Mailvelope for You: How to get started

Mailvelope is a browser extension that builds PGP into your webmail. You can:

  • Encrypt and decrypt emails in your browser
  • Manage the keys of your contacts
  • Keep the content of your emails private from everyone except the recipient (even your email provider can't read them!)

Using security tools does not have to be difficult. We did our best to make the free Mailvelope for You version easy for everyone to set up and use. The steps below will get you started sending and receiving encrypted emails.

Learn more: What is Mailvelope and how does it work? Is a browser extension secure?

Illustration Mailvelope is integrated into the webmail UI

1. Install Mailvelope on your browser

Your first step is to add Mailvelope to your browser, using one of these download links:

Since Mailvelope requires deep integration with your browser to function properly, you’ll be prompted to grant read/write permissions during installation. Please confirm these permissions to ensure Mailvelope works seamlessly within your browser.

2. Open Mailvelope

The Mailvelope icon lives in the top right corner of your browser. Click on it to start setting up your encryption keys.

3. Add your keypair

To send and receive encrypted messages, you’ll need a PGP key pair. The Mailvelope setup screen will guide you through generating a new key pair or importing an existing one.

Mailvelope setup screen

Select Generate key on the setup screen. Enter your name (or a pseudonym) and the webmail address you want to associate with your new key. Next, create a strong, unique password or passphrase. Be sure to write it down on paper or save it securely in a password manager.

Note: Mailvelope does not store your password, so if you lose it, it cannot be recovered by us.

Mailvelope Input Screen for generating a new key

Once your key is successfully created, Mailvelope will confirm the process and display your new key on the Key Management screen.

Mailvelope generated a new key

To ensure your communication partners can find your newly created key, it will be automatically uploaded to the Mailvelope Key Server unless you unchecked the option Upload public key to Mailvelope Key Server during key creation. Shortly after key creation, you’ll therefore receive an encrypted email with the subject line “Verify your email address.” Open the email in the inbox of your Google Workspace Email account (not on another device, since the message is encrypted). Now enter the password you created during key generation in order to decrypt the email. Once you can see the message in cleartext, click on the verification link provided in the email. Your public key will now be available on the Mailvelope Key Server, making it discoverable by other Mailvelope users, whether within your organization or externally.

Note: If you have any difficulty opening the email from the Mailvelope Key Server, see step 4 of this tutorial, section: Decrypt an email sent to you.

Select Import Keys on the setup screen. You’ll need the keypair file (usually a file with an .asc extension). Import the key by either dragging and dropping the file into the browser window or selecting it manually using the Add File option.

Import key into Mailvelope

When you click the Import Keys button, Mailvelope will display the key’s technical details, including the Key ID and Fingerprint, for your review. After you confirm, the key will be successfully added to your keyring and is ready for use.

Success. Mailvelope imported a key

To ensure the new keypair is available to other Mailvelope users who may want to send you encrypted emails, we recommend uploading it to the Mailvelope Key Server. To do this, open Key Management and click on your newly imported keypair. On the key details page (just click on the key in the keychain), you will see a red notification saying, The user ID is not synchronized with the Mailvelope Key Server. Simply click the Synchronize button to upload your public key. Next, check your email inbox for a message titled Verify your email address from the Mailvelope Key Server. Since this email is encrypted, make sure to open it using your webmail provider with Mailvelope enabled. Decrypt the email by entering your key’s password, then click the confirmation link inside. Once verified, your key will be available on the Mailvelope Key Server, making it easy for other users to send you encrypted messages.

Note: If you have any difficulty opening the email, go to Step 4 of this tutorial, section: Decrypt an email sent to you.

4. Add others' keys

Now that you have your own keypair, it’s time to add your contacts’ keys. Gmail users can skip this step, as keys of your communication partners will be found automatically when composing an email to them (if they also use Mailvelope and uploaded their keys to the key server).

