Mailvelope is a browser extension ("Add-On") that makes it easy for you to send and receive encrypted emails. With Mailvelope, you can keep using your same webmail provider and email address with the added benefit of encrypted communication.
One of the advantages of Mailvelope is that you don't need to change your familiar environment to get started with encrypted communication. If you've been using a webmail provider, you can also send encrypted emails with the help of Mailvelope using the same webmail provider and the same email address.
Mailvelope lives in your browser. Encryption and decryption are handled locally (on your computer) so your encrypted email messages are not readable by your webmail provider. Your private key never leaves your computer. You can decrypt a message by entering your private key's password.
Who develops Mailvelope and how is it supported?
Mailvelope was developed by Thomas Oberndörfer in spring 2012 with the first public version 0.4.0.1 released on August 24, 2012. In the wake of the Snowden revelations, the question of how to adopt secure electronic communication and its complexity arose for many Internet users.
Thomas saw Mailvelope as one solution to this problem. He believes that common webmail services should integrate encryption in a simple way and that niche encryption technology should be accessible by everyone who needs it. Mailvelope’s user base grew quickly thanks to recommendations from major publications.
In 2015, Mailvelope GmbH was founded with headquarters in Germany. Mailvelope is continuously developed by Thomas and a small team of freelancers. They are supported by grants from organizations like Open Technology Fund (OTF) and Internews.
Can I also use Mailvelope on mobile devices?
Unfortunately not. Using Mailvelope on mobile devices with the Android or iOS operating systems isn't possible at the moment. Mobile browsers currently have restrictions that do not support the Mailvelope extension.
However, several email clients do support the OpenPGP standard for sending and receiving PGP encrypted emails on Android and iOS.
Mailvelope allows you to export and import your keys so that you can continue to use them on a mobile device with these apps. For more information, the webmail provider Posteo.de offers a detailed guide on how to set up mobile PGP encryption on an Android device.
Remember that the use of PGP on your mobile device carries additional security risks. If you have high security risk, the mobile use of PGP is not recommended. This especially applies to Android devices which often get delayed operating system updates.
I have a feature request. How can I get in touch?
If you have any suggestions or questions about the roadmap for a specific feature, send an email to support@mailvelope.com. We will happily consider them while planning future versions.
Mailvelope and Webmail
Which webmail providers does Mailvelope support?
Mailvelope is designed for maximum flexibility and customizability. The extension works with a variety of webmail providers and websites including Gmail, Yahoo, Outlook Live, Zoho and many more.
Since Mailvelope first became available in 2012, more and more webmail providers have tailored their services to support the Mailvelope API so that they can offer to their users easy-to-use email encryption.
The integration with German webmail providers WEB.DE, GMX and Posteo is especially seamless. If you want to use Mailvelope with these webmail providers, use their help pages because the integration is unique to their platforms:
My webmail provider isn't pre-configured (authorized) in Mailvelope. Can I still use Mailvelope?
Mailvelope was designed for flexible use. If your webmail provider is not included in the list of authorized domains, it is usually still possible to activate Mailvelope on new websites.
How do I authorize a new domain for it to work with Mailvelope?
Load the website you want to add to the list of authorized domains. Select the Mailvelope icon in the upper right corner of your browser to open the main menu. Select "Authorize this domain". A Mailvelope dialogue to add the new domain will open.
In most cases you can leave the fields "Status", "Domain pattern" and "API" unchanged. Once you select "OK", Mailvelope will save the entry in the list of authorized domains. There, the entry can be edited at any time. Reload the newly authorized website in order to activate Mailvelope.
How do I deauthorize a domain for it to work with Mailvelope?
Navigate to the list of "Authorized domains" (Main Menu -> Dashboard) and select the relevant domain. Click on the trash icon and confirm the security prompt. You can also temporarily deactivate a domain. To do this, switch the "Enabled" button to "Off" and confirm with "OK".
Google requests additional permissions for the Gmail API integration of Mailvelope. What are they necessary for and how does Mailvelope handle my data?
Mailvelope will work in Gmail, even without API integration. However, granting permission for the Gmail API makes it easier to write emails and handle attachments.
