Hosted S/MIME by Google provides enhanced security for Gmail in the enterprise

Now that Google is shooting to be their own CA, couldn&#x27;t they mass-generate S&#x2F;MIME certificates for all their users?<p>Even if the sender and receiver is Google-hosted, they could still encrypt mail, so it&#x27;s encrypted at rest if it&#x27;s copied from a user&#x27;s gmail account to their local mail via pop&#x2F;imap? And, since Google would be generating the private key, they could also decrypt it server-side in their secure environment, do whatever scanning for advertising&#x2F;spam classification, and still deliver the same product?<p>As other users have pointed out, if you&#x27;re trying to protect against an adversarial Google, you&#x27;ve already lost by using gmail. If you&#x27;re going to trust them with message composition software, and transport, just go in whole-hog.<p>As far as I can tell, Google seems to have their security ducks in a row, and take this stuff seriously. Deployed correctly this could be another &quot;raising the bar&quot; event on email security, and help mitigate against servers still not requiring tls&#x2F;ssl on port 25.

FYI, this is only supported by the G Suite Enterprise tier, Business and Basic do not have S&#x2F;MIME support.

&gt; To use hosted S&#x2F;MIME, companies need to upload their own certificates (with private keys) to Gmail, which can be done by end users via Gmail settings or by admins in bulk via the Gmail API.<p>So this is just to give the illusion of privacy and security then?

&gt; end users have to manually install certificates to their email applications<p>This really is a problem that could be reduced. For instance there is no easy way to copy the S&#x2F;Mime certificate from my macbook to my iPhone

I wonder if Google is starting to get worried about services such as ProtonMail.