than expected.