Gmail API permissions allow Mailvelope to manage your emails in your Gmail account. This integration activates the feature for one-click encryption and decryption of email messages and attachments, making the Mailvelope experience in Gmail more seamless. With this API integration, Mailvelope is able to:
Insert encrypted text into the email body
Tell Gmail to send the email when you click send in the Mailvelope editor
View an email message to decrypt it
Display the decrypted text instead of the encrypted text
The API integration is activated by default. After you install Mailvelope (or activate the API integration), a Google pop-up will ask you to confirm the API integration by asking you to allow Mailvelope to read and send your emails. You can view and change this setting in "Options" -> "Gmail API Integration".
Mailvelope is open source software with its Source Code available to the public and verified by many different organizations. Mailvelope’s security is continuously monitored by regular security audits. Moreover we are fully transparent about how your data is processed. Our guidelines for data handling can be found in our Privacy Policy.
WEB.DE and GMX users: I need to enter a "recovery code". Where do I get that?
A recovery code is a 26-character code that is generated when you set up email encryption with WEB.DE or GMX. This is a feature that is only offered by these email providers. Print out your recovery code so that you can recover your key or password in case you lose them.
You can get a new recovery code if you still have your private PGP key and password. Follow these instructions: GMX Help: Creating a New Recovery Document (As there is currently no English version of WEB.DE Support available, you can use the GMX instructions. The process is the same.)
If you have lost your private key or your password and you don’t have your recovery code, your encrypted communication cannot be recovered. The PGP function of your GMX or WEB.DE accounts will have to be reset. This can be done neither by you nor by Mailvelope, but must instead be requested through the GMX and WEB.DE hotline:
Can I install Mailvelope on other browsers besides Chrome, Firefox and Edge?
Yes. Since there are many browsers built on Chrome and Mozilla technology, Mailvelope can run on these browsers without any issues. We recommend the Brave browser (based on the Chromium engine) because it offers numerous features for privacy protection. For Opera, the Install Chrome Extensions add-on allows you to install Chrome extensions but we cannot assure this allows Mailvelope to run on Opera without any restrictions.
As the browser market is constantly evolving, we cannot check Mailvelope’s compatibility with every available browser.
Why does Mailvelope need to change content on websites I visit?
Mailvelope has to be integrated deeply into your browser to fulfill its task. Your browser will therefore give you a standard warning when installing Mailvelope. It may sound alarming for you to give these permissions, especially to a software that was designed to protect your privacy. Mailvelope is open source software with its source code available to the public and verified by many different organizations. On our privacy and data protection policy see also our Privacy Policy.
On a technical level, these permissions are needed for Mailvelope to work properly for the following reasons:
Mailvelope must be able to search the authorized websites for PGP encrypted messages. For this Mailvelope needs the access to the data of these websites.
Mailvelope is pre-configured for the most important webmail providers, but can be extended and used with any website. Since we do not know which mail provider (domains) will be added (authorized) by the user, we need this general permission to read data on all websites.
Without permissions, Mailvelope cannot add its controls to the user interfaces of authorized websites.
How to limit access of Mailvelope to certain domains
If you don’t feel comfortable granting Mailvelope permission to access your data on all websites, you can limit the domains Mailvelope can access in the settings of your browser. In Chrome select "Tools" > "Extensions" in the main menu. You will see all your extensions. Find Mailvelope and click on "Details". The subsection "Site access" > "On specific sites" will allow you to choose the domains that Mailvelope can access. If you want to work with Mailvelope within your Gmail account for example, type: https://mail.google.com/ into the "Add a site" field. Mailvelope will now only have access to data when you’re browsing this (sub)domain.
Managing my own keys
What is a keypair?
PGP encryption and decryption uses two keys: a public key and a private key. Together they are called a keypair.
What is the difference between my private key and a public key?
If someone wants to send you encrypted communication, they need to know your public key. All messages that are encrypted with a public key can only be decrypted by the corresponding private key. Your private key should be kept in your possession and kept secret.
Remember: Anyone who possesses your private key can open an encrypted message if it is intercepted. A person who has your private key could even write an encrypted message pretending to be you.
I already have a keypair. How do I import it into Mailvelope?
Select the Mailvelope icon in the upper right corner of your browser to open the main menu. Select "Keyring" > "Import". You can import your keypair in two ways:
Upload a file: Choose a key file (*.asc) with keys from your drive and import it into Mailvelope.
Copy and paste key text: First copy the key or keys (several keys can be imported at the same time) to the clipboard. If you select "Import key from clipboard", the keys are extracted from the texts and transferred to the local keyring. Make sure you include -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- in the selection.
Where are my keys stored?
The location where Mailvelope stores your keys depends on your selection in Options -> General -> OpenPGP Preferences.
