Using Proton Mail to encrypt e‑mails to external OpenPGP users

October, 2022

This text should be considered a condensed "how-to" for web‑mail users who are either current Proton Mail subscribers or are prepared to create a free Proton Mail account in order to communicate with the general population of e‑mail users who use OpenPGP to protect their e‑mail.

There is currently only one secure method of electronic communication that is both widely used and at the same time well within the technical capability of an average computer user to set up and operate: "public key" [1] OpenPGP e‑mail, used via a POP/POP3 client application on an endpoint computer that is under the e‑mail user's exclusive administrative control. In this "use mode", neither the decryption keys nor the plain-text message contents are ever stored on any third-party service provider's computer. In addition to being perfectly secure against mass electronic communication surveillance, OpenPGP, when used with discipline and only a modicum of skill, will also protect the message content from many - if not all - targeted "over-the-network" attacks, even when those originate from large, technically competent adversaries.

OpenPGP e‑mail encryption assumes, by design, e‑mail use in POP/POP3 [2] mode. There are, however, e‑mail correspondents who are either unable or unwilling to migrate from web‑mail to POP e‑mail. In this instance, it might still be possible to encrypt the e‑mail content, but at a somewhat reduced level of security that both communicating parties must be prepared to accept.

Among all web‑mail service providers, there appears to be only one that offers practical inter‑operability between its encrypted web‑mail service users and the general population of POP e‑mail users that encrypt their e‑mail traffic using OpenPGP: Proton Mail.

Proton Mail has a free tier web‑mail service which offers, among other things, a generous 1 GB storage quota and a competently constructed web-browser interface that (and this is important!) does not require any browser "plug-ins". For those who insist on using e‑mail on mobile telephones it offers both iOS and Android e‑mail client "apps", where the Android version is also available directly from Proton Mail, thus not requiring Google registration of the mobile device user.

Creating and configuring your Proton Mail account

If you are already a Proton Mail user, just review the configuration details that follow; otherwise visit the Proton Mail website and click on [Create a free account].

When registering the account, do not choose a username that is in any way associated with your "real-life" identity, and never include your correspondents' "real-life" names in contact lists: most mail applications make it difficult to keep such information out of the un-encrypted message "headers". (Note that in many instances, an adversary is just as interested in the identity of the correspondents as he is in the content of the encrypted messages.)

In the process of account creation, Proton Mail requires either a telephone number or an e-mail address that can be used for "account recovery". Since confirmation of that recovery item is required to increase the storage quota, a valid e-mail address protected by a redirection service such as Spamgourmet (https://www.spamgourmet.com/) or AnonAddy (https://anonaddy.com/) is strongly suggested.

As of this writing (2022/Q4), Proton Mail offers 1 GB (double the "normal" mail storage quota for "free" accounts) to new users who immediately start sending and receiving messages, install and activate the app on a mobile device, and import a contact list [3] into their user profile. This offer is well worth taking (with the caveat in footnote 3 below on importing contact lists).

The Proton Mail website includes a "how-to" page on using the service to communicate with external e-mail users who use OpenPGP to encrypt e‑mail. Review it before you continue reading this text - the rest of which outlines just two items that should be done differently than suggested on that page. They are:

Disable sending HTML-formatted mail: in the browser window connected to the e-mail service on the Proton Mail server, click on Settings (the icon in the top row) and in the drop-down menu choose "Go to settings". On the settings edit page that opens, select "Messages and composing" and in the "Composing" section, under "Composer mode", change the selection from "Normal" to "Plain text". (HTML formatting of e-mail message content - which is what the Normal default setting entails - is a poor practice that should generally be avoided - and it should never be used for encrypted e‑mails.)

Change signing/attaching defaults and key type: on the same settings edit page, select "Encryption and keys". Turn off "Sign external messages" and also turn off "Attach public key". (Both of these actions should be performed only when there is a specific reason to do so; they should not be done by default for all outgoing messages.) If your external correspondent has asked you to do it, change "Default PGP scheme" from PGP/Mime to PGP/Inline.

Under "Email encryption keys" select "Generate Key", and choose the RSA 4096-bit key (and not the ECC Curve25519 key!). (Elliptic Curve (ECC) crypto algorithms have not yet been in use long enough to have received the same amount of cryptanalysis as has been the case with integer factoring (RSA) algorithms. They are promoted by operators of servers that perform the high volume of encryption/decryption operations required by various Internet protocols. In such instances their higher speed is an advantage that might (or might not) justify the risk of their potential weaknesses. In contrast, in e‑mail use, where the encryption and decryption are performed on an end‑user's computer, that speed "advantage" has no measurable benefit.) When the new key (more precisely, the new private/public key-pair) has been generated, ensure (via the "Actions" button) that the new RSA key is marked "Primary" and "Active", and that the default, system-generated ECC key is marked "Obsolete".

Once the above two steps are completed, the only thing remaining to do is to send the external OpenPGP e‑mail user your public key. There are two methods to do this: the first (and simpler) one is to click on "More options" (the ••• icon in the bottom row of the new message composition panel) and select "Attach public key" before sending the message. Alternatively, you might choose to use the "Export" function (under "Actions") to export your public key and save it in a file on your computer, to pass it on to a number of correspondents using any method you normally use to share computer files (for instance, .jpg photographs) with others - if they are OpenPGP e‑mail users, they will know what to do with such a file in order to make it available to whatever e‑mail "client application" they are using.

Your correspondent should likewise send you his or her public key as an e-mail attachment. When a message from an external correspondent with a public key attached is received by Proton Mail, the web interface will offer to import the key into your profile, and will then automatically encrypt all messages sent from your Proton Mail address to external addresses that have a public key stored in your profile.

At the time of this writing (2022/Q4) Proton Mail provides an undocumented method of fetching the public key of any subscriber whose e‑mail address is known, through a properly formatted HTTPS lookup request to Proton Mail's API server. As an example, for the Proton Mail address "john.doe@proton.me" the following URL: "https://api.protonmail.ch/pks/lookup?op=get&search=john.doe@proton.me" can be used in a browser to download the public key of "john.doe@proton.me". The advantage of this method is that it makes possible the bootstrapping of encrypted e‑mail with a user who has limited understanding of e‑mail encryption and needs to do nothing except sign up for a free and anonymous Proton Mail account and tell the external correspondent what his chosen user name is.
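As an added example (not code from this text or from Proton Mail; assumes Python 3 and the standard library only): build the lookup URL for a given address and, once the key block has been downloaded and saved, check that what was fetched is a v4 RSA 4096 public key rather than the default ECC key the text says to mark "Obsolete". The key block used below is constructed in the code with a placeholder modulus, so the check runs offline; feed the text of a real downloaded block to is_rsa4096 in the same way.

```python
import base64
from urllib.parse import quote

ALGOS = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}  # OpenPGP public-key algorithm ids

def lookup_url(address: str) -> str:  # the URL described in the text, address URL-encoded ('@' kept)
    return "https://api.protonmail.ch/pks/lookup?op=get&search=" + quote(address, safe="@")
def crc24(data: bytes) -> int:  # OpenPGP armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF
def dearmor(text: str) -> bytes:  # strip armor, decode, verify the CRC-24 trailer if present
    lines = [line.strip() for line in text.strip().splitlines()]
    assert lines[0] == "-----BEGIN PGP PUBLIC KEY BLOCK-----", "not a public key block"
    body = lines[lines.index("") + 1:-1]  # skip armor headers up to the blank line
    expected = int.from_bytes(base64.b64decode(body.pop()[1:]), "big") if body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    assert expected is None or crc24(data) == expected, "armor checksum mismatch"
    return data
def key_info(data: bytes) -> dict:  # first packet must be a v4 Public-Key packet (tag 6)
    ctb = data[0]
    assert ctb & 0x80, "not an OpenPGP packet"
    if ctb & 0x40:  # new-format header: tag in the low 6 bits, 1/2/5-byte length field
        tag, off = ctb & 0x3F, 2 if data[1] < 192 else 3 if data[1] < 224 else 6
    else:  # old-format header: tag in bits 2-5, length field size from the low 2 bits
        tag, off = (ctb >> 2) & 0x0F, 1 + (1, 2, 4, 0)[ctb & 0x03]
    assert tag == 6 and data[off] == 4, "first packet is not a v4 public key"
    algo = data[off + 5]  # follows the version byte and the 4-byte creation time
    bits = int.from_bytes(data[off + 6:off + 8], "big") if algo in (1, 17) else None  # first MPI bit count
    return {"algorithm": ALGOS.get(algo, f"algo {algo}"), "bits": bits}
def is_rsa4096(armored: str) -> bool:  # the check this text implies: RSA 4096, not the default ECC key
    return key_info(dearmor(armored)) == {"algorithm": "RSA", "bits": 4096}
def armor(packet: bytes) -> str:  # public-key armor; used here only to build the constructed sample
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
def _mpi(n: int) -> bytes:  # OpenPGP multi-precision integer: 2-byte bit count followed by the magnitude
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed sample (not a real key): a v4 RSA public-key packet with a placeholder 4096-bit modulus,
# framed by an old-format header (0x99 = tag 6 with a 2-byte length) as exported keys normally are.
_BODY = b"\x04" + (1664582400).to_bytes(4, "big") + b"\x01" + _mpi((1 << 4095) | 1) + _mpi(65537)
SAMPLE_KEY = armor(b"\x99" + len(_BODY).to_bytes(2, "big") + _BODY)
```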

With the above steps completed, you can exchange encrypted messages from your Proton Mail address with any correspondent using OpenPGP encryption.


[1] This text assumes that the reader is familiar with the general principles of "public key cryptography". If that is not the case, this text provides an introduction to the subject.

[2] There is a large number of Internet tutorials that explain in great detail the difference between the POP/POP3 and WEB‑MAIL e‑mail "use modes". Most of those ignore the repercussions of the use mode on mail security and on the practicality of using e-mail encryption. This text provides some information on the subject.

[3] Importing a contact list from some other e‑mail service or application that contains correspondents' identifying data (names, last names, telephone numbers etc.) should be avoided. Any .csv file with a couple of "dummy" text lines such as "someNym,nymname@xyz.com" can be uploaded to satisfy the "Import contact list" requirement.