A public key contains what others need to encrypt messages for you: a unique combination of numbers, letters, and symbols that is used in the encryption process. It also carries identity information about its owner, such as a name and email address, which is used to match the key to the right person.
FlowCrypt is designed to make most public key operations automatic so that a wider, non-technical audience can benefit from encryption. If email senders are using FlowCrypt, your public key will be loaded automatically when they compose a message to you. If all of your encrypted contacts use FlowCrypt, you’ll not have to worry about public key management.
Share your public key manually
You have several options to share your public key:
- Share a link to your public key page. Take the flowcrypt.com/pub/human@flowcrypt.com address, replace the email address with yours, and senders can download your public key themselves.
- Save your public key to a file. Go to FlowCrypt Settings ⮕ Additional Settings ⮕ Public Key ⮕ Save public key to a file and share the file with your recipient.
- Attach your public key when sending an encrypted email by clicking the button in the bottom right corner of the Secure Compose window.
You only have to do this once for each recipient that uses non-FlowCrypt OpenPGP software. After that, they’ll be able to send you encrypted messages.
Import another user’s public key
You might need to import another user’s public key if your recipient uses other OpenPGP software. See the Send Emails to Other OpenPGP Software guide for details.
Manage other users’ public keys
From the moment you load (set) a recipient’s public key for the first time, either manually or automatically, it won’t be removed or replaced until you manually remove it from FlowCrypt Settings ⮕ Additional Settings ⮕ Contacts. Importing another public key for that correspondent by clicking Update Key when you receive an encrypted email adds the new public key side by side with the already imported key, and both will be used. Importing can also be done from the FlowCrypt Settings ⮕ Additional Settings ⮕ Contacts section: when you choose a specific contact, you’ll see a button that lets you modify it, removing or adding public keys manually.
Client app public key retrieval and management
FlowCrypt client apps always look up public keys by the user’s email address, not by fingerprint. This is accomplished using sources that verify the correspondent’s email address, such as WKD, the recipient’s LDAP server, FlowCrypt Attester, and keys.openpgp.org, queried in that order. Because each source has verified the address, a public key received from them is auto-imported and automatically considered trustworthy.
The browser extension can track more than one public key per correspondent, and keyservers are queried for public keys each time you compose a message to someone. This means that if your correspondents use different keys on different devices, or are in the process of rotating keys, the experience remains smooth.
Outgoing messages will be encrypted for all valid (not expired, not revoked, usable) public keys of that recipient. Incoming message signatures will be considered valid if they can verify against any of the correspondent’s public keys that were not revoked.
Enterprise customers can choose which public key sources to use or which ones to forbid, either for all correspondents or granularly by the domain of the recipient.
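The key selection and source rules described above, as an added example (not FlowCrypt’s own code): encryption goes to every valid key, signature verification accepts any non-revoked key even if expired, and enterprise policy forbids sources globally or per recipient domain. The dict shape of the policy and the sample fingerprints are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Sources in the order the page lists them; lookups are by e-mail address, never by fingerprint.
SOURCES = ("WKD", "LDAP", "Attester", "keys.openpgp.org")

@dataclass
class PubKey:
    fingerprint: str                 # constructed placeholder values below, not real keys
    expires: datetime | None = None  # None = never expires
    revoked: bool = False
    usable: bool = True              # e.g. carries an encryption-capable subkey

def is_valid(key: PubKey, now: datetime) -> bool:
    """The page's definition of a valid key: not expired, not revoked, usable."""
    expired = key.expires is not None and key.expires <= now
    return not expired and not key.revoked and key.usable

def encryption_keys(keys: list[PubKey], now: datetime) -> list[str]:
    """Outgoing mail is encrypted for ALL valid keys of the recipient, not just one."""
    return [k.fingerprint for k in keys if is_valid(k, now)]

def signature_keys(keys: list[PubKey]) -> list[str]:
    """Incoming signatures may verify against any non-revoked key; expiry does not disqualify."""
    return [k.fingerprint for k in keys if not k.revoked]

def allowed_sources(recipient: str, forbidden: dict[str, set[str]]) -> list[str]:
    """Enterprise policy: sources forbidden for all recipients ('*') or per recipient domain.
    The dict shape is this example's assumption, not FlowCrypt's configuration format."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    blocked = forbidden.get("*", set()) | forbidden.get(domain, set())
    return [s for s in SOURCES if s not in blocked]

def demo() -> dict:
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    contact = [  # one correspondent with three keys, as happens during key rotation
        PubKey("AAAA" * 10, expires=now - timedelta(days=1)),   # expired
        PubKey("BBBB" * 10, revoked=True),                       # revoked
        PubKey("CCCC" * 10, expires=now + timedelta(days=365)),  # current
    ]
    forbidden = {"*": {"keys.openpgp.org"}, "partner.example": {"WKD", "LDAP"}}
    return {
        "encrypt_to": encryption_keys(contact, now),
        "verify_with": signature_keys(contact),
        "sources_default": allowed_sources("alice@example.com", forbidden),
        "sources_partner": allowed_sources("bob@partner.example", forbidden),
    }
```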
Enterprise public key management
If you already have your own mechanism for keeping track of your employees’ public keys and their contacts, FlowCrypt can integrate with your key server to ensure a smooth and secure experience. See Keyserver Integration and FlowCrypt for Enterprise Email Encryption guides to learn more.
Export all public keys from GPG (GnuPG)
If you used other software that managed public keys for you through GnuPG, you can export all of those public keys from the command line for use in FlowCrypt:
gpg --export --armor > all-public-keys.asc
After that, you can import them by following the FlowCrypt Settings ⮕ Additional Settings ⮕ Contacts ⮕ Import public keys ⮕ Select a file steps.
This way FlowCrypt will know how to encrypt messages for all your contacts.
Public key fingerprints
A fingerprint in OpenPGP is a unique identifier for a public key, created by applying a cryptographic hash function to the public key. Fingerprints are represented as a sequence of hex digits or ASCII characters. They offer a way to verify and compare public keys, and they are useful as an additional layer of security for people who want to cross-check a key.
When you use the Secure Compose option added by FlowCrypt and you enter someone’s email, it will appear in green if FlowCrypt finds a valid public key for the recipient. Additionally, you can hover over it to see the user’s fingerprint.
You could then contact them by phone to confirm that the fingerprint you see is the same as the fingerprint they see in their account settings. With this, you can be 100% sure that the message will be encrypted for the correct key.
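How a fingerprint is derived from a key, and how to compare the one you see with the one read back over the phone, as an added example that is not part of the original page. It builds a constructed version-4 RSA public key packet body (tiny numbers, not a usable key) and hashes it as RFC 4880 specifies; the helper names are this example’s own.

```python
import hashlib
import hmac

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length followed by the magnitude."""
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA public key packet: version, creation time, algorithm 1 (RSA), MPIs."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, the two-byte body length, and the body."""
    h = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body)
    return h.hexdigest().upper()

def key_id(fingerprint: str) -> str:
    """The 64-bit key id is the low-order 16 hex digits of a v4 fingerprint."""
    return fingerprint[-16:]

def display(fingerprint: str) -> str:
    """Group into 4-digit blocks, the way key managers show fingerprints for reading aloud."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))

def fingerprints_match(seen: str, read_back: str) -> bool:
    """Compare what you see against what the correspondent reads out: ignore spacing and
    case, but require the full 40 hex digits (a short key id is not enough to confirm)."""
    a = "".join(seen.split()).upper()
    b = "".join(read_back.split()).upper()
    if len(a) != 40 or len(b) != 40:
        return False
    return hmac.compare_digest(a, b)

# Constructed demo key: tiny modulus, not a usable RSA key, only to exercise the encoding.
DEMO_BODY = v4_public_key_body(created=1_700_000_000, n=0xC0FFEE1234567891, e=65537)
DEMO_FP = v4_fingerprint(DEMO_BODY)
```

Note that the creation time is part of the hashed packet, so two keys with identical key material but different timestamps have different fingerprints.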
If recipients use FlowCrypt or any other OpenPGP software, you’ll see their fingerprints. If they don’t use any OpenPGP software or FlowCrypt couldn’t find their public key, you can upload their public key manually or compose a password-protected email.