Default setting (OpenPGP.js)
Mailvelope stores the keys as a file in the browser's local folder, either in the Chrome user data directory or in the profile folder for Firefox. If you delete the temporary browser data, stored keys in Mailvelope will not affected. However, deleting the Mailvelope extension in Chrome or Firefox will also delete the keystore from your file system.
Key management by GnuPG
If you have selected GnuPG as your preferred backend for encryption in Options -> General -> OpenPGP Preferences, the keys will be managed by your local GnuPG program (usually GPG4Win or GPGTools).
How can I change the password for my private key?
Select the Mailvelope icon in the upper right corner of your browser to open the main menu and select "Keyring". Click on the keypair for which you want to change the password. At the bottom left you see the field "Password". "Change" opens the dialog to change the password. Enter the old password, then enter and confirm the new password.
What do I do if I forget my password?
Unfortunately Mailvelope cannot recover your password for you. Any messages sent to you using this public key can no longer be decrypted. You will need to delete your old key (this should also be done on the Mailvelope key server if it has been uploaded). Generate a new key pair and inform your communication partners that your public key changed as soon as possible.
If your email address changes, the PGP key you are using does not have to change. You can add the new email address to your existing key:
Select the Mailvelope icon in the upper right corner of your browser to open the main menu and click on "Keyring". Select the keypair that you want to add a new email address to. Under "Assigned User IDs" you will see all email addresses that have been assigned to this key. Click "Add new" to add a name and an email address. You can also delete the user ID of your old email address if you want. Finally, you can synchronize the new entry with the key server so that your communication partners can find you under the new address.
How can I export or backup my keypair?
Select the Mailvelope icon in the upper right corner of your browser to open the main menu and select "Keyring". You can use the "Export" option to save your entire keyring or individual keys. You can use this feature to save a copy of your keypair in a safe place. If you choose to export your key using the clipboard please make sure -----BEGIN PGP PUBLIC KEY BLOCK-----and -----END PGP PUBLIC KEY BLOCK----- is included.
You can also use this feature to publish your public key manually (the Mailvelope key server will do this job automatically if you are communicating with other Mailvelope users).
Exporting your public key:
Within "Key Management" in the Mailvelope options, select your key, then select "Export". Choose "Public" and if requested, provide a filename. After clicking "Save," your public key will be saved to your Download folder as a .asc file. This format is standardized and can be read by all PGP implementations. Alternatively, you can copy your key to the clipboard from the "Key Details" window. Your public key can now be sent to someone else, uploaded to a key server, or integrated into your website.
Exporting your public and private key:
Within "Key Management" in the Mailvelope options, select your key, then select "Export". Choose "All" to select the complete keypair. After clicking "Save," your keypair will be saved to your Download folder as a .asc file. Alternatively, you can copy your keypair to the clipboard from the "Key Details" window. Be careful when exporting your private key! Anyone with access to your private key and your password can send emails posing as you.
Backup of the complete keyring:
If you have multiple keyrings, first select the correct keyring on the top right of the key management window (you will only find this menu if you have more than one keyring). On the "Key Management" screen, select "Export" from the upper left corner. You can save public keys, private keys, or "All" public and private keys from the entire keyring. Input a file name. After clicking "Save," your keys will be saved to your Download folder as a .asc file.
Note: When exporting private keys, keep them in a safe place. If your security threats are high, keep the backup file on a safe offline storage, such as a USB drive, and in a physically safe location.
Special use case: Use of the GnuPG keyring:
If you use GnuPG for key management, please note that for security reasons Mailvelope only supports the export of public keys. If you want to export key pairs or private keys from GnuPG, use the export function of the respective GnuPG software.
Can I change my default keypair?
A default keypair is the main keypair that you want to use for your communication. In the key list, this key will be marked with the label "Default". The first key you generate with Mailvelope automatically becomes your default keypair. If you want to change your default keypair, select a keypair in your keyring and click "Set as default". Outgoing emails will be signed and encrypted with the default keypair which allows you to read encrypted emails in your Sent folder.
Should I upload my key to the Mailvelope key server?
Mailvelope provides its own key server. A key server is a freely accessible directory for the public keys of PGP users. You can store your public PGP key there for others to find easily. By default, Mailvelope automatically uploads newly-generated keys to the key server. You deactivate this option in the key creation dialog.
