With mailbox.org, users can choose to have both their outgoing and their incoming e-mails encrypted automatically using a PGP key. That means access to the messages in your inbox is only possible with your private PGP key and the corresponding password.
How to enable mailbox encryption
In order to make sure your messages can be decrypted online, it is necessary to set up the mailbox.org Guard and enable the automatic encryption of incoming e-mail first. The key and the settings you make here will work for both your “Inbox” as well as your “Sent items” folder.
Figure 1: Activating your encrypted Mailbox
In the mailbox.org Office, click on the cogwheel symbol in the upper right corner (1) to access the settings pages.
Click on the menu item "Email | Inbox encryption" (2).
You need to insert your PGP public key (as plain ASCII text) into the large form field (3) on this page. We will explain how to do this in the next section.
Enable the checkbox "Activate PGP encryption for incoming e-mails" (4).
Should you encounter any error messages, please clear the field and try again to copy and insert the entire key. It is easy to make a mistake in the process, so always check first if the public key was inserted correctly.
No further action is required. From now on, all incoming and outgoing messages will be encrypted automatically, although the messages that already exist will not be affected.
Where can I obtain my PGP key?
When mailbox.org Guard gets enabled, a pair of PGP keys will be created for you, and the public key part can be downloaded as follows:
Figure 2: How to use an encrypted inbox with existing keys
In the mailbox.org menu, select "Security | mailbox.org Guard" (5).
Scroll down to the bottom of the page and click on the button "Your keys" (6).
A pop-up window with your key list will appear. Select the key that you want to use and click on the corresponding icon in the "Download" column (7).
Another pop-up window will open. Click on the button "Download PGP Public Key" (8) to save the public.asc key file.
Finally, click on the "Close" button (9) and then again on "Done" (10) (see Figure 2).
Figure 3: Downloading your PGP public key
The public key file you downloaded earlier can normally be found in the download directory set up for your browser. Open the public.asc file in Notepad or any other text-based editor and copy the entire contents including both the first line "-----BEGIN PGP PUBLIC KEY BLOCK-----" and the last line "-----END PGP PUBLIC KEY BLOCK-----" and paste it into the public key form field (4) from Figure 1.
Finally, tick the checkbox (3) labelled "Activate PGP encryption for incoming e-mails". Figure 4 shows a file manager and editor with context menu in Linux:
Figure 4: Using a public key downloaded from mailbox.org in your file manager and an editor
In the background, a so-called sieve e-mail filter on our mail server takes care of the encryption: Once the encrypted mailbox is enabled, a filter rule will be created, which can also be inspected under "Settings | Email | Filter Rules". For the time being, the sender, recipient and subject line of the message remain unencrypted because unfortunately, there is currently no way (yet) to encrypt these parts of a message. Please note that any further filtering rules applying to your e-mails must be appended below the rule that is responsible for encrypting your mailbox. The description "This rule contains unsupported properties" exists for technical reasons and can be ignored - it has no effect on the functionality of the rule.
Figure 5: E-Mail filter rules
The filter rules will be applied to all new incoming mail (but not any mail that has already arrived). If you are running into problems, it may be a good idea to start over with a fresh mailbox.org test account.
How to use existing PGP keys with mailbox.org
It is possible to upload existing PGP keys to the key list (7) for use with encrypted mailboxes. For example, this could be a pair of keys previously created by using the Open PGP key management function in an e-mail client like Mozilla Thunderbird. In order for mailbox encryption to work, it is necessary to upload both your public and private keys. To do this, click on the plus symbol in figure 2 and then on "Upload private key" (11) and "Upload public key only" (12). Guard will prompt you to enter your current private key password and ask you create a new password (see below).
Figure 6: Uploading your own keys
It's complicated: Multiple keys
Although mailbox.org and Guard can handle multiple keys, special care must be taken when using them at the same time, things can get very confusing. That's why mailbox.org recommends using the same key for email and inbox encryption.
How often do I need to enter the password?
Visit the mailbox.org security settings ("Security | mailbox.org Guard") to configure for how long Guard will remember your passwords. Use the drop-down menu "Remember password default settings" (13) to select one of the following options: "Always ask", "10 minutes", "20 minutes ", "30 minutes ", "60 minutes ", "120 minutes" or "Once per session".
Figure 7: Setting the timeout for the Guard password cache
Once the encrypted mailbox has been enabled, the default behaviour of the system will be to ask you to enter your private PGP key password every time you want to open an encrypted e-mail for the first time within a session. Use the drop-down menu labelled " Remember password default" to set how long mailbox.org will remember your password before you need to enter it again. When selecting the option "Session", this will have the effect that the PGP password needs to be entered only once after logging in and will be remembered until you log out.
Figure 8: Setting the timeout in the e-mail editor
How to use the encrypted mailbox on other devices
In order to use the encrypted mailbox with an e-mail client on your PC or on a mobile device you need to download your key pair from the web interface. Click on the button "Download Public and Private Key" to do so (see figure above). Additional programs will normally be required to perform the next steps, for example "OpenKeychain" for Google Android, or the Open-PGP key management utility for the Mozilla Thunderbird client (Find more guidance here). Make sure you import your key pair into the chosen program.
When saving your private keys onto another device, always make sure you can trust the software, device, and operating system for encryption purposes. If your private key gets stolen, an attacker may be able to decrypt all your messages or send fake e-mails in your name to other people. They may also use the key to compromise other devices that would normally be considered secure.
Since there is a large spectrum of devices and software products, mailbox.org is unfortunately unable to provide support for third-party clients and devices. Please contact the respective vendor for support.