Mailvelope is a browser extension that builds PGP into your webmail.

  • Encrypt and decrypt emails in your browser
  • Manage the keys of your contacts
  • Keep the content of your emails private from everyone except the recipient (even your email provider can’t read them!)

Using security tools does not have to be difficult. We did our best to make Mailvelope easy for everyone to set up and use. The steps below will get you started sending and receiving encrypted emails.

Learn more: What is Mailvelope and how does it work? Is a browser extension secure?

Illustration Mailvelope is integrated into the webmail UI

1. Install Mailvelope on your browser

Your first step is to add Mailvelope to your browser, using one of these download links:

Mailvelope has to be integrated deeply into your browser in order to work. You will need to give Mailvelope some permissions so that it can add new options to your webmail inbox. These permissions look a little different in every browser. Mailvelope does not read your email or your data, and only uses these permissions so that you can use its features within your webmail.

2. Open Mailvelope

The Mailvelope icon lives in the top right corner of your browser. Click on it to start setting up your encryption keys.

3. Add your keypair

In order to send and receive encrypted messages, you first need a "keypair". The Mailvelope setup screen will help you to either generate a new one or import an existing one.

Mailvelope setup screen

Choose "Generate key" on the setup screen. Then enter your name (or pseudonym) and the email address you want your new key to be associated with. Choose a secure password or passphrase that you do not use for any other accounts. Write it down on paper or store it in a password manager.

Note: since Mailvelope does not store your password, your password cannot be recovered if you lose it!

Mailvelope Input Screen for generating a new key

Mailvelope will confirm the successful creation of a key and show you the new key on the "Key Management" screen.

Mailvelope generated a new key

To ensure that your communication partners can find your newly created key, it will be uploaded to the Mailvelope key server. For security reasons, the server needs to verify the identity of your email address. To do this it will send you an encrypted email with the subject line "Verify your email address" immediately after key creation. Be sure to open this email in the inbox of your webmail provider using Mailvelope. Since the email is encrypted, you must type in the password you just assigned during key generation in order to read the email and click the verification link.

Open the Mailvelope Options (remember: the Mailvelope icon lives in the top right corner of your browser) and navigate to "Key Management". To import your keypair, you will need the file (usually ending in ".asc") and its password. You can import it by dragging and dropping the file into the browser window, or by finding it on your computer using "Add file".

Import key into Mailvelope

When you click on "Import keys", Mailvelope will show you some technical information (Key ID/Fingerprint) about the key you want to add. After you confirm, your key will show up in your keyring and can be used.

Success. Mailvelope imported a key

To make sure the new keypair is automatically available to other Mailvelope users who may want to write you an encrypted email, we recommend uploading it to the Mailvelope key server (people who don’t use Mailvelope can also email you; more on that in the info box "Learn more"). To do this, click on your keypair. You will see a red notification that "The user ID is not synchronized with the Mailvelope key server". Use the "Synchronize" button to upload the public key. Then check your inbox and open the email "Verify your email address" from "Mailvelope Key Server". As you will need Mailvelope to open this encrypted email, be sure to open it with your webmail provider. In order to decrypt it, enter your key's password and click on the confirmation link included in the email. Your key is now available on the Mailvelope key server.

4. Add others' keys

As you now have your own keypair, it’s time to add the keys of your contacts. If they also use Mailvelope, you probably don’t have much to do: The Mailvelope key server will find their public key automatically. Just start writing them an email, following the instructions in step 5. If their email address turns from red to green as you insert it, then Mailvelope already found their key. If not, you will need to add their key to your keyring before you can send them an encrypted email. There are two ways to do this:

If your contact sent you their public key as a file (usually with the ending ".asc"), you can add this file to your keyring by choosing "Key Management" → "Import". You can import it by dragging and dropping the file into the browser window, or by finding it on your computer using "Add file".

Import key into Mailvelope

For further information, or if you want to import the key as plain text via the clipboard, check the FAQ in the info box "Learn more".

Key servers are directories where public keys and their associated email addresses are listed. You can find your contacts’ keys by searching for their email addresses on key servers.

Navigate to "Key Management" → "Search". The search function built into Mailvelope searches Mailvelope’s own key server, as well as a couple of other commonly used key servers; you can customize the key servers included in the search if you like.

Mailvelope key search on different directories

5. Encrypting and decrypting an email using your webmail

With Mailvelope, you can encrypt and decrypt emails in many webmail platforms. Choose your webmail provider below:

Sending an encrypted message with Gmail

When Mailvelope is installed in your browser, you will see a Mailvelope button next to the compose button in Gmail. Click on the Mailvelope button to open the Mailvelope Editor.

Mailvelope Compose Button on Gmail Interface

If this is the first time that you are using Mailvelope for Gmail, you need to confirm a Google security alert titled "Using the Gmail API". You have to sign into your Google account again and grant Mailvelope access to your Gmail account in order to make the deep integration of encryption/decryption processes possible. More on this in the info box "Learn more".