Syncing (uploading) or removing a key on the key server
Click on any of your keypairs to find out if it’s synced with the key server. You can add or remove your key from the key server:
If Mailvelope tells you "The key is not synchronized with the Mailvelope key server" it will give you the option "Synchronize". Click this button to upload your public key to the server. You will receive an encrypted verification email sent by the key server. Confirm the action by decrypting and clicking the link within the email.
If the message reads "The key data on the Mailvelope key server is up to date" you are given the option to "Remove all user IDs". Click this button to remove the key from the server. You will get a verification email sent by the key server. Confirm the action by clicking the link within the email.
Sharing and using keys
How can I import (add) someone's public key to my Mailvelope keyring?
Select the Mailvelope icon in the upper right corner of your browser to open the main menu. Select "Keyring" > "Import".
There are two options:
Import key as a file: Choose a key file (*.asc) from your computer and import it into Mailvelope.
Import key as text: First copy the key or keys (several keys can be imported at the same time) to the clipboard. If you select "Import key from clipboard", the keys are extracted from the texts and transferred to the local keyring. Make sure you include -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- in the selection.
What is the Mailvelope key server and how can I use it?
Mailvelope provides its own key server. A key server is a freely accessible directory for the public keys of PGP users. If you want to send an encrypted email to someone but do not know their public key, you can use the key server to search for it.
Automatic key search
Mailvelope sometimes uses the key server in the background to help you find and manage keys. For instance, when you’re composing an email in the Mailvelope editor and you type the recipient’s email address, Mailvelope will search for their public key on the key server. The background color of the email address changes if a public key is found or not. A green background means that Mailvelope found the public key and the email can be encrypted for the recipient. A red background means that Mailvelope could not find the public key and the email cannot be encrypted for the recipient.
The automatic use of the key server is activated by default. You can deactivate this feature by selecting "Options" -> "Key-Directories" and unchecking the box: "Use the Mailvelope key server".
Search for keys on the key server
Select the Mailvelope icon in the upper right corner of your browser to open the main menu. Click on "Keyring" and then on "Search" Enter either the email address or the key ID/Fingerprint of the key you are searching for. Then click the "Search" button.
How do I export my public key to give it to someone else?
Select the Mailvelope icon in the upper right corner of your browser to open the main menu click on "Keyring". Click on the keypair that contains the public key you want to share. It’s likely this is your "default" keypair. Click the "Export" button on the right. Choose "Public" (default) and click "Save". The key is saved as a file with the ending .asc in your download folder. You can send this file to anybody who wants to contact you securely. An .asc key file can be imported into any software using PGP protocol. Do not share your private key!
How do I use the Key ID and PGP Fingerprint?
Key IDs and PGP Fingerprints help you identify and compare keys. A PGP Fingerprint is a 40-digit checksum ("hash") of a key. A Key ID consists of the last 16 digits of the PGP Fingerprint.
The PGP Fingerprint can help you check the legitimacy of a key. For example if you shared your public key with somebody, they might want proof that it was not intercepted and altered. An altered key would have a different PGP Fingerprint. By comparing the PGP Fingerprint on a phone call (for example), you and the other person can check the legitimacy of a key. This helps establish secure communication going forward.
Automatic key selection: Can Mailvelope detect when my communication partner gets a new keypair?
Some people routinely discard old keys and use new ones. This is called key rotation. Mailvelope can help you when someone else gets a new key so that you don’t have to find it and add it to your keyring manually. When you receive a message signed with a new key, a Mailvelope message will appear asking if you want to decrypt the email and add the new public key to your keyring. If you want to decide later, click "Not now". If you are not sure whether the key is legitimate, we recommend contacting the sender via another communication channel and comparing the fingerprint to confirm. If you don’t add the new key, your communication partner might not be able to open your future emails if you are still encrypting with their old key.
Mailvelope can only perform this process with signed encrypted emails. Mailvelope determines the contact's current key by looking at the most recent valid signature. This information is stored by Mailvelope so that it can automatically select the correct key for future emails to this contact.
This feature is turned on by default and it is optional. Under "Options" -> "Key Directories" in the Mailvelope settings, look for the option "Determine current key of contacts and perform key selection automatically".
How do I communicate with someone whose key is used by multiple people (e.g. at the same company)
Some companies and institutions have an organization-wide key that is universally valid for all email addresses of the same domain (i.e. all employees). In this case because the recipient’s email address is not linked to the shared key, Mailvelope allows you to specify an additional key.
