Mailvelope is a browser extension ("Add-On") that makes it easy for you to send and receive encrypted
emails. With Mailvelope, you can keep using your same webmail provider and email address with the added
benefit of encrypted communication.
One of the advantages of Mailvelope is that you don't need to change your familiar environment to get
started with encrypted communication. If you've been using a webmail provider, you can also send encrypted
emails with the help of Mailvelope using the same webmail provider and the same email address.
Mailvelope lives in your browser. Encryption and decryption are handled locally (on your computer) so
your encrypted email messages are not readable by your webmail provider. Your private key never leaves
your computer. You can decrypt a message by entering your private key's password.
Who develops Mailvelope and how is it supported?
Mailvelope was developed by Thomas Oberndörfer in spring 2012 with the first public version 0.4.0.1
released on August 24, 2012. In the wake of the Snowden revelations, the question of how to adopt secure
electronic communication and its complexity arose for many Internet users.
Thomas saw Mailvelope as one solution to this problem. He believes that common webmail services should
integrate encryption in a simple way and that niche encryption technology should be accessible by everyone
who needs it. Mailvelope’s user base grew quickly thanks to recommendations from major publications.
In 2015, Mailvelope GmbH was founded with headquarters in Germany. Mailvelope is continuously developed
by Thomas and a small team of freelancers. They are supported by grants from organizations like Open
Technology Fund (OTF) and Internews.
Can I also use Mailvelope on mobile devices?
Unfortunately not. Using Mailvelope on mobile devices with the Android or iOS operating systems isn't
possible at the moment. Mobile browsers currently have restrictions that do not support the Mailvelope
extension.
However, several email clients do support the OpenPGP standard for sending and receiving PGP encrypted
emails on Android and iOS.
Mailvelope allows you to export and import your keys so that you can continue to use them on a mobile
device with these apps. For more information, the webmail provider Posteo.de offers a detailed guide on how to set up mobile PGP encryption on an Android device.
Remember that the use of PGP on your mobile device carries additional security risks. If you face a high
security risk, the mobile use of PGP is not recommended. This especially applies to Android devices which
often get delayed operating system updates.
I have a feature request. How can I get in touch?
If you have any suggestions or questions about the roadmap for a specific feature, send an email to support@mailvelope.com. We will happily consider them while
planning future versions.
Mailvelope and Webmail
Which webmail providers does Mailvelope support?
Mailvelope is designed for maximum flexibility and customizability. The extension works with a variety of
webmail providers and websites including Gmail, Yahoo, Outlook Live, Zoho and many more.
Since Mailvelope first became available in 2012, more and more webmail providers have tailored their
services to support the Mailvelope API so that they can offer their users easy-to-use email encryption.
The integration with German webmail providers WEB.DE, GMX and Posteo is especially seamless. If you want
to use Mailvelope with these webmail providers, use their help pages because the integration is unique to
their platforms:
My webmail provider isn't pre-configured (authorized) in Mailvelope. Can I still use Mailvelope?
Mailvelope was designed for flexible use. If your webmail provider is not included in the list of
authorized domains, it is usually still possible to activate Mailvelope on new websites.
How do I authorize a new domain for it to work with Mailvelope?
Load the website you want to add to the list of authorized domains. Select the Mailvelope icon in the
upper right corner of your browser to open the main menu. Select "Authorize this domain". A Mailvelope
dialogue to add the new domain will open.
In most cases you can leave the fields "Status", "Domain pattern" and "API" unchanged. Once you
select "OK", Mailvelope will save the entry in the list of authorized domains. There, the entry can be
edited at any time. Reload the newly authorized website in order to activate Mailvelope.
How do I deauthorize a domain so that it no longer works with Mailvelope?
Navigate to the list of "Authorized domains" (Main Menu -> Dashboard) and select the relevant domain.
Click on the trash icon and confirm the security prompt. You can also temporarily deactivate a domain.
To do this, switch the "Enabled" button to "Off" and confirm with "OK".
Google requests additional permissions for the Gmail API integration of Mailvelope. What are they
necessary for and how does Mailvelope handle my data?
Mailvelope will work in Gmail, even without API integration. However, granting permission for the
Gmail API makes it easier to write emails and handle attachments.
Gmail API permissions allow Mailvelope to manage your emails in your Gmail account. This integration
activates the feature for one-click encryption and decryption of email messages and attachments, making
the Mailvelope experience in Gmail more seamless. With this API integration, Mailvelope is able to:
Insert encrypted text into the email body
Tell Gmail to send the email when you click send in the Mailvelope editor
View an email message to decrypt it
Display the decrypted text instead of the encrypted text
The API integration is activated by default. After you install Mailvelope (or activate the API
integration), a Google pop-up will ask you to confirm the API integration by asking you to allow
Mailvelope to read and send your emails. You can view and change this setting in "Options" -> "Gmail API
Integration".
Mailvelope is open source software with its Source Code available to the public and verified by many different organizations.
Mailvelope’s security is continuously monitored by regular security audits. Moreover we are fully
transparent about how your data is processed. Our guidelines for data handling can be found in our Privacy Policy.
WEB.DE and GMX users: I need to enter a "recovery code". Where do I get that?
A recovery code is a 26-character code that is generated when you set up email encryption with WEB.DE or
GMX. This is a feature that is only offered by these email providers. Print out your recovery code so that
you can recover your key or password in case you lose them.
You can get a new recovery code if you still have your private PGP key and password. Follow the
instructions in GMX Help: "Creating a New Recovery Document". (As there is currently no English version of
WEB.DE Support available, you can use the GMX instructions. The process is the same.)
If you have lost your private key or your password and you don’t have your recovery code, your encrypted
communication cannot be recovered. The PGP function of your GMX or WEB.DE accounts will have to be reset.
This can be done neither by you nor by Mailvelope, but must instead be requested through the GMX and
WEB.DE hotline:
Can I install Mailvelope on other browsers besides Chrome, Firefox and Edge?
Yes. Since there are many browsers built on Chrome and Mozilla technology, Mailvelope can run on these
browsers without any issues. We recommend the Brave
browser (based on the Chromium engine) because it offers numerous features for privacy protection.
For Opera, the Install Chrome Extensions add-on allows you to install Chrome extensions but we
cannot assure this allows Mailvelope to run on Opera without any restrictions.
As the browser market is constantly evolving, we cannot check Mailvelope’s compatibility with every
available browser.
Why does Mailvelope need to change content on websites I visit?
Mailvelope has to be integrated deeply into your browser to fulfill its task. Your browser will therefore
give you a standard warning when installing Mailvelope. It may sound alarming for you to give these
permissions, especially to software that was designed to protect your privacy. Mailvelope is open source
software with its source code available to the public and verified by many different organizations. For
details on privacy and data protection, see our Privacy Policy.
On a technical level, these permissions are needed for Mailvelope to work properly for the following
reasons:
Mailvelope must be able to search the authorized websites for PGP encrypted
messages. For this, Mailvelope needs access to the data of these websites.
Mailvelope is pre-configured for the most important webmail providers, but can be extended and used
with any website. Since we do not know which mail provider (domains) will be added (authorized) by the
user, we need this general permission to read data on all websites.
Without permissions, Mailvelope cannot add its controls to the user interfaces of authorized websites.
How to limit access of Mailvelope to certain domains
If you don’t feel comfortable granting Mailvelope permission to access your data on all websites, you can
limit the domains Mailvelope can access in the settings of your browser. In Chrome select "Tools" >
"Extensions" in the main menu. You will see all your extensions. Find Mailvelope and click on "Details".
The subsection "Site access" > "On specific sites" will allow you to choose the domains that Mailvelope
can access. If you want to work with Mailvelope within your Gmail account for example, type:
https://mail.google.com/ into the "Add a site" field. Mailvelope will now only have access to data when
you’re browsing this (sub)domain.
Managing my own keys
What is a keypair?
PGP encryption and decryption uses two keys: a public key and a private key. Together they are called a
keypair.
What is the difference between my private key and a public key?
If someone wants to send you encrypted communication, they need to know your public key. All messages
that are encrypted with a public key can only be decrypted by the corresponding private key. Your private
key should be kept in your possession and kept secret.
Remember: Anyone who possesses your private key can open an encrypted message if it is
intercepted. A person who has your private key could even write an encrypted message pretending to be
you.
I already have a keypair. How do I import it into Mailvelope?
Select the Mailvelope icon in the upper right corner of your browser to open the main menu. Select
"Keyring" > "Import". You can import your keypair in two ways:
Upload a file: Choose a key file (*.asc) with keys from your drive and import it into
Mailvelope.
Copy and paste key text: First copy the key or keys (several keys can be imported at
the same time) to the clipboard. If you select "Import key from clipboard", the keys are extracted from
the texts and transferred to the local keyring. Make sure you include
-----BEGIN PGP PUBLIC KEY BLOCK----- and
-----END PGP PUBLIC KEY BLOCK----- in the selection.
Where are my keys stored?
The location where Mailvelope stores your keys depends on your selection in Options -> General -> OpenPGP
Preferences.
Default setting (OpenPGP.js)
Mailvelope stores the keys as a file in the browser's local folder, either in the Chrome user data directory or in the profile
folder for Firefox. If you delete the temporary browser data, stored keys in Mailvelope will not be
affected. However, deleting the Mailvelope extension in Chrome or Firefox will also delete the
keystore from your file system.
Key management by GnuPG
If you have selected GnuPG as your preferred backend for encryption in Options -> General -> OpenPGP
Preferences, the keys will be managed by your local GnuPG program (usually GPG4Win or GPGTools).
How can I change the password for my private key?
Select the Mailvelope icon in the upper right corner of your browser to open the main menu and select
"Keyring". Click on the keypair for which you want to change the password. At the bottom left you see the
field "Password". "Change" opens the dialog to change the password. Enter the old password, then enter and
confirm the new password.
What do I do if I forget my password?
Unfortunately Mailvelope cannot recover your password for you. Any messages sent to you
using this public key can no longer be decrypted. You will need to delete your old key (this should also
be done on the Mailvelope key server if it has been uploaded).
Generate a new key pair and inform your communication partners that your public key changed as soon as
possible.
If your email address changes, the PGP key you are using does not have to change. You can add the new
email address to your existing key:
Select the Mailvelope icon in the upper right corner of your browser to open the main menu and click on
"Keyring". Select the keypair that you want to add a new email address to. Under "Assigned User IDs" you
will see all email addresses that have been assigned to this key. Click "Add new" to add a name and an
email address. You can also delete the user ID of your old email address if you want. Finally, you can
synchronize the new entry with the key server so that your communication partners can find you under the
new address.
How can I export or backup my keypair?
Select the Mailvelope icon in the upper right corner of your browser to open the main menu and select
"Keyring". You can use the "Export" option to save your entire keyring or individual keys. You can use
this feature to save a copy of your keypair in a safe place. If you choose to export your key using the
clipboard, please make sure -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- are
included.
You can also use this feature to publish your public key manually (the Mailvelope key server will do this
job automatically if you are communicating with other Mailvelope users).
Exporting your public key:
Within "Key Management" in the Mailvelope options, select your key, then select "Export". Choose "Public"
and if requested, provide a filename. After clicking "Save," your public key will be saved to your
Download folder as a .asc file. This format is standardized and can be read by all PGP implementations.
Alternatively, you can copy your key to the clipboard from the "Key Details" window. Your public key can
now be sent to someone else, uploaded to a key server, or integrated into your website.
Exporting your public and private key:
Within "Key Management" in the Mailvelope options, select your key, then select "Export". Choose "All" to
select the complete keypair. After clicking "Save," your keypair will be saved to your Download folder as
a .asc file. Alternatively, you can copy your keypair to the clipboard from the "Key Details" window.
Be careful when exporting your private key! Anyone with access to your private key and your
password can send emails posing as you.
Backup of the complete keyring:
If you have multiple keyrings, first select the correct keyring on the top right of the key management
window (you will only find this menu if you have more than one keyring). On the "Key Management" screen,
select "Export" from the upper left corner. You can save public keys, private keys, or "All" public and
private keys from the entire keyring. Input a file name. After clicking "Save," your keys will be saved to
your Download folder as a .asc file.
Note: When exporting private keys, keep them in a safe place. If your security threats are high,
keep the backup file on safe offline storage, such as a USB drive, and in a physically safe
location.
Special use case: Use of the GnuPG keyring:
If you use GnuPG for key management, please note that for security reasons Mailvelope only supports the
export of public keys. If you want to export key pairs or private keys from GnuPG, use the export function
of the respective GnuPG software.
Can I change my default keypair?
A default keypair is the main keypair that you want to use for your communication. In the key list, this
key will be marked with the label "Default". The first key you generate with Mailvelope automatically
becomes your default keypair. If you want to change your default keypair, select a keypair in your keyring
and click "Set as default". Outgoing emails will be signed and encrypted with the default keypair which
allows you to read encrypted emails in your Sent folder.
Should I upload my key to the Mailvelope key server?
Mailvelope provides its own key server. A key server is a freely accessible directory for the public keys
of PGP users. You can store your public PGP key there for others to find easily. By default, Mailvelope
automatically uploads newly-generated keys to the key server. You can deactivate this option in the key
creation dialog.
Syncing (uploading) or removing a key on the key server
Click on any of your keypairs to find out if it’s synced with the key server. You can add or remove your
key from the key server:
If Mailvelope tells you "The key is not synchronized with the Mailvelope key server" it will give you
the option "Synchronize". Click this button to upload your public key to the server. You will receive an
encrypted verification email sent by the key server. Confirm the action by decrypting and clicking the
link within the email.
If the message reads "The key data on the Mailvelope key server is up to date" you are given the
option to "Remove all user IDs". Click this button to remove the key from the server. You will get a
verification email sent by the key server. Confirm the action by clicking the link within the email.
Sharing and using keys
How can I import (add) someone's public key to my Mailvelope keyring?
Select the Mailvelope icon in the upper right corner of your browser to open the main menu. Select
"Keyring" > "Import".
There are two options:
Import key as a file: Choose a key file (*.asc) from your computer and import it into
Mailvelope.
Import key as text: First copy the key or keys (several keys can be imported at the
same time) to the clipboard. If you select "Import key from clipboard", the keys are extracted from the
texts and transferred to the local keyring. Make sure you include
-----BEGIN PGP PUBLIC KEY BLOCK----- and
-----END PGP PUBLIC KEY BLOCK----- in the selection.
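What extracting armored keys from pasted text involves, and why both marker lines have to be in the selection, shown as an added Python example (not Mailvelope's own code). The sample payloads are constructed placeholder bytes rather than real keys, and the CRC-24 check follows the ASCII armor format of RFC 4880.

```python
import base64
import binascii
import re

# Matches one complete armored key block; the END line must name the same kind as BEGIN.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP (PUBLIC|PRIVATE) KEY BLOCK-----\r?\n(.*?)-----END PGP \1 KEY BLOCK-----",
    re.DOTALL,
)


def crc24(data: bytes) -> int:
    """CRC-24 checksum used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(data: bytes, kind: str = "PUBLIC") -> str:
    """Wrap binary data in ASCII armor (used here only to build the sample input)."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join(
        [f"-----BEGIN PGP {kind} KEY BLOCK-----", "", *lines, "=" + check,
         f"-----END PGP {kind} KEY BLOCK-----"]
    )


def extract_key_blocks(text: str) -> list:
    """Return every complete armored key block found in free text.

    Each result holds the block kind, the decoded bytes and crc_ok:
    True/False when a checksum line is present, None when it is absent.
    """
    blocks = []
    for match in ARMOR_RE.finditer(text):
        lines = [line.strip() for line in match.group(2).splitlines()]
        if "" not in lines:
            continue  # no blank line separating armor headers from the data
        body = [line for line in lines[lines.index("") + 1:] if line]
        checksum = body.pop()[1:] if body and body[-1].startswith("=") else None
        try:
            data = base64.b64decode("".join(body), validate=True)
            crc_ok = None if checksum is None else (
                int.from_bytes(base64.b64decode(checksum, validate=True), "big")
                == crc24(data)
            )
        except binascii.Error:
            continue  # the selection contained something that is not base64
        if data:
            blocks.append({"kind": match.group(1), "data": data, "crc_ok": crc_ok})
    return blocks


# Constructed sample input: two armored blocks inside ordinary message text.
# The payloads are placeholder bytes standing in for key packets, not real keys.
SAMPLE_PAYLOADS = [bytes(range(200)), b"second constructed payload"]
SAMPLE_TEXT = (
    "Hi, here are our keys:\n\n"
    + "\n\nand the second one:\n".join(armor(p) for p in SAMPLE_PAYLOADS)
    + "\n\nBest regards\n"
)

if __name__ == "__main__":
    for block in extract_key_blocks(SAMPLE_TEXT):
        print(block["kind"], len(block["data"]), "bytes, checksum ok:", block["crc_ok"])
    # A selection that stops before the END line yields no key at all.
    truncated = SAMPLE_TEXT[: SAMPLE_TEXT.index("-----END")]
    print("blocks in truncated selection:", len(extract_key_blocks(truncated)))
```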
What is the Mailvelope key server and how can I use it?
Mailvelope provides its own key server. A key server is a freely accessible directory for the public keys
of PGP users. If you want to send an encrypted email to someone but do not know their public key, you can
use the key server to search for it.
Automatic key search
Mailvelope sometimes uses the key server in the background to help you find and manage keys. For
instance, when you’re composing an email in the Mailvelope editor and you type the recipient’s email
address, Mailvelope will search for their public key on the key server. The background color of the email
address changes depending on whether a public key is found. A green background means that Mailvelope found the public
key and the email can be encrypted for the recipient. A red background means that Mailvelope could not
find the public key and the email cannot be encrypted for the recipient.
The automatic use of the key server is activated by default. You can deactivate this feature by selecting
"Options" -> "Key-Directories" and unchecking the box: "Use the Mailvelope key server".
Search for keys on the key server
Select the Mailvelope icon in the upper right corner of your browser to open the main menu. Click on
"Keyring" and then on "Search". Enter either the email address or the key ID/Fingerprint of the key you are
searching for. Then click the "Search" button.
How do I export my public key to give it to someone else?
Select the Mailvelope icon in the upper right corner of your browser to open the main menu and click on
"Keyring". Click on the keypair that contains the public key you want to share. It’s likely this is your
"default" keypair. Click the "Export" button on the right. Choose "Public" (default) and click "Save". The
key is saved as a file with the ending .asc in your download folder. You can send this file to anybody who
wants to contact you securely. An .asc key file can be imported into any software using the PGP protocol.
Do not share your private key!
How do I use the Key ID and PGP Fingerprint?
Key IDs and PGP Fingerprints help you identify and compare keys. A PGP Fingerprint is a 40-digit checksum
("hash") of a key. A Key ID consists of the last 16 digits of the PGP Fingerprint.
The PGP Fingerprint can help you check the legitimacy of a key. For example if you shared your public key
with somebody, they might want proof that it was not intercepted and altered. An altered key would have a
different PGP Fingerprint. By comparing the PGP Fingerprint on a phone call (for example), you and the
other person can check the legitimacy of a key. This helps establish secure communication going forward.
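How the 40-digit fingerprint and the 16-digit Key ID are derived, and how a full-fingerprint comparison behaves, shown as an added Python example (not Mailvelope's own code). It assumes version 4 OpenPGP keys, whose fingerprint is a SHA-1 hash over the public-key packet (RFC 4880, section 12.2); the RSA values are constructed sample numbers, not a real key.

```python
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet: version, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> str:
    """V4 fingerprint: SHA-1 over 0x99, the 2-byte body length and the packet body."""
    if not body or body[0] != 4:
        raise ValueError("only version 4 keys have a 40-digit SHA-1 fingerprint")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def key_id(fpr: str) -> str:
    """The Key ID is the last 16 hex digits of the fingerprint."""
    return fpr[-16:]


def spoken(fpr: str) -> str:
    """Group the fingerprint in blocks of four digits, convenient for reading aloud."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))


def normalize(text: str) -> str:
    """Drop whitespace and an optional 0x prefix, and upper-case the digits."""
    text = "".join(text.split()).upper()
    return text[2:] if text.startswith("0X") else text


def fingerprints_match(a: str, b: str) -> bool:
    """Compare two fingerprints; both must be complete 40-digit values.

    A 16-digit Key ID is rejected on purpose: it covers only part of the hash.
    """
    a, b = normalize(a), normalize(b)
    if len(a) != 40 or len(b) != 40:
        return False
    if not all(c in "0123456789ABCDEF" for c in a + b):
        return False
    return hmac.compare_digest(a, b)


# Constructed sample values (not a real RSA key): a 2048-bit odd number and a timestamp.
SAMPLE_N = int.from_bytes(hashlib.sha256(b"constructed sample modulus").digest() * 8, "big")
SAMPLE_N |= (1 << 2047) | 1
SAMPLE_E = 65537
SAMPLE_CREATED = 1700000000

ORIGINAL = rsa_public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
# The same key with a single bit of the modulus flipped, standing in for an altered key.
ALTERED = rsa_public_key_body(SAMPLE_CREATED, SAMPLE_N ^ 2, SAMPLE_E)

if __name__ == "__main__":
    fpr = fingerprint(ORIGINAL)
    print("Fingerprint:", spoken(fpr))
    print("Key ID:     ", key_id(fpr))
    print("Altered key:", spoken(fingerprint(ALTERED)))
    print("Match:", fingerprints_match(fpr, fingerprint(ALTERED)))
```

The creation time is part of the hashed packet, so the same key material with a different creation time also produces a different fingerprint.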
Automatic key selection: Can Mailvelope detect when my communication partner gets a new keypair?
Some people routinely discard old keys and use new ones. This is called key rotation. Mailvelope can help
you when someone else gets a new key so that you don’t have to find it and add it to your keyring
manually. When you receive a message signed with a new key, a Mailvelope message will appear asking if you
want to decrypt the email and add the new public key to your keyring. If you want to decide later, click
"Not now". If you are not sure whether the key is legitimate, we recommend contacting the sender via
another communication channel and comparing the fingerprint to confirm. If you don’t add the new key, your
communication partner might not be able to open your future emails if you are still encrypting with their
old key.
Mailvelope can only perform this process with signed encrypted emails. Mailvelope determines the
contact's current key by looking at the most recent valid signature. This information is stored by
Mailvelope so that it can automatically select the correct key for future emails to this contact.
This feature is turned on by default and it is optional. Under "Options" -> "Key Directories" in the
Mailvelope settings, look for the option "Determine current key of contacts and perform key selection
automatically".
How do I communicate with someone whose key is used by multiple people (e.g. at the same company)?
Some companies and institutions have an organization-wide key that is universally valid for all email
addresses of the same domain (i.e. all employees). In this case because the recipient’s email address is
not linked to the shared key, Mailvelope allows you to specify an additional key.
In the Mailvelope editor, enter the email address of your contact. Note that the email address background
color will not turn green because Mailvelope will not find a key for this email address. In the lower left
corner of the Mailvelope editor, click on "Options". Now mark the box "Add extra key" and a new input
field will open. Enter the key ID or its associated email address that you want to encrypt the email with.
Under the recipient's email address, a confirmation message will appear: "Email will be encrypted with the
alternative key entered below."
Sending and receiving emails
Can I exchange encrypted emails with people who don’t use Mailvelope?
Yes. Because Mailvelope uses the OpenPGP standard, you can communicate not only with other Mailvelope
users but with anyone who uses software compatible with the PGP standard. The OpenPGP standard is open and
has been trusted as secure for many years.
Gpg4win for Windows, for use with Outlook for
example.
GPGtools for macOS in conjunction with the default
mail application "Mail".
As people using this software may not use the Mailvelope key server, also consult the chapter "Sharing and using keys" to find out how to exchange keys with them.
Do I need to sign my email?
Signing a message guarantees that it actually came from the sender, and not someone posing as the sender.
We recommend that you sign your encrypted emails because this proves the origin of the message.
To sign an encrypted email, click on the "Options" button in the Mailvelope editor. There you can select
the key that you want to sign the message with.
In the Mailvelope settings, you can choose to sign all messages by default by checking "Sign all outgoing
messages."
In case you don’t need to encrypt your message and only want to prove that the message is from you and
not from another person posing as you, Mailvelope gives you the option to send your PGP signature. To
do this you will need to choose a key for signing in the email options and use the button "Sign only" in
the editor. Mailvelope will then create a PGP signature and will add it directly into the email
text. Note: The email content will be sent unencrypted.
How do I check the validity of signed messages?
If a message contains a signature and Mailvelope can determine the sender address, Mailvelope
automatically checks it. The message "Digitally signed" and the corresponding signature are then displayed
in the lower area of the decoded message.
Can I also encrypt email attachments with Mailvelope?
Yes. Depending on the webmail you use, there are different ways to encrypt an email attachment.
Gmail users with API integration turned on and with other providers like GMX, WEB.DE, Posteo,
mailbox.org or freenet.de: When you compose an email in the Mailvelope editor and upload a file
as an attachment, the attachment is encrypted along with the email message. Please keep in mind that email
addresses and subject lines are never encrypted.
For other webmail providers, you can use the Mailvelope file encryption feature:
Using Mailvelope's file encryption you can easily encrypt any file to send as an email attachment. In
this case, the file is encrypted with the public key of the recipient in the same way as email encryption.
The size of an attached file is currently limited to 50MB, as sending larger files is usually not
supported by email providers.
Encrypting Files
Select the Mailvelope icon to the right of the browser input field to open the main menu and select "File
Encryption". The first step is to enter the email address of the recipient in the input field. In the next
step, reselect the files to be encrypted with "Add file" or by dragging them on the Mailvelope window.
After selecting "Encrypt" the files will be encrypted for the selected recipients. You can now select the
files to download them and later add them to your email as an attachment. The encrypted files can either
be selected individually or together using the "Download all" button.
Note: Encrypting with Mailvelope changes the format of the file. Your encrypted files will have the file
extension for GnuPG encrypted files (.gpg). After decryption, the file will be restored to its original
format.
Decrypting Files
Select the Mailvelope icon in the upper right corner of your browser to open the main menu. Select
"Dashboard" and then "Decrypt" in the top menu bar. Next, select the files to be decrypted with "Add file"
or by dragging them into the Mailvelope window. After entering your private key’s password, the decrypted
files are displayed and can be downloaded.
Mailvelope's Security & Privacy
How secure is Mailvelope?
Mailvelope provides end-to-end encryption, meaning the app ensures (within its set technical limits) that
sensitive files and information can be sent from one device to another over a potentially unprotected
channel such as an email.
However, security while using Mailvelope is dependent on how secure your device is. We therefore
recommend security measures such as regular updates of your browser and operating system as well as the
use of sufficiently secure passwords.
Can my webmail provider read my encrypted emails?
No. When you compose an encrypted email in the Mailvelope editor, your data remains on your computer and
is never stored or analyzed - neither by Mailvelope nor by your webmail provider. Only after successful
encryption is the data passed to the webmail provider for sending. This also means that all your emails
sent or received with Mailvelope are stored in encrypted form by your webmail provider and can't be read
by anyone unless they have your private key.
Is a browser extension secure?
Yes. As several independent security audits have shown, Mailvelope creates a secure isolation between the
private content of your communication and other applications that run in the browser. See our audits on
Github.
Mailvelope can only be as secure as your browser. For this reason, we highly recommend keeping your
browser up to date.
How are private keys protected? Can anyone who has access to my computer also access my private key?
Mailvelope stores and exports private keys only in their encrypted form. The private key is therefore
always password protected. All steps that require a private key (such as decrypting or signing a message)
always require both components: the private key and the password. Even after exporting a private
key it remains encrypted and password protected at all times.
Mailvelope guarantees a high level of security for your private keys by default. You can further increase
this security by selecting GnuPG as the preferred backend for encryption under Options -> General ->
OpenPGP Preferences.
Additional information:
The OpenPGP standard also allows private keys without a password, however, such keys are rarely used
in practice. Using such keys with Mailvelope is not recommended.
In case an attacker ever gains access to the private key, its ability to resist brute force attacks
entirely depends on the complexity and length of the password. Please read the notes in the next section
of this FAQ.
As an end-to-end encryption software, Mailvelope must be able to rely on secure endpoints. If one of
the computers on either side is insecure (e.g. due to missing updates of the operating system or
browser), encryption is also potentially at risk. In addition to the usual protective measures, physical
access to your computer by third parties should also be avoided.
GPG uses a similar
security model for private keys: The "Keyring" is not encrypted in this case, only the individual parts
of the key are. Any user with local access rights can copy the private key from the file system.
However, their password is required to access or use a single private key.
By default, the Chrome and Firefox browsers automatically send usage statistics and crash reports to
Google or Firefox. These functions should be deactivated because in case of a bug it is possible that
stored content, which could also include private keys, could be sent to them. We therefore recommend
that you disable "Automatically send usage statistics and crash reports to Google" in Chrome settings
(chrome://settings/syncSetup). In Firefox you can find the corresponding option under "Privacy &
Security" -> "Firefox Data Collection and Use".
How and why does Mailvelope collect analytics data?
With Mailvelope v6.0 and the transition to Manifest V3, all
analytics features have been disabled for the Mailvelope extension on Chrome and Edge browsers.
If you as a user consent to it, Mailvelope will collect analytics data using Clean Insights. Clean Insights is committed to the highest
standards of data minimization and stores your data anonymously without identifying features. Therefore,
Mailvelope cannot trace the collected data back to specific users and does not store personal
characteristics such as IP addresses at any time.
How and from whom are data collected?
From Mailvelope v5.2 onwards, 1% of users will get a consent dialog displayed after the first load of the
browser extension. It informs you about the possibility to help us improve our software by consenting to the
collection of analytics data. Without consent and prior information, Mailvelope never collects
any analytics data.
What is collected upon consent?
If you decide to share your usage data, the following events will be recorded:
A First load - This is usually the time of installation
B A PGP keypair is uploaded or a keypair is generated
C1 The user decrypts the verification email from the Mailvelope key server
C2 The user encrypts and sends an email
C3 The user decrypts an email (not originating from the Mailvelope key server)
In addition to these events, the time span between the events is measured. The events are recorded once a
day.
We kindly request your consent to optimize our installation process. Your cooperation would be greatly
appreciated!
Can I withdraw my consent?
Yes, you can withdraw your consent at any time. Simply go to the "Options" menu in the Mailvelope
overview dialog. Under "Analytics" uncheck the box and click "Save." Please note that reactivating usage
data collection is not possible once it has been disabled.
Can I activate analytics myself?
No, this is currently not possible. The "Analytics" menu item under Mailvelope "Options" is permanently
grayed out and not selectable for users who were not chosen for the consent dialog at installation.
Mailvelope Business
What is Mailvelope Business?
With Mailvelope Business, you can send and receive end-to-end encrypted emails within your Google
Workspace with one click. Mailvelope blends the Gmail user interface with the intuitive Mailvelope
controls. The Mailvelope key server will ensure that you don't have to keep track of the keys of your
email partners. Attachments are also encrypted and decrypted with one click. Neither Google nor Mailvelope
can read your messages along the way. You can find more on Mailvelope Business in our related blog post.
How can I use Mailvelope Business as a nonprofit organization?
Our Mailvelope Nonprofit plan offers free access for up to 4 users. Mailvelope Nonprofit comes with the
same features as the Mailvelope Business plan but without the enterprise support.
Please note:
Mailvelope Nonprofit is intended for organizations that serve non-commercial
purposes.
When registering, please specify the web domain of your organization. This domain
must be a publicly accessible website on which the nonprofit character of the
organization is clearly visible.
After registration, Mailvelope Nonprofit is immediately activated. A review of the domain will take
place at a later date. We reserve the right to delete registrations which do not meet our eligibility
criteria.
Do I have to buy a license for all users in my organization?
No. The license defines the maximum number of users of a domain linked to Google Workspace. At the
beginning of each month, the free licenses will be assigned to the first users who log in. This
allows for flexible allocation of the maximum number of licenses purchased each month. Therefore, you only
need licenses for the number of users who will actively use Mailvelope. Should your license needs evolve,
you can increase or decrease the number of users through our portal.
Why is a DPA (data processing agreement) necessary for Mailvelope Business?
Mailvelope’s end-to-end encryption is client-based and therefore, sensitive data is always encrypted
before it leaves your end device. However, to provide the convenience of easy public key management, we
rely on the Mailvelope Key Server. With the (optional) upload of keys to our key server, data relevant to
data protection such as name and email address of people in your organization are stored on our server.
The DPA defines the roles and responsibilities in handling this data. You can always
request a signed agreement for your organization at support@mailvelope.com. Users of Mailvelope Business are also
registered and managed on our Chargebee payment platform.
How can I cancel my subscription to Mailvelope Business? How to delete my account?
With the end of the trial phase the subscription ends automatically if no payment method is defined. An
active subscription can be cancelled at any time via our portal and ends at the end of the current billing period. If you want to delete
your account completely, please send us a short email to support@mailvelope.com.
Troubleshooting
What can I do if it looks like Mailvelope isn't working properly?
Mailvelope has been designed as a browser extension and therefore needs an updated "software base" in
order to function as intended. In the case of malfunctions, check to see if you are working with an
outdated operating system or if you have to update your browser to the latest available version. If you
still experience issues, you can try one of the following options:
Firefox:
First try to disable all other currently installed browser extensions, then restart Firefox. Sometimes
the installed extensions affect one another.
Chrome:
First try to disable all other currently installed extensions, then restart Chrome. Sometimes the
installed extensions affect one another.
If you find that other extensions are interfering with Mailvelope (this rarely happens in Chrome), you
could create a special user profile in which Mailvelope is the only extension installed.
What should I include in my bug report to Mailvelope?
Before you send a bug report, please always restart your browser and check if the problem
persists. Often browser issues, and not Mailvelope itself, are responsible for malfunctions. If you are
using an older version of your browser or operating system, please update and check if the problem
persists. In case the bug persists, please send us a bug report at: support@mailvelope.com
A bug report should at least contain the following information:
Short description of the problem
Type and version of the operating system
Google Chrome
Check your browser version: type about:version in the address bar.
If Mailvelope does not show an error message, you may find relevant information in the logs:
In the browser tab in which your webmail provider is open, select + +
(Windows/Linux) or + + (Mac) and add the errors marked in red to the report.
In addition, open the extension page by entering chrome:extensions in the address bar.
Activate developer mode at the top right corner of the page.
Click on Details in the Mailvelope entry on the page and click on Service
Worker in the Inspect views section.
A new browser window will open. Make sure the Console tab is enabled and add any errors
marked in red to the bug report.
Chromium-based browsers (Edge, Brave, and others)
Please follow the instructions for Google Chrome.
Note: The toggle button for activating developer mode on the extensions page is located in the
left-hand column on Microsoft Edge.
Firefox
Check your browser version: Click Firefox in the main menu and select About Firefox
to confirm your version.
If Mailvelope does not display an error message, relevant information might be found in the logs.
Steps to gather log information:
Restart your browser.
Try to reproduce the problem.
Open the Firefox main menu and select Tools -> Add-ons and Themes.
In the left-hand column, choose Extensions.
At the top of the extensions list, click the gear icon and select Debug Add-ons.
Find the Mailvelope entry and click the Inspect button.
Go to the Console tab and copy the content of the console window.
Include the console log in your bug report for analysis.
Mailvelope reports error: "No private Key found for this message. Required private key IDs:..."
This error occurs if you have received an encrypted message for which Mailvelope does not find the
matching private key. If the public key your communication partner encrypted the email with does not have
a matching private "counterpart" on your side, Mailvelope can't decrypt the email.
There are several reasons why private keys could be missing: For example, you exchanged the public keys
with your communication partner first and later forgot the password of your private key. You then
generated a new key and deleted the old one. In this case, you must pass the corresponding new public key
to your communication partner again, so that future emails to you are not accidentally encrypted with the
old public key and you end up receiving this error message.
Also, your communication partner may have used an outdated public key stored on the Mailvelope (or
another) key server, which you forgot to delete after changing your keys. Always remember
that anyone who has outdated public keys can email you at any time without receiving an error message.
You will not be able to open these emails, because Mailvelope doesn't have the key to decrypt them.
As of version 4.5.1, Mailvelope offers the so-called "key rotation feature" to warn your communication
partners and to prompt them to add a newly generated key if you have changed it. However, in order for
this process to be triggered automatically, you must send your encrypted mails signed. You can find more
details under: Automatic key selection: Can Mailvelope detect when my communication
partner gets a new keypair?
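The key IDs named in this error are stored unencrypted at the start of the message, so they can be listed without any private key and compared with the keys in your keyring. The following is an added example, not Mailvelope's code; the function names and sample bytes are constructed for illustration, and it expects the binary (de-armored) message with version 3 session-key packets.

```javascript
// Added example: list the key IDs an OpenPGP message was encrypted to.
// Reads only packet headers and version 3 PKESK packets; nothing is decrypted.
function readPacketHeader(buf, pos) {
  const first = buf[pos++];
  if (first === undefined || !(first & 0x80)) throw new Error('not an OpenPGP packet');
  let tag, len;
  if (first & 0x40) {                       // new-format header
    tag = first & 0x3f;
    const o = buf[pos++];
    if (o < 192) len = o;
    else if (o < 224) len = ((o - 192) << 8) + buf[pos++] + 192;
    else if (o === 255) { len = buf.readUInt32BE(pos); pos += 4; }
    else len = null;                        // partial body length (streamed data)
  } else {                                  // old-format header
    tag = (first >> 2) & 0x0f;
    const lengthType = first & 3;
    if (lengthType === 3) len = null;       // indeterminate length
    else { const n = 1 << lengthType; len = buf.readUIntBE(pos, n); pos += n; }
  }
  return { tag, len, bodyStart: pos };
}

function recipientKeyIds(message) {
  const ids = [];
  let pos = 0;
  while (pos < message.length) {
    const p = readPacketHeader(message, pos);
    // Session-key packets (PKESK = 1, SKESK = 3) and markers (10) precede the encrypted data.
    if (![1, 3, 10].includes(p.tag)) break;
    if (p.len === null || p.bodyStart + p.len > message.length) throw new Error('truncated packet');
    if (p.tag === 1 && p.len >= 10 && message[p.bodyStart] === 3) {
      // Version 3 PKESK body: version, 8-byte key ID, algorithm, encrypted session key.
      ids.push(message.subarray(p.bodyStart + 1, p.bodyStart + 9).toString('hex').toUpperCase());
    }
    pos = p.bodyStart + p.len;
  }
  return ids; // an ID of 0000000000000000 means the sender hid the recipient
}

// Constructed sample (not a real message): two PKESK packets, then an encrypted-data packet.
const SAMPLE_MESSAGE = Buffer.from(
  'c10d03' + '1122334455667788' + '010008ff' +   // new-format header
  '840d03' + 'aabbccddeeff0011' + '010008ff' +   // old-format header
  'd2020100', 'hex');

console.log(recipientKeyIds(SAMPLE_MESSAGE));
```

If none of the listed IDs belongs to a key or subkey in your keyring, the sender used a public key you no longer hold the private counterpart for.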
Installed GnuPG is not recognized by Mailvelope.
You have installed GnuPG and Mailvelope does not recognize the existing installation, or you cannot
select GnuPG as backend for key management under Options -> General. The use of GnuPG is not yet optimized
for all operating systems. Further information can be found on our GitHub Wiki: Mailvelope GnuPG Integration.
Mailvelope gets blocked for users of Google Advanced Protection Program
Google Advanced Protection Program routinely blocks all apps that the program has not yet approved.
However, as a workaround, it is possible to add Mailvelope manually to the list of trusted apps in
your Google Workspace admin console.
To do this, navigate to the admin console of your Google Workspace account and choose Security ->
Access and data control -> API controls (or navigate directly to: https://admin.google.com/ac/owl). The control
panel there will allow you to "MANAGE THIRD-PARTY APP ACCESS". You will be shown a list of "Configured
apps", which may still be empty. Now click on "Add app"->"Oauth App Name or Client ID", type "Mailvelope"
into the search field and, after Google finds "Mailvelope" as a search result, hit the "select" button.
Mark the OAuth Client ID connected with Mailvelope and confirm again with "SELECT". Now you can grant
Mailvelope access by choosing "Trusted: Can access all Google services". By clicking on "CONFIGURE" you
give Mailvelope the needed access to your data.
Is it possible to use Mailvelope just as an encryption program, independently from email?
Yes. The flexible concept of Mailvelope makes it adaptable to different use cases. It is possible to
exchange PGP-encrypted files or texts, including any attachments, by means other than email. You can save
and exchange encrypted files or message texts, for example, on a USB stick or a memory card. This is a way
to avoid metadata. It is also possible to store messages on websites or in cloud storage, or to send them
with messenger services.
For this use of Mailvelope, go to "Main menu" -> "File encryption". As for file encryption, the "Do
you also want to encrypt a text" button lets you encrypt and decrypt texts from the same page. Further
instructions under: Can I also encrypt email attachments with Mailvelope?.
How to use Encrypted Forms with Mailvelope?
Mailvelope provides a way for web developers to define forms in a specific format so that the data can
only be read by a selected recipient. The Mailvelope Browser extension takes care of the encryption and
packages the form data in a secure OpenPGP message.
Technical documentation for encrypted forms is available in the Mailvelope Wiki.
Can I use GnuPG backend instead of OpenPGP.js?
From version 3.0 onwards, Mailvelope can also collaborate with a locally installed GnuPG application
(e.g. Gpg4win or GPGTools). Select Main Menu -> Dashboard -> Options -> General and choose your OpenPGP
Preferences. For the option to be available in Mailvelope, there must be a properly installed
implementation of GnuPG on your device.
Users can then choose whether they want OpenPGP.js or the locally installed GnuPG application to handle
key management and encryption routines. If you are experiencing detection issues, please also read The GnuPG extension is not recognized by Mailvelope. Key management by
GnuPG can increase the security of Mailvelope by protecting the private keys in case your browser gets
compromised. The support of security tokens such as a smartcard is also possible.
What is the Web Key Directory, and how can I use it?
At the beginning of an encrypted communication with OpenPGP, the public keys of the communication
partners must be exchanged. By default, Mailvelope uses the Mailvelope key server to simplify and
partially automate this initial key exchange.
Web Key Directory is a new standardized procedure, which pursues a decentralized approach for this key
exchange: The keys can be requested directly from the email provider, if the latter supports this
procedure. Further information can be found on the GnuPG Wiki.
What is Autocrypt, and how can I use it?
At the beginning of an encrypted communication with OpenPGP, the public key of the communication partner
must first be exchanged. By default, Mailvelope uses the Mailvelope key server to simplify and partially
automate the key exchange.
Autocrypt is a new procedure that uses the email "headers" for this key exchange: The sender
automatically includes the public keys in the email header. Further information can be found on the
Autocrypt team’s website.
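What a receiving client checks before it accepts a key from an Autocrypt header, as an added example that is not Mailvelope's own code. It follows the Autocrypt Level 1 rules for the addr, prefer-encrypt and keydata attributes; the function names and the sample header are constructed for illustration, and the keydata is a placeholder rather than a real key.

```javascript
// Added example: pick the usable Autocrypt header of a received message (Level 1 rules).
function parseAutocrypt(value) {
  const attrs = {};
  for (const part of value.split(';')) {
    if (part.trim() === '') continue;
    const eq = part.indexOf('=');
    if (eq < 1) return null;                          // malformed attribute
    const name = part.slice(0, eq).trim().toLowerCase();
    const val = part.slice(eq + 1).trim();
    if (['addr', 'prefer-encrypt', 'keydata'].includes(name)) attrs[name] = val;
    else if (!name.startsWith('_')) return null;      // unknown critical attribute
    // attributes starting with "_" are non-critical and ignored
  }
  const keydata = (attrs.keydata || '').replace(/\s+/g, ''); // undo header folding
  if (!attrs.addr || !/^[A-Za-z0-9+/]+={0,2}$/.test(keydata)) return null;
  return {
    addr: attrs.addr.toLowerCase(),
    preferEncrypt: attrs['prefer-encrypt'] === 'mutual' ? 'mutual' : 'nopreference',
    key: Buffer.from(keydata, 'base64'),              // binary OpenPGP public key
  };
}

// fromAddr: the single address of the From header.
// headerValues: the value of every Autocrypt header found in the message.
function selectAutocrypt(fromAddr, headerValues) {
  const valid = headerValues
    .map(parseAutocrypt)
    .filter((h) => h !== null && h.addr === fromAddr.toLowerCase());
  // More than one valid header is an error: all of them are discarded.
  return valid.length === 1 ? valid[0] : null;
}

// Constructed sample values; the keydata is a placeholder, not a real key.
const SAMPLE_KEYDATA = Buffer.from('constructed placeholder, not a real key').toString('base64');
const SAMPLE_HEADER = `addr=alice@example.org; prefer-encrypt=mutual; _x=1; keydata=${SAMPLE_KEYDATA}`;

console.log(selectAutocrypt('Alice@Example.org', [SAMPLE_HEADER]));
```

A header that passes these checks is only well-formed: the key it carries is unauthenticated until it has been verified through another channel.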
Our special thanks to the volunteers of localizationlab.org for making this translation possible!