In all other cases you'll need to add the recipients’ public keys to your keyring first. There are two ways to do this:

Searching key directories

Key servers are directories that store public keys along with their associated email addresses, making it easy to find your contacts’ keys by searching for their email addresses. To search for a key, navigate to Key Management → Search. Mailvelope’s built-in search function queries its own key server as well as several other commonly used key servers. If needed, you can customize the key servers included in the search to suit your preferences.

Mailvelope key search on different directories

Import a key file

If your contact has sent you their public key as a file (typically with a “.asc” extension), you can easily add it to your keyring. Simply go to Key Management and select Import. You can upload the file by either dragging and dropping it into the browser window or selecting it manually using the “Add File” option.

Import key into Mailvelope

5. Encrypting and decrypting an email using your webmail

Sending an encrypted message

As soon as Mailvelope is installed in your browser, you will see a Mailvelope button next to the compose button in Gmail. If this is not the case, please reload the browser tab with your Gmail inbox. Now, click on the Mailvelope button to open the Mailvelope Editor.

Compose new email in Gmail

If this is your first time using Mailvelope with Gmail, you’ll need to confirm a Google security alert titled Using the Gmail API. Sign in to your Google account and grant Mailvelope the necessary permissions. This step enables the deep integration required for seamless encryption and decryption of your emails. For more details, refer to the “Learn More” box.

Note: if you’re using Gmail as part of a Google Workspace subscription, you will have to purchase a Mailvelope Business for Workspace license. In this case, please continue with step 4 of our Mailvelope Business for Workspace tutorial.

Back in the Mailvelope editor, type the recipient's email address into the recipient field. If your recipient has uploaded their key to the Mailvelope key server, Mailvelope will find it automatically and the email address will turn green. If the address stays red, it means that Mailvelope couldn’t find the recipient’s key. You can import their key to your keyring by following the instructions in step 4. Add others' keys.

Create new email in Nextcloud Mail

You can now write your email as usual, add attachments (they will get encrypted as well) and send it by clicking on Submit.

Note: do not put confidential information in the Subject line. Mailvelope encrypts only the email message and any attachments you add!

Decrypting an email sent to you

An encrypted email will first be shown to you as a sealed letter only. Simply click on it to open the Mailvelope password prompt. Enter the password for your private key, and the message will be decrypted and displayed.

Create new email in Nextcloud Mail

Note that Mailvelope added a red arrow for your encrypted reply. Clicking on it will open the Mailvelope Editor, ready to type in your reply message.

We will show you the whole process in Outlook.com. Yahoo will have quite similar steps to write and receive encrypted emails.

In your Outlook.com inbox, click on "New Message" to open the Outlook.com Editor. You will now see the Mailvelope icon on the upper right of the editor message field. Clicking it will open the Mailvelope Editor to write an encrypted message.

Open Mailvelope Editor on Outlook.com

Mailvelope Editor floating on Outlook.com Interface

Now type the recipient's email address into the recipient field. If your communication partner has uploaded their key to the Mailvelope key server, as you most likely did in step 3 (Add your keypair), Mailvelope will find the key automatically and the address turns green. If the typed address stays red, they might simply have forgotten to verify their keypair by clicking on the link in the key server validation email.

Note: you can still add their keys manually by following the instructions in step 4. Add others' keys.

Now type your message into the "Message" field. After clicking on "Encrypt", you have to type in the password attached to your key to sign your message.

Mailvelope asks for password to sign encrypted message on Outlook.com

After confirming your password, Mailvelope will encrypt your message and automatically transfer it to the standard Outlook editor, ready for you to review and send.

Mailvelope sends encrypted message to Outlook.com editor

Next, add a subject to your email (Note: the subject remains unencrypted by Mailvelope). Then, re-enter the recipient’s email address in the To field. Finally, click “Send” to send your encrypted message via Outlook.com.

Decrypting an email sent to you

If you click on an encrypted email in your inbox, Mailvelope will show it as a sealed letter. When you click on that symbol, Mailvelope will ask for the password attached to your key. You will then be able to see the encrypted message in cleartext.

