Google Introduces End-to-End Encryption Features for Gmail

Select Gmail users are getting expanded access to a beta test for new end-to-end encryption features from Google. Google Workspace Enterprise Plus, Education Plus and Education Standard customers can apply to join the beta test until January 20, 2023. “Using client-side encryption in Gmail ensures sensitive data in the email body and attachments are indecipherable to Google servers,” the company says, adding that customers will retain control over encryption keys. Users will be able to activate the additional encryption by clicking the padlock button in Gmail. Activating the extra security will disable features like emoji and signatures.

The new features let users individually decide who can access their data. “Client-side encryption is especially beneficial for organizations that store sensitive or regulated data, like intellectual property, healthcare records, or financial data,” Google spokesperson Ross Richendrfer told Gizmodo.

Google added client-side encryption, or CSE, to Google Drive in 2021 as part of an enterprise tools launch that let companies encrypt Google Docs and Sheets. It is also integrated with Google Meet, and is in beta for Google Calendar.

“Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities,” Google said in a blog post that stressed client-side encryption as addressing “a broad range of data sovereignty and compliance needs.”

Google’s expanded encryption “follows end-to-end encryption coming to most of Apple’s iCloud services, with mail, contacts, and calendar being the odd ones out.” “Google one-ups Apple with end-to-end encryption for Gmail on the web,” beating Apple’s new Advanced Data Protection, according to Macworld.

But the new features are not available to those with personal Gmail accounts, nor “users with Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers,” the company says in a blog post.

CSE, ZDNet explains, “is different from end-to-end encryption (E2EE) because clients use encryption keys that are generated and stored in a cloud-based key management service, so admins can control the keys and who has access to them. This way, the admin can revoke a user’s access to keys, even if that user generated them.”

“Given that the system currently relies on administrators using an API to upload certificates and encryption keys generated by an external management service, it’s probably best that it’s mostly being limited to companies with IT departments at this point,” writes The Verge, recommending PGP encryption within Gmail or a Proton Mail account for more user-friendly options.
