By default, Proton Mail uses ECC Curve25519 keys to secure your emails. These use elliptic curve cryptography and are highly secure, fast, and compatible with almost all other PGP implementations.
Notable exceptions include versions of GnuPG earlier than 2.1 and PGP-encrypted Facebook notifications, both of which require an RSA key to work correctly.
Once your account is created, it is possible to change your primary keys to RSA 4096-bit or to generate new ECC Curve25519 keys and set them to be your primary keys. RSA-4096 keys are slower than ECC Curve25519 keys, but they are secure and offer greater compatibility with legacy software.
Changing your primary key is recommended if you are concerned that your keys may have become compromised in some way. Changing to an RSA key may also help solve compatibility issues with legacy software.
It is extremely important that you do not delete your old primary keys. If you do, you will lose the ability to decrypt all your existing emails. Please follow the instructions here closely.
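To check whether the GnuPG exception noted above applies to a machine you use, the following added example (not Proton's code; the function names and the `rsa`/`curve25519` output labels are assumptions of this example) reads the `gpg --version` banner and reports whether the installed version is earlier than 2.1 and therefore needs an RSA key.

```shell
#!/bin/sh
# Added example: pick a key type based on the locally installed GnuPG version.
# The 2.1 threshold is the one stated on this page; everything else is illustrative.

# Read `gpg --version` output on stdin and print the version number from its
# first line, e.g. "gpg (GnuPG) 2.0.22" -> "2.0.22". Prints nothing if no match.
gpg_version_from_banner() {
    sed -n '1s/^gpg (GnuPG[^)]*) \([0-9][0-9.]*\).*$/\1/p'
}

# Print "rsa" if version $1 is earlier than 2.1, otherwise "curve25519".
# Prints "unknown" and returns 1 if $1 is not a MAJOR.MINOR[...] version.
recommended_key_type() {
    case "$1" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 1 ;;
    esac
    major=${1%%.*}      # text before the first dot
    rest=${1#*.}        # text after the first dot
    minor=${rest%%.*}   # text up to the next dot, if any
    case "$major$minor" in
        *[!0-9]*) echo unknown; return 1 ;;
    esac
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 1 ]; }; then
        echo rsa
    else
        echo curve25519
    fi
}

# Report on the gpg binary found on PATH, if there is one.
check_local_gpg() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not found on PATH"
        return 0
    fi
    v=$(gpg --version 2>/dev/null | gpg_version_from_banner)
    echo "GnuPG ${v:-?}: $(recommended_key_type "$v")"
}

check_local_gpg
```

A result of `rsa` means the correspondent using that machine can only work with an RSA key.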
How to create new keys
It is only possible to add new keys after you have created a Proton Mail account.
1. Log in to the web app at mail.proton.me, click Settings → Go to settings → Encryption and keys → Email encryption keys → Generate key.
2. Select the encryption scheme you prefer for your new key and click Continue.
If generating a new key using the same encryption algorithm as an existing key, you will see the following warning.
You can generate up to 20 keys, but additional keys slow down the loading process. This is because all emails encrypted by those keys must be decrypted separately.
Click Continue if you wish to proceed (as a security precaution, you will be asked to sign in again). Click Close in the confirmation box.
4. To make the new key your primary key, back on the Encryption and keys settings page, click the dropdown menu in the Actions column next to the newly generated key and select Make primary.
5. (optional) If you are creating a new key because you believe your old key might be compromised, or it is obsolete, expand the dropdown menu in the Actions column next to your old key and select Mark obsolete or Mark compromised.
However, do not delete your old keys. These are still needed to open emails that were encrypted using them.