Automatic PGP Encryption

Encrypt incoming mail automatically so only you can read it

What is Auto-Encryption?

Auto-Encryption automatically PGP-encrypts your incoming mail as it arrives, before it is stored on our servers. This is Zero Access encryption: once encrypted, only you can decrypt it with your private key passphrase. Even we cannot read your encrypted mail.

You can auto-encrypt on a per-alias basis, for all incoming mail using a master key, or selectively through Sieve filter rules.

All mail on CodaMail is already encrypted at rest with AES-256-GCM. Auto-Encryption adds a second layer where mail is individually PGP-encrypted with your public key, making it unreadable without your passphrase.

Three Ways to Auto-Encrypt

Method 1: Per-Alias Auto-Encryption

Encrypt incoming mail for specific addresses. This is the most common approach, allowing you to encrypt sensitive aliases (financial, medical, legal) while leaving everyday mail searchable.

  1. Go to Settings → Identities and create the identity for the incoming mail address
  2. Go to Settings → Manage PGP Keys and create or import a key for this identity
  3. Go to Settings → Auto-Encryption and add the identity

Repeat for each address you want to encrypt.

Method 2: Master Key for All Mail

Encrypt all incoming mail with a single master key. This provides the strongest protection but makes it harder to search through your mail.

  1. Go to Settings → Identities and verify your primary identity (youraccount@codamail.com) exists
  2. Go to Settings → Manage PGP Keys and create or import a master key for this identity
  3. Go to Settings → Auto-Encryption and enable the master switch

Method 3: Encryption via Sieve Filters

PGP Encrypt is available as a Sieve filter action. This lets you selectively encrypt mail based on any filter condition (sender, subject, header, etc.) and choose which PGP key to use for each rule.

  1. Go to Settings → Mail Delivery Filters
  2. Create a new filter with your desired conditions
  3. Select "PGP Encrypt" as the action and choose the key to use

See Understanding Sieve Filters for more on filter rules.

Practical Considerations

  • Encrypted mail cannot be searched. Only the encrypted blob is stored. If you encrypt everything, you lose the ability to search message content. Consider encrypting selectively for sensitive aliases instead.
  • You will need your passphrase to read encrypted mail. Each time you open an encrypted message, you will be prompted for your passphrase. You can extend how long the passphrase is cached in Settings → Preferences → Encryption by adjusting "Keep private key passwords for".
  • Do not forget your passphrase. If you lose your passphrase, your encrypted mail cannot be recovered by anyone, including us.

Maximum Security: Keep Your Private Key Off Our Servers

The methods above store your PGP private key on our servers (encrypted with your passphrase). For the highest level of security, you can generate your key pair locally, import only the public key to CodaMail, and read encrypted mail using a local client like Thunderbird with Enigmail.

This way, your private key never leaves your device. We only ever have the public key, which can encrypt but not decrypt.
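The local workflow described above, sketched as an added example (not CodaMail's own tooling). It assumes GnuPG 2.1.13 or later is installed on your device; the function names, the 2y expiry and the file name are illustrative choices. The last function is a pre-upload check that refuses any file that is not an armored public key on its own.

```shell
#!/bin/sh
# Added example: generate the key pair locally, export only the public half,
# and check the export before importing it under Settings -> Manage PGP Keys.
# Assumption: GnuPG >= 2.1.13 (needed for --quick-generate-key).

# make_keypair USER_ID
# Creates the key pair in the local keyring; gpg prompts for the passphrase.
make_keypair() {
    gpg --quick-generate-key "$1" default default 2y
}

# export_public USER_ID OUTFILE
# Writes the ASCII-armored public key only. --export never emits secret
# key material (that requires --export-secret-keys).
export_public() {
    gpg --armor --output "$2" --export "$1"
}

# safe_to_upload FILE
# Returns 0 only if FILE holds an armored public key block and no private
# key block. Binary or unrecognised files are rejected (fail closed).
safe_to_upload() {
    [ -r "$1" ] || { echo "refusing: cannot read $1" >&2; return 2; }
    if grep -q -e '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$1"; then
        echo "refusing: $1 contains a private key block" >&2
        return 1
    fi
    grep -q -e '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1" || {
        echo "refusing: $1 has no armored public key block" >&2
        return 1
    }
}

# Usage: sh keygen.sh 'youraccount@codamail.com' codamail-public.asc
if [ "$#" -eq 2 ]; then
    make_keypair "$1" &&
    export_public "$1" "$2" &&
    safe_to_upload "$2" &&
    echo "OK: import $2 into CodaMail; the private key stays in the local keyring"
fi
```

The check inspects armor headers only, so it catches the common mistake of uploading the output of `--export-secret-keys` or a combined backup file.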

Learn more: How to Use CodaMail in the Most Secure Fashion Possible