ProtonMail Professional Accounts are protected by an Organization Password which is associated with an Organization Key
ProtonMail Professional Accounts protect the emails of your organization by using end-to-end encryption. This is achieved using a master encryption key called the Organization Key, which nobody other than the administrators of your organization has access to. Because even we do not have access to this Key, your data remains private, even from us.
At the bottom of the Addresses/Users tab in Settings, you can find some details about your Organization Key, such as the RSA key strength and the fingerprint of your Organization Key. This fingerprint can optionally be used as a security feature to verify that all administrators in your account have the same key.
The Organization Key is protected by an Organization Password that is known only to the administrators of your organization. Because we do not know the Organization Password, we cannot read any of the emails associated with your organization. However, because administrators have access to the Organization Password and Organization Key, administrators are able to read the emails of all users of an organization, unless the user is explicitly set to private.
For day-to-day management of your organization, administrators do not need to use the Organization Password because an administrator’s ProtonMail account password is sufficient for most organization management functions. However, the Organization Password must be known for certain situations such as:
- Adding a new administrator to your organization
- Changing Organization Keys
The Organization Password also serves as a recovery mechanism if an administrator loses administrative privileges to their ProtonMail organization (for instance, due to a password reset).
Changing Organization Password
Any administrator can change the Organization Password. When this is done, it is the responsibility of each administrator to share the new Organization Password with all other administrators.
Resetting Organization Password
For more information about resetting the Organization Password, please consult the article here.
Changing Organization Key
It is also possible to change the Organization Key in the Security section of the Users page.
This process is not typically necessary, but we recommend doing it for security purposes if an administrator leaves your organization, or if an administrator's account is compromised. Changing the Organization Key will generate a new encryption key to encrypt all the data of your organization, replacing the old key. You will also be required to set a new Organization Password.
No data will be lost or destroyed in this process. However, after the Organization Key has been changed, all other administrators will be placed into a restricted privileges mode. The administrator who changed the Organization Key will have to share the new Organization Password with all other administrators in order for them to restore their administrative privileges.
Below are some additional articles to assist you while setting up ProtonMail Professional accounts:
Step 1: Setting up Your Domain(s)
Step 2: Creating your Organization
Step 3: Setting up User(s)
Step 4: Migration of existing email messages (Coming 2018)