To get Mailvelope working with Roundcube, you’ll first need to manually add your webmail’s domain to the list of authorized domains. Here’s how to do it: Navigate to your Roundcube inbox and click on the Mailvelope icon located in the upper right corner of your browser to open the main menu. Select Authorize this domain from the menu.

Authorize domain in Mailvelope

In the Mailvelope dialog for adding a new domain, you can leave the Status and Domain Pattern fields unchanged unless the URL contains a port number. A port number appears after a colon (:) followed by 2 to 5 digits in the browser’s address bar (e.g., https://mail.example.com:8080). If a port number is present, manually add the colon and port number to the Domain Pattern field, right after the automatically detected domain. Now reload the browser tab of your Roundcube inbox.

Next, go to Roundcube Settings → Preferences → Encryption and turn the toggle Use Mailvelope main keyring in Mailvelope options to On. Mailvelope will now be authorized to work seamlessly with your Roundcube webmail.

Roundcube encryption button

Sending an encrypted message with Roundcube

After successful installation of Mailvelope, you will find the Encrypt button in the top navigation activated. You can now choose to Encrypt or Encrypt and sign your message. We recommend choosing the latter, as this verifies to your recipient that it was you who sent the message.

Authorize domain in Mailvelope

Note: The Encrypt button will be inactive if the message editor type is set to HTML, as encryption is supported only for plain text messages. To set the editor type to Plain text, press the X button in the top-left corner of the message field, next to the icons for HTML formatting in the top line of your Roundcube editor.

Now you will see the activated Mailvelope editor and you can start typing your message.

Roundcube editor with Mailvelope activated

You can add attachments by clicking on Add file. Send the email by hitting the Send button.

Note: Do not use the Options and attachments section on the right to send encrypted attachments. Always use the Add file option within the Mailvelope editor. Otherwise your attachments will stay unencrypted.

Decrypting an email sent to you

If you click on an encrypted email in your Inbox, Mailvelope will first show it to you as a sealed letter. Clicking on it will open an Enter key password dialog. Typing the password of your private key and clicking OK will decrypt and open the message.

Roundcube editor with Mailvelope activated

Decrypting attachments

If the email you received includes an encrypted attachment (usually with a .gpg file extension, as shown in the screenshot above), first download it. Next, click the Mailvelope icon in the upper right corner of your browser to open the main menu. Go to Dashboard and select Decrypt from the top menu bar. Tap “Add File” or simply drag and drop the encrypted file into the Mailvelope window. After entering your private key password, you can download the decrypted attachment files.

Mailvelope works with a wide range of webmail providers. If your provider’s domain is not listed under Authorized Domains (Mailvelope Main Menu → Dashboard → Authorized Domains), you will need to manually add your webmail’s domain to the list of authorized domains. To do this, navigate to your webmail inbox and click on the Mailvelope icon in the upper right corner of your browser to open the main menu. Then select Authorize this domain from the menu.

Authorize domain in Mailvelope

In the Mailvelope dialog for adding a new domain, you can leave the Status and Domain Pattern fields unchanged unless the URL contains a port number. A port number appears after a colon (:) followed by 2 to 5 digits in the browser’s address bar (e.g., https://mail.example.com:8080). If a port number is present, manually add the colon and port number to the Domain Pattern field, right after the automatically detected domain. Now reload the browser tab of your webmail inbox.

To send and receive encrypted emails and encrypted attachments, the steps will most likely be similar to those for users of Outlook.com and Yahoo (see above).

6. Backup your keys

We strongly recommend backing up your keys and storing them in a secure location. If you reinstall Mailvelope or need to reset your browser or operating system, you’ll have to reimport your keychain, as Mailvelope stores keys only locally. For step-by-step backup instructions, refer to this FAQ, section: Backup of the complete keyring.

Note: Keep in mind that even if you back up your private key, it will be useless without the password associated with it. Make sure to also store your password securely.

Backup your keyring