Mailvelope

Frequently Asked Questions



About Mailvelope



What is Mailvelope and how does it work?

Mailvelope is an extension for your browser (in Firefox it is called an "Add-On", in Chrome an "Extension") and it expands the functionality of your web-browser. Mailvelope offers email encryption with PGP for the Firefox and Chrome browsers.

One of the advantages of Mailvelope is the fact that you don't need to change your environment in order to introduce yourself to encrypted communication. If you've been using a webmail provider, you can send encrypted emails with the help of Mailvelope using the same provider and the same email address.

The provider's user interface in the browser now contains the additional Mailvelope component. This ensures that your sensitive information remains inaccessible to your webmail provider. Encryption as well as decryption are handled on your device (end-to-end) and your private key never leaves the device. This concept means your confidential emails remain encrypted on your provider's servers at all times and are readable only after you enter your private key's password.



Which webmail providers does Mailvelope support?

Mailvelope provides a lot of flexibility. The extension works with a variety of webmail providers and websites which include Gmail, Yahoo, Outlook Live, Zoho and many more.

Since Mailvelope first became available in 2012, more and more webmail providers have tailored their services to support the Mailvelope API so that they can offer their users easy-to-use email encryption. Integration is especially seamless with the German webmail providers WEB.DE, GMX and Posteo. Even the providers of the "De-Mail" project, 1&1 and Deutsche Telekom, are technically cooperating with Mailvelope (and its API). These providers can therefore offer a better user experience through the basic features of Mailvelope.

Users who want to use Mailvelope in conjunction with these webmail providers should learn about the use of Mailvelope directly on the help pages of the relevant provider because the integration works differently in every case.

Help pages (email encryption with PGP/Mailvelope):

Pre-configured (authorized) providers:

Other authorized providers with API support:

Other providers and websites can always be added manually. See: How do I authorize a new domain to cooperate with Mailvelope?.



Can I only exchange encrypted emails with other Mailvelope users?

Because Mailvelope uses the OpenPGP standard, which is open and has been trusted as secure for many years, you can communicate not only with other Mailvelope users but with everyone who uses software compatible with the PGP standard.

Examples of compatible programs:

  • Enigmail for Thunderbird (macOS, Windows, GNU/Linux).
  • Gpg4win for Windows, for use with Outlook for example.
  • GPGtools for macOS in conjunction with their default mail application "Mail".


Can I use Mailvelope on mobile devices?

Using Mailvelope on mobile devices with the Android or iOS operating systems isn't possible at the moment because Mailvelope has been designed as a browser extension and the browsers in these mobile operating systems can't sufficiently support the Mailvelope extension right now. As an alternative for sending and receiving PGP encrypted emails on mobile devices there are email clients on Android and iOS which can support the OpenPGP Standard.

At the moment these include:

Android:

iOS:

The key you created and use in Mailvelope can be exported without issue and can be imported into these programs so that on your device you can access the same email address and use the same key as with Mailvelope on your computer.

On its Help page the webmail provider Posteo.de offers a detailed guide on how to set up mobile PGP encryption on an Android phone with the help of the programs Squeaky Mail and PGP KeyRing.

Please remember that the use of PGP on your mobile device also carries additional security risks. In the case of high security risk, the mobile use of PGP is not recommended. This especially applies to Android devices which are often supplied very late or even not at all with current operating system updates.





Features



My webmail provider isn't pre-configured (authorized) in Mailvelope. Can I still use Mailvelope?

Mailvelope was designed for very flexible use. If your webmail provider is not included in the list of authorized domains, it is usually still possible to activate Mailvelope on new websites. Also see the next question.



How do I authorize a new domain to cooperate with Mailvelope?

As detailed here, after installation many of the most used websites and email providers will already be enabled to work with Mailvelope. With the help of the following instructions Mailvelope can be configured for use on new websites.

Load the website you want to add to the list of authorized domains. Select the Mailvelope lock icon to open the main menu. Select "Options" and go to "List of Email Providers". A Mailvelope dialogue to add the new domain should open.

In most cases you can leave the fields "Status", "Domain pattern" and "API" unchanged. As soon as you select "OK" Mailvelope will save the entry in the list of authorized domains. Here the entry can be edited at all times. Reload the newly activated website in order to activate Mailvelope.



How do I deactivate a domain from cooperating with Mailvelope?

Mailvelope is enabled by default for all websites on the list of authorized domains. In order to deactivate a site select "Options" and then "List of Email Providers" from the sidebar. Select the relevant entry. Now both "Edit" and "Delete" options will appear. With the "Enable" option you can temporarily suspend the cooperation of Mailvelope with a website. Toggle the "Enable" switch to "0" and confirm with "OK". As an alternative you can also delete the website from the list completely.



Can I also encrypt email attachments with Mailvelope?

Yes. Using Mailvelope's file encryption you can easily encrypt any file to send as an email attachment. In this case, the file is encrypted with the public key of the recipient in the same way as email encryption. The size of the file is currently limited to 50MB because sending larger files is usually not supported by the email providers.

Encrypting Files

Select Mailvelope's lock icon in the toolbar to open the main menu and then select "File Encryption". Choose the file from your device that needs to be encrypted by selecting "Add". Select "Next" and choose the person(s) for whom the data will be encrypted. (Of course, you must have previously imported the public keys of these recipients into Mailvelope.) After you select "Encrypt" the data will be encrypted for the chosen recipients. You can now save the encrypted files and add them to your emails as attachments. The files can be saved to the Download folder individually, or all together by selecting "Save All".

Attention: Encrypting with Mailvelope changes the format of the file. Your files will temporarily receive the file extension for GnuPG encrypted files (.gpg) during the encryption process. This will be undone after decryption and the file will be restored to the format it originally had.

Decrypting Files

The steps for decrypting files are similar to those for encrypting files. Select "File Decryption" from the sidebar. Next, choose files on the hard disk for decryption by selecting "Add". After you enter the password for your private key, the files will be shown decrypted and can be downloaded to the hard disk.



How can I sign messages and what purpose does it serve?

The signing of messages guarantees the authenticity of the message and thus ensures that it actually originates from the specified sender.

By selecting the "Options" button in the Mailvelope editor (while composing a new message) you can find options for signing a message. If the option "Sign message with key" is active the message will first get signed by the chosen private key and then encrypted if you select "Encrypt".

With the "Sign all messages with primary key" link you can navigate to the Mailvelope settings and permanently enable the signing of emails and select the primary key as the key for signing.

You can also send your emails with only a signature. Attention: To do this you will need to choose a key for signing in the email options. Mailvelope will then create a PGP signature and will add it directly into the email text. Please note that in this case the email content will be forwarded unencrypted to the email provider.



How do I check the validity of signed messages?

If a message contains a signature and Mailvelope can determine the sender's address, Mailvelope automatically checks it. In the upper right area of the decrypted message the message "Digitally signed" will be displayed. Clicking on the words "Digitally signed" displays a dialog containing the check result and further details of the signature.



Is a specific feature currently being supported or are there plans for future support?

If you have any suggestions, just send an email to support@mailvelope.com. We will happily consider them while planning future versions.



Key Management



What is your main key in Mailvelope?

The first key you create with Mailvelope immediately after setup automatically becomes your primary key. In the key list, the primary key is marked with an orange "Primary". If you want to change your primary key, you will find the corresponding option when you select any key pair in the key list.



How can I import a PGP key into Mailvelope?

Select "Key Management" and then "Import Keys".

There are two options:

  • Import key as file: Choose a file (*.asc) with keys from your hard drive and import it into Mailvelope.
  • Import key as text: Copy all keys in text format to the text field. Upon selecting "Import" all keys will be extracted from the text and will be transferred to the local keyring. Make sure that you include the -----BEGIN PGP PUBLIC KEY BLOCK----- and the -----END PGP PUBLIC KEY BLOCK----- lines.

Import public keys for your communication partners automatically:

  • Keys in emails: Mailvelope automatically recognizes public keys received in emails if your email provider offers a preview of email attachments. Keys that have been recognized by Mailvelope are marked with a symbol. Selecting the symbol opens an import dialogue and the key is automatically added to the keyring.
  • Keys on websites: Similarly, Mailvelope checks all sites for whose domains it has been activated (to activate: How do I authorize a new domain to cooperate with Mailvelope?) for any PGP keys they might contain. If you want to add one or more communication partners in Mailvelope whose keys have been published on websites, first activate the relevant domain and then import all the keys that are on the website and are automatically recognized by Mailvelope.
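
An added example, not Mailvelope's own code: why importing keys from pasted text or from a web page fails when a marker line is missing or the text was damaged. The JavaScript below finds armored blocks, checks the BEGIN/END pairing and verifies the CRC-24 armor checksum defined in RFC 4880; the function names and the sample text are constructed for illustration.

```javascript
// Added example (not Mailvelope code): locate ASCII-armored OpenPGP blocks in
// pasted text and report whether each one is complete and undamaged.

// CRC-24 used by OpenPGP armor (RFC 4880, section 6.1).
function crc24(bytes) {
  let crc = 0xb704ce;
  for (const b of bytes) {
    crc ^= b << 16;
    for (let i = 0; i < 8; i++) {
      crc <<= 1;
      if (crc & 0x1000000) crc ^= 0x1864cfb;
    }
  }
  return crc & 0xffffff;
}

function decodeBase64(b64) {
  // atob throws on characters outside the base64 alphabet.
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function checkBlock(type, inner) {
  // Armor headers such as "Comment:" end at the first blank line.
  const blank = inner.indexOf("");
  const body = inner.slice(blank + 1).filter((l) => l !== "");
  const last = body[body.length - 1] || "";
  const crcLine = /^=[A-Za-z0-9+\/]{4}$/.test(last) ? body.pop() : null;
  let data;
  try {
    data = decodeBase64(body.join(""));
  } catch (e) {
    return { type, ok: false, reason: "body is not valid base64" };
  }
  if (data.length === 0) return { type, ok: false, reason: "empty body" };
  if (crcLine === null) return { type, ok: true, reason: "no checksum line" };
  const c = decodeBase64(crcLine.slice(1));
  const expected = (c[0] << 16) | (c[1] << 8) | c[2];
  return crc24(data) === expected
    ? { type, ok: true, reason: "checksum ok" }
    : { type, ok: false, reason: "checksum mismatch" };
}

function findArmoredBlocks(text) {
  const lines = text.split(/\r?\n/).map((l) => l.trim());
  const blocks = [];
  for (let i = 0; i < lines.length; i++) {
    const m = /^-----BEGIN PGP ([A-Z ]+)-----$/.exec(lines[i]);
    if (!m) continue;
    const type = m[1];
    let end = -1;
    for (let j = i + 1; j < lines.length && end === -1; j++) {
      if (lines[j].startsWith("-----BEGIN PGP ")) break; // next block began first
      if (lines[j] === `-----END PGP ${type}-----`) end = j;
    }
    if (end === -1) {
      blocks.push({ type, ok: false, reason: "missing END line" });
      continue;
    }
    blocks.push(checkBlock(type, lines.slice(i + 1, end)));
    i = end;
  }
  return blocks;
}

// Constructed input: the payload is the ASCII string "123456789", not a real
// key. The second block was cut off while copying, the third was altered.
const BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----";
const END = "-----END PGP PUBLIC KEY BLOCK-----";
const SAMPLE = [
  BEGIN, "Comment: constructed sample", "", "MTIzNDU2Nzg5", "=Ic8C", END,
  BEGIN, "", "MTIzNDU2", // copy stopped here, END line missing
  BEGIN, "", "MTIzNDU2Nzg4", "=Ic8C", END, // last payload character changed
].join("\n");

for (const b of findArmoredBlocks(SAMPLE)) {
  console.log(`${b.type}: ${b.ok ? "OK" : "REJECT"} (${b.reason})`);
}
```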


How can I export my PGP key from Mailvelope?

With the option "Export" keys can be exported and sent or saved as back-ups. You can use this feature in order to publish your public key or to keep a copy of a public-private key pair in a safe place. Here you will find the most common use cases in detail. If you choose to export your key using the clipboard, please make sure the -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- lines are included.

Export your public key:

Select "Key Management", then your primary key and then select the "Export" option. Choose "Public" and if requested, provide a filename. After you select "Save" your public key will be saved to your Download folder as a .asc file. This format is standardized and can be read by all PGP implementations. Alternatively you can copy your key to the clipboard from the "Key Details" window. Your public key can now be sent to your communication partner, uploaded to a key server or integrated into your website.

Save your own key pair:

Hover your mouse over your primary key pair, which will be marked with the word "Primary", and select it. Go to the "Export" tab and choose the complete key pair by selecting "All". Input a file name. Upon selecting "Save" the key pair will be saved to your Downloads folder as a .asc file. As an alternative, you can copy your key to the clipboard from the "Key Details" window. Please note the security tips under Backup.

Backup of the complete keyring:

If you have multiple keyrings, first select the correct keyring from the left above the menu bar. On the Key Management screen, select "Export" from the upper left corner. You can save all public keys, all private keys or the entire keyring with all keys by choosing the option "All". Input a file name. Upon selecting "Save" the keyring will be saved to your Downloads folder as an .asc file. As an alternative, you can copy your keys to the clipboard from the "Keyring backup" window. If the saved keyring also includes private keys, please pay attention to the security tips under Backup.



Key Server



What is the Mailvelope key server and how can I use it?

Mailvelope provides its own key server. It is available at https://keys.mailvelope.com. A key server is a freely accessible database for the public keys of the PGP users. If you send an encrypted email to a communication partner but do not know their public key, you can use the key server to search for it. Moreover, you can store your public PGP key there for others to find easily. The Mailvelope key server has the advantage that all email addresses stored on it have already been verified via email, which is a good protection against potential identity theft.

Automatic key search

Mailvelope uses the key server in the background for some services. Every time you create a new key, you have the choice to upload your key to the key server automatically. On top of that, when you enter an email address in the editor when sending emails, Mailvelope searches for the corresponding public key on the key server.

You can also deactivate the automatic key search which is activated by default. In order to do this you will have to select "Options" -> "Key Server" and uncheck "Automatically lookup recipient keys".

Manual key upload or download

If you want to upload your key manually or even search for keys, you can use the web interface of the key server https://keys.mailvelope.com/ui.html.

Upload key to server (OpenPGP key upload)

Copy the public key you want to upload to the clipboard. Make sure that your selection includes -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK-----. Paste it into the input field and select "Upload".

Search for keys on the key server (OpenPGP key lookup)

Enter the email address or the key ID (a key ID makes every PGP key uniquely identifiable). For example, the key IDs for your keys can be found in Key Management in the "Key ID" column. Finally, select "Search".

Remove a key from a key server (OpenPGP key removal)

Enter the email address of the key that you want to delete and select "Delete". Be sure to enter the email address keeping case sensitivity in mind. In some cases, the associated key may not be found otherwise! Attention: When attempting to delete a key from the key server you will receive an email with a link which has to be selected in order to complete the deletion.





Security



How secure is Mailvelope?

Mailvelope provides end-to-end encryption, meaning the app ensures (within its set technical limits) that sensitive files and information can be sent from one device to another over a potentially unprotected channel such as an email.

Various threat scenarios have been tested during professional security audits: List of Mailvelope's audits.

According to analysis, Mailvelope offers a secure end-to-end-encryption. However, security while using Mailvelope is dependent on how secure your device is. We therefore recommend security measures such as regular updates of your browser and operating system as well as the use of sufficiently secure passwords (see also: How do I choose a secure password for my private key?).



Where are my keys stored?

Mailvelope stores the keys in the local memory of your browser. This is a file in the Chrome user data directory or the profile folder in Firefox. If you delete the temporary browser data, stored keys in Mailvelope will not be affected. However, deleting the Mailvelope extension in Chrome or Firefox will also delete the keystore from your file system.



How are private keys protected? Can anyone who has access to my computer also access my private key?

Mailvelope stores and exports private keys only in their encrypted form. The private key is therefore always password protected. All steps that require a private key (such as decrypting or signing a message) always require both components: the private key and the password. Even after exporting a private key it remains encrypted and password protected at all times.

Additional information:
  • The OpenPGP standard also allows private keys without a password, however, such keys are rarely used in practice. Using such keys with Mailvelope is not recommended.
  • In case an attacker ever gains access to the private key, its ability to resist brute force attacks depends entirely on the complexity and length of the password. Please read the notes in the next section of this FAQ.
  • As end-to-end encryption software, Mailvelope must be able to rely on secure endpoints. If the computer on either side is insecure (e.g. due to missing updates of the operating system or browser), encryption is also potentially at risk. In addition to the usual protective measures, physical access to your computer by third parties should also be avoided.
  • GPG uses a similar security model for private keys: The "Keyring" is not encrypted in this case, only the individual parts of the key are. Any user with local access rights can copy the private key from the file system. However, their password is required to access or use a single private key.
  • By default, the Chrome and Firefox browsers automatically send usage statistics and crash reports to Google or Firefox. These functions should be deactivated because in case of a bug it is possible that stored content, which could also include private keys, could be sent to them. We therefore recommend that you disable "Automatically send usage statistics and crash reports to Google" in Chrome settings. In Firefox you can find the corresponding option under "Privacy & Security" -> "Firefox Data Collection and Use".
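
An added example, not Mailvelope's own code: checking whether an exported private key really is password-protected and how it is protected. It reads the protection fields of a version 4 secret-key packet (RFC 4880) from binary bytes, that is, the base64-decoded body of the .asc file; the function names and both sample packets are constructed, and only RSA, Elgamal and DSA keys are handled.

```javascript
// Added example (not Mailvelope code): read the protection fields of a binary
// OpenPGP secret-key packet (RFC 4880, sections 3.7, 4.2 and 5.5.3).

// Number of multiprecision integers (MPIs) in the public part, per algorithm.
const PUBLIC_MPIS = { 1: 2, 2: 2, 3: 2, 16: 3, 17: 4 }; // RSA, Elgamal, DSA
const S2K_NAMES = { 0: "simple", 1: "salted", 3: "iterated+salted" };

function readHeader(buf) {
  const first = buf[0];
  if (!(first & 0x80)) throw new Error("not an OpenPGP packet");
  if (first & 0x40) {
    // New format: tag in the low six bits, then a variable-size length.
    const tag = first & 0x3f;
    if (buf[1] < 192) return { tag, bodyStart: 2 };
    if (buf[1] < 224) return { tag, bodyStart: 3 };
    if (buf[1] === 255) return { tag, bodyStart: 6 };
    throw new Error("partial body lengths are not valid for key packets");
  }
  // Old format: tag in bits 5-2, length type in bits 1-0.
  const lengthOctets = [1, 2, 4, 0][first & 0x03];
  return { tag: (first >> 2) & 0x0f, bodyStart: 1 + lengthOctets };
}

function describeProtection(packet) {
  const { tag, bodyStart } = readHeader(packet);
  if (tag !== 5 && tag !== 7) throw new Error("not a secret (sub)key packet");
  let p = bodyStart;
  if (packet[p] !== 4) throw new Error("only version 4 keys are handled");
  const algo = packet[p + 5];
  p += 6; // version, 4-byte creation time, algorithm id
  const mpis = PUBLIC_MPIS[algo];
  if (mpis === undefined) throw new Error("algorithm not handled in this example");
  for (let i = 0; i < mpis; i++) {
    const bits = (packet[p] << 8) | packet[p + 1];
    p += 2 + Math.ceil(bits / 8); // skip the public key material
  }
  const usage = packet[p++];
  if (usage === 0) return { passwordProtected: false };
  if (usage !== 254 && usage !== 255) {
    // Legacy form: the octet itself is the cipher id, no S2K specifier follows.
    return { passwordProtected: true, cipher: usage, s2k: "legacy" };
  }
  const cipher = packet[p++];
  const type = packet[p++];
  const hash = packet[p++];
  const info = { passwordProtected: true, cipher, hash, s2k: S2K_NAMES[type] || `type ${type}` };
  if (type === 3) {
    const c = packet[p + 8]; // coded count follows the 8-byte salt
    info.count = (16 + (c & 15)) << ((c >> 4) + 6); // octets hashed per guess
  }
  return info;
}

// Constructed samples with toy key values, cut off after the protection
// fields (a real packet continues with the IV and the key material).
const PUBLIC_PART = [
  0x04, 0, 0, 0, 0, 0x01,       // v4, creation time 0, RSA
  0x00, 0x10, 0xc3, 0x51,       // MPI n (16 bits, toy value)
  0x00, 0x11, 0x01, 0x00, 0x01, // MPI e = 65537
];
const PROTECTED_SAMPLE = Uint8Array.from([
  0x94, 0x1c, ...PUBLIC_PART,   // old-format header: tag 5, 28-byte body
  0xfe, 0x09, 0x03, 0x08,       // usage 254, AES-256, iterated+salted, SHA-256
  1, 2, 3, 4, 5, 6, 7, 8, 0xff, // salt, coded count
]);
const UNPROTECTED_SAMPLE = Uint8Array.from([0x94, 0x10, ...PUBLIC_PART, 0x00]);

console.log(describeProtection(PROTECTED_SAMPLE));
console.log(describeProtection(UNPROTECTED_SAMPLE));
```

A result of `passwordProtected: false` means anyone who can copy the file can use the key; a small `count` means each password guess is cheap, so the password has to carry more of the load.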



How do I choose a secure password for my private key?

A strong password should be chosen to protect your data, even in the case that someone gets hold of your private key and attempts a so-called "brute force" attack. In such an attack, a variety of passwords are checked in a very short time in order to find the right one. In the end, how well your encryption holds up depends on the length of your password on the one hand and on the randomness (entropy) of your combination on the other.

You can create a good password by combining letters, both upper and lower case, numbers and special characters. This kind of password is usually very hard to remember. Another option would be to think of a picture or a scene which you could describe with four or five words. Written together these words could be your password. A short and fun introduction to this can be found at https://xkcd.com/936/.



How can I create a backup of my keys?

Export the keys you want to back up following the instructions in How can I export my PGP key from Mailvelope?.

If you want to secure a private key, you should note some security tips. Even if your private key is still encrypted after the export and still needs to be unlocked using your password, it should not be left unprotected on any disk.

If your security threats are high, the file should be kept off the internet in safe offline storage. We recommend that you back up your private key on a USB drive or key (if it has added hardware or software password protection, it should be safe). Keep it in a safe place.



What do I do if I forget my password?

Unfortunately Mailvelope cannot recover your password for you. The key pair can then no longer be used and any messages sent to you using this key can no longer be decrypted. You will need to delete your old key (this can also be done on the Mailvelope key server if it has been uploaded). Create a new key pair and inform your communication partners as soon as possible of the change of your public key.

When using Mailvelope in conjunction with WEB.DE and GMX recovery of your password is possible through a so-called "recovery code". For more information about this option, please see WEB.DE and GMX: I need to enter a "recovery code". Where do I get it from? From Mailvelope?.



How can I change the password for my private key?

With Mailvelope it isn't possible to change the password for your private key. If you want to change your private key's password, depending on your operating system you can use common PGP encryption software that offers this service. On macOS for example, you can use GPGTools. For Windows, Gpg4win would cover this need. Other programs can be found under Can I only exchange encrypted emails with other Mailvelope users? Install one of these programs and import your private key. Follow the instructions of the said software in order to change your private key's password. After a successful change you can export the key again and import it into Mailvelope.



While installing the extension, the following permissions are requested: "This extension has access to: your information on all websites, your tabs and your browser activities." Why is this necessary?

These permissions are needed for Mailvelope to work properly for the following reasons:

  • Mailvelope must be able to search the cooperating websites for PGP encrypted messages. For this Mailvelope needs the access to the data for these websites.
  • Mailvelope is pre-configured for the most important webmail providers, but can theoretically be extended and used with any website. Since Mailvelope cannot know which providers have been added, access to all websites is necessary to ensure their functionality.
  • Without this access Mailvelope wouldn't be able to add its controls to the user interfaces of activated collaborating websites.

Because Mailvelope is open source software verified by many different websites, you can be confident that these permissions won't be abused by Mailvelope.



Questions about Email Providers



WEB.DE and GMX: I need to enter a "recovery code". Where do I get it from? From Mailvelope?

GMX and WEB.DE ask their users for a recovery code if they have lost the password for their private key, the private key itself has been lost or if Mailvelope is to be set up on a second device. This is a feature that is only offered by these email providers. When you set up the email encryption function, a 26-character code is generated which should be printed so that it can be used to activate the recovery feature in case your key or password are lost.

If you still have your private PGP key and password, you can print a new recovery code here:

https://hilfe.gmx.net/sicherheit/pgp/neuer-wiederherstellungsbeleg.html

https://hilfe.web.de/sicherheit/pgp/neuer-wiederherstellungsbeleg.html

(Attention: You should be careful with this copy.)

If you have lost/forgotten your private key or your password and you haven't printed your recovery code, your encrypted communication cannot be recovered. The PGP function of your GMX or WEB.DE accounts will have to be restarted. This can be done neither by you nor by Mailvelope, but must instead be requested through the GMX and WEB.DE hotline:

GMX Hotline: https://hilfe.gmx.net/kontakt/kontakt.html

WEB.DE Hotline: https://hilfe.web.de/kontakt/kontakt.html



Bugs



What can I do if it looks like Mailvelope isn't working properly?

Mailvelope has been designed as a browser extension and therefore needs a clean "software base" in order to function as intended. In the case of malfunctions, check to see if you are working with an outdated operating system or if you have to update your browser to the latest available version. If you still experience issues, you can try one of the following options:

Firefox:

  • First try to disable all other currently installed browser extensions and then restart Firefox. Sometimes the installed extensions affect one another.
  • Firefox offers the service of cleaning up the used profile. Please follow the instructions in https://support.mozilla.org/de/kb/firefox-bereinigen

Google Chrome:

  • First try to disable all other currently installed extensions and then restart Chrome. Sometimes the installed extensions affect one another.
  • If you find that other extensions are interfering with Mailvelope (this rarely happens in Chrome), you could create a special user profile for using Mailvelope in which Mailvelope is the only extension installed.



I have received an encrypted email, but I can only see two attachments. Mailvelope doesn't offer automatic decryption.

This may be the case in the following situation: The PGP application of your communication partner has encrypted the email in PGP/MIME format and your webmail provider doesn't show a preview of the attachments by default. In this case Mailvelope cannot access the encrypted data for technical reasons and therefore can't offer automatic decryption.

Solution:

  • If this situation occurs often: It should be possible for your communication partner to switch from PGP/MIME to PGP/INLINE in future emails. This is the easiest way to fix the problem.
  • You can also decrypt both attachments manually with Mailvelope: First save the files to your computer by downloading them. Right click on the files, select "Open With" and select a simple text editor on your computer (for example, "Textedit" on macOS or "Editor" on Windows). Now select the PGP code in the text editor and copy it to the clipboard. Make sure that you include in your copy the -----BEGIN PGP PUBLIC KEY BLOCK----- and the -----END PGP PUBLIC KEY BLOCK----- lines. Next, select "Encryption" in the Mailvelope main menu and then choose "Text Decryption" from the sidebar. Paste the text from the clipboard into the decryption window and confirm by selecting "Decrypt". As soon as you see the decrypted content from your email, you can copy it from the window and use it elsewhere.


What should I include in my bug report to Mailvelope?

Before you send a bug report, please always restart your browser and check if the problem persists. Often browser issues, and not Mailvelope itself, are responsible for malfunctions. If you are using an older version of your browser or operating system, please update and check if the problem persists.

In case the bug persists, please send us a bug report at: support@mailvelope.com. A bug report should at least contain the following information:
  • Short description of the problem
  • Type and version of the operating system
Google Chrome
  • Browser version - input about:version in the address bar.
  • If Mailvelope does not show an error message, you may find relevant information in the logs:
    • In the browser tab in which your webmail provider is open, select + + (Windows/Linux) or + + (Mac) and add the errors marked in red to the report.
    • In addition, open the extension page by inputting chrome:extensions in the address bar.
    • Activate developer mode at the top right corner of the page.
    • Select background.html in the "Mailvelope" entry on the page.
    • A new browser window will open. Make sure the Console tab is enabled and add any errors marked in red to the bug report.
Firefox
  • Browser version, see find out version.
  • If Mailvelope does not show an error message, you may find relevant information in the logs:
    • Restart your browser.
    • Try to reproduce the problem.
    • Open the browser console with ++(for Mac: ++). Add the content of the console window to the bug report.




Uninstalling Mailvelope



How can I uninstall Mailvelope?