This guide is an overhaul of a previous piece, entitled “Encrypting email with Mailvelope: A beginner’s guide.”
What is Mailvelope?
Mailvelope is a browser extension for Firefox and Chrome that adds end-to-end encrypted email to the webmail you already use. End-to-end encryption means that only you and your contact can read the body of a message: not your email provider, not your contact’s email provider, and not anyone watching the network in between.
Mailvelope makes sending and receiving end-to-end encrypted email on your computer simple: Sign in to your existing email service from your web browser, compose an encrypted message in Mailvelope’s integrated browser experience, and click “Send.”
Like any other tool that encrypts email content, Mailvelope protects only the body of a message, not its metadata. Your email provider, your contact’s provider, and anyone positioned on the network can still see when you sent a message, whom it was addressed to, the subject line, the Internet Protocol (IP) addresses of the devices involved, and more.
If you must use email for private correspondence, however, Mailvelope is an appropriate choice for those who are just getting started with end-to-end encryption on their computer. Like most traditional email encryption tools, Mailvelope does not work in mobile browsers.
An up-to-date web browser, either Chrome or Firefox.
Getting started with Mailvelope
Once you install the Mailvelope browser extension, a Mailvelope icon will appear at the top of your browser, to the right of the address bar. Click on the icon to bring up your Mailvelope control center, where you’ll go through your initial setup.
Before you can start sending encrypted emails to your contacts, you’ll need to configure Mailvelope with a keypair. A keypair consists of two related keys: a public key, which your contacts use to encrypt messages to you, and a private key, which you use to decrypt messages addressed to you so you can read them. Your public key can be shared freely and many of your friends may keep a copy of it; your private key is for your eyes only.
If this is your first time using encrypted email, select the option to “Generate key.” We’ll walk through the full key generation process in the next section.
Note: If you’ve already used email encryption with another tool and want to continue using the same keypair, select the “Import key” option instead of generating a keypair. You’ll then import your old public/private keypair as a file or text block. After importing, consider securely deleting any unneeded copies of your keypair, and making a secure backup to an encrypted storage device.
Generating keys with Mailvelope
Generating a keypair in Mailvelope is simple. It’s only a required step if it’s your first time using encrypted email, or if you’ve tried encrypted email before but want to start fresh with a new keypair.
During your initial setup, click the “Generate key” option to configure your new keypair. You can also generate a new keypair at any point by navigating to the “Key management” menu in your Mailvelope control center and clicking “Generate key.”
Name & email
To start, input the “Name” and “Email” you plan to use as your primary contact for email encryption. Both are embedded in your public key as its user ID, and people you correspond with can later use them to look you up on public directories called key servers.
Advanced: Algorithm, key size & key expiration date
Next, the default algorithm and key size entries under “Advanced” are fine as they are: RSA at 4096 bits is a conservative choice that every OpenPGP client can handle.
Setting a key expiration date is not required, but it limits how long a key stays in use without your attention. Most people will never have their key compromised, but a sophisticated actor can steal one, and a private key or its passphrase can simply be lost. An expiry date means contacts will eventually stop encrypting to a key you no longer control or can no longer use. If either concern applies to you, consider setting an expiry date 1-2 years in the future.
Password
Finally, it’s time to choose a password. The passphrase you designate in the “Password” field should be unique, long, and randomly generated. Why? Your private key is stored encrypted under a key derived from this passphrase, so the protection is only as strong as the passphrase itself. If an adversary gets a copy of your private key file, the passphrase is all that stands between them and your messages. If you have a long, random passphrase, you can rest easier: guessing it would take an attacker an impractically long time.
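How the passphrase actually protects the private key, as an added example that is not part of this guide or of Mailvelope’s own code: OpenPGP clients turn the passphrase into the symmetric key that encrypts the stored private key using the “iterated and salted” string-to-key (S2K) function from RFC 4880 section 3.7.1.3. The standard-library Python below implements that function, then runs an offline guessing loop over a small constructed wordlist to show that a dictionary passphrase falls immediately while a long random one leaves an attacker with a search space far beyond reach. The fixed salt, the count octet 0x60 and SHA-256 are assumptions chosen for the demo, not Mailvelope’s exact parameters.

```python
import hashlib
import math
from typing import Iterable, Optional


def decode_s2k_count(count_octet: int) -> int:
    """Expand the one-octet S2K count into the number of bytes to hash
    (RFC 4880 section 3.7.1.3). 0xFF is the maximum: 65,011,712 bytes."""
    return (16 + (count_octet & 15)) << ((count_octet >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes,
                        count_octet: int = 0x60,
                        hash_name: str = "sha256") -> bytes:
    """Derive the key that encrypts the private key from a passphrase.

    The hash is fed salt||passphrase repeatedly until `count` bytes have
    been hashed (or once, if salt||passphrase is already longer). The
    8-byte salt and the count are stored in the clear beside the encrypted
    key, so they add work per guess but contribute no secrecy.
    """
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 bytes")
    data = salt + passphrase
    count = max(decode_s2k_count(count_octet), len(data))
    h = hashlib.new(hash_name)
    full, rem = divmod(count, len(data))
    for _ in range(full):
        h.update(data)
    h.update(data[:rem])
    return h.digest()


def guess_passphrase(target_key: bytes, salt: bytes,
                     candidates: Iterable[str],
                     count_octet: int = 0x60) -> Optional[str]:
    """Offline dictionary attack: whoever holds the encrypted private key
    also knows salt and count, so every candidate costs one S2K run."""
    for word in candidates:
        if s2k_iterated_salted(word.encode(), salt, count_octet) == target_key:
            return word
    return None


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of num_words picked uniformly from wordlist_size words."""
    return num_words * math.log2(wordlist_size)


# Constructed demo data: a fixed salt (a real client picks it at random)
# and a tiny wordlist standing in for an attacker's dictionary.
DEMO_SALT = bytes.fromhex("0123456789abcdef")
DEMO_WORDLIST = ["password", "letmein", "qwerty", "welcome", "dragon",
                 "monkey", "football", "shadow", "master", "sunshine"]

if __name__ == "__main__":
    weak = s2k_iterated_salted(b"letmein", DEMO_SALT)
    print("weak passphrase recovered:", guess_passphrase(weak, DEMO_SALT, DEMO_WORDLIST))
    strong = s2k_iterated_salted(b"correct horse battery staple mailvelope keyring", DEMO_SALT)
    print("strong passphrase recovered:", guess_passphrase(strong, DEMO_SALT, DEMO_WORDLIST))
    # Six words from a 7776-word Diceware list: about 2^77 possibilities,
    # each costing the attacker one full S2K run.
    print("6-word diceware bits:", round(passphrase_bits(6, 7776), 1))
```

The salt and iteration count slow each guess down, but they cannot rescue a passphrase drawn from a small set; only the size of the space the passphrase was chosen from does that, which is why “random” matters as much as “long.”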
Uploading your key to Mailvelope’s key server
Be careful with this next part.
Before hitting the Generate button at the bottom of the window, you’ll notice a checkbox giving you the option to upload your public key to Mailvelope’s key server.
If you select this option, people can pull your key through Mailvelope and start sending you encrypted emails within moments of generation. This is a bit like putting up a public listing for your key. Treat that listing as permanent: only choose it if you are comfortable with the name and email address on the key being findable by anyone from then on.
If you don’t choose this option, not to worry. You can always push your key to Mailvelope’s key server, or any other key server for that matter, later.
If you do upload your key to Mailvelope’s key server, you’ll be sent an email asking you to verify your key. Why? You have to interact with Mailvelope to prove that you indeed control the email account tied to the key you are sending to its servers.
Adding contacts to your keyring
Under the “Key Management” tab in your Mailvelope control center, you’ll find your keyring. Think of your keyring as your encrypted email contact list. When you import a contact’s public key, it’ll show up in your keyring so that you can easily encrypt messages to them in the future, and update their key information as needed.
When you first configure Mailvelope your keyring will look pretty empty.
The image of two interlocking keys on the far left of your entry marks your own public/private keypair. Later on, your contacts’ keys will appear with a single key icon next to their public key information, since you hold only their public half.
When you click on your key’s entry in your keyring, you’ll see more details about it. Most notably, you’ll find your key’s PGP fingerprint, as well as its key ID.
A PGP fingerprint is a 40-character hexadecimal identifier (160 bits) computed from a single public key, while a key ID is a shortened version of the fingerprint; in Mailvelope it is the final 16 characters of the full fingerprint. Both, in addition to name and email, can be used to search public key directories called key servers. Because a key ID is only a fragment of the fingerprint, two different keys can share one, so when it matters that you have the right key, compare the full fingerprint with your contact over another channel (in person, by phone, or on a video call).
Now that you’re set up with your own key on Mailvelope, you’ll want to add the public keys of individuals you’d like to communicate with over encrypted email. Note that you can only send encrypted emails to contacts who have gone through the steps to set up their own keypair, so not everyone in your address book will be reachable this way.
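Where the fingerprint and key ID come from, as an added example that is not part of this guide or of Mailvelope’s code: for a version-4 OpenPGP key the fingerprint is the SHA-1 hash of the public-key packet framed by a 0x99 octet and its length (RFC 4880 section 12.2), and the 64-bit key ID is simply the low-order 16 hex characters of that fingerprint. The standard-library Python below builds an RSA public-key packet from constructed, deliberately tiny key material (not a real or secure key), derives the fingerprint and both key ID forms, and ends with a comparison helper for checking a fingerprint read out over the phone. The modulus, exponent and creation time are made up for the demo.

```python
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer: a two-byte
    big-endian bit count followed by the magnitude (RFC 4880 section 3.2)."""
    if value < 0:
        raise ValueError("MPIs are unsigned")
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 RSA public-key packet (RFC 4880 section 5.5.2):
    version octet 4, 32-bit creation time, algorithm id 1 (RSA), then n and e.
    The creation time is hashed too, so identical RSA material generated at
    a different second yields a different fingerprint."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(public_key_body: bytes) -> str:
    """SHA-1 over 0x99 || two-byte body length || body (RFC 4880 section 12.2),
    returned as the 40 upper-case hex characters Mailvelope displays."""
    framed = b"\x99" + struct.pack(">H", len(public_key_body)) + public_key_body
    return hashlib.sha1(framed).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID Mailvelope shows is the last 16 hex characters."""
    return fingerprint[-16:]


def short_key_id(fingerprint: str) -> str:
    """Older tools show only the last 8 characters; 32 bits is trivially collidable."""
    return fingerprint[-8:]


def normalize_fingerprint(text: str) -> str:
    """Drop the spaces people insert when reading a fingerprint aloud or printing it."""
    return "".join(text.split()).upper()


def fingerprints_match(shown: str, expected: str) -> bool:
    """Out-of-band verification: compare all 40 characters, never just a key ID."""
    a, b = normalize_fingerprint(shown), normalize_fingerprint(expected)
    return len(a) == 40 and hmac.compare_digest(a, b)


# Constructed key material: a 256-bit made-up modulus, far too small to be
# a real RSA key and used here only to exercise the packet layout.
DEMO_N = 0xC0FFEE0123456789ABCDEF00FEDCBA9876543210DEADBEEF0BADF00D13579BDF
DEMO_E = 65537
DEMO_CREATED = 1_600_000_000  # 2020-09-13T12:26:40Z, an arbitrary fixed timestamp

if __name__ == "__main__":
    fp = v4_fingerprint(rsa_public_key_body(DEMO_N, DEMO_E, DEMO_CREATED))
    print("fingerprint: ", " ".join(fp[i:i + 4] for i in range(0, 40, 4)))
    print("long key ID: ", long_key_id(fp))
    print("short key ID:", short_key_id(fp))
```

Note that `fingerprints_match` rejects a bare key ID on purpose: a key ID is a fragment of the fingerprint, so two keys can share one, and only the full 40 characters identify a key.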
Adding contacts on key servers
If your correspondents have already begun sending encrypted emails, chances are they’ve uploaded their public key to a key server. Once you’ve sent your public key to a key server, anyone can search the key server for your key, import it to their keyring, and send you encrypted messages. Keep in mind that most public key servers do not check who uploaded a key, so a key carrying a contact’s name and email address is not proof that it belongs to them; confirm the fingerprint with your contact directly before relying on a key you found this way.