21. Install the Mailvelope add-on in Mozilla Firefox and use it to encrypt/decrypt emails

by Cover Tower - Updated March 14, 2021

The best method to encrypt/decrypt emails is to use Thunderbird. However, you can also use a Firefox add-on for the same purpose. The Mailvelope add-on lets you generate encryption key pairs and store them in your browser, so that you can encrypt/decrypt emails when you access your email accounts through the browser. It can encrypt/decrypt emails sent from/to the mail server that you have installed and from/to all major email providers. The Mailvelope add-on also has a Chrome version, but we don’t advise using it. If you value digital freedom and privacy you will use Firefox.

Mailvelope prevents the webmail client from saving a partial draft of your message before it is encrypted: you type the message in a separate Mailvelope window, detached from the webmail page, and only the encrypted text is transferred to the compose form.

To install the Mailvelope add-on in Firefox, go to the official Firefox add-ons website (https://addons.mozilla.org/en-US/firefox/extensions/), use the search box to search for Mailvelope and click on it when you find it. Then click ‘+ Add to Firefox’, then ‘Add’; in the ‘Mailvelope has been added to Firefox’ window, check ‘Allow this extension to run in Private Windows’ and click ‘Okay, Got It’.

We’ll describe how to use Mailvelope to encrypt email messages sent from an email account on your mail server (mail.example.com), to a mail.com email account and from a mail.com account to the email account on your server, but the procedure is similar for any other two email accounts.

Please note: to test the email encryption/decryption in good conditions, you should use two Firefox browsers installed on two distinct machines (physical or virtual machines). If you use the same Firefox browser to access both your Roundcube account and your mail.com account, when you encrypt a message you will be asked for the key password of the other account instead of the one you are logged in with. Since both email accounts are yours and you know both key passwords, this may not be a problem, but to test Mailvelope in real-world conditions you should use, as mentioned, two Firefox browsers installed on two different machines.

First click on the Mailvelope icon in the upper bar and then on the ‘Let’s start!’ button.

In the next screen, configure the add-on as follows:

– Click on the ‘Options’ tab > ‘Security’. Under ‘Remember passwords for this browser session’ select ‘No’, under ‘Where are decrypted messages displayed?’ select ‘In a separate Mailvelope popup.’, then click ‘Save’.

– Click on ‘General’ in the left panel. Under ‘Default Key’ uncheck ‘Always add my default key to the list of recipients.’, check ‘Would you like to sign all your emails?’, then click ‘Save’.

– Click on ‘Security Background’, choose an icon and a color for the Mailvelope popup window, then click ‘Save’.

– Go to ‘Authorized Domains’ > click ‘Add new entry’. In the ‘Site’ box enter mail.example.com (replace example.com with the main domain hosted on your server), in the ‘Domain pattern’ box enter *.mail.example.com, then click ‘OK’.

Next, authorize the mail.com domain: click ‘Add new entry’, in the ‘Site’ box enter mail.com and in the ‘Domain pattern’ box enter *.mail.com, like below:

Then click ‘OK’.

Next, click on the ‘Key Management’ tab, and click on ‘Generate Key’. The screen will look as follows:

Fill out the ‘Name’ field (the name of the person using the email account hosted on your server; you can enter the email address instead if it is obvious who uses that address, e.g. admin@example.com), the ‘Email’ field (the email address, e.g. admin@example.com), the ‘Password’ field (a password for the cryptographic key; you can enter the same password that you use to log in to the mail server as admin@example.com) and the ‘Re-enter Password’ field, uncheck the ‘Upload public key to Mailvelope Key Server’ option, then click the ‘Generate’ button.

Next, generate the key pair for your mail.com email account in a similar way: fill out the ‘Name’ field (the name of the person using the mail.com email account; you can enter the email address here, e.g. bill@mail.com), the ‘Email’ field (the mail.com email address, e.g. bill@mail.com), the ‘Password’ field (a password for the cryptographic key; you can enter the same password that you use to log in to the mail.com account) and the ‘Re-enter Password’ field, uncheck the ‘Upload public key to Mailvelope Key Server’ option, then click the ‘Generate’ button. Once generated, the keys can be seen under ‘Key Management’. Then restart the browser.

Please note that if you want to write an encrypted message to someone, they must have your public key imported in Mailvelope, and you must have their public key imported in Mailvelope. To exchange public keys with someone, first go to ‘Key Management’, click on the email account whose public key you want to send to your contact, then click on the ‘Export’ button in the upper right corner of the screen. A popup window will show up. Make sure that ‘Public’ is selected, then click ‘Save’ and ‘OK’ to save the public key to your computer. The public key will be saved as a file with a name of the form username@example.com_pub.asc. The next step is to attach this file to a regular email and send it to your contact. When you receive a similar file containing the public key of your contact, you will have to import it into Mailvelope. To do that, click again on ‘Key Management’, click on the ‘Import’ button located below the ‘Key Management’ header, then click on ‘Add file’, select the key file from your computer, click ‘Open’, then click ‘Import contacts’, then ‘Confirm’.
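The exported username@example.com_pub.asc file is an ASCII-armored OpenPGP public key block (RFC 4880). The following Python script is an added example, not part of this tutorial and not Mailvelope’s own code; it shows what such a file contains and how to check it before importing a key that arrived as a plain email attachment: it strips the armor, verifies the CRC-24 trailer, walks the packets, reads the user ID and computes the key’s v4 fingerprint. The key material is constructed (a fake RSA modulus), so the script runs offline with only the standard library; the names and the contents of the sample key are assumptions.

```python
"""Inspect an ASCII-armored OpenPGP public key file like the username@example.com_pub.asc
that Mailvelope exports: verify the armor CRC-24, list user IDs, compute the v4 fingerprint.
Added example (not Mailvelope code); the key below is CONSTRUCTED with a fake modulus."""
import base64, hashlib, re, struct

def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 over the decoded packet bytes (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def packet(tag: int, body: bytes) -> bytes:
    """New-format packet header (bodies up to 8383 bytes are enough for this example)."""
    n = len(body)
    length = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + length + body

def armor(data: bytes) -> str:
    """Wrap packet bytes in a PGP PUBLIC KEY BLOCK with the CRC-24 trailer."""
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "Comment: constructed example", ""]
                     + [b64[i:i + 76] for i in range(0, len(b64), 76)]
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----", ""])

def dearmor(text: str) -> bytes:
    """Strip armor and headers, check the CRC-24 trailer, return raw packet bytes."""
    text = text.replace("\r\n", "\n")
    m = re.search(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(.*?)-----END PGP PUBLIC KEY BLOCK-----", text, re.S)
    if not m:
        raise ValueError("not an armored public key block")
    body = m.group(1).split("\n\n", 1)[-1]          # armor headers end at the first blank line
    lines = [l.strip() for l in body.split("\n") if l.strip()]
    if not lines or not lines[-1].startswith("="):
        raise ValueError("missing CRC-24 trailer")
    data = base64.b64decode("".join(lines[:-1]))
    if crc24(data) != int.from_bytes(base64.b64decode(lines[-1][1:]), "big"):
        raise ValueError("CRC-24 mismatch: the key file is corrupt or truncated")
    return data

def packets(data: bytes):
    """Yield (tag, body) pairs; handles new-format and old-format packet headers."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if first & 0xC0 == 0xC0:                                   # new format, RFC 4880 4.2.2
            tag, l1 = first & 0x3F, data[pos + 1]
            if l1 < 192:
                length, pos = l1, pos + 2
            elif l1 < 224:
                length, pos = ((l1 - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif l1 == 255:
                length, pos = struct.unpack(">I", data[pos + 2:pos + 6])[0], pos + 6
            else:
                raise ValueError("partial body lengths not supported")
        elif first & 0x80:                                         # old format, RFC 4880 4.2.1
            tag, size = (first >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}.get(first & 3)
            if size is None:
                raise ValueError("indeterminate packet length not supported")
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), pos + 1 + size
        else:
            raise ValueError("malformed packet header")
        yield tag, data[pos:pos + length]
        pos += length

def inspect_key(text: str) -> dict:
    """Fingerprint, creation time, algorithm and user IDs of the primary key in the file."""
    info = {"fingerprint": None, "created": None, "algorithm": None, "user_ids": []}
    for tag, body in packets(dearmor(text)):
        if tag == 6 and info["fingerprint"] is None:               # primary public key packet
            if body[0] != 4:
                raise ValueError("only version 4 keys are handled")
            info["created"], info["algorithm"] = struct.unpack(">I", body[1:5])[0], body[5]
            # v4 fingerprint = SHA-1(0x99 || 2-byte body length || body), RFC 4880 12.2
            info["fingerprint"] = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
        elif tag == 13:                                            # user ID packet
            info["user_ids"].append(body.decode("utf-8"))
    if info["fingerprint"] is None:
        raise ValueError("no public key packet in file")
    return info

def looks_intact(text: str) -> bool:
    """True when the armor parses and its CRC-24 matches; this catches transport damage only."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False

# CONSTRUCTED sample: a fake 2048-bit RSA modulus and public exponent 65537, not a usable key.
FAKE_N = int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 8, "big") | (1 << 2047)
CREATED = 1615680000   # 2021-03-14 00:00:00 UTC
SAMPLE_KEY = armor(packet(6, b"\x04" + struct.pack(">I", CREATED) + b"\x01" + mpi(FAKE_N) + mpi(65537))
                   + packet(13, b"Bill <bill@mail.com>"))

if __name__ == "__main__":
    info = inspect_key(SAMPLE_KEY)
    print("fingerprint:", info["fingerprint"])
    print("user IDs:   ", info["user_ids"])
```

The CRC-24 only detects damage in transit (a truncated attachment, a mangled line); it says nothing about who made the key. Since the key file travels as an ordinary, unencrypted email attachment, the check that matters is to read the fingerprint this script prints to your contact over a different channel (phone, in person) and compare it with the fingerprint Mailvelope shows under ‘Key Management’ before you click ‘Confirm’.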

Now, when you log in to your mail.com account and click on ‘Compose E-mail’ to write a new message, you’ll see a small overlaid red button in the upper right corner of the new message window, like in this picture:

Before writing anything in the new message window, click on the red button. You will see a new popup window:

Write the entire content of the new email in the ‘Message’ text area, enter the recipient’s address in the ‘Recipient’ text box, then click ‘Encrypt’. Once you click on ‘Encrypt’, you’ll be asked to enter your email account’s key password: enter the password that you configured when you generated the key pair for the email address you are currently logged in with. Once you enter the key password, the encrypted message will be transferred to the new message window. Here you should enter the recipient’s email address and, if you want to, a subject (which will not be encrypted), then click ‘Send’ to send the encrypted email. The same steps should be followed if you want to send an encrypted email from your Roundcube account to your mail.com account.

When you receive an encrypted email, if you click on it, you will see the entire encrypted text of the message and the overlaid red button with the text ‘click to decrypt’, like below:

To decrypt the message first click on it, then when prompted ‘Please enter your key password to decrypt this message.’ enter the key password for the email account you are logged in with, then click ‘OK’. The decrypted message will appear in the Mailvelope popup window.

Please keep in mind that the recipient’s email address and the subject of an encrypted email are not encrypted, so if the content of the email is confidential, the subject shouldn’t be too closely related to the content of the message.

Currently, there are two Mailvelope-related bugs in Roundcube:

– if you use the ‘Elastic’ theme, in the new message window, you will see two red Mailvelope buttons instead of one. Also, if you want to send regular, unencrypted emails, you won’t be able to change the message text area of new messages from ‘Plain text’ to ‘HTML’.

– if you use the ‘Larry’ theme, you will see two red Mailvelope buttons in the upper right corner of the new message window. If you want to encrypt a message, you should click on the lower of the two red Mailvelope buttons.