How do I download my public and private keys?

ProtonMail uses PGP for end-to-end encryption. All users have two encryption keys, one public and one private. The public key can be shared with anyone and is used by your contacts to encrypt their messages to you. The private key is secret (you should never share it) and is used to decrypt incoming messages.

This article shows you how to generate, delete, download, and manage your keys. You can download your public and private keys from ProtonMail in order to send PGP encrypted emails to non-ProtonMail users or to use your keys in another PGP client.

Note: This is an advanced feature for technical users. For instructions on uploading PGP keys to ProtonMail, check out this article.

Generating keys

By default, ProtonMail generates a set of keys when you create an account and any time you create a new email address. When generating a key, you can choose between three different key types:

  • RSA-2048 (Secure, older, fast)
  • RSA-4096 (Very secure, slow)
  • X25519 ECC (Very secure, fast)

The first two key types encrypt and sign your emails using RSA. RSA-2048 uses 2,048-bit keys, which are secure and relatively fast. You can also use RSA-4096, which is the largest key size and is commonly used. RSA-4096 provides greater security but decrypts your emails at a slower rate.

The third key type, X25519, uses the elliptic curve cryptography (ECC) system. It is fast, secure, and resistant to timing attacks. You can only add ECC keys after you have already created a Proton account.

Generating additional keys after address creation is recommended if your existing keys have been leaked or have an undesirable key size. 

Note: Having multiple keys per email address increases your login time, since each key has to be loaded and decrypted. You can only generate up to 20 keys per email address. 

Deleting keys

You can delete non-primary keys to speed up loading times or free up space for new keys.

You can delete a key by clicking on the key dropdown menu and selecting Delete. Before you delete a key, we highly recommend that you export it, since your emails cannot be decrypted without it. The only way to decrypt those emails is to import the exported key.

How to download your public key

There are two different ways to download your public key depending on how many you have and which one you need.

1. In the web app at mail.protonmail.com, go to Settings > Encryption & keys and scroll down to Email encryption keys.

2. Choose the address for which you want to download the public key from the dropdown menu if it is not already selected.

3. Click Export to automatically export your primary public key. Or, if you have multiple active public keys, you can click Export next to the key you wish to download in the list below. Once you click Export, the file will automatically download in your browser.

Email encryption keys in Protonmail

4. You can also download your own public key or the key of a friend by using this link:

https://api.protonmail.ch/pks/lookup?op=get&search=user.email@protonmail.com

For the link to work, you need to replace [user.email@protonmail.com] with the ProtonMail email address of the appropriate account. You can also quickly share your key with friends by sending them that link with your email address in place of [user.email@protonmail.com].

Once you have placed your ProtonMail address in the link, you can send it to your friend, and with one click they can download your public key.

How to download your private key

1. In the web app at mail.protonmail.com, go to Settings > Encryption & keys and scroll down to Email encryption keys.

2. Choose the address for which you want to download the private key from the dropdown menu if it is not already selected.

3. Click on the dropdown menu labeled Export and select Export private key to download your primary private key. Or select Export private key from the dropdown menu of a specific key if you have multiple key pairs.

4. A pop-up window will ask you to confirm that you wish to download your private key. You will then be asked for your current password, which will be used to decrypt your private key. Then, you will be asked for a new password to encrypt your exported key with. Make sure you keep this password safe, as you will need it to use this key!
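The public and private exports are easy to confuse once they are files on disk, so it helps to check a file before sharing it. The sketch below is an added example, not Proton's code: it assumes the exports are ASCII-armored OpenPGP files, and the function names and the two samples (packet headers only, no real key material) are constructed for illustration.

```python
import base64
import re

def crc24(data: bytes) -> int:
    """CRC-24 checksum of OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(kind: str, payload: bytes) -> str:
    """Wrap bytes in armor; used only to construct the samples below."""
    body = base64.b64encode(payload).decode()
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{body}\n={check}\n-----END PGP {kind}-----\n"

def inspect_export(text: str) -> dict:
    """Say what an exported key file holds and whether it may be handed out."""
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END PGP \1-----",
                  text, re.S)
    if not m:
        raise ValueError("no OpenPGP armor block found")
    label = m.group(1)
    lines = [ln.strip() for ln in m.group(2).split("\n")]
    rest = lines[lines.index("") + 1:]      # armor headers end at the blank line
    payload = base64.b64decode("".join(ln for ln in rest if not ln.startswith("=")))
    if not payload:
        raise ValueError("empty armor body")
    sums = [ln[1:] for ln in rest if ln.startswith("=")]
    # The checksum line is optional; None means "absent", False means "corrupt".
    checksum_ok = (int.from_bytes(base64.b64decode(sums[0]), "big") == crc24(payload)
                   if sums else None)
    # First packet tag: new-format header (bit 6 set) or old-format header.
    first = payload[0]
    tag = first & 0x3F if first & 0x40 else (first & 0x3F) >> 2
    private = tag == 5 or "PRIVATE" in label     # tag 5 = secret key packet
    return {"label": label, "checksum_ok": checksum_ok, "private": private,
            "safe_to_share": tag == 6 and not private and checksum_ok is not False}

# Constructed samples: packet headers only, not real key material.
PUBLIC_SAMPLE = armor("PUBLIC KEY BLOCK", bytes([0xC6, 0x03, 0x04, 0x00, 0x00]))
PRIVATE_SAMPLE = armor("PRIVATE KEY BLOCK", bytes([0xC5, 0x03, 0x04, 0x00, 0x00]))

if __name__ == "__main__":
    for name, sample in (("public", PUBLIC_SAMPLE), ("private", PRIVATE_SAMPLE)):
        print(name, inspect_export(sample))
```

The check reads only the first armor block and its first packet; it does not replace comparing the key's fingerprint with its owner in a full OpenPGP client.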

Key flags and settings

Primary keys 

To encrypt your incoming emails with your new key, you can mark it as a primary key. Click on the key dropdown menu and select Make primary. Once you’ve set a primary key, all of your signed messages sent from this email address will be signed with this key. 

Obsolete keys 

If a contact has trusted your keys, setting a different key as the primary key does not ensure that your contact will encrypt emails addressed to you using the new primary key. To force contacts to use the new primary key, you will need to mark the old key as obsolete. This blocks all ProtonMail users from sending with this key.

To mark a key obsolete, click on the key dropdown and select Mark obsolete. You can only mark a non-primary key as obsolete. You can also reverse this process by clicking on the key dropdown menu and selecting Mark not obsolete.

Compromised keys

You can flag a key as compromised. This blocks all ProtonMail users from sending emails to you using this key, and causes all emails signed with that key to fail signature verification. Note that signature verification is only possible if your contact has key trusting enabled.

You can mark a key as compromised by clicking on the key dropdown menu and selecting Mark compromised. You can only mark a non-primary key as compromised. A compromised key is also marked obsolete. You can reverse this process by clicking on the key dropdown menu and selecting Mark not compromised.

Inactive keys

If you forget your ProtonMail password and reset it, you will lose access to your private keys. These keys will be inactive, and you will not be able to encrypt or decrypt messages with them. However, you can reactivate inactive keys if you still remember your old password by following this guide.


15 comments

  1. ernest

    No download on my browser (iPhone).

    Why?

  2. ProtonMail Support

    Please contact our support team using the support form at https://protonmail.com/support-form.

  3. Wolfgang

    „Trust“ starts with the UPLOAD of the key pair?!?

  4. Hasan

    Not the key pair. You only hand out your PUBLIC key to others. You should never-ever share your private key with anyone, or even transmit it to yourself over an unsecured channel on the Internet. You can share your public key with those who wish to send you encrypted messages. They use your public key to encrypt their messages to you. You can then decrypt those messages using your private key. ProtonMail does this automatically between two ProtonMail users.

  5. Brian

    Is there a way to download the public key of a ProtonMail user so I can send PGP mail in from the outside?

  6. ProtonMail Support

    We have a keyserver running at hkps://api.protonmail.ch (see https://protonmail.com/blog/address-verification-pgp-support/). We also support WKD, which allows other people to find ProtonMail keys using gpg --locate-keys.

  7. Romeo Shamaoun

    greetings
    how are you all? I need to access all my contacts. Can you help me, please?
    Thanks. God bless you all

  8. ProtonMail Support

    Please contact our support team: https://protonmail.com/support-form.

  9. Jake

    As the last step outlines, the user is required to set a password to encrypt their private key before exporting. What software should be used to decrypt the ProtonMail public key?

  10. ProtonMail Support

    If you add your private key to another PGP-enabled email client, you will need the password added during export from ProtonMail in order to decrypt the messages in that email client.

  11. Jake

    But which software should be used?

  12. Jake

    Step 5 could do with some elaboration:

    1) What sort of encryption is entailed – OpenPGP?

    2) And the setting of a password for the private key – is this equivalent to setting a passphrase for a private key in Kleopatra or GNU Privacy Assistant (GPA)?

  13. ProtonMail Support

    2) Yes, this is the same, meaning that 1) works just like a passphrase does with other PGP solutions.

  14. grady

    If I have someone’s public key in text form, say it is posted somewhere, how do I convert that text to a file that I can then upload and add to that person as a contact?

  15. ProtonMail Support

    If you have the armored text, save it as a .txt file with a text editor, rename it to filename.asc and import that. You should also be able to import it even if you don’t change the extension from .txt to .asc.
