Frequently Asked Questions

About Mailvelope

What is Mailvelope and how does it work?

Mailvelope is a browser extension (in Firefox it is called an "Add-On", in Chrome an "Extension") and it expands the functionality of your web-browser. Mailvelope offers email encryption with PGP for the Firefox and Chrome browsers.

One of the advantages of Mailvelope is that you don't need to change your familiar environment to get started with encrypted communication. If you've been using a webmail provider, you can also send encrypted emails with the help of Mailvelope using the same webmail provider and the same email address.

The additional Mailvelope component is superimposed to the provider's user interface in the browser. This ensures that your sensitive information remains inaccessible to your webmail provider. End-to-end encryption and decryption are handled on your computer and your private key never leaves your computer. Thanks to this concept, your confidential emails remain encrypted on your provider's servers at all times and are only readable on your computer once you have entered your private key's password.

Which webmail providers does Mailvelope support?

Mailvelope is designed for maximum flexibility and customizability. The extension works with a variety of webmail providers and websites including Gmail, Yahoo, Outlook Live, Zoho and many more.

Since Mailvelope first became available in 2012, more and more webmail providers have tailored their services to support the Mailvelope API so that they can offer to their users easy-to-use email encryption. The integration with German webmail providers WEB.DE, GMX and Posteo is especially seamless. The providers of the "De-Mail" project, 1&1 and Deutsche Telekom are also technically adapted to Mailvelope (and its API). These providers can therefore offer a better user experience through the basic features of Mailvelope.

Users who want to use Mailvelope in conjunction with these webmail providers should learn about how to use Mailvelope directly on the help pages of the relevant provider because the integration works differently in every case.

Help pages (email encryption with PGP/Mailvelope):

Pre-configured (authorized) providers:

Other authorized providers with API support:

Additional providers and websites can always be added manually. See: How do I authorize a new domain to work with Mailvelope?.

Can I only exchange encrypted emails with other Mailvelope users?

Because Mailvelope uses the OpenPGP standard, which is open and has been trusted as secure for many years, you can communicate not only with other Mailvelope users but with anyone who uses software compatible with the PGP standard.

Examples of compatible programs:

  • Enigmail for Thunderbird (macOS, Windows, GNU/Linux).
  • Gpg4win for Windows, for use with Outlook for example.
  • GPGtools for macOS in conjunction with their default mail application "Mail".

Can I also use Mailvelope on mobile devices?

Using Mailvelope on mobile devices with the Android or iOS operating systems isn't possible at the moment. Mailvelope has been designed as a browser extension and mobile browsers currently have restrictions that do not allow sufficient support of the Mailvelope extension. However, several email clients do support the OpenPGP standard for sending and receiving PGP encrypted emails on Android and iOS.

At the moment these include:



You can easily export and import your keys created and used in Mailvelope so that you can be reached with the same email address and keys on your mobile device as you would with Mailvelope on your computer. On its Help page, the webmail provider offers a detailed guide on how to set up mobile PGP encryption on an Android device with the help of the programs Squeaky Mail and PGP KeyRing.

Please remember that the use of PGP on your mobile device also carries additional security risks. In the case of high security risk, the mobile use of PGP is not recommended. This especially applies to Android devices which are often supplied very late or even not at all with current operating system updates.


My webmail provider isn't pre-configured (authorized) in Mailvelope. Can I still use Mailvelope?

Mailvelope was designed for very flexible use. If your webmail provider is not included in the list of authorized domains, it is usually still possible to activate Mailvelope on new websites. Also see the next question.

How do I authorize a new domain to work with Mailvelope?

As detailed under Which webmail providers does Mailvelope support?, after installation many of the most used websites and email providers will already be enabled to work with Mailvelope. With the help of the following instructions Mailvelope can be configured for use on new websites.

Load the website you want to add to the list of authorized domains. Select the Mailvelope lock icon to open the main menu. Select "Advanced options" and go to "Activate on the current tab". A Mailvelope dialogue to add the new domain should open.

In most cases you can leave the fields "Status", "Domain pattern" and "API" unchanged. Once you select "OK" Mailvelope will save the entry in the list of authorized domains. There, the entry can be edited at any time. Reload the newly activated website in order to activate Mailvelope.

