In the Posteo webmail interface, you can use genuine end-to-end encryption with the browser add-on Mailvelope.
In this help article, we show you how to install end-to-end encryption in the Posteo webmail interface. You will find out how to create an individual key pair for encrypted communication or import an existing one. In addition, we show you how to send your key to contacts, so that they can write encrypted emails to you.
Before you begin: Current security notice (May 2017)
We have had a current security audit of Mailvelope carried out, which found a critical weakness in the interaction between the Firefox browser and Mailvelope. Under specific circumstances, the Firefox security architecture allows attackers to access a user’s private keys via compromised add-ons. Please therefore note the additional security recommendations at the end of this article.
How to install Mailvelope
Mailvelope is an open source project and has undergone an independent security audit by Cure53.
You can find out how to install an add-on in the following help articles:
How to check the installation
After installation, you will see a new menu item in the webmail interface titled Compose and encrypt.
Click it to check your installation. If you see a Mailvelope lock symbol in the text field, the installation was successful.
If you do not see this, please check whether you have activated the Mailvelope API for Posteo.
How to create or import a key pair
If you have installed Mailvelope, you will now need a personal key pair. This consists of two parts: a public key, with which your contacts encrypt emails to you, and a private key, with which you can make encrypted emails readable. Never give anyone your private key. This ensures that only you can read your encrypted emails.
Do you already possess an OpenPGP key pair? If so, you can skip forward to the How to import a personal key pair section.
How to generate a personal key pair
- Click the Mailvelope symbol in your browser’s menu
- Click Options to open Mailvelope
- Click Generate a key
- In the Email field, enter your Posteo email address. Choose a password for access to your private key. This should be different to your Posteo password.
The password protects your private key from unauthorised access.
Leave the name field empty to protect your anonymity
- Click Submit
- Wait until your key pair has been created
Once Mailvelope has created your key pair, you will find it in the Mailvelope key chain.
How to import a personal key pair
Alternatively, you can also import a key pair that already exists to Mailvelope:
- To do this, click the Mailvelope symbol in the browser
- Click Options
- Click Import keys
- Click Select a key text file to import
- Select your key file in the format “.asc”
- Click Import
You have now successfully installed Mailvelope and created or imported your personal key pair. We will now show you how to share your public key with others, so that you can exchange encrypted emails with them.
How to send your public key to your contacts
If someone wants to send you an encrypted email, they will need your public key. Using this, they can encrypt emails to you.
Exporting your public key:
- Click the Mailvelope symbol in your browser
- Click Options
- Open the Key management tab
- Click Display keys
- Select your key
- Click Export
- Select Public
- Save the key to your computer by clicking Save
Tip: Save your key in a place where you can find it quickly and easily. Give the file a recognisable name such as Public-Key-John-Example.asc.
Now send the exported key as an email attachment.
- Write a new email to the person you wish to send your public key to
- Using Attach a file, attach the key you just saved
- Click Send
Tip: In addition, you can publish your public key in the Posteo key directory.
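Before attaching the exported file, you can confirm that it contains only public key material. The following check is an added example, not part of Mailvelope or Posteo: it assumes the export is an ASCII-armored OpenPGP file as described in RFC 4880, the function names are hypothetical, and the sample blocks are constructed stubs rather than real keys.

```python
import base64
import re

PUBLIC_KEY_TAG = 6  # OpenPGP packet tag for a public key (RFC 4880, 4.3)

ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+)-----\n(.*?)\n-----END PGP \1-----", re.S)


def first_packet_tag(data: bytes) -> int:
    """Return the tag of the first OpenPGP packet in binary key data."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if data[0] & 0x40:              # new-format header: tag in bits 5-0
        return data[0] & 0x3F
    return (data[0] & 0x3C) >> 2    # old-format header: tag in bits 5-2


def armored_blocks(text: str) -> list:
    """Return (armor label, first packet tag) for each armored block."""
    blocks = []
    for label, body in ARMOR_RE.findall(text.replace("\r\n", "\n")):
        lines = [line.strip() for line in body.split("\n")]
        start = lines.index("") + 1   # armor headers end at the blank line
        # Drop the trailing "=XXXX" CRC-24 line; the rest is base64 data.
        b64 = "".join(l for l in lines[start:] if l and not l.startswith("="))
        blocks.append((label, first_packet_tag(base64.b64decode(b64))))
    return blocks


def safe_to_share(text: str) -> bool:
    """True only if at least one block exists and all are public keys.

    Only the armor label and the first packet of each block are checked.
    """
    blocks = armored_blocks(text)
    return bool(blocks) and all(
        label == "PUBLIC KEY BLOCK" and tag == PUBLIC_KEY_TAG
        for label, tag in blocks)


def stub_armor(label: str, first_byte: int) -> str:
    """Constructed sample: armor around a 4-byte stub, not a real key."""
    b64 = base64.b64encode(bytes([first_byte, 0, 1, 4])).decode()
    return (f"-----BEGIN PGP {label}-----\n\n{b64}\n=AAAA\n"
            f"-----END PGP {label}-----\n")


PUBLIC_SAMPLE = stub_armor("PUBLIC KEY BLOCK", 0x99)    # old-format tag 6
PRIVATE_SAMPLE = stub_armor("PRIVATE KEY BLOCK", 0x95)  # old-format tag 5
```

To check a real export, pass the contents of the saved .asc file to safe_to_share() and attach the file only if the result is True.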
Additional security recommendations for the use of Mailvelope in Firefox
Firefox’s architecture does not sufficiently compartmentalise add-ons from each other. Mozilla is already developing a new architecture that overcomes this weakness, and plans to conclude this work with the release of Firefox 57 in November 2017. Until Mozilla has updated the architecture, the following security recommendations apply to anyone who uses Mailvelope with Firefox:
- In the interim, switch to different software. Either use Mailvelope in a different browser, or use PGP with a local email program.
You can find various instructions for these options in the Posteo help section.
- Alternatively, using an independent Firefox profile for Mailvelope minimises the risk in the interim. In the Posteo help section, we have published step-by-step instructions for the creation of Firefox profiles:
Instructions for Mac
Instructions for Windows
Mailvelope users with other providers can also follow these instructions.
Please make sure to note the following security recommendations in order to effectively minimise the risk of a successful attack:
- Do not install any additional add-ons in the newly-created browser profile
- Use the Firefox profile exclusively for encrypted Mailvelope communication: Access your email provider’s webmail interface and never visit other websites
- In addition, choose a password for your PGP key that is as secure as possible
- Be careful not to be tricked by phishing into installing add-ons through which you could be attacked
Due to the problems with the Firefox architecture, we additionally recommend:
- Restrict the use of add-ons in the Firefox browser to a minimum, until Mozilla has updated the architecture
- You can further protect yourself from potential attackers by setting up an additional user on your operating system for end-to-end encrypted communication
Related help articles
- How do I send an end-to-end encrypted email in the Posteo webmail interface and how do I make encrypted emails readable?
- Does my S/MIME or OpenPGP key need to fulfil certain criteria?
- How do I activate inbound encryption with my public PGP key?
- How do I use PGP/MIME on an Android smartphone or tablet?