How to check encryption status using lock icons
All messages in Proton Mail are labeled with a lock icon that tells you their encryption status. In this article, we explain what they mean.
A lock icon is shown next to every email in your inbox and custom folders(nowe okno).
The encryption status of sent and received emails shows you how the message was encrypted when it was sent and can’t be changed.
Lock icons are also shown in the Composer window and may change depending on how the email is sent. For example, if you set a password for your message using our Encrypt for non-Proton Mail recipients(nowe okno) feature, the lock will change from Black (or Green (open) if a PGP signature is attached) to Blue.
What the lock icons mean
The main indicator of a message’s encryption status is the color of the lock icon. Additional information is provided by a small symbol inside the lock. Please note that encryption only applies to message contents and attachments. Message headers and metadata are not encrypted so that Proton Mail can be interoperable with PGP.
Black lock
A black lock means that a message is stored with zero-access encryption(nowe okno). This means nobody other than you can read this email in your mailbox. Not even Proton Mail can decrypt this message. However, a copy of this email may be stored insecurely on the sender or recipient’s email server.
(nowe okno) | Plain — Message stored on Proton Mail’s servers using zero-access encryption |
Blue lock
You will see a blue lock on emails sent between Proton Mail email addresses. These messages are stored with zero-access encryption, but they also feature automatic end-to-end encryption(nowe okno) (E2EE) for an extra layer of security.
This means the messages have been encrypted by the sender on their device and can only be decrypted by the intended recipient on their device. No one else, including Proton Mail, can access E2EE messages.
(nowe okno) | Plain — End-to-end encrypted message |
(nowe okno) | Checkmark — End-to-end encrypted message with verified recipient/sender. This lock is used for the contacts for whom you enabled the optional Address Verification feature. Address verification and end-to-end encryption allow for a much higher level of security than just E2EE alone. |
(nowe okno) | Warning — This lock can appear if you enabled the optional Address Verification feature. It means the message could not be verified using the sender’s trusted key. If you see this warning, you may wish to contact the sender to confirm the authenticity of the message. It can also mean that the contact’s key or signature is insecure. In this case, please ask them to update their key or software. To find out more specific information about the problem, hover your mouse pointer over the lock icon to see a tooltip. |
Here are some examples of things that could cause a warning to be shown:
- The use of an insecure key (for example, an RSA-1024 key or a key authenticated using SHA1)
- The sender changed their key and signed the email with a new key that you haven’t trusted yet
- You reset your password, and the contact signature (containing the trusted key) couldn’t be verified
Green lock (closed)
Proton Mail is interoperable with PGP, allowing you to send and receive E2EE emails with people who don’t use Proton Mail. Messages to people who have correctly set up PGP will be end-to-end encrypted and show a closed green lock. This includes people using WKD keys(nowe okno).
Learn how to use PGP with Proton Mail(nowe okno)
(nowe okno) | Plain – PGP end-to-end encrypted message |
(nowe okno) | Pencil — PGP end-to-end encrypted and signed message. A PGP signature guarantees that the sender is genuine and that the message hasn’t been tampered with. |
(nowe okno) | Checkmark — PGP end-to-end encrypted message with verified recipient/sender. This is the most secure way to email someone who doesn’t use Proton Mail. |
(nowe okno) |
Warning — PGP end-to-end encrypted message, but the sender’s email or key couldn’t be verified. If you see this warning, you may wish to contact the sender to confirm the authenticity of the message.
|
Green lock (open)
An open green lock shows that a message is not end-to-end encrypted using PGP, but has been digitally signed with a PGP signature. These emails, like all emails, are stored on our servers using zero-access encryption.
Pencil — PGP-signed message. A PGP signature guarantees that the sender is genuine and that the message hasn’t been tampered with. | |
(nowe okno) | Checkmark — PGP-signed message from a verified sender |
(nowe okno) | Warning — PGP-signed message, but the message could not be verified using the sender’s trusted key. If you see this warning, you may wish to contact the sender to confirm the authenticity of the message. It can also mean that the contact’s key or signature is insecure. In this case, please ask them to update their key or software. To find out more specific information about the problem, hover your mouse pointer over the lock icon to see a tooltip. |