Address verification with trusted keys

ProtonMail distributes all of the cryptographic keys that are needed for communicating between users. This ensures that any ProtonMail user can seamlessly encrypt mail to any other ProtonMail user, with no possibility of data being intercepted.

This approach ensures that all internal ProtonMail communications are encrypted, but it requires our servers to distribute the right keys for your communication. If you would prefer to dictate which specific keys should be used to encrypt messages to each contact (without allowing the server to change them), you can use trusted keys.

To enable trusted keys:

  • Go to Contacts
  • Select the contact you want to enable trusted keys for
  • Click the Email Settings icon
  • Click on Show advanced PGP settings

This will display a list of all the public keys that the server has for this user. To make a key a trusted key, select Trust from the dropdown menu beneath Actions.

Trust fingerprint

When you trust keys, the keys are also used for digital signature verification to verify the sender’s identity when receiving communications from them.

You can check if the sender’s identity is verified by looking at the lock symbol in the From address.

Verified sender protonmail

What happens if you reset your password?

Your trusted keys are protected by a digital signature, which allows you to detect illegal modifications to your trusted keys. This signature is verified using your private keys. A consequence of this is that your contact signatures will fail to verify if you reset your password and thus lose access to the private keys used to sign your contacts.

If the digital signature on your trusted keys is invalid, it might mean that:

  • someone modified them
  • you’ve recently reset your password

If you try to send a message to a recipient for whom you have trusted keys, but the verification fails, you will be asked if you want to remove the key from your trusted keys for that contact.

What will happen if the contact resets their password?

If your contact resets their password, they may no longer have access to their own public keys that you have trusted using the method above, and you will not be able to send your contact an email using the trusted keys. Before being able to send an email to that user, you will be asked if you want to trust their new primary key.