How do I deactivate a domain from cooperating with Mailvelope?

Mailvelope is enabled by default for all websites on the list of authorized domains. In order to deactivate a site, select "Options" and then "Manage authorized domains" from the option. Select the relevant entry. Now both "Edit" and "Delete" will appear. With "Enabled", you can temporarily suspend the cooperation of Mailvelope with the website. Toggle the "Enabled" switch to "0" and confirm with "OK". As an alternative you can also delete the website from the list completely.

Can I also encrypt email attachments with Mailvelope?

Yes. Using Mailvelope's file encryption you can easily encrypt any file to send as an email attachment. In this case, the file is encrypted with the public key of the recipient in the same way as email encryption. The size of the file is currently limited to 50MB, as sending larger files is usually not supported by email providers.

Encrypting Files

Select the Mailvelope's lock icon in the toolbar to open the main menu and then select on "File Encryption". First, select on your computer the file that needs to be encrypted by selecting "+ Add". Select "Next" and choose the person(s) for whom the data will be encrypted. (Of course, you must have previously imported the public keys of these receivers into Mailvelope). After you select "Encrypt" the data will be encrypted for the chosen receivers. You can now save the data and then add it to your emails as attachments. Encrypted files can be selected individually and saved in the Download folder or all together by selecting "Save All".

Attention: Encrypting with Mailvelope changes the format of the file. Your files will temporarily receive the file extension for GnuPG encrypted files (.gpg) during the encryption process. This will be undone after decryption and the file will be restored to the format it originally had.

Decrypting Files

The steps for decrypting files are similar to those for encrypting files. Select "File Decryption" from the option menu. Next, choose files on a drive for decryption by selecting "+Add". After you enter the password for your private key, the files will be shown decrypted and can be downloaded to your local drive.

How can I sign messages and what purpose does it serve?

The signing of messages guarantees the authenticity of the message and thus ensures that it actually originates from the specified sender.

By selecting the "Options" button in the Mailvelope editor (while composing a new message) you can find options for signing a message. If the option "Sign message with key" is enabled, the message will first get signed by the chosen private key and then encrypted when you select "Encrypt".

With the "Sign all messages with default key" link you can navigate to the Mailvelope settings and permanently enable the signing of emails and select the default key as the key for signing.

You can also send your emails with only a signature. Attention: To do this you will need to choose a key for signing in the email options. Mailvelope will then create a PGP signature and will add it directly into the email text. Please note that in this case the email content will be forwarded unencrypted to the email provider.

How do I check the validity of signed messages?

If a message contains a signature and Mailvelope can determine the sender address, Mailvelope automatically checks it. In the upper right area of the decrypted message the message "Digitally signed" will be displayed. Clicking on the words "Digitally signed" displays a dialog containing the check result and further details of the signature.

Is a specific feature currently being supported or are there plans for future support?

If you have any suggestions, just send an email to We will happily consider them while planning future versions.

Extended features

Is it possible to use Mailvelope just as an encryption-program, independently from email?

The flexible concept of Mailvelope makes it adaptable for different usecases. It is possible to exchange PGP-encrypted files or texts, including any attachments, in means, other than e-mail. You can save and exchange encrypted files or message texts for eample on a USB stick or memory card. This would also be a nice way of avoiding metadata. It is also possible to store messages on websites or in cloud memories or to send them with messenger services.

In case of such use of Mailvelope go to "Main menu" -> "File encryption". Similar to the file encryption you can encrypt and decrypt texts and their attachments with the function "Text encryption" which can be found at the same place. Further instructions under: Can I also encrypt email attachments with Mailvelope?.

Why using GnuPG backend instead of OpenPGP.js?

From version 3.0 onwards, a locally installed GnuPG application (e.g. Ggp4win or GPGTools) can also be included in Mailvelope. For the option to be available in Mailvelope, there must be a properly installed implemention of GnuPG on your device.

Users can than choose whether they want OpenPGP.js or the locally installed GnuPG application to handle key management and encryption routines. Key management by GnuPG can increase the security of Mailvelope by protecting the private keys in case your browser gets compromised. The support of security tokens such as a smartcard is also possible. More about GnuPG integration and the possibilities of using hardware tokens can be found soon on our blog.