Note: if you’re using Gmail as a part of Google Workspace you may have to start a Mailvelope Business trial period. More about Mailvelope Business in the "Learn more" box below.

Back in the Mailvelope editor, type the recipient's email address into the recipient field. If your recipient has uploaded their key to the Mailvelope key server, Mailvelope will find it automatically and the email address will turn green. If the address stays red, that means that Mailvelope cannot find their key on the server. You can import their key to your keyring by following the instructions in step 4. Add others' keys.

Compose email on Gmail with Mailvelope editor

You can now write your email as usual, add attachments (they will get encrypted as well) and send it by clicking on "Submit".

Note: do not put confidential information in the "Subject" line. Mailvelope only encrypts the email message and any attachments you add!


Decrypting an email sent to you

If you click on an encrypted email in your Inbox, Mailvelope will show it to you as a sealed letter. Clicking on it will open a password screen. Typing the password attached to your key will decrypt and open the message.

Decrypt email on Gmail using Mailvelope

Note that Mailvelope added a red arrow for your encrypted reply. Clicking on it will open the Mailvelope Editor, ready to type in your reply message.

If you use one of the mentioned webmail providers, you will have to look for detailed information on their support sites, as they integrated Mailvelope in different ways. Below you will find the links:

We will show you the whole process in Outlook.com. Yahoo will have quite similar steps to write and receive encrypted emails.

In your Outlook.com inbox, click on "New Message" to open the Outlook.com Editor. You will now see the Mailvelope icon on the upper right of the editor message field. Clicking it will open the Mailvelope Editor to write an encrypted message.

Open Mailvelope Editor on Outlook.com

Mailvelope Editor floating on Outlook.com Interface

Now type the recipient's email address into the recipient field. Mailvelope will find the key automatically (the address turns green) if your communication partner has uploaded their key to the Mailvelope key server, as you most likely did in step 3. Add your keypair.

In case the typed address stays red, they simply might have forgotten to verify their keypair by clicking on the link in the key server validation email.

Note: you can still add their keys manually by following the instructions in step 4. Add others' keys.

Now type your message into the "Message" field. After clicking on "Encrypt" you have to type in the password attached to your key to sign your message.

Mailvelope asks for password to sign encrypted message on Outlook.com

You will now see that Mailvelope has encrypted your message and it has been transferred to the regular Outlook.com editor.

Mailvelope sends encrypted message to Outlook.com editor

Now, add a subject (Note: the subject remains unencrypted by Mailvelope!) and retype the email address of your recipient into the "To" field. By clicking on "Send" the message is sent by Outlook.com.


Decrypting an email sent to you

If you click on an encrypted email in your inbox, Mailvelope will show it as a sealed letter. By clicking on that symbol Mailvelope will ask for the password attached to your key. You will now be able to see the encrypted message in cleartext.

Mailvelope should be able to integrate into your webmail without any problem. However, you first have to manually add the domain name used to access your webmail to the list of authorized domains. To do this, navigate to the inbox of your webmail provider and click on the Mailvelope icon (remember: it lives in the top right corner of your browser) to open the main menu. Select "Authorize this domain". In the Mailvelope dialog for adding the new domain, you can leave the "Status" and "Domain pattern" fields unchanged unless the URL contains a port number. If this is the case (you can recognize the port number by a colon and a two- to five-digit number in the URL that is displayed in the address bar of the browser), you must add the colon and the port number manually in the "Domain pattern" field after the automatically recognized domain. Once you select "OK", Mailvelope will save the entry in the list of authorized domains. Just make sure to reload the newly authorized website in order to activate Mailvelope on it.

Note: some webmail clients, like Mail for Nextcloud or Roundcube, support the Mailvelope API. When using these clients you should also move the API toggle to "On".

For more information, please see also: Additional help on how to set up and use Mailvelope on Roundcube.

Mailvelope works with a great variety of webmail providers. However, you may have to add your provider's domain to the list of authorized domains manually, because your individual webmail service may not be authorized yet.

Simply navigate to the inbox of the email provider you want to add to the list of authorized domains. Select the Mailvelope icon (remember: it lives in the top right corner of your browser) to open the main menu. Select "Authorize this domain". A Mailvelope dialog to add the new domain should open. In this dialog, you can leave the "Status" and "Domain pattern" fields unchanged unless the URL contains a port number. If this is the case (you can recognize the port number by a colon and a two- to five-digit number in the URL that is displayed in the address bar of the browser), you must add the colon and the port number manually in the "Domain pattern" field after the automatically recognized domain. Once you select "OK", Mailvelope will save the entry in the list of authorized domains. Just make sure to reload the newly authorized website in order to activate Mailvelope on it.

To send and receive encrypted emails, the steps will be similar to those for users of Outlook.com and Yahoo (see above).


Creative Commons License