In the Mailvelope editor, enter the email address of your contact. Note that the email address background color will not turn green because Mailvelope will not find a key for this email address. In the lower left corner of the Mailvelope editor, click on "Options". Now mark the box "Add extra key" and a new input field will open. Enter the key ID or its associated email address that you want to encrypt the email with. Under the recipient's email address, a confirmation message will appear: "Email will be encrypted with the alternative key entered below."
Sending and receiving emails
Can I exchange encrypted emails with people who don’t use Mailvelope?
Yes. Because Mailvelope uses the OpenPGP standard, you can communicate not only with other Mailvelope users but with anyone who uses software compatible with the PGP standard. The OpenPGP standard is open and has been trusted as secure for many years.
Gpg4win for Windows, for use with Outlook for example.
GPGtools for macOS in conjunction with the default mail application "Mail".
As people using this software may not use the Mailvelope key server also consult the chapter: Sharing and using keys to find out how to exchange keys with them.
Do I need to sign my email?
Signing a message guarantees that it actually came from the sender, and not someone posing as the sender. We recommend that you sign your encrypted emails because this proves the origin of the message.
To sign an encrypted email, click on the "Options'' button in the Mailvelope editor. There you can select the key that you want to sign the message with.
In the Mailvelope settings, you can choose to sign all messages by default by checking "Sign all outgoing messages."
In case you don’t need to encrypt your message and only want to proof that the message is from you and not from another person posing as you, you Mailvelope gives you the option to send your PGP signature. To do this you will need to choose a key for signing in the email options and use the button "Sign only" in the editor. Mailvelope will then create a PGP signature and will add it directly into the email text. Note: The email content will be sent unencrypted.
How do I check the validity of signed messages?
If a message contains a signature and Mailvelope can determine the sender address, Mailvelope automatically checks it. The message "Digitally signed" and the corresponding signature are then displayed in the lower area of the decoded message.
Can I also encrypt email attachments with Mailvelope?
Yes. Depending on the webmail you use, there are different ways to encrypt an email attachment.
Gmail users with API integration turned on and with other providers like GMX, WEB.DE, Posteo, mailbox.org or freenet.de: When you compose an email in the Mailvelope editor and upload a file as an attachment, the attachment is encrypted along with the email message. Please keep in mind that email addresses and subject lines are never encrypted.
For other webmail providers, you can use the Mailvelope file encryption feature:
Using Mailvelope's file encryption you can easily encrypt any file to send as an email attachment. In this case, the file is encrypted with the public key of the recipient in the same way as email encryption. The size of an attached file is currently limited to 50MB, as sending larger files is usually not supported by email providers.
Encrypting Files
Select the Mailvelope icon to the right of the browser input field to open the main menu and select "File Encryption". The first step is to enter the email address of the recipient in the input field. In the next step, reselect the files to be encrypted with "Add file" or by dragging them on the Mailvelope window. After selecting "Encrypt" the files will be encrypted for the selected recipients. You can now select the files to download them and later add them to your email as an attachment. The encrypted files can either be selected individually or together using the "Download all" button.
Note: Encrypting with Mailvelope changes the format of the file. Your encrypted files will have the file extension for GnuPG encrypted files (.gpg). After decryption, the file will be restored to its original format.
Decrypting Files
Select the Mailvelope icon in the upper right corner of your browser to open the main menu. Select "Dashboard" and then "Decrypt" in the top menu bar. Next, select the files to be decrypted with "Add file" or by dragging them into the Mailvelope window. After entering your private key’s password, the decrypted files are displayed and can be downloaded.
Mailvelope's Security & Privacy
How secure is Mailvelope?
Mailvelope provides end-to-end encryption, meaning the app ensures (within its set technical limits) that sensitive files and information can be sent from one device to another over a potentially unprotected channel such as an email.
However, security while using Mailvelope is dependent on how secure your device is. We therefore recommend security measures such as regular updates of your browser and operating system as well as the use of sufficiently secure passwords.
Can my webmail provider read my encrypted emails?
No. When you compose an encrypted email in the Mailvelope editor, your data remains on your computer and is never stored or analyzed - whether by Mailvelope nor by your Webmail provider. Only after successful encryption, the data is passed to the webmail provider for sending. This also means that all your emails sent or received with Mailvelope are stored in encrypted form by your webmail provider and can't be read by anyone unless they have your private key.
Is a browser extension secure?
Yes. As several independent security audits have shown, Mailvelope creates a secure isolation between the private content of your communication and other applications that run in the browser. See our audits on Github.
