S/MIME is an easy, cost-effective way to level up encryption at your company

Joe Wilson

For most companies, the encryption provided by Gmail will be enough to keep the company secure, ensuring that their messages do not fall into the wrong hands. Google uses Transport Layer Security (TLS) to encrypt emails and to protect their privacy. It’s on by default and is used by most major email providers. When you send messages from one Gmail account to another, the content in those emails is encrypted with TLS. However, some operating systems and older providers do not use TLS. Also, if your company sends and receives sensitive data, like medical records, social security numbers, or proprietary information, you may need to level up the integrity and confidentiality of your email system.

What is S/MIME and why do I need it?

An easy, non-invasive way to add a higher level of encryption to your emails is to use Secure/Multipurpose Internet Mail Extensions (S/MIME). This feature is available on all Enterprise and some EDU Google Workspace editions. S/MIME increases the level of security within Gmail because it encrypts the content in your emails and verifies who the recipient is. The verification is done by way of a Public Key Infrastructure (PKI) certificate, which is needed to effectively use S/MIME. PKI certificates use public key infrastructure for authentication and encryption.

If your company is concerned about intellectual property, data leakage, HIPAA compliance, billing information, or sensitive data, then S/MIME is a solution that can alleviate some of your concerns.

Partnering together: Wursta and DigiCert

Before you can purchase a certificate (which can be a hectic process), you need to be verified and prove you are who you say you are. This application and verification process is simplified through a company called DigiCert.

DigiCert is the largest PKI certificate provider in the world. They make it easy for companies to purchase PKI certificates, authenticate, and encrypt email messages. DigiCert sets the gold standard for data integrity. They’ve issued over 2 billion device certificates and work with 89% of Fortune 500 companies. That is why, after researching other PKI certificate providers, Wursta chose to partner with DigiCert.

How to install a DigiCert (or any) PKI certificate

Let’s log in to the Admin Console and install a certificate. After you’ve logged in, go to Apps > Google Workspace > Gmail.

Step 1: User settings

This is where we’ll need to start because the administrator of the organization will need a certificate. Then, in Step 4, we’ll upload an individual certificate. Each user will need his or her own certificate. The administrator certificate is needed to set up and configure the process as a whole and help with any troubleshooting, should issues arise.

In order for the emails I send to be encrypted with S/MIME, I need to have the certificate installed on my end first. I will need to have my recipient download the certificate as well (which we’ll get to later in Step 5) but I will be the only one who needs to purchase the certificate for it to effectively encrypt our messages.

Step 2: S/MIME setting

Turn on the feature to enable encryption for sending and receiving emails. If you do not see the option to turn this feature on, it is not available with your current Google Workspace edition.

Step 3: Upload certificate in Admin Console

Click the edit icon in the S/MIME section and a table should appear for you to view, add, edit, or delete current certificates. Upload your certificate by clicking the ADD button.

Step 4: Upload certificate in Gmail

Now, exit Admin Console and go to your Gmail application. Click the Settings gear icon > See all settings > Accounts > edit info (in the “Send mail as:” section) and a new screen will pop up. You’ll see a section for “Enhanced encryption (S/MIME):” and should be able to select the certificate you’d like to use or upload a new certificate. Be sure to save changes when you’re done.

Step 5: Send certificate to your recipient

Once you have your certificate uploaded, you can send a test email to your recipient with directions on how to download your certificate so the two of you can have an encrypted conversation. Have the recipient open the test email and click the triangle next to “to [Recipient Name]” at the top, above the message. (It should be their email since they are the recipient.) A window will drop down with more information about the email, including a green checkmark verifying the sender email address. In this section, click Sender info to view a new screen with the Sender’s Digital Signature. Click Download certificates. The last step is for the recipient to upload the certificate to their browser.

Step 6: Verify certificate when sending an email

Finally, after everything is uploaded and your recipient has uploaded their certificate as well, you’ll be able to verify S/MIME is working when you send an email. Create a new message in Gmail and type your recipient’s email address into the To field. The grey lock to the right of the To field will turn green if the recipient has their certificate uploaded and S/MIME is active. The grey lock signals that TLS is active and a red lock notifies you that TLS is not active.

Use case: uploading certificates for multiple users

We’ve purchased and implemented certificates for many Wursta customers to ensure their data integrity. Recently, a customer had about 800 users that needed to upload certificates. Each would need to be manually updated, taking up an immense amount of time. A project of this size is a headache to communicate. And then you’d need to validate that everyone uploaded their certificates correctly.

The Wursta team created a process to automate the PKI certificate upload. We pushed the certificate out to end-users using APIs. After it was uploaded to Admin Console, we were able to push it out to all of the customer’s staff, saving time and reducing room for error.
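The following is an added example, not Wursta's tooling (which the article does not show). It assumes the rollout uses the Gmail API method `users.settings.sendAs.smimeInfo.insert`; the manifest layout and the names `plan_uploads`, `read_sample`, `FILES` and `MANIFEST` are hypothetical. It validates each manifest row and builds the unsent requests, leaving OAuth authorization and sending to the caller.

```python
import base64, csv, io, json
from urllib.parse import quote
from urllib.request import Request

# Gmail API method users.settings.sendAs.smimeInfo.insert (one call per user).
INSERT_URL = ("https://gmail.googleapis.com/gmail/v1/users/{user}"
              "/settings/sendAs/{alias}/smimeInfo")

def plan_uploads(manifest_csv, read_file, domain):
    """Turn a manifest (email,p12_path,password) into unsent requests plus errors."""
    requests, errors, seen = [], [], set()
    for line, row in enumerate(csv.DictReader(io.StringIO(manifest_csv)), start=2):
        email = (row.get("email") or "").strip().lower()
        if not email.endswith("@" + domain):
            errors.append((line, email, "address outside managed domain"))
        elif email in seen:
            errors.append((line, email, "duplicate row for user"))
        else:
            try:
                p12 = read_file(row["p12_path"])
            except OSError:
                errors.append((line, email, "certificate file unreadable"))
                continue
            # DER-encoded PKCS#12 starts with an ASN.1 SEQUENCE tag (0x30).
            if p12[:1] != b"\x30":
                errors.append((line, email, "file is not DER PKCS#12"))
                continue
            seen.add(email)
            body = {"pkcs12": base64.urlsafe_b64encode(p12).decode("ascii"),
                    "encryptedKeyPassword": row.get("password") or ""}
            who = quote(email, safe="")
            requests.append(Request(INSERT_URL.format(user=who, alias=who),
                                    data=json.dumps(body).encode(), method="POST",
                                    headers={"Content-Type": "application/json"}))
    return requests, errors

# Constructed sample input; placeholder bytes stand in for real .p12 files.
# A real manifest holds private-key passwords: keep it out of shared storage.
FILES = {"certs/ana.p12": b"\x30\x82\x01\x00demo", "certs/bo.p12": b"-----BEGIN"}
MANIFEST = """email,p12_path,password
ana@example.com,certs/ana.p12,constructed-pass
bo@example.com,certs/bo.p12,constructed-pass
cy@example.com,certs/cy.p12,constructed-pass
ana@example.com,certs/ana.p12,constructed-pass
dee@other.test,certs/ana.p12,constructed-pass
"""
def read_sample(path):  # in-memory stand-in for reading the file from disk
    if path not in FILES:
        raise FileNotFoundError(path)
    return FILES[path]
```

Rows that fail validation come back with their manifest line number instead of being sent, which gives the operator a list to resolve before any certificate reaches a mailbox.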

S/MIME is available for Google Workspace Enterprise

S/MIME is a non-invasive way to ensure your company’s messages are protected. It has its pros and cons, but overall, it’s the quickest and easiest way to encrypt data.

Another common option is to use a third party and have users sign into that system to access sensitive messages or data. While this is a good option for some situations, like accessing a portal for patient-client interactions or to view lab test results, it can be time-consuming, inconvenient, and difficult to use. Do you want users signing in and out of different systems? Or can you share your data through email, with the added layer of security that S/MIME provides? Can you afford the financial and labor costs of implementing and managing a third party to communicate with your recipients? Or would buying and renewing certificates be a cheaper, more efficient option?

If you need assistance answering these questions or would like to discuss S/MIME further, let’s connect.