How to install Mailvelope Business for Nextcloud

Mailvelope Business for Nextcloud is designed to provide seamless email encryption for organizations using the Nextcloud Mail app. To install Mailvelope within your Nextcloud environment, please follow the steps below.

Illustration Mailvelope is integrated into the webmail UI

1. Install Mailvelope in Nextcloud Mail

Open the Nextcloud Mail app and navigate to Nextcloud Mail Settings in the bottom left corner. You will find the Mailvelope related settings under Privacy and security.

Nextcloud Mail Settings

Click the Install Mailvelope browser extension by clicking here button to be directed to Mailvelope’s website. There, click the Download Mailvelope button to be taken to your browser’s web store. Simply add the Mailvelope extension to your browser from there.

Since Mailvelope requires deep integration with your browser to function properly, you’ll be prompted to grant read/write permissions during installation. Please confirm these permissions to ensure Mailvelope works seamlessly within your browser.

2. Open Mailvelope

The Mailvelope icon is located in the top-right corner of your browser. Simply click on it to begin setting up your encryption keys.

3. Add your keypair

To send and receive encrypted messages, you’ll need a PGP key pair. The Mailvelope setup screen will guide you through generating a new key pair or importing an existing one.

Mailvelope setup screen

Select Generate key on set up screen. Start by entering your name (or a pseudonym). Next, add the email address of the Nextcloud Mail account you want to use with Mailvelope — your new key will be associated with it. Now create a strong, unique password or passphrase. Be sure to write it down on paper or save it securely in a password manager.

Note: Mailvelope does not store your password, so if you lose it, it cannot be recovered by us.Mailvelope Input Screen for generating a new key

Once your key is successfully created, Mailvelope will confirm the process and display your new key on the Key Management screen.

Because a key backup is essential for recovering your encrypted data in case of data loss or reinstallation of your operating system or browser extension, we recommend creating one now by clicking the Create a Backup button. This will save a copy of your keys to your device’s download folder. Make sure to store the backup securely in a safe location — for example, on a USB drive or in a password manager.

Mailvelope generated a new key

To ensure your communication partners can find your newly created key, it will be automatically uploaded to the Mailvelope Key Server unless you unchecked the option Upload public key to Mailvelope Key Server during key creation. Shortly after key creation, you’ll therefore receive an encrypted email with the subject line “Verify your email address.” Open the email in the inbox of your Nextcloud Mail account (not on another device, since the message is encrypted). Now enter the password you created during key generation in order to decrypt the email. Once you can see the message in cleartext, click on the verification link provided in the email. Your public key will now be available on the Mailvelope Key Server, making it discoverable by other Mailvelope users, whether within your organization or externally.

Note: Should you encounter any difficulty to open the email from Mailvelope Key Server, see step 4 of this tutorial, section: Decrypting an email sent to you.

Select Import Keys on the setup screen. You’ll need the keypair file (usually a file with an .asc extension). Import the key by either dragging and dropping the file into the browser window or selecting it manually using the Add File option.

Import key into Mailvelope

When you click the Import Keys button, Mailvelope will display the key’s technical details, including the Key ID and Fingerprint, for your review. After you confirm, the key will be successfully added to your keyring and is ready for use.

Sucess. Mailvelope imported a key i

To ensure the new keypair is available to other Mailvelope users who may want to send you encrypted emails, we recommend uploading it to the Mailvelope Key Server. To do this, open Key Management and click on your newly imported keypair. On the key details page (just click on the key in the keychain), you will see a red notification saying, The user ID is not synchronized with the Mailvelope Key Server. Simply click the Synchronize button to upload your public key. Next, check your email inbox for a message titled Verify your email address from the Mailvelope Key Server. Since this email is encrypted, make sure to open it using your webmail provider with Mailvelope enabled. Decrypt the email by entering your key’s password, then click the confirmation link inside. Once verified, your key will be available on the Mailvelope Key Server, making it easy for other users to send you encrypted messages.

Note: If you should encounter any difficulty to open the email, head on to Step 4 of this tutorial, section: Decrypt an email sent to you.

4. Add others' keys

To send encrypted emails, you’ll need to add the recipients’ public keys to your keyring. There are two ways to do this:

Key servers are directories that store public keys along with their associated email addresses, making it easy to find your contacts’ keys by searching for their email addresses. To search for a key, navigate to Key Management → Search. Mailvelope’s built-in search function queries its own key server as well as several other commonly used key servers. If needed, you can customize the key servers included in the search to suit your preferences.

Mailvelope key search on different directories

If your contact has sent you their public key as a file (typically with a “.asc” extension), you can easily add it to your keyring. Simply go to Key Management and select Import. You can upload the file by either dragging and dropping it into the browser window or selecting it manually using the “Add File” option.

Import key into Mailvelope

5. Encrypting and decrypting an email with Mailvelope

Enabling Mailvelope for your domain

Before you start writing emails on Nextcloud Mail the first time, you have to authorize your Nextcloud domain in Mailvelope. This step has only to be done once, as Mailvelope will remember the settings. Head back to Mail settings (in the bottom left of Nextcloud Mail) and scroll to the Mailvelope section.

Nextcloud Mail Settings

Once you click on Enable Mailvelope for the current domain, Mailvelope will open an Authorize domain dialog window. Click on Confirm, and after a reload of the browser tab your Nextcloud inbox lives in, you are settled to write your first email.

Compose new email in Nextcloud Mail

Click at the three dots beneath the Send button. You will now find the new option Encrypt message with Mailvelope. Tick the checkbox and the Mailvelope editor will appear.

Mailvelope editor in Nextcloud Mail

Type the recipient's email address into the To field of the editor. Make sure you select a recipient for whom you have already imported the public key in Step 4.

If Mailvelope does not find a public key for the typed address, a warning message will be displayed. If so, return to Step 4 and add your recipient’s public key.

You can now write your email as usual, add attachments by clicking on Add file. Send the email by hitting the Encrypt with Mailvelope and send button.

Note: Do not use the paperclip icon in the last line to send encrypted attachments. Always use the Add file option within the Mailvelope editor.

Decrypting an email sent to you

If you click on an encrypted email in your Inbox, Mailvelope will first show it to you as a sealed letter. Clicking on it will open a Enter key password dialog. Typing the password of your private key and clicking OK will decrypt and open the message.

Decrypting a message in Nextcloud Mail

Once your email is decrypted, you can send an encrypted reply by clicking the Reply button on the bottom right of the Mailvelope editor window.

Reply to an encrypted message in Nextcloud Mail

If the email you received includes an encrypted attachment (usually with a .gpg file extension, as shown in the screenshot above), click the three dots next to the attachment to download it.

Next, click the Mailvelope icon in the upper right corner of your browser to open the main menu. Go to Dashboard and select Decrypt from the top menu bar. Click “Add File” or simply drag and drop the encrypted file into the Mailvelope window. After entering your private key password, the decrypted content will be displayed, and you can download the files.

6. Backup your keys

We strongly recommend backing up your keys and storing them in a secure location. If you reinstall Mailvelope or need to reset your browser or operating system, you’ll have to reimport your keychain, as Mailvelope stores keys only locally. For step-by-step backup instructions, refer to this FAQ, section: Backup of the complete keyring.

Note: Keep in mind that even if you back up your private key, it will be useless without the password associated with it. Make sure to also store your password securely.

Backup your keyring