Your encrypted mailbox

With mailbox.org, users have the option to automatically encrypt both outgoing and incoming emails using a PGP key. This ensures that access to messages in one's inbox is only achievable with the corresponding private PGP key and password.

How to enable mailbox encryption

To ensure that your messages can be decrypted online, you must first configure the mailbox.org Guard and enable automatic encryption for incoming emails. The key and settings you establish here will apply to both your "Inbox" and "Sent Items" folders.

Figure 1: Activating your encrypted Mailbox

  • In the mailbox.org Office, click on the cogwheel symbol in the upper right corner (1) to access the settings pages.
  • Click on the menu item "Email | Inbox encryption" (2).
  • You need to insert your PGP public key (as plain ASCII text) into the large form field (3) on this page. We will explain how to do this in the next section.
  • Enable the checkbox "Activate PGP encryption for incoming e-mails" (4).

Should you encounter any error messages, please clear the field and try again to copy and insert the entire key. It is easy to make a mistake in the process, so always check first if the public key was inserted correctly.

No further action is required. From now on, all incoming and outgoing messages will be encrypted automatically, although the messages that already exist will not be affected.

Where can I obtain my PGP key?

When mailbox.org Guard is enabled, a pair of PGP keys is created for you. The public key can be downloaded by following these steps:

Figure 2: How to use an encrypted inbox with existing keys

  • In the mailbox.org menu, select "Security | mailbox.org Guard" (5).
  • Scroll down to the bottom of the page and click on the button "Your keys" (6).
  • A pop-up window with your key list will appear. Select the key that you want to use and click on the corresponding icon in the "Download" column (7).
  • Another pop-up window will open. Click on the button "Download PGP Public Key" (8) to save the public.asc key file.
  • Finally, click on the "Close" button (9) and then again on "Done" (10) (see Figure 2).

Figure 3: Downloading your PGP public key

The public key file you downloaded earlier can usually be found in the pre-configured download directory of your browser. Open the public.asc file in any text editor, copy the entire contents, including both the first line "-----BEGIN PGP PUBLIC KEY BLOCK-----" and the last line "-----END PGP PUBLIC KEY BLOCK-----", and paste it into the public key form field (4) from Figure 1.

Finally, tick the checkbox (3) labelled "Activate PGP encryption for incoming e-mails". Figure 4 shows a file manager and editor with context menu in Linux:

Figure 4: Using a public key downloaded from mailbox.org in your file manager and an editor
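
An added example (not mailbox.org's own code) of checking the copied block before pasting it into the form field: it verifies the first and last lines, the base64 body, the armor checksum when one is present, and that the block is a public key rather than a private one. The function names and the sample block are constructed for illustration.

```python
import base64
import binascii

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """CRC-24 of the OpenPGP armor format (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def check_armor(text: str) -> str:
    """Return "ok" or the reason the copied block should not be pasted."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines and "PRIVATE KEY BLOCK" in lines[0]:
        return "private key block: never paste this into the form"
    if not lines or lines[0] != BEGIN:
        return "first line (BEGIN) missing or altered"
    if lines[-1] != END:
        return "last line (END) missing or altered"
    body = lines[1:-1]
    if "" in body:  # armor headers such as "Comment:" end at a blank line
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None  # optional
    try:
        data = base64.b64decode("".join(body), validate=True)
        if crc_line is not None:
            stored = base64.b64decode(crc_line[1:], validate=True)
            if crc24(data) != int.from_bytes(stored, "big"):
                return "checksum mismatch: part of the key is missing or changed"
    except (binascii.Error, ValueError):
        return "body is not valid base64: characters were lost or added"
    first = data[0] if data else 0
    tag = first & 0x3F if first & 0x40 else (first & 0x3C) >> 2  # 6 = public key
    return "ok" if first & 0x80 and tag == 6 else "no public-key packet found"

def make_sample() -> str:
    """Constructed sample, not a usable key: armor around a dummy tag-6 packet."""
    packet = b"\x99\x00\x40\x04" + bytes(range(63))
    b64 = base64.b64encode(packet).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *rows, "=" + crc, END])
```

Run `check_armor(open("public.asc").read())` on the downloaded file, or on the text as copied, and paste only when it returns "ok".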

The technology

In the background, a so-called Sieve e-mail filter on our mail server takes care of the encryption. Once the encrypted mailbox is enabled, a filter rule is created, which can be inspected under "Settings | Email | Filter Rules". For the time being, the sender, recipient and subject line of the message remain unencrypted because there is currently no way to encrypt these parts of a message. Please note that any further filter rules applying to your e-mails must be placed below the rule that is responsible for encrypting your mailbox. The description "This rule contains unsupported properties" exists for technical reasons and can be ignored; it has no effect on the functionality of the rule.

Figure 5: E-Mail filter rules

The filter rules will be applied to all new incoming mail (but not any mail that has already arrived). If you are running into problems, it may be a good idea to start over with a fresh mailbox.org test account.

How to use existing PGP keys with mailbox.org

It is possible to upload existing PGP keys to the key list (7) for use with encrypted mailboxes. For example, this could be a pair of keys previously created with the OpenPGP key management function in an e-mail client like Mozilla Thunderbird. In order for mailbox encryption to work, it is necessary to upload both your public and private keys. To do this, click on the plus symbol in Figure 2 and then on "Upload private key" (11) and "Upload public key only" (12). Guard will prompt you to enter your current private key password and ask you to create a new password (see below).

Figure 6: Uploading your own keys

It's complicated: Multiple keys

Although mailbox.org and Guard can handle multiple keys, special care must be taken when using them at the same time, because things can get very confusing. That's why mailbox.org recommends using the same key for email and inbox encryption.

Expired PGP Keys

If your PGP key has become invalid (expired), please delete it from "Settings | E-Mail | Inbox Encryption". Additionally, please uncheck the box "Activate PGP encryption for incoming e-mails". Finally, please delete the rule for "Your encrypted mailbox" under "Filter rules". If you now import a new or extended PGP key, everything will work smoothly.

How often do I need to enter the password?

Visit the mailbox.org security settings ("Security | Guard") to configure the session runtime (how long the Guard will remember your passwords). Use the drop-down menu "Remember password default settings" (13) to select one of the following options: "Always ask", "10 minutes", "20 minutes", "30 minutes", "60 minutes", "120 minutes" or "Once per session".

Figure 7: Setting the timeout for the Guard password cache

Once the encrypted mailbox has been enabled, the default behaviour of the system will be to ask you to enter your private PGP key password every time you want to open an encrypted e-mail for the first time within a session. Use the drop-down menu labelled "Remember password default" to set how long mailbox.org will remember your password before you need to enter it again. If you select the option "Session", the PGP password needs to be entered only once after logging in and will be remembered until you log out.

Figure 8: Setting the timeout in the e-mail editor

How to use the encrypted mailbox on other devices

In order to use the encrypted mailbox with an e-mail client on your PC or on a mobile device, you need to download your key pair from the web interface. Click on the button "Download Public and Private Key" to do so (see figure above). Additional programs will normally be required to perform the next steps, for example "OpenKeychain" for Google Android, or the OpenPGP key management utility for the Mozilla Thunderbird client (find more guidance here). Make sure you import your key pair into the chosen program.

When saving your private keys onto another device, always make sure you can trust the software, device, and operating system for encryption purposes. If your private key gets stolen, an attacker may be able to decrypt all your messages or send fake e-mails in your name to other people. They may also use the key to compromise other devices that would normally be considered secure.

Since there is a large spectrum of devices and software products, mailbox.org is unfortunately unable to provide support for third-party clients and devices. Please contact the respective vendor for support.