Mailvelope can only be as secure as your browser. For this reason, we highly recommend keeping your browser up to date.
How are private keys protected? Can anyone who has access to my computer also access my private key?
Mailvelope stores and exports private keys only in their encrypted form. The private key is therefore always password protected. All steps that require a private key (such as decrypting or signing a message) always require both components: the private key and the password. Even after exporting a private key it remains encrypted and password protected at all times.
Mailvelope guarantees a high level of security for your private keys by default. You can further increase this security by selecting GnuPG as the preferred backend for encryption under Options -> General -> OpenPGP Preferences.
Additional information:
The OpenPGP standard also allows private keys without a password, however, such keys are rarely used in practice. Using such keys with Mailvelope is not recommended.
In case an attacker ever gains access to the private key, it's ability to resist brute force attacks entirely depends on the complexity and length of the password. Please read the notes in the next section of this FAQ.
As an end-to-end encryption software, Mailvelope must be able to rely on secure endpoints. If one of the computers on both sides is insecure (e.g. due to missing updates of the operating system or browser), encryption is also potentially at risk. In addition to the usual protective measures, physical access to your computer by third parties should also be avoided.
GPG uses a similar security model for private keys: The "Keyring" is not encrypted in this case, only the individual parts of the key are. Any user with local access rights can copy the private key from the file system. However, their password is required to access or use a single private key.
By default, the Chrome and Firefox browsers automatically send usage statistics and crash reports to Google or Firefox. These functions should be deactivated because in case of a bug it is possible that stored content, which could also include private keys, could be sent to them. We therefore recommend that you disable "Automatically send usage statistics and crash reports to Google" in Chrome settings (chrome://settings/syncSetup). In Firefox you can find the corresponding option under "Privacy & Security" -> "Firefox Data Collection and Use".
How and why does Mailvelope collect analytics data?
With Mailvelope v6.0 and the transition to Manifest V3, all analytics features have been disabled for the Mailvelope extension on Chrome and Edge browsers.
If you as a user consent to it, Mailvelope will collect analytics data using Clean Insights. Clean Insights is committed to the highest standards of data minimization and stores your data anonymously without identifying features. Therefore, Mailvelope cannot trace the collected data back to specific users and does not store personal characteristics such as IP addresses at any time.
How and from whom are data collected?
From Mailvelope v5.2 onwards, 1% of users will get a consent dialog displayed after the first load of the browser extension. It informs about the possibility to help us improve our software by consenting to the collection of analytics data. Without consent and prior information, Mailvelope never collects any analytics data.
What is collected upon consent?
If you decide to share your usage data, the following events will be recorded:
A First load - This is usually the time of installation
B A PGP keypair is uploaded or a keypair is generated
C1 The user decrypts the verification email from the Mailvelope key server
C2 The user encrypts and sends an email
C3 The user decrypts an email (not originating from the Mailvelope key server)
In addition to these events, the time span between the events is measured. The events are recorded once a day.
We kindly request your consent to optimize our installation process. Your cooperation would be greatly appreciated!
Can I withdraw my consent?
Yes, you can withdraw your consent at any time. Simply go to the "Options" menu in the Mailvelope overview dialog. Under "Analytics" uncheck the box and click "Save." Please note that reactivating usage data collection is not possible once it has been disabled.
Can I activate analytics myself?
No, this is currently not possible. The "Analytics" menu item under Mailvelope "Options" is permanently grayed out and not selectable for users who were not chosen for the consent dialog at installation.
Mailvelope Business
What is Mailvelope Business?
With Mailvelope Business, you can send and receive end-to-end encrypted emails within your Google Workspace with one click. Mailvelope blends the Gmail user interface with the intuitive Mailvelope controls. The Mailvelope key server will ensure that you don't have to keep track of the keys of your email partners. Attachments are also encrypted and decrypted with one click. Neither Google nor Mailvelope can read your messages along the way. You can find more on Mailvelope Business in our related blog post.
How can I use Mailvelope Business as a nonprofit organization?
Our Mailvelope Nonprofit plan offers free access for up to 4 users. Mailvelope Nonprofit comes with the same features as the Mailvelope Business plan but without the enterprise support.
Please note:
Mailvelope Nonprofit is intended for organizations that serve non-commercial purposes.
When registering, please specify the web domain of your organization. This domain must be a publicly accessible website on which the nonprofit character of the organization is clearly visible.
