Address Verification with Trusted Keys

By default, ProtonMail distributes all of the cryptographic keys that are needed for communicating between users. This ensures that any ProtonMail user can seamlessly encrypt mail to any other ProtonMail user, with no possibility of data being intercepted.

This approach makes sure all internal ProtonMail communications are encrypted, but it puts trust in our servers to distribute the right keys. Using trusted keys, a user can enforce that specific keys be used to encrypt for each contact without allowing the server to change them. Trusted keys are also known as pinned keys.

To enable trusted keys:

  • Go to Contacts
  • Select the contact for which to enable trusted keys
  • Click on the “Advanced Settings” gear icon

Contact Details Advanced Settings Screenshot

This will display a modal that allows you to view all public keys that the server has for this user. To enable Trusted Keys click on the Trusted Keys toggle and select the public keys that you trust. Using the Set Primary button you can select which key to use for encryption to this user.

Contact Advanced Settings

When you trust keys, the keys are also used for digital signature verification to verify the sender’s identity when receiving communications from them.

You can check if the sender’s identity is verified by looking at the lock symbol in the From address.

End-to-end encrypted from verified ProtonMail user

If the verification fails this icon is shown:

Sender verification failed

In some cases, you have enabled trusted keys but the message does not show a checkmark or a warning icon. That means that the sender’s encryption was not set up with signing enabled. For ProtonMail users, this means the message was sent at a time when ProtonMail did not sign messages.

What will happen if you reset your password?

Your pinned keys are protected by a digital signature, which allows our clients to detect illegal modifications to your trusted keys. This signature is verified using your private keys. A consequence of this is that your contact signatures will fail to verify if you reset your password and thus lose access to the private keys used to sign your contacts.

If the digital signature on your trusted keys is invalid, it might mean that someone modified them or that you’ve recently reset your password. If you try to send a message to a recipient for which you have trusted keys, but the verification fails, you will be asked if you want to resign these keys. You can resign the keys manually at any time by saving the specific contact.

What will happen if the contact resets their password?

In case that your contact resets their password, they may no longer have access to the public keys of theirs that you have trusted. Therefore, you cannot send the contact an email using the trusted keys. In that case, before being able to send an email to that user, you will be asked if you want to trust their new primary key.