How to use Encrypted Forms with Mailvelope?

Mailvelope provides a way for web developers to define forms in a specific format so that the data can only be read by a selected recipient. The Mailvelope Browser extension takes care of the encryption and packages the form-data in a secure OpenPGP message.

A technical documentation for encrypted forms is available in Mailvelope Wiki.

What's Web Key Directory, and how can I use it?

At the beginning of an encrypted communication with OpenPGP, the public keys of the communication partners must be exchanged. By default, Mailvelope uses the Mailvelope key-server to simplify and partially automate this initial key exchange.

Web Key Directory is a new standardized procedure, which pursues a decentralized approach for this key exchange: The keys can be requested directly from the e-mail provider, if the latter supports this procedure. Further information can be found on GnuPG Wiki.

Key Management

What is the 'default' key in Mailvelope?

The first key you create with Mailvelope immediately after setup, automatically becomes your default key. In the key list, this key will therefore be marked with an orange "Default". If you want to change your default key, you will find the corresponding option when you select any key pair in the key list.

How can I import a PGP key into Mailvelope?

Select "Key Management" and then "Import Keys".

There are two options:

  • Import key as file: Choose a file (*.asc) with keys from your hard drive and import it into Mailvelope.
  • Import key as text: Copy all keys in text formant to the text field. Upon selecting "Import" all keys will be extracted from the text and will be transferred to the local keyring. Make sure that you include the -----BEGIN PGP PUBLIC KEY BLOCK----- and the -----END PGP PUBLIC KEY BLOCK-----

Import public keys for your communication partners automatically:

  • Keys in emails: Mailvelope automatically recognizes public keys received in emails if your email provider offers a preview of email attachments. Keys that have been recognized by Mailvelope are marked with a closed envelope symbol. Selecting the symbol opens an import dialogue and the key is automatically added to the keyring.
  • Keys on websites: Similarly, Mailvelope checks all sites for whose domains it has been authorized (to authorize: How do I authorize a new domain to cooperate with Mailvelope?) for any PGP keys they might contain. If you want to add one or more communication partners in Mailvelope whose keys have been published on websites, first authorize the relevant domain and then import all the keys that are automatically recognized by Mailvelope on this site.

How can I export my PGP key from Mailvelope?

With the option "Export" keys can be exported and sent or saved as backups. You can use this feature in order to publish your public key or to keep a copy of a public-private key pair in a safe place. Here you will find the most common use cases in detail. If you choose to export your key using the clipboard please make sure -----BEGIN PGP PUBLIC KEY BLOCK-----and -----END PGP PUBLIC KEY BLOCK----- are being included. If you use GnuPG for key management under Mailvelope, please note the last point of this FAQ question.

Export your public key:

Select "Key Management", then your default key and then the "Export" option. Choose "Public" and if requested, provide a filename. After you select "Save" your public key will be saved to your Download folder as a .asc file. This format is standardized and can be read by all PGP implementations. Alternatively you can copy your key to the clipboard from the "Key Details" window. Your public key can now be sent to your communication partner, uploaded to a key server or integrated into your website.

Save your own key pair:

Hover your mouse over your default key pair, which will be marked with an orange "Default", and select it. Go to the "Export" tab and choose the complete key pair by selecting "All". Input a file name. Upon selecting "Save" the key pair will be saved to your Downloads folder as a .asc file. As an alternative, you can copy your key to the clipboard from the "Key Details" window. Please note the security tips under Backup.

Backup of the complete keyring:

If you have multiple keyrings, first select the correct keyring from the left above the menu bar. On the Key Management screen, select "Export" from the upper left corner. You can save all public keys, all private keys or the entire keyring with all keys by choosing the option "All". Input a file name. Upon selecting "Save" the keyring will be saved to your Downloads folder as an .asc file. As an alternative, you can copy your keys to the clipboard from the "Keyring backup" window. If the saved keyring also includes private keys, please pay attention to the security tips under Backup.

Special use case: Use of the GnuPG keychain

If you use GnuPG for key management, please note that for security reasons Mailvelope only supports the export of public keys. If you want to export key pairs or private keys from GnuPG, use the functions of the respective software you use.

Key Server

What is the Mailvelope key server and how can I use it?

