How to use PGP

Note: This article refers to a feature that is still in beta and not yet released on the public version of ProtonMail.

PGP is a time-tested and proven method of protecting email communications with end-to-end encryption (which prevents emails from being read by any third parties, including the email provider). Historically, PGP has been difficult to use, and it was not possible for most users to set up and regularly use PGP.

ProtonMail is unique because it has PGP fully integrated such that you do not need to take any additional steps to benefit from PGP encryption. This means that with ProtonMail, anybody can use PGP, regardless of their technical knowledge.

All messages between ProtonMail users are automatically end-to-end encrypted. Additionally, all messages in ProtonMail inboxes are protected with PGP encryption to prevent us (or anyone else) from reading or sharing your emails while at rest, a concept known as zero-access encryption.

By default, ProtonMail communicates with external email accounts without end-to-end encryption. While, we store your emails encrypted, the external email provider on the other side might have access to the emails sent from ProtonMail. To provide end-to-end encryption between ProtonMail and external email providers, ProtonMail provides two options: Encryption for Outside Users and PGP encryption.

Using PGP with ProtonMail

By far the easiest way to use PGP with someone else is for both you and your contact to create a ProtonMail email address. It’s free and takes less than a minute — you can sign up here.

If that is not an option for the contacts with whom you are communicating, you can use our Encrypt for Outside Users feature or, for more technically proficient contacts, ProtonMail’s external PGP encryption.

PGP works by generating a key pair: a public key and a private key. The public key can be distributed to anyone who wants to send you a message and is used to encrypt a message that can only be decrypted by you. The private key is kept secret and is used for decryption.

End to end Encrypted Email Graphic showing Alice's public and private key in the browserIn addition to encryption, PGP can also create digital signatures. Signatures, created with your private key, are proof that you have written the message you have signed. Using your public keys, other users can verify these signatures.

While ProtonMail does all of this for you automatically if both parties are using ProtonMail, if the recipient is not using ProtonMail, but does use PGP, it is also possible to manually set this up following the instructions below.

Sharing your public key

First, you need to share your public key with the non-ProtonMail recipient that you want to exchange encrypted emails with. The contact on the other side would need to know already how to use PGP and have a PGP plugin installed in their mail client. Sending your ProtonMail public key is very easy. Log in to your ProtonMail account and compose a message from ProtonMail to the non-ProtonMail user you want to use PGP with. Click on the dropdown menu and make sure the “Attach Public Key” option is activated. Then click send and your public key will be attached.

Composer drop down to Attach Public Key

The recipient can now open this mail in their mail client. Often the PGP client will automatically ask them to import the key.

There is another way to see your public keys, allowing you to distribute them via another method if you wish. Your keys can be found in the Keys menu in Settings at mail.protonmail.com in the web application. See here for more detailed instructions.

It is also possible to automatically distribute your public keys to all recipients whenever you send an email. To set up your ProtonMail account for automatic key distribution, go to mail.protonmail.com and visit Settings -> Security. Scroll down and enable the “Automatically attach public key” option. This is only recommended for advanced users.

Advanced Default encryption Settings

Sending PGP emails

Setting up encryption so that ProtonMail automatically encrypts messages sent to a specific non-ProtonMail recipient can either be done by manually uploading the public key of the recipient into ProtonMail’s contacts manager or by asking the contact to send you an email with their public key attached.

If you get a message that is properly cryptographically signed from your contact with their public key attached, you will see something similar to this:

Header on message that states if a message was signed properly

To enable sending PGP email to this contact, click on Trust Key. In the popup, make sure to turn on “Use for encryption”. Then click on Trust Key in the popup.

Pop up for trust Public Key Address Verification

Now PGP encryption is set up between ProtonMail and the external email address.

If your contact is digitally signing their messages, a check mark should now appear on the lock next to their email address in messages you receive from them, indicating the signature is correctly verified.

Encrypted, no signature:

Icon displayed next to the email address showing the message was encrypted but not signed

Encrypted and digitally signed:

Icon displayed next to the email address showing the message was encrypted and signed

If your contact does not send you their public key via email, there is an alternate way to import keys through the advanced contacts settings menu.

Advanced options can be accessed through the ProtonMail contacts manager found at mail.protonmail.com → Contacts. To access this menu:

  • go to Contacts;
  • select the contact you want to configure PGP for;
  • click on the “Advanced Settings” gear icon.

This will display a modal that allows you to configure advanced contact settings.

Advanced Contact Address Icon in the Email field of contact details

The first option is the format. This setting will indicate that you want your emails to be converted to plain text (i.e. unformatted text) when sending to this contact. For more information about the email format go here.

Advanced contact key settings popup with the ability to upload Contact's public key

The second option in advanced settings is Encrypt. This option is not available until you upload a public key that is valid for encryption.

To upload a public key click on the Upload Key button. This will open a window that allows you to select a PGP key from your computer.

After uploading your key the Encrypt button becomes enabled. Note that if you upload an expired key, it is not possible to enable PGP encryption.

Advanced Contact Settings pupup that shows if a key is expired or not.

In the example above, you see the public key with fingerprint fb10772d7ec6… is used for encryption. The other keys are only used to verify signatures created by that contact. Note that the public key with fingerprint 6e7a3becca… cannot be used for encryption: this key has expired. To change the encryption key used for encryption, click on the text that says “Set Primary”. When encryption is enabled, ProtonMail will always digitally sign outgoing messages.

The cryptographic scheme determines how the message is sent and what content types are supported. In general, we advise using PGP/MIME because it offers an additional privacy benefit. To learn more about the two schemes, view our article here.

Final tips

Setting up PGP encryption is not simple and not for the faint of heart. It requires work by both you and the contact you are communicating with. For this reason, if you would like to use PGP encryption to communicate with someone, we highly recommend that both you and your contact create ProtonMail accounts (it’s free) and let our software take care of these complex operations for you automatically. However, if your contact is unable or unwilling to create a ProtonMail account, ProtonMail’s built-in PGP integration gives you the most user-friendly PGP experience possible. If you have any questions or problems, you can contact our support team.