Gmail’s end-to-end encryption is finally coming to your phone — but with a catch.
Google has started rolling out Gmail end-to-end encryption (E2EE) on the Android and iOS apps, letting eligible users send and read fully encrypted emails right inside the regular Gmail interface — no separate portal, plug-in, or extra app required. The idea is simple: for sensitive work emails, only you and the recipient should be able to read the content — not even Google.
There’s an important limitation, though: this isn’t a blanket privacy upgrade for every Gmail user. E2EE on mobile is tied to Gmail’s client-side encryption (CSE) and is available only to Google Workspace Enterprise Plus customers who also have the Assured Controls or Assured Controls Plus add-on, and whose admins have explicitly enabled it for Android and iOS from the Admin Console. So if you’re on a regular free Gmail account or even most standard Workspace plans, you won’t see this feature at all — at least for now.
From the user side, the experience is designed to feel almost identical to sending a normal email. In the Gmail mobile app, eligible users will see a lock icon while composing an email; tapping it lets them turn on additional encryption, after which they can type their message and attach files as usual. Behind the scenes, encryption and decryption happen on the client, using keys that are managed by the organization or an external key service rather than by Google, which is what stops Google from being able to read the message content.

One of the biggest perks is that encrypted emails aren’t restricted to Gmail-to-Gmail conversations. Google says users with a Gmail E2EE license can send encrypted messages to any recipient, regardless of their email service or address. If the recipient is using the Gmail app, the email simply lands as a normal-looking thread in their inbox. If they’re not on Gmail, they can still open a secure page in their browser to read and reply, without installing any extra software.

For IT and security teams, this update is aimed squarely at organizations that handle highly sensitive or regulated data — think finance, healthcare, or government — and that need strict control over where encryption keys live and how data flows across borders. With Assured Controls, admins can enforce data residency and access policies while using E2EE, and still meet compliance requirements like SEC and CFTC record-keeping via dedicated export tools. It also means companies can adopt WhatsApp-style end-to-end protection for email, without abandoning Gmail’s familiar interface and admin tooling.
Rollout-wise, Google says the feature is available now for both Rapid Release and Scheduled Release domains, but again, only for the supported enterprise tiers and only after admins enable mobile CSE access. Once switched on, it should “just appear” for users in the Gmail app, making it much easier to send a fully encrypted message from a phone during travel, on-site visits, or remote work days.
In short, this is a big win for corporate privacy on mobile, but not the long-awaited universal encryption switch for everyday Gmail users. If your company is on Workspace Enterprise Plus with Assured Controls, your admin can start testing this right away; if not, you’ll still be waiting on basic Gmail while the most locked-down inboxes get even more secure.