
How do I install end-to-end encryption for the Posteo webmail interface with Mailvelope (PGP)?

In the Posteo webmail interface, you can use genuine end-to-end encryption with the browser add-on Mailvelope.

In this help article, we show you how to install end-to-end encryption in the Posteo webmail interface. You will find out how to create an individual key pair for encrypted communication or import an existing one. In addition, we show you how to send your key to contacts, so that they can write encrypted emails to you.

Before you begin: Current security notice (May 2017)

We commissioned a current security audit of Mailvelope, which found a critical weakness in the interaction between the Firefox browser and Mailvelope. Under specific circumstances, the Firefox security architecture allows attackers to access a user’s private keys via compromised add-ons. You should therefore make sure to follow the additional security recommendations at the end of this article.

How to install Mailvelope

Google Chrome users can find the add-on in the Chrome Webstore. For Firefox, you can obtain Mailvelope as a download from the Mailvelope website.

Mailvelope is an open source project and has undergone an independent security audit by Cure53.

You can find out how to install an add-on in the following help articles:

How to install Mailvelope in Google Chrome

How to check the installation

After installation, you will see a new menu item in the webmail interface titled Compose and encrypt.

Click "Compose and encrypt"

Click Compose and encrypt to check your installation. If you see a Mailvelope lock symbol in the text field, the installation was successful.

Correct display in Mailvelope

If you do not see this, please check whether you have activated the Mailvelope API for Posteo.

How to create or import a key pair

If you have installed Mailvelope, you will now need a personal key pair. This consists of two parts: a public key, with which your contacts encrypt emails to you, and a private key, with which you can make encrypted emails readable. Never give anyone your private key. This ensures that only you can read your encrypted emails.

Do you already possess an OpenPGP key pair? If so, you can skip forward to the How to import a personal key pair section.

How to generate a personal key pair

  1. Click the Mailvelope symbol in your browser’s menu
  2. Click Options to open Mailvelope

How to generate key pair in Mailvelope: Step 1 to 2

  3. Click Generate a key

How to generate key pair in Mailvelope: Step 3

  4. In the Email field, enter your Posteo email address. Choose a password for access to your private key. This should be different to your Posteo password.
    The password protects your private key from unauthorised access.
    Leave the name field empty to protect your anonymity.
  5. Click Submit

How to generate key pair in Mailvelope: Step 4 to 5

  6. Wait until your key pair has been created

How to generate key pair in Mailvelope: success

Once Mailvelope has created your key pair, you will find it in the Mailvelope key chain.

How to import a personal key pair

Alternatively, you can import an existing key pair into Mailvelope:

  1. To do this, click the Mailvelope symbol in the browser
  2. Click Options

Import a key pair to Mailvelope: Step 1 to 2

  3. Click Import keys
  4. Click Select a key text file to import
  5. Select your key file in the format “.asc”
  6. Click Import

Import a key pair to Mailvelope: Step 3 to 6

You have now successfully installed Mailvelope and created or imported your personal key pair. We will now show you how to share your public key with others, so that you can exchange encrypted emails with them.

How to send your public key to your contacts

If someone wants to send you an encrypted email, they will need your public key. Using this, they can encrypt emails to you.

Exporting your public key:

  1. Click the Mailvelope symbol in your browser
  2. Click Options

Send your public key to a contact: Step 1 to 2

  3. Open the Key management tab
  4. Click Display keys
  5. Select your key

Send your public key to a contact: Step 3 to 5

  6. Click Export
  7. Select Public
  8. Save the key to your computer by clicking Save

Send your public key to a contact: Step 6 to 8

Tip: Save your key in a place where you can quickly and easily find it. Give the file a recognisable name such as Public-Key-John-Example.asc.
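Before attaching the exported file, you can confirm that it really contains only public key material. The following check is an added example, not code from Posteo or Mailvelope: it decodes each ASCII-armored block and reads the OpenPGP packet tags, so a secret key is caught even when the block header says PUBLIC. The function names and the sample packets are constructed for illustration, and the check does not verify the armor checksum or the key itself.

```python
import base64
import re

ARMOR = re.compile(r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)-----END PGP \1-----", re.S)
SECRET_TAGS = {5, 7}  # secret key and secret subkey packets (RFC 4880, section 4.3)

def dearmor(text):
    """Yield (label, raw bytes) for every ASCII-armored block in the text."""
    for m in ARMOR.finditer(text):
        lines = [l.strip() for l in m.group(2).splitlines()]
        body = lines[lines.index("") + 1:] if "" in lines else lines  # drop armor headers
        yield m.group(1), base64.b64decode("".join(l for l in body if not l.startswith("=")))

def packet_tags(data):
    """Walk old- and new-format packet headers and return the list of packet tags."""
    tags, i = [], 0
    while i < len(data):
        first, i = data[i], i + 1
        if (first & 0xC0) == 0xC0:                      # new format: tag in low 6 bits
            tag, l0, i = first & 0x3F, data[i], i + 1
            if l0 < 192:
                length = l0
            elif l0 < 224:
                length, i = ((l0 - 192) << 8) + data[i] + 192, i + 1
            elif l0 == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body length not expected in a key file")
        elif first & 0x80 and (first & 0x03) != 3:      # old format: tag in bits 5-2
            tag, n = (first >> 2) & 0x0F, 1 << (first & 0x03)
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        else:
            raise ValueError("unsupported or invalid packet header")
        tags.append(tag)
        i += length
    return tags

def safe_to_share(asc_text):
    """True only if every block is a public key block with no secret key packets."""
    blocks = [(label, packet_tags(raw)) for label, raw in dearmor(asc_text)]
    return bool(blocks) and all(
        label == "PUBLIC KEY BLOCK" and tags[:1] == [6] and not SECRET_TAGS & set(tags)
        for label, tags in blocks)

def armor(label, raw):  # builds the constructed samples below (no checksum line)
    return f"-----BEGIN PGP {label}-----\n\n{base64.b64encode(raw).decode()}\n-----END PGP {label}-----\n"
# Constructed dummy packets, not real keys: 0x99 = public key, 0xCD = user ID, 0x95 = secret key
PUBLIC_SAMPLE = armor("PUBLIC KEY BLOCK", b"\x99\x00\x03pub" + b"\xcd\x03uid")
MISLABELLED_SAMPLE = armor("PUBLIC KEY BLOCK", b"\x99\x00\x03pub" + b"\x95\x00\x03sec")
```

To check your own export, pass the file contents to the function, for example `safe_to_share(open("Public-Key-John-Example.asc").read())`, and only send the file if the result is `True`.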

Now send the exported key as an email attachment.

  1. Write a new email to the person you wish to send your public key to
  2. Using Attach a file, attach the key you just saved
  3. Click Send

Send your public key to a contact

Tip: In addition, you can publish your public key in the Posteo key directory.

Additional security recommendations for the use of Mailvelope in Firefox

Firefox’s architecture does not sufficiently compartmentalise add-ons from each other. Mozilla is already developing a new architecture for Firefox that overcomes this weakness, and plans to conclude this work with the release of Firefox 57 in November 2017. Until Mozilla has updated the architecture, the following security recommendations apply for anyone who uses Mailvelope with Firefox:

  1. In the interim, switch to different software. Either use Mailvelope in a different browser, or use PGP with a local email program.
    You can find various instructions for these options in the Posteo help section.
  2. Alternatively, using an independent Firefox profile for Mailvelope minimises the risk in the interim. In the Posteo help section, we have published step-by-step instructions for the creation of Firefox profiles:
    Instructions for Mac
    Instructions for Windows
    Mailvelope users with other providers can also follow these instructions.

Please make sure to follow these security recommendations in order to effectively minimise the risk of a successful attack:

  • Do not install any additional add-ons in the newly-created browser profile
  • Use the Firefox profile exclusively for encrypted Mailvelope communication: access only your email provider’s webmail interface and never visit other websites
  • In addition, choose a password for your PGP key that is as secure as possible
  • Be careful not to be tricked by phishing into installing add-ons through which you could be attacked

Due to the problems with the Firefox architecture, we additionally recommend:

  • Restrict the use of add-ons in the Firefox browser to a minimum, until Mozilla has updated the architecture
  • You can further protect yourself from potential attackers by setting up an additional user on your operating system for end-to-end encrypted communication
