Click on the icon below to get transferred to the Chrome Web Store. Choose + Add to Chrome to install Mailvelope as an extension of your browser.
After installation a locker icon is displayed in the main Google Chrome toolbar, right of the address bar, which leads to Mailvelope's main menu.
OpenPGP and therefore Mailvelope uses public-key cryptography which means a key is split up in two parts: public and private key with different purposes:
Before one can send encrypted emails to a peer it is required to have the public key of this person. Therefore before a secure communication can happen between two partners it is required to exchange the public keys of each other. There are multiple ways how the public key can be distributed:
Public and private keys, as well as encrypted messages in OpenPGP are encoded in a certain text format that allows to exchange these entities or store them in text files.
For example a public key would look like as follows:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v.1.20121015
-----END PGP PUBLIC KEY BLOCK-----
We see encoded data surrounded by rows that mark the beginning and end of this key.
Click on Mailvelope's locker icon in the browser extension toolbar to open the main menu. Choose Options to navigate to the key ring with all your keys:
To use Mailvelope at least one key pair (consisting of public and private key) must be available. We can either generate a new key pair as explained in this section, or import an existing key pair as described below.
Click on Generate Key to open the key generation dialog:
Fill in all required information. After Submit the key generation process will start and the result can be viewed by navigating back to the key list with Display Keys
Existing keys can be imported in the Import Key dialog:
Paste any keys in text format as shown above in the section Message Formats into the textarea. Again, check Display Keys after successful import to view the result.
Key export functionality is used to extract keys in a text format. We can use this as the basis to publish public keys or to make a backup of a public-private-keypair in a secure place.
Key export is available in the Display Keys view. Select a key and press Export to view the dialog:
The following options are available:
Mailvelope extends the user interface of Webmail (e.g. Gmail™, Yahoo® Mail etc.) with controls that allow encryption and decryption of email.
Starting with Mailvelope v0.6 the default procedure is to compose and encrypt messages in an external editor.
The compose button is displayed in all mail compose areas of the mail provider and will launch Mailvelope's external editor.
Click on the compose button will open a new popup with a separate editor. This ensures that the mail creation and encryption process is completely isolated from the mail provider.
The mail can now be composed and afterwards we click on the encrypt button to display the encrypt dialog. Here we can choose the recipients resp. the person that should be allowed to decrypt the message and Add them to the list. The precondition is that we have imported already their public keys as described in Key Import.
The following text encodings are possible:
Click on Ok to encrypt the email. The email text will be replaced with the encrypted message.
The undo button will revert the content back to the unencrypted text and you can restart the process.
The final step is to copy the encrypted message back to the mail provider. A click on Transfer will do this and close the external editor.
Now the encrypted message can be sent as usual.
Mailvelope offers also a second mode where messages are encrypted directly on the mail provider page. See section Security on how this mode can be activated and what are the implications on the security level of Mailvelope.
Whenever Mailvelope detects an encrypted text in an email it marks it with an overlay as follows:
If we click with the mouse inside this area the password dialog opens.
Mailvelope tries to find the private key that is required to decrypt the message. And if the correct key is found in the key ring then corresponding User and Key ID are displayed.
After unlocking the key with the password the message is decrypted and directly shown in the marked area.
Mailvelope comes preconfigured to work with the following email services:
With its general approach it can be configured to work with any email provider. This can be done in the Preferences section of the Options view.
The watch list defines a set of web sites that are enhanced with the functionality provided by Mailvelope.
By default Mailvelope is active for all sites in the watch list. To deactivate one site click on Edit in the corresponding row and change the Active value. Confirm with Update.
Load the web site you want to add to the watch list in a browser tab (the active tab). Click on the locker icon in the browser extension toolbar to open the main menu. Choose Add page. The browser will open a new tab with Mailvelope's Options page and will add the web site to the watch list. Reload web site to activate Mailvelope.
Load the web site you want to remove from the watch list in a browser tab (the active tab). Click on the locker icon in the browser extension toolbar to open the main menu. Choose Remove page. The browser will open a new tab with Mailvelope's Options page and after confirmation will remove the web site from the watch list.
Mailvelope offers end-to-end encryption which means it must ensure that at no time secret data can leave the browser of the user.
Mailvelope's user interface consists of a set of isolated elements floating on top of the mail provider's UI elements. This tight integration improves usability, but requires also measurements to prevent any data leakage.
The security goals for Mailvelope are as follows. All data must be safe even if:
This attack scenario was thoroughly tested in a penetration test by Cure53 who also helped with the design of the security concepts used by Mailvelope v0.6
In this section we look at security from an end user perspective. Further information is also available in the security section of the FAQ. The described settings can be found in the following dialog.
The security token consists of a three character code and a color that is only known to the user. It is generated randomly in the installation process of Mailvelope and can be changed in the above settings to a custom pattern.
All dialog windows of Mailvelope (password entry, mail compose editor, mail decrypt popup) will display the security token and thereby clearly identifying their origin. A spoofed dialog can be identified by a missing or wrong security token. Mailvelope can not prevent certain manipulations but with this approach the user can always identify if something is wrong.
Two different modes to display the encrypted messages are available:
This offers the best usability. The encrypted messages are displayed inside an isolated sandbox that is not accessible by the mail provider.
A watermark shown in the background of the decrypted message has the same purpose as the security token concept: we can clearly identify that the displayed message is the one decrypted by Mailvelope.
For the watermark the characters of the security token are used, displayed in light gray.
This variant is vulnerable to clickjacking attacks which can be summarized as: Mailvelope can not guarantee that a click on a link in a decrypted message results in a navigation to a page that was intended by the author of the message. For most users this should be an acceptable risk. If in doubt use the following popup mode, which is immune against such attacks.
Decrypted messages are displayed in a separate modal popup.
Two different modes are available to compose the secure message:
The mail is composed in a separate popup window and only transferred in encrypted form back to the mail provider editor. In this variant the clear text of the message will never leave Mailvelope.
You compose your mail in the editor of the mail provider. That means before you encrypt the mail, the mail provider potentially has access to what you type. This comes often as a feature with the auto-save drafts function: the incomplete (and unencrypted) mail is stored every few seconds on the server. This variant might make sense for your special use case, but be aware that this violates the concept of client-side encryption as the unencrypted message or parts of it can leave your browser.
Mailvelope can cache passwords for private keys in local memory. You can activate the cache in the security settings or on the password dialog. Passwords have only a lifetime which can be adjusted in the settings and are deleted at the latest when you close the browser window.