Mailvelope provides its own key server. It is available at A key server is a freely accessible database for the public keys of the PGP users. If you send an encrypted email to a communication partner but do not know their public key, you can use the key server to search for it. Moreover, you can store your public PGP key there for others to find easily. The Mailvelope key server has the advantage that all email addresses stored on it have already been verified via email, which is a good protection against potential identity theft.

Automatic key search

Mailvelope uses the key server in the background for some services. Every time you create a new key, you have the choice to upload your key to the key server automatically. On top of that, when you enter an email address in the editor when sending emails, Mailvelope searches for the corresponding public key on the key server.

You can also deactivate the automatic key search which is activated by default. In order to do this you will have to select "Options" -> "Key Server" and uncheck "Automatically lookup recipient keys".

Manual key upload or download

If you want to upload your key manually or even search for keys, you can use the web interface of the key server

Upload key to server (OpenPGP key upload)

Copy the public key you want to upload to the clipboard. Make sure that your selection includes - - - - BEGIN PGP PUBLIC KEY BLOCK---- and - - - - END PGP PUBLIC KEY BLOCK----. Paste it into the input field and select "Upload".

Search for keys on the key server (OpenPGP key lookup)

Enter the email address or the key ID (a key ID makes every PGP key uniquely identifiable). For example, the key IDs for your keys can be found in Key Management in the "Key ID" column. Finally, select "Search".

Remove a key from a key server (OpenPGP key removal)

Enter the email address of the key that you want to delete and select "Delete". Be sure to enter the email address keeping case sensitivity in mind. In some cases, the associated key may not be found otherwise! Attention: When attempting to delete a key from the key server you will receive an email with a link which has to be selected in order to complete the deletion.


How secure is Mailvelope?

Mailvelope provides end-to-end encryption, meaning the app ensures (within its set technical limits) that sensitive files and information can be sent from one device to another over a potentially unprotected channel such as an email.

Various threat scenarios have been tested during professional security audits: List of Mailvelope's audits.

According to analysis, Mailvelope offers a secure end-to-end-encryption. However, security while using Mailvelope is dependent on how secure your device is. We therefore recommend security measures such as regular updates of your browser and operating system as well as the use of sufficiently secure passwords (see also: How do I choose a secure password for my private key?).

Where are my keys stored?

The location where Mailvelope stores its keys depends on the selection you made under Options -> General -> OpenPGP Settings.

Default setting (OpenPGP.js)

Mailvelope stores the keys in the local memory of your browser. This is a file in the Chrome user data directory or the profile folder in Firefox. If you delete the temporary browser data, stored keys in Mailvelope will not affected. However, deleting the Mailvelope extension in Chrome or Firefox will also delete the keystore from your file system.

Key management by GnuPG

If you have selected GnuPG as your preferred backend for encryption in Options -> General -> OpenPGP Settings, the keys will be managed by your local GnuPG program (usually GPG4Win or GPGTools).

How are private keys protected? Can anyone who has access to my computer also access my private key?

Mailvelope stores and exports private keys only in their encrypted form. The private key is therefore always password protected. All steps that require a private key (such as decrypting or signing a message) always require both components: the private key and the password. Even after exporting a private key it remains encrypted and password protected at all times.

Mailvelope guarantees a high level of security for your private keys by default. You can further increase this security by selecting GnuPG as the preferred backend for encryption under Options -> General -> OpenPGP Settings.

Additional information:
  • The OpenPGP standard also allows private keys without a password, however, such keys are rarely used in practice. Using such keys with Mailvelope is not recommended.
  • In case an attacker ever gains access to the private key, it's ability to resist brute force attacks entirely depends on the complexity and length of the password. Please read the notes in the next section of this FAQ.
  • As an end-to-end-encryption software Mailvelope must be able to rely on secure endpoints. If one of the computers on both sides is insecure (e.g. due to missing updates of the operating system or browser), encryption is also potentially at risk. In addition to the usual protective measures, physical access to your computer by third parties should also be avoided.
  • GPG uses a similar security model for private keys: The "Keyring" is not encrypted in this case, only the individual parts of the key are. Any user with local access rights can copy the private key from the file system. However, their password is required to access or use a single private key.
  • By default, the Chrome and Firefox browsers automatically send usage statistics and crash reports to Google or Firefox. These functions should be deactivated because in case of a bug it is possible that stored content, which could also include private keys, could be sent to them. We therefore recommend that you disable "Automatically send usage statistics and crash reports to Google" in Chrome settings. In Firefox you can find the corresponding option under "Privacy & Security" -> "Firefox Data Collection and Use".

