Mailvelope: use OpenPGP encryption on Gmail, Yahoo, Hotmail and other webmail services

Martin Brinkmann
Aug 4, 2013
Updated • Aug 5, 2013
Email, Encryption

If you prefer to use a webmail interface such as those provided by Gmail, Hotmail or Yahoo! Mail, you probably know that you cannot really secure your data directly when you are using those services. The majority of popular webmail services do not support email encryption for instance which would protect the content of messages from being read by automated tools and anyone else with access.

Mailvelope is a free browser extension for Google Chrome and Mozilla Firefox that introduces OpenPGP encryption to webmail services that you may be using. The extension ships with support for Gmail, Yahoo! Mail, Outlook and GMX by default, and options to integrate other web-based email providers as well.

Setup is a little bit complicated, especially if you have never worked with PGP before. After you have installed the extension in your browser of choice, it is necessary to either create a new encryption key or import an existing one.

OpenPGP for webmail services

If you need to generate a new key, you are asked to enter your name and email address, and a passphrase that is used to encrypt and decrypt messages. If you want, you can also change the algorithm and key size (default 1024 up to 4096), and set an expiration date.

generate pgp key

You need to import public keys as well here from your contacts so that you can encrypt messages for them.

Let me explain how the encryption process works. PGP uses a private and public key pair system. When you generate a new set of keys, you generate a private key and a public key. Others use your public key to encrypt messages for you that only you can decrypt with your private key.

I recommend you check out the settings before you head out to your webmail service of choice to start encrypting your emails.

Some interesting options that you have are the following:

  1. Select whether you want to use the mail service's compose window or a separate editor.
  2. Select whether you want to decrypt messages on the page of the mail provider or a separate window.
  3. Set a primary key you want to be selected automatically.

Here you can also add other mail providers to the list of supported services.

A new icon is displayed in the compose window once you have added at least one key for a supported email address. When you click on it, a new window pops up that lets you compose the message. I highly recommend you keep the default option of composing emails in a separate window as contents may leak otherwise, for example when they are auto-saved.

Once you have clicked on the encryption icon, you can start typing in your message. You do need to click on the Fe> icon once you are done to start the encryption process.

What you need to do is select the recipients of the email. You can only add recipients whose public keys you have imported previously into the application.

encrypt email messages

Once done hit the transfer button to send the message to all selected recipients. You may also want to add yourself to the list as you will then be able to read the messages in your send folder (and inbox).

Encrypted messages appear like normal messages in your inbox. They have a plain text title but the body content is encrypted. When you open an encrypted email, you see random characters and a lock icon in the middle.

encrypted message
PGP encrypted email

A click on the icon opens a password prompt. You need to enter the correct passphrase that you have selected during key creation. The email is displayed in plain text when you do so that you can read it.


Mailvelope adds a much needed feature to webmail services. You do face a couple of challenges though using it. First, you need to get your contacts to start using PGP as well as you can only use it effectively if that is the case.

Second, you rely on the Chrome or Firefox extension, which means that you may not be able to access your email at any time. This is for instance the case if you check your mail in a public library or on a third party computer.

The current implementation does not support the signing of messages as well.

Good news is however that it is fully compatible with existing mail encryption solutions that use OpenPGP.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. Joe said on April 30, 2014 at 6:26 pm

    A major concern that you didn’t mention: what if two people use the same filename? I assume this will simply overwrite the earlier file, rather than adding an incremental number or using some other method to avoid overwriting.

    To avoid that, you have to “add ingredients” using the big blue plus sign in the “File Name” area when setting up the Dropbox section of the recipe. I had mine use sender address, time received, AND file name (in case someone sends the same filename twice and I want both copies, which could happen if they use some boilerplate name like “NewDocument1”).

    1. Martin Brinkmann said on April 30, 2014 at 6:52 pm

      Is not Dropbox using copies of files automatically in this case? But good point, need to investigate this.

    2. Martin Brinkmann said on April 30, 2014 at 11:55 pm

      I have tested it, only on Google Drive but still. Same name attachments are stored as well. You end up with several same name files in the same folder structure but that is okay I guess.

  2. Blue said on May 1, 2014 at 7:03 pm

    They are poor variations of cloud storage (Google Drive, Dropbox or Microsoft’s OneDrive.) because they have specific limitations which do not make them idea as a cloud storage even for personal use. They don’t allow executable files (EXE, COM, BAT) to be uploaded or saved on their servers. I have purchase a few programs from online sources and want to save them in a cloud for easy access on the go. “Google Drive, Dropbox or Microsoft’s OneDrive.”, do not allow executable files so aren’t really a good choice for cloud storage or drop box option.

    So MediaFire or Firedrive to the rescue. Both allow executable files uploaded, saved and shared (Mediafire checks copyrights of the files shared). Plus for programmers, who need to allow a few individuals to download a specific file or folder to beta test a program, Mediafire and Firedrive are great resources. Firedrive allows online chat and messaging between Dropbox and shared file users. But as they are based in UK their download speed is not consistent for all Canada/USA users.

    1. Joe said on May 1, 2014 at 10:31 pm

      I’ve never seen that limitation on Dropbox – I’ve been storing dozens of .exe and .bat files there for years. I thought maybe you were referring only to the web uploader (I never use it – my files are all uploaded from synchronized folders), but I just tested it and it works. Maybe you should give Dropbox another look.

  3. Joe said on May 1, 2014 at 10:53 pm

    Another limitation: it apparently can only pull in one attachment. I usually wouldn’t have a use for this, but right now I am accepting job applications via email, so I was excited to try it out. I’ve received two so far, and both used multiple attachments for cover letter, resume, and references. In both cases, only one attachment made it into Dropbox. The recipe “ingredient” in IFTTT is “FirstAttachmentPrivateURL”, and there are no options other than “First…”.

    Of course, if you are asking people to send attachments, you could always specify to include just one file per email.

    1. Martin Brinkmann said on May 1, 2014 at 11:16 pm

      They could also pack multiple files into a single archive.

    2. Garrett Williams said on December 10, 2014 at 5:02 pm

      Because of this, I chose to have IFTTT just save all attachments instead of filtering to a specific sender or label. Multiple attachments worked just fine after that, though of course now I have various other attachments mixed in.
      I know this is an old comment, but it seems this solution should be mentioned.

      My main issue is that it doesn’t have the option of overwriting the old file, which puts a roadblock in my automation, as updated files must have a consistent name. Likely adding yet another online service to the mix to remedy that.

      @Martin: While a too-technical step for many people, asking for a zipped file might be a really nice test of computer literacy if hiring for a very technical job.

  4. Nathan Smith said on March 14, 2015 at 6:25 am

    “You can change the folder path where those files are transferred to however”

    Do you just change one or more?
    File URL
    File name
    Dropbox folder path

    My dropbox folder name for example is John Smith……………however the path to get there is John Work/Clients/Jane Client

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.