How do I download my public and private keys?

ProtonMail uses PGP for end-to-end encryption. All users have two encryption keys, one public and one private. The public key can be shared with anyone and is used by your contacts to encrypt their messages to you. The private key is secret (you should never share it) and is used to decrypt incoming messages.

This article shows you how to generate, delete, download, and manage your keys. You can download your public and private keys from ProtonMail to send PGP encrypted emails to non-ProtonMail users or to use your keys in another PGP client.

Note: This is an advanced feature for technical users. Learn how to upload PGP keys to ProtonMail.

Generating keys

By default, ProtonMail generates a set of keys when you create an account and any time you create a new email address. When generating a key, you can choose between two different key types:

ECC Curve25519 (fastest, most modern)

RSA 4096-bit (slower, but increased compatibility with legacy software)

Selecting ECC Curve25519 encrypts and signs your emails using elliptic curve cryptography (ECC). It is fast, secure, and resistant to timing attacks. ProtonMail now uses ECC Curve25519 by default. 

RSA is an older encryption standard that we implement at its strongest possible setting (4096-bit). It is secure and offers increased compatibility with legacy software than the ECC algorithm, but is also slower.

Generating additional keys after address creation is recommended if your existing keys have been leaked or have an undesirable key size.

Note: Having multiple keys per email address increases your login time, since each key has to be loaded and decrypted. You can only generate up to 20 keys per email address. 

Deleting keys

You can delete non-primary keys to speed up loading times or free up space for new keys.

You can delete a key by clicking on the key dropdown menu and selecting Delete. Before deleting your key, we highly recommend you export it since your emails cannot be decrypted without it. The only way to decrypt your emails is to import the exported key. 

How to download your public key

There are two different ways to download your public key depending on how many you have and which one you need.

1. In the web app at, go to SettingsEncryption and keys and scroll down to Email encryption keys.

2. Choose the address for which you want to download the public key from the dropdown menu if it is not already selected.

3. Click Export to automatically export your Primary public key. Or, if you have multiple active public keys, you can click export next to the key you wish to download in the list below. Once you click Export, the file will automatically download in your browser.

Email encryption keys export button

4. You can also download your own public key or the key of a friend by using this link:

For the link to work, you need to replace [] with the ProtonMail email address of the appropriate account. You can also quickly share your key with friends by sending them that link with your email address in place of [].

Once you have placed your ProtonMail address in the link, you can send it to your friend, and with one click they can download your public key.

How to download your private key

1. In the web app at, go to SettingsEncryption and keys and scroll down to Email encryption keys.

2. Choose the address for which you want to download the private key from the dropdown menu if it is not already selected.

3. Click on the dropdown menu labeled Export and select Export private key to download your primary private key. Or select Export private key from the dropdown menu of a specific key if you have multiple key pairs.

Export private key button

4. A pop-up window will ask you to confirm that you wish to download your private key. You will then be asked to create a new password, which is used to secure your private key once it has been downloaded. 

Click Export when you are ready.

Make sure you keep this password safe, as you will need it to use this key!

Box to enter password to export your private key

After signing in again using your ProtonMail password, your key will be downloaded as a .asc file.

Key flags and settings

Primary keys 

To encrypt your incoming emails with your new key, you can mark it as a primary key. Click on the key dropdown menu and select Make primary. Once you’ve set a primary key, all of your signed messages sent from this email address will be signed with this key.

Make primary key option

Obsolete keys 

If a contact has trusted your keys, setting a different key as the primary key does not ensure that your contact will encrypt emails addressed to you using the new primary key. To force contacts to use the new primary key, you must mark the old key as obsolete. This blocks all ProtonMail users from sending with this key.

To mark a key obsolete, click on the key dropdown and select Mark obsolete. You can only mark a non-primary key as obsolete. You can also reverse this process by clicking on the key dropdown menu and selecting Mark not obsolete.

Mark private key as obsolete

Compromised keys

You can flag a key as compromised. This blocks all ProtonMail users from sending emails to you using this key, and causes all emails signed with that key to fail signature verification. Note that signature verification is only possible if your contact has key trusting enabled.

You can mark a key as compromised by clicking on the key dropdown menu and selecting Mark compromised. You can only mark a non-primary key as compromised. A compromised key is also marked obsolete. You can reverse this process by clicking on the key dropdown menu and selecting Mark not compromised.

Mark private key as compromised

Inactive keys

If you forget your ProtonMail password and reset it, you will lose access to your private keys. These keys will be inactive, and you will not be able to encrypt or decrypt messages with them. However, you can reactivate inactive private keys if you still remember your old password or you have a recovery phrase or a recovery file.

Learn how to reactivate inactive private keys

Post Comment


  1. ernest

    No download on my browser (iPhone).

    Why ?

  2. ProtonMail Support

    Please contact our support team using the support form at

  3. Wolfgang

    „Trust“ starts with the UPLOAD of the key pair?!?

  4. Hasan

    Not the key pair. You only hand out your PUBLIC key to others. You should never-ever share your private key with anyone, or even transmit it to yourself over an unsecured channel on the Internet. You can share your public key with those who wish to send you encrypted messages. They use your public key to encrypt their messages to you. You can then decrypt those messages using your private key. ProtonMail does this automatically between two ProtonMail users.

  5. Brian

    Is there a way to download the public key of a ProtonMail user so I can send PGP mail in from the outside?

  6. ProtonMail Support

    We have a keyserver running at hkps:// (see We also support WKD, which allows other people to find ProtonMail keys using gpg --locate-keys.

  7. Romeo Shamaoun

    how are you all? i need to access all my contacts. can you help me, please?
    Thanks.God bless you all

  8. ProtonMail Support

    Please contact our support team:

  9. Jake

    As the last step outlines, the user is required to set a password to encrypt their private key before exporting. What software should be used to decrypt the ProtonMail public key?

  10. ProtonMail Support

    If you add your private key to another PGP-enabled email client, you will need the password added during export from ProtonMail in order to decrypt the messages in that email client.

  11. Jake

    But which software should be used?

  12. Jake

    Step 5 could do with some elaboration:

    1) What sort of encryption is entailed – OpenPGP?

    2) And the setting of a password for the private key – is this equivalent to setting a passphrase for a private key in Kleopatra or Gnu Privacy Assistance (GPA) ?

  13. ProtonMail Support

    2) Yes, this is the same, meaning that 1) works just like a passphrase does with other PGP solutions.

  14. grady

    If I have someone’s public key in text form, say it is posted somewhere, How do I convert that text to a file that I can then upload and add to that person as a contact.

  15. ProtonMail Support

    If you have the armored text, save it as a .txt file with a text editor, rename it to filename.asc and import that. You should also be able to import it even if you don’t change the extension from .txt to .asc.

Comments are closed.