How do I choose a secure password for my private key?

A strong password should be chosen to protect your data, even in the case that someone gets hold of your private key and attempts a so-called "brute force" attack. In such an attack, a variety of passwords are checked in a very short time in order to find the right one. In the end the success of your encryption is a matter of the length of your password on one hand and on the other hand, the randomness (entropy) of your combination.

You can create a good password by combining letters, both upper and lower case, numbers and special characters. This kind of password is usually very hard to remember. Another option would be to think of a picture or a scene which you could describe with four or five words. Written together these words could be your password. A short and fun introduction to this can be found at

How can I create a backup of my keys?

Export the keys you want to back up following the instructions in How can I export my PGP keys from Mailvelope?.

If you want to secure a private key, you should note some security tips. Even if your private key is still encrypted after the export and still needs to be unlocked using your password, it should not be left unprotected on any disk.

If your security threats are high, the file should be kept off of the internet on a safe offline storage. We recommend that you back up your private key on a USB drive or key (if it has added hardware or software password protection, it should be safe). Keep it in a safe place.

What do I do if I forget my password?

Unfortunately Mailvelope cannot recover your password for you. The key pair can then no longer be used and any messages sent to you using this key can no longer be decrypted. You will need to delete your old key (this can also be done on the Mailvelope key server if it has been uploaded). Create a new key pair and inform your communication partners as soon as possible of the change of your public key.

When using Mailvelope in conjunction with WEB.DE and GMX recovery of your password is possible through a so-called "recovery code". For more information about this option, please see WEB.DE and GMX: I need to enter a "recovery code". Where do I get it from? From Mailvelope?.

How can I change the password for my private key?

With Mailvelope it isn't possible to change the password for your private key. If you want to change your private key's password, depending on your operating system you can use common PGP encryption software that offers this service. On macOS for example, you can use GPGTools. For Windows, Gpg4win would cover this need. Other programs can be found under Can I only exchange encrypted emails with other Mailvelope users? Install one of these programs and import your private key. Follow the instructions of the said software in order to change your private key's password. After a successful change you can export the key again and import it into Mailvelope.

While installing the extension, the following permissions are requested: "This extension has access to: your information on all websites, your registration cards and your browser activities." Why is this necessary?

These permissions are needed for Mailvelope to work properly for the following reasons:

  • Mailvelope must be able to search the cooperating websites for PGP encrypted messages. For this Mailvelope needs the access to the data for these websites.
  • Mailvelope is pre-configured for the most important webmail providers, but can theoretically be extended and used with any website. Since Mailvelope cannot know which providers have been added, access to all websites is necessary to ensure their functionality.
  • Without this access Mailvelope wouldn't be able to add its controls to the user interfaces of activated collaborating websites.

Because Mailvelope is open source software verified by many different websites, you can be confident that these permissions won't be abused by Mailvelope.

Questions about Email Providers

WEB.DE and GMX: I need to enter a "recovery code". Where do I get it from? From Mailvelope?

GMX and WEB.DE ask their users for a recovery code if they have lost the password for their private key, the private key itself has been lost or if Mailvelope is to be set up on a second device. This is a feature that is only offered by these email providers. When you set up the email encryption function, a 26-character code is generated which should be printed so that it can be used to activate the recovery feature in case your key or password are lost.

If you still have your private PGP key and password, you can print a new recovery code here:

(Attention: You should be careful with this copy.)

If you have lost/forgotten your private key or your password and you haven't printed your recovery code, your encrypted communication cannot be recovered. The PGP function of your GMX or WEB.DE accounts will have to be restarted. This can be done neither by you nor by Mailvelope, but must instead be requested through the GMX and WEB.DE hotline:

GMX Hotline:

WEB.DE Hotline:


What can I do if it looks like Mailvelope isn't working properly?

