Proton

How to create new encryption keys

Reading
3 mins
Category
Encryption and keys

By default, Proton Mail uses Elliptic Curve Cryptography (ECC) keys defined on Curve25519 to secure your emails. ECC is highly secure, fast, and compatible with almost all OpenPGP implementations.

If your account was created before 2021, you may still have RSA keys instead. To get the full benefits of ECC keys (for future sent and received emails), you can generate new keys.

Additionally, you may want to generate new keys if you believe that your existing keys have been compromised.

When interacting with certain legacy versions of OpenPGP implementations, you may need to create an RSA key (if you don’t already have one), which can be done locally, for example by running gpg --full-generate-key, and then importing the key into your Proton Mail account.

Learn more about importing OpenPGP keys into Proton Mail

In all cases, it is extremely important that you do not delete your old primary keys. If you do, you will lose the ability to decrypt all your existing emails. Please follow the instructions below closely.

How to create new keys

It is only possible to add new keys after you have created a Proton Mail account.

1. Log in to the web app at mail.proton.me(new window), click Settings → All settings → Encryption and keys → Email encryption keys → Generate key.

Button to generate a new encryption key(new window)

If generating a new key using the same encryption algorithm as an existing key, you will see the following warning.

Warning that generating new keys may slow down Proton Mail loading(new window)

You can generate up to 20 keys, but additional keys will slow down Proton Mail slightly. 

Click Continue if you wish to proceed (as a security precaution, you will be asked to sign in again). Click Close in the confirmation box. 

Note: The newly generated key will be set as your primary (default) key automatically. However you can change your primary key using the step below.

2. To change your primary key, return to the Encryption and keys settings page, click the dropdown menu in the Actions column next to the newly generated key and select Make primary.

Make primary key option(new window)

3. (optional) If you are creating a new key because you believe your old key might be compromised, or it is obsolete, expand the dropdown menu in the Actions column next to your old key and select Mark obsolete or Mark compromised.

However, even if they are compromised, do not delete your old keys. These are still needed to open emails that were encrypted using them.

Options to mark keys as obsolete or compromised(new window)

Didn’t find what you were looking for?

Get help
General contactcontact@proton.me
Media contactmedia@proton.me
Legal contactlegal@proton.me
Partnerships contactpartners@proton.me