ProtonMail Professional Accounts are protected by an Organization Password which is associated with an Organization Key

ProtonMail Professional Accounts protect the emails of your organization by using end-to-end encryption. This is achieved using a master encryption key called the Organization Key which nobody other than the administrators of your organization have access to. Because even we do not have access to this Key, your data remains private, even from us.

At the bottom of the Addresses/Users tab in Settings, you can find some details about your Organization Key, such as RSA key strength, and also the fingerprint of your Organization Key. This fingerprint can be optionally used as a security feature to verify that all administrators in your account have the same key.

Organization Password

The Organization Key is protected by a Organization Password that is only known to the administrators of your organization. Because we do not know the Organization Password, we cannot read any of the emails associated with your organization. However, because administrators have access to the Organization Password and Organization Key, administrators are able to read the emails of all users of an organization, unless the user is explicitly set to private.

For day to day management of your organization, administrators do not need to use the Organization Password because an administrator’s ProtonMail account password is sufficient for most organization management functions. However, the Organization Password must be known for certain situations such as:

• Adding a new administrator to your organization
• Changing Organization Keys

The Organization Password also serves as a recovery mechanism if an administrator ever loses access to their ProtonMail account and has to do a password reset.

Changing Organization Password

Any administrator can change the Organization Password. When this is done, it is the responsibility of each administrator to share the new Organization Password with all other administrators.

Resetting Organization Password

For more information about resetting the Organization Password, please consult the article here.

Changing Organization Key

It is also possible to change the Organization Key in the Security section of the Users page.

This process is not typically necessary, but we recommend doing it for security purposes if an administrator leaves your organization, or if an administrator has his account compromised. Changing Organization Key will generate a new encryption key to encrypt all the data of your organization, replacing the old key. You will also be required to set a new Organization Password.

No data will be lost or destroyed in this process, however, after the Organization Key has been changed, all other administrators will be placed into a restricted privileges mode. The administrator that changed the Organization Key will have to share the new Organization Password with all other administrators in order for them to restore administrative privileges.

Below are some additional articles to assist you while setting up ProtonMail Professional accounts:

Step 1: Setting up Your Domain(s)

Step 2: Creating your Organization

• [You are currently here] Organization Key
• Restore Administrator

Step 3: Setting up Users(s)

• User Roles
• Private users
• Catch-All Address

Step 4: Migration of existing email messages (Coming 2018)