After registration, Mailvelope Nonprofit is immediately activated. A review of the domain will take place at a later date. We reserve the right to delete registrations which do not meet our eligibility criteria.
Do I have to buy a license for all users in my organization?
No. The license defines the maximum number of users of a domain linked to Google Workspace. At the beginning of each month, the free licenses will be assigned to the first users who will log in. This allows for flexible allocation of the maximum number of licenses purchased each month. Therefore, you only need licenses for the number of users who will actively use Mailvelope. Should your license needs evolve, you can increase or decrease the number of users through our portal.
Why is a DPA (data processing agreement) necessary for Mailvelope Business?
Mailvelope’s end-to-end encryption is client-based and therefore, sensitive data is always encrypted before it leaves your end device. However, to provide the convenience of easy public key management, we rely on the Mailvelope Key Server. With the (optional) upload of keys to our key server, data relevant to data protection such as name and email address of people in your organization are stored on our server. The DPA defines the roles and responsibilities in handling this data. You can always request a signed agreement for your organization at support@mailvelope.com. Users of Mailvelope Business are also registered and managed on our Chargebee payment platform.
How can I cancel my subscription to Mailvelope Business? How to delete my account?
With the end of the trial phase the subscription ends automatically if no payment method is defined. An active subscription can be cancelled at any time via our portal and ends at the end of the current billing period. If you want to delete your account completely, please send us a short email to support@mailvelope.com.
Troubleshooting
What can I do if it looks like Mailvelope isn't working properly?
Mailvelope has been designed as a browser extension and therefore needs an updated "software base" in order to function as intended. In the case of malfunctions, check to see if you are working with an outdated operating system or if you have to update your browser to the latest available version. If you still experience issues, you can try one of the following options:
Firefox:
First try to disable all other currently installed browser extensions, then restart Firefox. Sometimes the installed extensions affect one another.
First try to disable all other currently installed extensions, then restart Chrome. Sometimes the installed extensions affect one another.
If you find that other extensions are interfering with Mailvelope (this rarely happens in Chrome), you could create a special user profile in which Mailvelope is the only extension installed.
What should I include in my bug report to Mailvelope?
Before you send a bug report, please always restart your browser and check if the problem persists. Often browser issues, and not Mailvelope itself, are responsible for malfunctions. If you are using an older version of your browser or operating system, please update and check is the problem persists. In case the bug persists, please send us a bug report at: support@mailvelope.com
A bug report should at least contain the following informations:
Short description of the problem
Type and version of the operating system
Google Chrome
Check your browser version: type about:version in the address bar.
If Mailvelope does not show an error message, you may find relevant information in the logs:
In the browser tab in which your webmail provider is open, select + + (Windows/Linux) or + + (Mac) and add the errors marked in red to the report.
In addition, open the extension page by entering chrome:extensions in the address bar.
Activate developer mode at the top right corner of the page.
Click on Details in the Mailvelope entry on the page and click on Service Worker in the Inspect views section.
A new browser window will open. Make sure the Console tab is enabled and add any errors marked in red to the bug report.
Chromium-based browsers (Edge, Brave, and others)
Please follow the instructions for Google Chrome
Note: The toggle button for activating developer mode on the extensions page is located in the left-hand column on Microsoft Edge.
Firefox
Check your browser version: Click Firefox in the main menu and select About Firefox to confirm your version.
If Mailvelope does not display an error message, relevant information might be found in the logs.
Steps to gather log information:
Restart your browser.
Try to reproduce the problem.
Open the Firefox main menu and select Tools -> Add-ons and Themes.
In the left-hand column, choose Extensions.
At the top of the extensions list, click the gear icon and select Debug Add-ons.
Find the Mailvelope entry and click the Inspect button.
Go to the Console tab and copy the content of the console window.
Include the console log in your bug report for analysis.
Mailvelope reports error: "No private Key found for this message. Required private key IDs:..."
This error occurs if you have received an encrypted message for which Mailvelope does not find the matching private key. If the public key your communication partner encrypted the email with does not have a matching private "counterpart" on your side, Mailvelope can't decrypt the email.
There are several reasons why private keys could be missing: For example, you exchanged the public keys with your communication partner first and later forgot the password of your private key. You then generated a new key and deleted the old one. In this case, you must pass the corresponding new public key to your communication partner again, so that future emails to you are not accidentally encrypted with the old public key and you end up receiveing this error message.
