ProtonBlog

Introducing Proton Mail Contacts — the world’s first encrypted contacts manager

June 2022: This post has been updated to better reflect how Proton’s encrypted contacts manager works in 2022. 

Today we’re launching a new contacts manager, the first one in the world that includes both zero access encryption and digital signature verification.

Starting with Version 3.12 of Proton Mail, we have rolled out a brand new version of Contacts for Proton Mail. The new Proton Mail Contacts was in development for over a year and is an essential next step in our broader security road map.

In addition to adding a much more powerful contacts functionality to Proton Mail, our new contacts manager provides the world’s first tool for securely managing your contacts.

What is an encrypted contacts manager?

Proton Mail’s contacts manager is not a stand-alone app. It is instead built into our other products (notably Proton Mail(new window) and Proton Calendar(new window)) so that you can easily access your contacts when performing a task. For example, when writing an email or inviting someone to an event.

The name and address fields are not encrypted (although they are digitally signed – see below). This is so that we can actually send and receive the emails. Everything else is fully end-to-end encrypted to ensure that only you can read the contact details. 

Learn more about how encrypted email works(new window)

In our encrypted contacts manager, contact details protected by end-to-end encryption are shown with a lock icon when you edit a contact.

Encrypted contact feilds

End-to-end encrypted contact fields brings many security benefits. For example, if you are a journalist with a confidential source, it is very important to protect the phone number or address of that source.

Using the notes field in contacts, you can also add other information about the contact that will be protected with end-to-end encryption. 

In order to do email filtering, we do not encrypt email addresses – doing so also does not significantly improve privacy because as an email service, we necessarily must know who you are emailing in order to deliver the message.

Digitally Signed Contacts

The new Proton Contacts does more than just protect contact data fields with end-to-end encryption. We also use digital signatures to verify the integrity of contacts data. Digital signatures are used for all contact fields, including the email address itself.

The concept of digital signatures is technically complex. But in simple terms, what digital signature verification does is provide a cryptographic guarantee that nobody (not even Proton Mail) has tampered with your contacts. Thus, you can be absolutely sure that the contacts data is precisely what you entered.

Learn more about digital signatures

This is a big security benefit for many reasons. For example, if an attacker wanted to intercept the communications between you and a sensitive contact, one way to do it could be to secretly change the email address or phone number you have saved for that contact, For example, changing john.smith@proton.me to john.snnith@proton.me, which might escape your notice. 

However, because Proton Contacts are now digitally signed, any attempt to tamper with your contacts will result in the following error message being displayed.

Verification failed message

How does it work?

For those who are technically inclined, this section discusses how Proton Mail’s encrypted contacts manager is implemented. For each email account, we generate a new private and public key pair that is used exclusively for encrypting contacts.

The private key is generated on the client side and encrypted using a derivative of your password which we don’t have access to, meaning that we can never access your contacts private key. 

Encrypted contact fields are encrypted with your contacts public key and therefore can only be decrypted with the corresponding private key which only you have access to. 

Decryption failure message

If you change your account password, Proton will not be able to decrypt your contact details. You can, however, reactivate your encryption keys(new window) to gain access to your contacts

Digital signing is done by signing the data with your private key which allows the authenticity of the data to be conclusively verified on each subsequent data access. For full implementation details, it is possible to check out our source code(new window).

Always improving

The immediate security benefits of encrypted and digitally signed contacts are quite obvious. However, since its release in 2018, we have worked hard to improve our contacts manager with new features and security enhancements. 

For example, our contacts manager can now store public keys, which is an essential component for both sending PGP messages to people who don’t use Proton Mail; verifying the integrity of the keys themselves, and verifying the authenticity of received messages via digital signatures. 

We have also rolled out the encrypted contacts manager to our iOS and Android encrypted email apps, where you can easily import your phone contacts into Proton Mail. Please note that doing this gives Proton access to your contact names and email addresses.

On our road map is contact synchronization between your mobile device and the rest of the Proton ecosystem. 

You can read the encrypted contacts press release here(new window).

You can get a free secure email account from Proton Mail here(new window).

We also provide a free VPN service(new window) to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(new window). Thank you for your support!

Secure your emails, protect your privacy
Get Proton Mail free

Related articles

Email threads are so ubiquitous you might not realize what they are. An email thread is basically a series of related emails grouped together.  This article will tell you everything you need to know about what exactly an email thread is and when you
Identity theft is a major sector of criminal activity. About 24 million people fell victim in the United States alone in 2021, costing them over $16 billion. Credit card fraud is the most common type, but criminals target all kinds of personal data.
Google is one of the biggest obstacles to privacy. The Big Tech giant may offer quick access to information online, but it also controls vast amounts of your personal or business data. Recently, more people are becoming aware of the actual price you
What to do if someone steals your Social Security number
If you’re a United States citizen or permanent resident, you have a Social Security number (SSN). This number is the linchpin of much of your existence, linked to everything from your tax records to your credit cards. Theft is a massive problem, whic
compromised passwords
Compromised passwords are a common issue and probably one of the biggest cybersecurity threats for regular people. How do passwords get compromised, and is there anything you can do to prevent it? * What does compromised password mean? * How do pa
Is WeTransfer safe?
  • Privacy basics
WeTransfer is a popular service used by millions worldwide to send large files. You may have wondered if it’s safe or whether you should use it to share sensitive files. We answer these questions below and present a WeTransfer alternative that may su