Mailvelope is an extension for your browser (in Firefox it is called an "Add-On", in Chrome an "Extension") and it expands the functionality of your web-browser. Mailvelope offers email encryption with PGP for the Firefox and Chrome browsers.
One of the advantages of Mailvelope is the fact that you don't need to change your environment in order to introduce yourself to encrypted communication. If you've been using a webmail provider, you can send encrypted emails with the help of Mailvelope using the same provider and the same email address.
The provider's user interface in the browser now contains the additional Mailvelope component. This ensures that your sensitive information remains inaccessible to your webmail provider. Encryption as well as decryption are handled on your device (end-to-end) and your private key never leaves the device. This concept means your confidential emails remain encrypted on your provider's servers at all times and are readable only after you enter your private key's password.
Mailvelope provides a lot of flexibility. The extension works with a variety of webmail providers and websites which include Gmail, Yahoo, Outlook Live, Zoho and many more.
Since Mailvelope first became available in 2012, more and more webmail providers have tailored their services to support the Mailvelope API so that they can offer their users easy-to-use email encryption. The integration with the German webmail providers WEB.DE, GMX and Posteo is especially seamless. Even the providers of the "De-Mail" project, 1&1 and Deutsche Telekom, are technically cooperating with Mailvelope (and its API). These providers can therefore offer a better user experience on top of the basic features of Mailvelope.
Users who want to use Mailvelope in conjunction with these webmail providers should learn about the use of Mailvelope directly on the help pages of the relevant provider because the integration works differently in every case.
Help pages (email encryption with PGP/Mailvelope):
Pre-configured (authorized) providers:
Other authorized providers with API support:
Other providers and websites can always be added manually. See: How do I authorize a new domain to cooperate with Mailvelope?.
Because Mailvelope uses the OpenPGP standard, which is open and has been trusted as secure for many years, you can communicate not only with other Mailvelope users but with everyone who uses software compatible with the PGP standard.
Examples of compatible programs:
Using Mailvelope on mobile devices with the Android or iOS operating systems isn't possible at the moment because Mailvelope has been designed as a browser extension and the browsers in these mobile operating systems can't sufficiently support the Mailvelope extension right now. As an alternative for sending and receiving PGP encrypted emails on mobile devices there are email clients on Android and iOS which can support the OpenPGP Standard.
At the moment these include:
The key you created and use in Mailvelope can be exported without issue and can be imported into these programs so that on your device you can access the same email address and use the same key as with Mailvelope on your computer.
On its Help page the webmail provider Posteo.de offers a detailed guide on how to set up mobile PGP encryption on an Android phone with the help of the programs Squeaky Mail and PGP KeyRing.
Please remember that the use of PGP on your mobile device also carries additional security risks. If you face a high security risk, the mobile use of PGP is not recommended. This applies especially to Android devices, which often receive operating system updates very late or not at all.
Mailvelope was designed for very flexible use. If your webmail provider is not included in the list of authorized domains, it is usually still possible to activate Mailvelope on new websites. Also see the next question.
As detailed here, after installation many of the most used websites and email providers will already be enabled to work with Mailvelope. With the help of the following instructions Mailvelope can be configured for use on new websites.
Load the website you want to add to the list of authorized domains. Select the Mailvelope lock icon to open the main menu. Select "Options" and go to "List of Email Providers". A Mailvelope dialogue to add the new domain should open.
In most cases you can leave the fields "Status", "Domain pattern" and "API" unchanged. As soon as you select "OK" Mailvelope will save the entry in the list of authorized domains. Here the entry can be edited at all times. Reload the newly activated website in order to activate Mailvelope.
Mailvelope is enabled by default for all websites on the list of authorized domains. In order to deactivate a site select "Options" and then "List of Email Providers" from the sidebar. Select the relevant entry. Now both "Edit" and "Delete" options will appear. With the "Enable" option you can temporarily suspend the cooperation of Mailvelope with a website. Toggle the "Enable" switch to "0" and confirm with "OK". As an alternative you can also delete the website from the list completely.
Yes. Using Mailvelope's file encryption you can easily encrypt any file to send as an email attachment. In this case, the file is encrypted with the public key of the recipient in the same way as email encryption. The size of the file is currently limited to 50MB because sending larger files is usually not supported by the email providers.
Select Mailvelope's lock icon in the toolbar to open the main menu and then select "File Encryption". Choose the file from your device that needs to be encrypted by selecting "Add". Select "Next" and choose the person(s) for whom the data will be encrypted. (Of course, you must have previously imported the public keys of these recipients into Mailvelope.) After you select "Encrypt" the data will be encrypted for the chosen recipients. You can now save the files and then add them to your emails as attachments. The encrypted files can be saved individually, or all together by selecting "Save All"; they are saved to the Download folder.
Attention: Encrypting with Mailvelope changes the format of the file. Your files will temporarily receive the file extension for GnuPG encrypted files (.gpg) during the encryption process. This will be undone after decryption and the file will be restored to the format it originally had.
The steps for decrypting files are similar to those for encrypting files. Select "File Decryption" from the sidebar. Next, choose files on the hard disk for decryption by selecting "Add". After you enter the password for your private key, the files will be shown decrypted and can be downloaded to the hard disk.
The signing of messages guarantees the authenticity of the message and thus ensures that it actually originates from the specified sender.
By selecting the "Options" button in the Mailvelope editor (while composing a new message) you can find options for signing a message. If the option "Sign message with key" is active the message will first get signed by the chosen private key and then encrypted if you select "Encrypt".
With the "Sign all messages with primary key" link you can navigate to the Mailvelope settings and permanently enable the signing of emails and select the primary key as the key for signing.
You can also send your emails with only a signature. Attention: To do this you will need to choose a key for signing in the email options. Mailvelope will then create a PGP signature and will add it directly into the email text. Please note that in this case the email content will be forwarded unencrypted to the email provider.
If a message contains a signature and Mailvelope can determine the sender's address, Mailvelope verifies the signature automatically. In the upper right corner of the decrypted message the notice "Digitally signed" is displayed. Clicking on "Digitally signed" opens a dialog containing the verification result and further details of the signature.
If you have any suggestions, just send an email to firstname.lastname@example.org. We will happily consider them while planning future versions.
The first key you create with Mailvelope immediately after setup automatically becomes your primary key. In the key list, the primary key is marked with an orange "Primary" label. If you want to change your primary key, you will find the corresponding option when you select any key pair in the key list.
Select "Key Management" and then "Import Keys".
There are two options:
-----BEGIN PGP PUBLIC KEY BLOCK----- and the -----END PGP PUBLIC KEY BLOCK-----
Import public keys for your communication partners automatically:
With the option "Export" keys can be exported and sent or saved as back-ups. You can use this feature in order to publish your public key or to keep a copy of a public-private key pair in a safe place. Here you will find the most common use cases in detail. If you choose to export your key using the clipboard, please make sure that -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- are included.
Export your public key:
Select "Key Management", then your primary key and then select the "Export" option. Choose "Public" and if requested, provide a filename. After you select "Save" your public key will be saved to your Download folder as a .asc file. This format is standardized and can be read by all PGP implementations. Alternatively you can copy your key to the clipboard from the "Key Details" window. Your public key can now be sent to your communication partner, uploaded to a key server or integrated into your website.
Save your own key pair:
Hover your mouse over your primary key pair, which will be marked with the word "Primary", and select it. Go to the "Export" tab and choose the complete key pair by selecting "All". Input a file name. Upon selecting "Save" the key pair will be saved to your Downloads folder as a .asc file. As an alternative, you can copy your key to the clipboard from the "Key Details" window. Please note the security tips under Backup.
Backup of the complete keyring:
If you have multiple keyrings, first select the correct keyring from the left above the menu bar. On the Key Management screen, select "Export" from the upper left corner. You can save all public keys, all private keys or the entire keyring with all keys by choosing the option "All". Input a file name. Upon selecting "Save" the keyring will be saved to your Downloads folder as an .asc file. As an alternative, you can copy your keys to the clipboard from the "Keyring backup" window. If the saved keyring also includes private keys, please pay attention to the security tips under Backup.
Mailvelope provides its own key server. It is available at https://keys.mailvelope.com. A key server is a freely accessible database for the public keys of the PGP users. If you send an encrypted email to a communication partner but do not know their public key, you can use the key server to search for it. Moreover, you can store your public PGP key there for others to find easily. The Mailvelope key server has the advantage that all email addresses stored on it have already been verified via email, which is a good protection against potential identity theft.
Automatic key search
Mailvelope uses the key server in the background for some services. Every time you create a new key, you have the choice to upload your key to the key server automatically. On top of that, when you enter an email address in the editor when sending emails, Mailvelope searches for the corresponding public key on the key server.
You can also deactivate the automatic key search which is activated by default. In order to do this you will have to select "Options" -> "Key Server" and uncheck "Automatically lookup recipient keys".
Manual key upload or download
If you want to upload your key manually or even search for keys, you can use the web interface of the key server https://keys.mailvelope.com/ui.html.
Upload key to server (OpenPGP key upload)
Copy the public key you want to upload to the clipboard. Make sure that your selection includes -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK-----. Paste it into the input field and select "Upload".
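A quick way to confirm that a key block copied to the clipboard is complete, as the upload step here and the export instructions above require: this added Python check (not Mailvelope's own code) verifies that the BEGIN and END lines are present and match, that a blank line separates the armor headers from the data, that the body is decodable radix-64 and that the CRC24 trailer defined in RFC 4880 matches the decoded bytes. The sample block is constructed from arbitrary bytes and is not a real OpenPGP key.

```python
import base64
import binascii
import re

# CRC24 parameters from RFC 4880, section 6.1 (OpenPGP ASCII armor checksum)
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Compute the 24-bit armor checksum over the decoded (binary) data."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, block_type: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Wrap raw bytes in ASCII armor; used here only to build a constructed sample."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {block_type}-----", "Version: constructed sample", ""]
                     + lines + [crc_line, f"-----END {block_type}-----"]) + "\n"


def check_armor(text: str) -> tuple:
    """Return (ok, reason) for a pasted armored block: are the BEGIN/END lines present
    and matching, is the body decodable, and does the CRC24 trailer match the data?"""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    head = re.fullmatch(r"-----BEGIN (PGP [A-Z0-9 ,/]+)-----", lines[0]) if lines else None
    if head is None:
        return False, "missing BEGIN line: the start of the selection was cut off"
    block_type = head.group(1)
    if lines[-1] != f"-----END {block_type}-----":
        return False, f"missing or mismatched END line for {block_type}"
    try:
        sep = lines.index("", 1)  # the blank line ends the armor headers
    except ValueError:
        return False, "no blank line between armor headers and data"
    body = lines[sep + 1:-1]
    if not body or not body[-1].startswith("="):
        return False, "missing CRC24 trailer line"
    try:
        data = base64.b64decode("".join(body[:-1]), validate=True)
        given = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    except (binascii.Error, ValueError):
        return False, "body is not valid radix-64 text"
    if crc24(data) != given:
        return False, "CRC24 mismatch: the block was altered or truncated"
    return True, f"{block_type} intact ({len(data)} bytes)"


# Constructed sample: arbitrary bytes, not a real OpenPGP key.
SAMPLE_KEY_BLOCK = armor(bytes(range(96)))

if __name__ == "__main__":
    print(check_armor(SAMPLE_KEY_BLOCK))
    # The BEGIN marker as it looks when the dashes have been separated by spaces:
    print(check_armor(SAMPLE_KEY_BLOCK.replace("-----BEGIN", "- - - - BEGIN")))
```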
Search for keys on the key server (OpenPGP key lookup)
Enter the email address or the key ID (a key ID makes every PGP key uniquely identifiable). For example, the key IDs for your keys can be found in Key Management in the "Key ID" column. Finally, select "Search".
Remove a key from a key server (OpenPGP key removal)
Enter the email address of the key that you want to delete and select "Delete". Be sure to enter the email address keeping case sensitivity in mind. In some cases, the associated key may not be found otherwise! Attention: When attempting to delete a key from the key server you will receive an email with a link which has to be selected in order to complete the deletion.
Mailvelope provides end-to-end encryption, meaning the app ensures (within its set technical limits) that sensitive files and information can be sent from one device to another over a potentially unprotected channel such as an email.
Various threat scenarios have been tested during professional security audits: List of Mailvelope's audits.
According to analysis, Mailvelope offers a secure end-to-end-encryption. However, security while using Mailvelope is dependent on how secure your device is. We therefore recommend security measures such as regular updates of your browser and operating system as well as the use of sufficiently secure passwords (see also: How do I choose a secure password for my private key?).
Mailvelope stores the keys in the local storage of your browser. This is a file in the Chrome user data directory or in the profile folder in Firefox. If you delete the temporary browser data, the keys stored in Mailvelope will not be affected. However, deleting the Mailvelope extension in Chrome or Firefox will also delete the keystore from your file system.
Mailvelope stores and exports private keys only in their encrypted form. The private key is therefore always password protected. All steps that require a private key (such as decrypting or signing a message) always require both components: the private key and the password. Even after exporting a private key it remains encrypted and password protected at all times.
A strong password should be chosen to protect your data, even in the case that someone gets hold of your private key and attempts a so-called "brute force" attack. In such an attack, a large number of passwords are tried in a very short time in order to find the right one. In the end, the strength of your protection depends on both the length of your password and the randomness (entropy) of the combination.
You can create a good password by combining letters, both upper and lower case, numbers and special characters. This kind of password is usually very hard to remember. Another option would be to think of a picture or a scene which you could describe with four or five words. Written together these words could be your password. A short and fun introduction to this can be found at https://xkcd.com/936/.
Export the keys you want to back up following the instructions in How can I export my PGP keys from Mailvelope?.
If you want to secure a private key, you should note some security tips. Even if your private key is still encrypted after the export and still needs to be unlocked using your password, it should not be left unprotected on any disk.
If your security threats are high, the file should be kept off the internet on safe offline storage. We recommend backing up your private key on a USB drive or key (one with added hardware or software password protection should be safe). Keep it in a safe place.
Unfortunately Mailvelope cannot recover your password for you. The key pair can then no longer be used and any messages sent to you using this key can no longer be decrypted. You will need to delete your old key (this can also be done on the Mailvelope key server if it has been uploaded). Create a new key pair and inform your communication partners as soon as possible of the change of your public key.
When using Mailvelope in conjunction with WEB.DE and GMX recovery of your password is possible through a so-called "recovery code". For more information about this option, please see WEB.DE and GMX: I need to enter a "recovery code". Where do I get it from? From Mailvelope?.
With Mailvelope it isn't possible to change the password for your private key. If you want to change your private key's password, depending on your operating system you can use common PGP encryption software that offers this service. On macOS for example, you can use GPGTools. For Windows, Gpg4win would cover this need. Other programs can be found under Can I only exchange encrypted emails with other Mailvelope users? Install one of these programs and import your private key. Follow the instructions of the said software in order to change your private key's password. After a successful change you can export the key again and import it into Mailvelope.
These permissions are needed for Mailvelope to work properly for the following reasons:
Because Mailvelope is open source software verified by many different websites, you can be confident that these permissions won't be abused by Mailvelope.
GMX and WEB.DE ask their users for a recovery code if they have lost the password for their private key, the private key itself has been lost or if Mailvelope is to be set up on a second device. This is a feature that is only offered by these email providers. When you set up the email encryption function, a 26-character code is generated which should be printed so that it can be used to activate the recovery feature in case your key or password are lost.
If you still have your private PGP key and password, you can print a new recovery code here:
(Attention: You should be careful with this copy.)
If you have lost/forgotten your private key or your password and you haven't printed your recovery code, your encrypted communication cannot be recovered. The PGP function of your GMX or WEB.DE accounts will have to be restarted. This can be done neither by you nor by Mailvelope, but must instead be requested through the GMX and WEB.DE hotline:
GMX Hotline: https://hilfe.gmx.net/kontakt/kontakt.html
WEB.DE Hotline: https://hilfe.web.de/kontakt/kontakt.html
Mailvelope has been designed as a browser extension and therefore needs a clean "software base" in order to function as intended. In the case of malfunctions, check to see if you are working with an outdated operating system or if you have to update your browser to the latest available version. If you still experience issues, you can try one of the following options:
This may be the case in the following situation: The PGP application of your communication partner has encrypted the email in PGP/MIME format and your webmail provider doesn't show a preview of the attachments by default. In this case Mailvelope cannot access the encrypted data for technical reasons and therefore can't offer automatic decryption.
-----BEGIN PGP PUBLIC KEY BLOCK----- and the -----END PGP PUBLIC KEY BLOCK-----. Next, select "Encryption" in the Mailvelope main menu and then choose "Text Decryption" from the sidebar. Paste the text from the clipboard into the decryption window and confirm by selecting "Decrypt". As soon as you see the decrypted content from your email, you can copy it from the window and use it elsewhere.
Before you send a bug report, please always restart your browser and check if the problem persists. Often browser issues, and not Mailvelope itself, are responsible for malfunctions. If you are using an older version of your browser or operating system, please update and check if the problem persists.