Setting up PGP

Before using ProtonMail to communicate with others, take the time to maximize your privacy and security. In Settings, visit the “Keys” section to take advantage of some advanced features.

Set up Private Keys

The default security settings for new ProtonMail users are good, but they could be even stronger if you take the time. You will notice that you have an auto-generated key of 2048 bits. You should replace your primary key with a stronger, 4096-bit key. Next to your email address, under “Actions”, add a new key. When prompted, select the “Highest security (4096-bit)” option.

Once your new key is generated, click the down-arrow next to your email address to expand your keys. Mark the new, stronger key as your primary key by clicking the down-arrow under “Actions” and selecting “Make Primary”.

Now is the perfect time to export a copy of your private key (which will require your password) and save it to a safe storage space, like a USB stick that you can keep reasonably safe. You can also export your public key in a similar manner, to upload it to key servers elsewhere on the web.

Take note that this is also where you can revoke your key if it is ever compromised, or generate new ones for whatever reason. You shouldn’t need to do this, but it’s good to know that the options exist if you ever need them.

Enable PGP with everyone!

If you recall, you can exchange end-to-end encrypted messages with any other ProtonMail user without ever having to set anything up. However, you will definitely want to enable the same protection with non-ProtonMail users who use PGP through another client.

Navigate to the Security section in your settings, and scroll down to “External PGP Settings.” Be sure to set the “Default PGP Scheme” to Inline PGP.

ProtonMail allows you to add people’s PGP public keys to your address book. Navigate to your Contacts tab, and select an entry. Open the contact’s “Advanced Settings” by clicking the gear to the right of their entry.

Under the “Public Keys” section, select “Add Key” to upload your contact’s PGP public key. Once the key is imported, make sure to set the “Cryptographic scheme” to “PGP/Inline” (and not MIME). You can additionally set ProtonMail to automatically sign and/or encrypt all messages to that contact going forward. Click “Save” so the changes take effect.

Encrypting messages

When you compose a message from the ProtonMail web app, the recipient field will indicate whether or not your conversation will be end-to-end encrypted.

If you’re emailing someone who also uses ProtonMail, your messages will be end-to-end encrypted automatically. The recipient field shows a blue lock to the left of the address.

If you’re emailing someone who uses another service (Gmail, for example) and whose PGP key you have added into your contacts, your messages will also be end-to-end encrypted automatically. The recipient field shows a green lock to the left of the address.

However, if you're emailing someone who uses another email provider, but you don’t have their PGP key added, end-to-end encryption is not possible. There won’t be any indication next to their address in the recipient field.

This is important; there’s a bit of misinformation floating around that having a ProtonMail account means automatic E2EE email conversations with anyone. This isn’t true, and you should pay attention to these indications before sending off an email. It might take some getting used to, but before long, it will be as simple as using any other email service.

Keeping your account safe

As with any account you care about, you should first take the time to safeguard it against certain threats. Not only do you want to make it harder for hackers to get into your account, but you also want to ensure you can access your account if ever something goes wrong. Visit the Settings tab to enable a few security features before using your account.

Set a strong, unique passphrase

Hackers assume you reuse your login credentials everywhere, so when you reuse passphrases, it only takes a breach of one service for them to figure out how to log in to all the other services you use.

As with any account, this means you should be using a strong, unique passphrase. (Ideally, you should store this in a reputable password manager).

It’s especially important to have a backup of your password (e.g., backed up to a password manager), because if you lose your password, you will not be able to decrypt any of your old email ever again.

You may also set a reset/notification email address (such as your personal Gmail address) in the event you need to reset your password. Because you don’t want to lose permanent access to your ProtonMail account, this is the best option. However, you should take considerable care to lock down that backup email address as much as possible!

Set up Two-Factor Authentication

ProtonMail currently supports two-factor authentication with one-time-use code apps like Google Authenticator or Authy. Follow the steps on the ProtonMail knowledge base to enable it: https://protonmail.com/support/knowledge-base/two-factor-authentication/ and be sure to save your backup codes somewhere safe.

Monitor access

ProtonMail allows you to audit each connection your account makes with its servers. This allows you to do a few awesome things.

First, you can view all the IP addresses your account has been seen on, which is great for making sure it was you, and only you, who’s been online. Under Authentication Logs, be sure to enable the “Advanced” view.

Also, you can manage which sessions are currently active on your account, and revoke any session that is no longer needed, or suspicious, under Session Management.

Take control of your privacy

Sometimes hackers, or even advertisers, use sneaky tricks in email to pierce your privacy. One common technique: trackers can be embedded in the images in your emails, so that simply loading the image reports back to the sender that you opened the message.

Sometimes these trackers are even embedded in images as small as one pixel, providing no value to you whatsoever.

Make sure ProtonMail loads images and other remote content if, and only if, you request it. Under “Account”, click “Email Content”. Make sure “Load remote content” and “Load embedded images” are both set to “Manual.”
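As an added illustration (not part of the original guide or of ProtonMail’s code), the Python script below audits a constructed HTML email for remote images and likely tracking pixels, then rewrites it so remote content is fetched only on request, which is what the “Manual” setting achieves for you. The 1x1/hidden-image heuristic and the data-blocked-src attribute name are this example’s own choices.

```python
# Added example (not from the original guide): audit an HTML email for remote
# images and tracking pixels, and rewrite it so remote content loads only on request.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

REMOTE_SCHEMES = ("http", "https")
IMG_TAG = re.compile(r"<img\b[^>]*>", re.I)
SRC_ATTR = re.compile(r"""(?<![\w-])src\s*=\s*(["']?)([^"'\s>]+)\1""", re.I)

class RemoteContentAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote_images = []    # every image fetched from a remote server
        self.tracking_pixels = []  # remote images that are 1x1 or hidden (beacon heuristic)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if urlparse(src).scheme not in REMOTE_SCHEMES:
            return  # cid:/data: images are inline; loading them tells the sender nothing
        self.remote_images.append(src)
        tiny = a.get("width", "").strip() in ("0", "1") and a.get("height", "").strip() in ("0", "1")
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if tiny or hidden:
            self.tracking_pixels.append(src)

def audit_email(html):  # returns remote image URLs and the subset that look like trackers
    parser = RemoteContentAuditor()
    parser.feed(html)
    return {"remote_images": parser.remote_images, "tracking_pixels": parser.tracking_pixels}

def block_remote_content(html):  # rename remote src attributes so nothing is fetched until opted in
    def block_tag(tag_match):
        tag = tag_match.group(0)
        src = SRC_ATTR.search(tag)
        if src and urlparse(src.group(2)).scheme in REMOTE_SCHEMES:
            return tag[:src.start()] + "data-blocked-" + tag[src.start():]
        return tag  # inline image: leave it alone
    return IMG_TAG.sub(block_tag, html)

# Constructed sample message: one inline logo, one 1x1 open-tracker, one ordinary banner.
SAMPLE_EMAIL = """<html><body><p>Hi! Here is your receipt.</p>
<img src="cid:logo@example" alt="logo">
<img src="https://track.example.net/open?u=123" width="1" height="1" alt="">
<img src="https://cdn.example.com/banner.png" width="600" height="100">
</body></html>"""
```

Running audit_email(SAMPLE_EMAIL) reports two remote images and flags the 1x1 one as a tracker; auditing block_remote_content(SAMPLE_EMAIL) reports none, because the remote sources are no longer in a src attribute a client would fetch.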

ProtonMail seems like the perfect solution for those who want to get started with end-to-end encryption over email without going down the rabbit hole of mastering PGP’s nuances. The ProtonMail team is diligent, attentive and responsive to vulnerabilities surfaced by the larger infosec community, an admirable quality everyone should look for when choosing a product. That said, let’s look at the caveats (and also let’s take the opportunity to readily acknowledge that every single product has its fair share of them!).

The backdoor spectre

ProtonMail is primarily accessed from its web interface. This means that every cryptographic calculation is handled in your browser, using code delivered from ProtonMail’s servers directly to you, each time you log in. In addition to trusting ProtonMail’s code, the security of your browser, and other factors, this also requires a great deal of trust in ProtonMail as a company.

Security researchers have long pondered the possibility [PDF] that a company offering a web-based client doing in-browser crypto could be silently, but legally, compelled to deliver a backdoored version of their code to users specifically targeted by a FISA court order, or something similar. It’s happened to users of other services before; one might call it “getting Lavabitten.”

As a trainer, it’s wise to bring this scenario up because of the menagerie of threats that high-risk ProtonMail users like journalists might one day face. So, if that’s something you’re particularly worried about, learn to use PGP with a desktop client like GPGTools, Thunderbird with the Enigmail plugin, or GPG4Win.

Default key size doesn’t offer the highest security

After you take off the tin-foil hat, there are other small changes that could greatly improve ProtonMail’s overall security. As mentioned before, new users’ default keys are 2048-bit, in order to support less capable browsers and mobile devices that might choke on a larger key. While this is easily mitigated by setting up a new key, or importing one generated elsewhere, it would be great if this were made more transparent to new users.

Some workflows might encourage risky user behavior

What happens if you want to send an end-to-end encrypted email to someone who doesn’t have a PGP key at all? Designing a proper workflow for encrypting messages to users who have no public key is a well-recognized challenge in security engineering. What ProtonMail (and a growing number of competing E2EE email services) does to address this is allow you to encrypt an email to your contact using a password that you are responsible for somehow sharing securely.

The email that lands in your contact’s inbox is, rather than the original content of the email, a branded notification saying something to the effect of “Click this link to view your message!!!” Your contact is then instructed to click through to a ProtonMail portal where they can view the original decrypted message after typing in your shared secret.

In the digital security training space, trainers work very hard to teach people to identify this as phishing behavior. It’s disheartening to see this UX pattern leveraged across so many services because that undermines the advice most likely to keep at-risk users safe.

But hey, what are you gonna do? This is still a hugely convenient feature: imagine being able to send personal details like passport numbers to a travel agent who is willing to go a tiny step further to protect your information, but not far enough to use PGP. It’s a classic example of the security and usability trade-offs companies must make. And remember, context is everything: always be wary of unsolicited emails enticing you to click through, and when in doubt, ring someone up on the phone and have them confirm that they meant to send it!

No support for hardware-token based 2FA

Finally, while ProtonMail admirably offers two-factor authentication, they don’t yet support its most secure method: a hardware-based token like a Yubikey. As we recently saw in Amnesty International’s world-rocking report, sophisticated spearphishing campaigns have been successfully waged against users who use SMS, or even an app (the “software token”), as their second factor. Frightening stuff! ProtonMail (and other awesome services) should make it their priority to support hardware token-based 2FA in 2019.

Critiques aside, ProtonMail is an excellent choice for bootstrapping PGP-curious users onto more secure communications, and improvements they’ve already implemented to their product further demonstrate its promise.