ProtonMail now the maintainer of OpenPGPjs email encryption library

OpenPGPjs email encryption library

OpenPGPjs is the world’s most popular open source JavaScript PGP email encryption library and is used by millions of end users and hundreds of developers.


We are happy to announce that ProtonMail will become the primary maintainer of the OpenPGPjs project. We would like to thank Tankred Hase, formerly the co-founder of, for his many years of effort developing the project as the previous maintainer, and we wish him the best of luck in his future endeavors. OpenPGPjs is a core part of ProtonMail, and we look forward to continuing to improve and extend it with the rest of the OpenPGPjs community.

What is OpenPGPjs?

OpenPGPjs is an open source email encryption library which powers the ProtonMail web application. It is a JavaScript implementation of OpenPGP (RFC 4880) which is the standard implementation of PGP email encryption. ProtonMail’s secure email service is based upon PGP (Pretty Good Privacy) because it is the world’s most trusted and reliable email encryption protocol. Since it was first formulated in 1991, PGP has undergone extensive peer review and scrutiny which makes it a good choice for securing email data.

In addition to ProtonMail, OpenPGPjs is used by the Mailvelope browser extension, GlobalLeaks, and many other JavaScript PGP applications. Since originating from Recurity Labs in Berlin, OpenPGPjs has grown to become used by several million end users. We have been actively involved in improving OpenPGPjs for several years, mostly focusing our efforts on increasing performance. ProtonMail was a major contributor of code to the latest major version (2.x) of OpenPGPjs and thus was a natural choice to take over as primary maintainer of the project.

The future of email encryption with OpenPGPjs

Our primary mission at ProtonMail is the protection of privacy via widespread adoption of encrypted communications. We feel strongly that this requires a robust, performant, open-source PGP implementation in JavaScript, the language of the web. OpenPGPjs is that implementation, and we are committed to its continued development.

We are committed to open source cryptography and believe strongly that this is the only way to continue the development of ProtonMail’s encrypted email service. With OpenPGPjs as a base, we will soon be able to reach our goal of full PGP support within ProtonMail. We are committed to keeping the development of OpenPGPjs transparent and maintaining a high level of flexibility so it can be easily incorporated into other web projects that have a need for PGP encryption. To do this, we will need the continued support of the community, so we welcome pull requests and comments. We will also endeavor to provide a reasonable level of support to the OpenPGPjs developer community.

Going forward, we have a long list of additional improvements we would like to make to OpenPGPjs, and we will define a roadmap soon with the developer community. If you would like to participate, you can follow OpenPGPjs on Github and Twitter.


Best Regards,
The ProtonMail Team


Please consider supporting ProtonMail by upgrading to a Paid Account. Your support allows us to continue to develop ProtonMail encrypted email as free and open source software.

If you don’t have a free ProtonMail secure email account yet, you can get one here.

About the Author

Bart Butler

Bart is the CTO of Proton, the company behind ProtonMail and ProtonVPN. An expert in email encryption, Bart was previously a physicist at CERN working on the ATLAS experiment. He was also a postdoctoral researcher at Harvard and received his PhD in Physics from Stanford University.


Comments are closed.

17 comments on “ProtonMail now the maintainer of OpenPGPjs email encryption library

  • Hi,

    while I fully support the move to support open source projects by maintaining them, I would like to express my opinion on the whole JS-based setup: I would like to have the possibility to not use it at all. I already have a PGP-capable mailclient, which runs locally on my machine. The only thing that prevents me (and probably many of the >1000 supporters of the top feature request) from paying for Protonmail is: Please give us the posibility to use IMAP, with client side PGP. Those of us who like to have the webmail can still use it. But those of us who do not want to have their PGP keys anywhere except on their own machines, and already use it with non-protonmail addresses should be able to use protonmail with IMAP and their own clients. And this has to work with keys generated outside of protonmail, and without the need to save (even encrypted) copies of their keys with you. I trust you a lot, but not enough to hand over my private key to a big pile of javascript that I have to load over the internet every time I access my emails.