Mailvelope has been designed as a browser extension and therefore needs a clean "software base" in order to function as intended. In the case of malfunctions, check to see if you are working with an outdated operating system or if you have to update your browser to the latest available version. If you still experience issues, you can try one of the following options:


  • First try to disable all other currently installed browser extensions and then restart Firefox. Sometimes the installed extensions affect one another.
  • Firefox offers the service of cleaning up the used profile. Please follow the instructions in

Google Chrome:

  • First try to disable all other currently installed extensions and then restart Chrome. Sometimes the installed extensions affect one another.
  • If you find that other extensions are interfering with Mailvelope (this rarely happens in Chrome), you could create a special user profile for to use Mailvelope in which Mailvelope is the only extension installed.

What should I include in my bug report to Mailvelope?

Before you send a bug report, please always restart your browser and check if the problem persists. Often browser issues, and not Mailvelope itself, are responsible for malfunctions. If you are using an older version of your browser or operating system, please update and check is the problem persists.

In case the bug persists, please send us a bug report at: A bug report should at least contain the following information:
  • Short description of the problem
  • Type and version of the operating system
Google Chrome
  • Browser version - input about:version in the address bar.
  • If Mailvelope does not show an error message, you may find relevant information in the logs:
    • In the browser tab in which your webmail provider is open, select + + (Windows/Linux) or + + (Mac) and add the errors marked in red to the report.
    • In addition, open the extension page by inputting chrome:extensions in the address bar.
    • Activate developer mode at the top right corner of the page.
    • Select background.html in the "Mailvelope" entry on the page.
    • A new browser window will open. Make sure the Console tab is enabled and add any errors marked in red to the bug report.
  • Browser version, see find out version.
  • If Mailvelope does not show an error message, you may find relevant information in the logs:
    • Restart your browser.
    • Try to reproduce the problem.
    • Open the browser console with ++(for Mac: ++). Add the content of the console window to the bug report.

I have received an encrypted email, but I can only see two attachments. Mailvelope doesn't offer automatic decryption.

This may be the case in the following situation: The PGP application of your communication partner has encrypted the email in PGP/MIME format and your webmail provider doesn't show a preview of the attachments by default. In this case Mailvelope can not access the encrypted data due to technical reasons and therefore can't offer automatic decryption.


  • If this situation occurs often: It should be possible for your communication partner to switch from PGP/MIME to PGP/INLINE in future emails. This is the easiest way to fix the problem.
  • You can also decrypt both attachments manually with Mailvelope: First save the files to your computer by downloading them. Right click on the files, select "Open with" and select a simple text editor on your computer (for example, "Textedit" on MacOS or "Editor" on Windows). Now select the PGP code in the text editor and copy it to the clipboard. Make sure that you include the -----BEGIN PGP PUBLIC KEY BLOCK-----and the -----END PGP PUBLIC KEY BLOCK-----  in your copy. Next, select "Encryption" in the Mailvelope main menu and then choose "Text Decryption" from the sidebar. Paste the text from the clipboard into the decryption window and confirm by selecting "Decrypt". As soon as you see the decrypted content of your email, you can copy it and use it elsewhere.

Mailvelope reports error: "No private Key found for this message. Required key IDs:..."

This error occurs if you have received an encrypted message for which Mailvelope does not find the matching private key. If the public key, your communication partner encrypted the mail with, does not have a matching private "counterpart" on your side, Mailvelope can't decrypt the mail. If you're not familiar with PGP, we recommend reading our documentation for a short explanation of the basics of how mailvelope works, to better understand the principle of asymmetric encryption.

There are several reasons why private keys could be missing: For example, you exchanged the public keys with your communication partner first and later forgot the password of your private key. You then simply generated a new key and deleted the old one. In this case, you must pass the corresponding new public key to your communication partner again, so that future mails to you are not accidentally encrypted with the old public key and you end up receiveing this error message.

Also your communication partner may have used an outdated public key stored on Mailvelope-(or another)key-server, which you forgot to delete after changing your keys. Always remember that anyone who has outdated public keys, can write you at any time without receiving an error message. You will not be able to open these mails, because Mailvelope doesn't have the key to decrypt them.

Uninstalling Mailvelope

How can I uninstall Mailvelope?

Our special thanks to jagres and Asimina Papac from for making this translation possible!

The Mailvelope Team