How to create new encryption keys


By default, Proton Mail uses ECC Curve25519 keys to secure your emails. These use elliptic curve cryptography and are highly secure, fast, and compatible with almost all other PGP implementations.

Notable exceptions include versions of GnuPG earlier than 2.1 and PGP-encrypted Facebook notifications, both of which require an RSA key to work correctly.

Learn more about using Proton Mail with Facebook PGP emails

Once your account is created, it is possible to change your primary keys to RSA 4096-bit or to generate new ECC Curve25519 keys and set them to be your primary keys. RSA-4096 keys are slower than ECC Curve25519 keys, but they are secure and offer greater compatibility with legacy software.

Changing your primary key is recommended if you are concerned that your keys may have become compromised in some way. Changing to an RSA key may also help solve compatibility issues with legacy software. 

It is extremely important that you do not delete your old primary keys. If you do, you will lose the ability to decrypt all your existing emails. Please follow the instructions here closely.

How to create new keys

It is only possible to add new keys after you have created a Proton Mail account.

1. Log in to the web app, then click Settings → All settings → Encryption and keys → Email encryption keys → Generate key.

2. Select the encryption scheme you prefer for your new key and click Continue.

If generating a new key using the same encryption algorithm as an existing key, you will see the following warning.

You can generate up to 20 keys, but additional keys slow down the loading process. This is because all emails encrypted by those keys must be decrypted separately. 

3. Click Continue if you wish to proceed (as a security precaution, you will be asked to sign in again). Click Close in the confirmation box.

Note: The newly generated key will be set as your default key automatically. However, you can change your primary key using the step below.

4. To change your primary key, return to the Encryption and keys settings page, click the dropdown menu in the Actions column next to the newly generated key and select Make primary.


5. (optional) If you are creating a new key because you believe your old key might be compromised, or it is obsolete, expand the dropdown menu in the Actions column next to your old key and select Mark obsolete or Mark compromised.

However, do not delete your old keys. These are still needed to open emails that were encrypted using them.