Also your communication partner may have used an outdated public key stored on Mailvelope-(or another) key server, which you forgot to delete after changing your keys. Always remember that anyone who has outdated public keys, can email you at any time without receiving an error message. You will not be able to open these emails, because Mailvelope doesn't have the key to decrypt them.
As of version 4.5.1, Mailvelope offers the so-called "key rotation feature" to warn your communication partners and to prompt them to add a newly generated key if you have changed it. However, in order for this process to be triggered automatically, you must send your encrypted mails signed. You can find more details under: Automatic key selection: Can Mailvelope detect when my communication partner gets a new keypair?
Installed GnuPG is not recognized by Mailvelope.
You have installed GnuPG and Mailvelope does not recognize the existing installation, or you cannot select GnuPG as backend for key management under Options -> General. The use of GnuPG is not yet optimized for all operating systems. Further information can be found on our GitHub Wiki: Mailvelope GnuPG Integration.
Mailvelope gets blocked for users of Google Advanced Protection Program
Google Advanced Protection Program routinely blocks all apps which are not approved by the program by now. However, as a workaround it is possible to add Mailvelope manually to the list of trusted apps in your Google Workspace admin console.
To do this just navigate to the admin console of your Google Workspace account and Choose Security -> Access and data control -> API controls (or navigate directly to: https://admin.google.com/ac/owl). The Control panel there will allow you to "MANAGE THIRD-PARTY APP ACCESS". You will be shown a list of "Configured apps" which may be empty by now. Now click on "Add app"->"Oauth App Name or Client ID", type "Mailvelope" into the search field and, after Google found "Mailvelope" as a search result, hit the "select" button. Mark the OAuth Client ID connected with Mailvelope and confirm again with "SELECT". Now you can grant Mailvelope access by choosing "Trusted: Can access all Google services". By clicking on "CONFIGURE" you give Mailvelope the needed access to your data.
Is it possible to use Mailvelope just as an encryption program, independently from email?
Yes. The flexible concept of Mailvelope makes it adaptable to different usecases. It is possible to exchange PGP-encrypted files or texts, including any attachments, in means, other than email. You can save and exchange encrypted files or message texts for example on a USB stick or a memory card. This is a way to avoid metadata. It is also possible to store messages on websites, on a cloud storage, or to send them with messenger services.
In case of such use of Mailvelope go to "Main menu" -> "File encryption". As for file encryption, the "Do you also want to encrypt a text" button lets you encrypt and decrypt texts from the same page. Further instructions under: Can I also encrypt email attachments with Mailvelope?.
How to use Encrypted Forms with Mailvelope?
Mailvelope provides a way for web developers to define forms in a specific format so that the data can only be read by a selected recipient. The Mailvelope Browser extension takes care of the encryption and packages the form data in a secure OpenPGP message.
A technical documentation for encrypted forms is available in Mailvelope Wiki.
Can I use GnuPG backend instead of OpenPGP.js?
From version 3.0 onwards, Mailvelope can also collaborate with a locally installed GnuPG application (e.g. Ggp4win or GPGTools). Select Main Menu -> Dashboard -> Options -> General and choose your OpenPGP Preferences. For the option to be available in Mailvelope, there must be a properly installed implemention of GnuPG on your device.
Users can then choose whether they want OpenPGP.js or the locally installed GnuPG application to handle key management and encryption routines. If you are experiencing detection issues, please also read The GnuPG extension is not recognized by Mailvelope. Key management by GnuPG can increase the security of Mailvelope by protecting the private keys in case your browser gets compromised. The support of security tokens such as a smartcard is also possible.
What is the Web Key Directory, and how can I use it?
At the beginning of an encrypted communication with OpenPGP, the public keys of the communication partners must be exchanged. By default, Mailvelope uses the Mailvelope key server to simplify and partially automate this initial key exchange.
Web Key Directory is a new standardized procedure, which pursues a decentralized approach for this key exchange: The keys can be requested directly from the email provider, if the latter supports this procedure. Further information can be found on GnuPG Wiki.
What is Autocrypt, and how can I use it?
At the beginning of an encrypted communication with OpenPGP, the public key of the communication partner must first be exchanged. By default, Mailvelope uses the Mailvelope key server to simplify and partially automate the key exchange.
Autocrypt is a new procedure that uses the email "headers" for this key exchange: The sender automatically includes the public keys in the email header. Further information can be found on the Autocrypt team’s website.
Our special thanks to the volunteers of localizationlab.org for making this translation possible!