    Giving us the possibility to use IMAP clients like thunderbird+enigmail with our own PGP keys fixes the top 5 requested features at once, and will most certainly lead to many more people subscribing for a paid plan.

    Thank you very much

      • How much will the new features roadmap (especially the top requested ones) be affected by this new huge workload ?
        Thank you

        • We believe it will be minimally impacted since prior to this announcement, we were already contributing a lot of code to OpenPGPjs

  • Just wanted to thank you guys the ProtonMail team, you are doing exceptional work, but with now being a maintainer of OPENPGPjs you will have more exposure to the internet.

  • Thank you PM
    I don’t quite understand what PGP with java script is, but a question I’ve had for a long time is:
    why do you force users to login with java script enabled? You would know this makes the attack service extremely broad. Surely at least give people a choice? it seems remarkeable un-democratic of you especially as you would know how dangerous it is. Many many people refuse to use anything that forces javascript – as it was once put ”it’s someone you don’t know, running code you don’t know, on your own computer’

    a tangential question:
    putting aside the fact that security is a big illusion (!) , as there is a possiblity of man in the middle attacks when accessing your log in page from a computer, checking digital certificate signing with an add on like certificate patrol is one step forward.
    can you advise what one should be doing/checking/looking for with the certificate, to assist authentication and confirmation of a clean connection?

      • Thanks for replying. It’s nice, but not really an answer as to why you insist on Java for desktop. It doesn’t change the fact Java is extremely dangerous, and people deserve the right to enjoy your service without being forced to submit to it.
        I mean, mobiles are extremely vulnerable and untrusted and many people avoid them especially because they are even WORSE. And why does it have to be either / or ? ‘use mobile for protonmail because our desktop service is utterly open to attack’ why not make BOTH reliable and trusted??

        If you want to expand your userbase, and have more paying users, and have the world using encrypted email – all of which we WANT for you – insisting upon Javascript is quite simply the opposite of your mission statement.
        It is shooting yourself, and us, in the foot.

        it’s a massive vulnerability an adversary will go straight for when targetting a protonmail user.
        It may even make dragnet surveillance possible for proton mail users.
        You tick every single box so far – you’ve gotten everything right – you have proved yourselves worthy and trusted on every front. you have street cred.

        And yet this. Java script. If I don’t know better I’d have to think it was deliberate

        • Would love to hear how you would do encryption in the browser without JavaScript (hint: it’s not possible).

          • Surely you are right, and that’s another reason for using a traditional email client natively written for our OS. I know you are working on that. Hope we can begin to test it soon. :)

  • As a recent initiate to the ultra-paranoid, I have to say that recent developments with open-source tor, memento tools, and now this takeover of openpgp, seem extremely sinister. At the very least, they have a bad “smell”. Flipping through your various pages just now, it’s clear that you are growth-oriented, young company. There’s nothing wrong with that of course, but that doesn’t give me a good feeling as far as your *long term* commitment to the principles on which these tools are based. I’ve been around too long, and seen too many ventures like this get taken over and ruined.
    My perspective might be cynical, but among the crypto-community, they’re far from extreme. I would love to hear a detailed response, perhaps in a separate blog post, in which you: A., acknowledge the concern that others have that your company might, in the future, because of economic pressures, overt infiltration, or whatever, find your priorities changing, B, acknowledge that its a *valid* concern, and C, describe steps you’re taking to mitigate the risk to the community (some sort of watchdog/ombudsman might be nice).

    • Open source is generally pretty resilient to this with built in safeguards. The code can always be forked. In fact, ProtonMail maintained for a long time a separate fork before we merged it back with upstream.

  • Could you give an explanation of the colour coding on the padlocks with the Android app.

    I see Grey, Blue and Green. Some are encrypted some are not.

    Would be useful to know before opening.

  • Hello! Is supporting for PGP / MIME also in your roadmap? And encrypting outgoing email with key form public keyserver or user loaded keys.
    And I’m interested in a corporate account, could you tell me the approximate date of release?

    • PGP support is coming. Corporate accounts are also coming. Corporate accounts will come first, in a few months time.