Encryption
Are attachments also encrypted?
Yes, both the message and attachments are protected with end-to-end encryption.
Are drafts encrypted?
Yes. If you write a message but don’t send it, you can check your drafts and see that the OpenPGP encrypted draft is there. Once the message is sent, the draft is deleted.
My contact sent me a public OpenPGP key. How and where do I use it?
See how to send encrypted messages to other OpenPGP software users.
What happens when the recipient doesn’t use FlowCrypt or other OpenPGP software?
You’ll be asked to protect the outgoing message with a password. The recipient will need the password to open the message.
Do I have to set up FlowCrypt on every device?
You need to set it up on every device where you want to read encrypted emails. See how to set up FlowCrypt on another device.
Which messages will be encrypted? Do my contacts have to use this too?
Do I send all my messages in the secure compose after installing FlowCrypt, or can I use the regular unencrypted Gmail compose as well?
For each message, you have the option to choose whether you want it encrypted or not. If you want the message to be encrypted, use the secure compose option. Otherwise, use the regular one.
I’m unsure how the encryption works. Do I need to tell my friends to get the encryption thing too? Or does this encrypt all messages to and from people either way?
You can send an encrypted message to anyone, but it’s more convenient if the other side also has encryption set up. See how to send to users who have encryption set up and to users who don’t use encryption.
Can the recipient decrypt email when not using Gmail or Chrome?
I opened Gmail in Mac Safari and the email was encrypted. I couldn’t read it. However, I can read it in Chrome.
Does it mean that when I send an encrypted email and if the recipient uses Safari, they won’t be able to read it?
Messages sent between users who both have encryption set up can only be read with encryption software, together with the appropriate private key and passphrase.
If there is an extension that works with Safari, you can set it up there as well.
If he/she has FlowCrypt and Chrome, will it auto-decrypt?
Our product roadmap includes apps for Chrome, Firefox, Brave, Thunderbird, Outlook app, Android, iOS, and more. You’ll need to have some sort of compatible software on every platform where you plan to use encrypted messages.
Privacy and Safety
Can my email provider (e.g., Google) read the contents?
FlowCrypt uses end-to-end encryption designed so that only you and your intended recipients can read it, not us, Google, or other email providers.
When using FlowCrypt in the browser, decrypted messages are displayed in a separate frame that Google doesn’t have access to, even if they deliberately tried to reach it. They would first have to somehow update your browser to a different version that includes a deliberate vulnerability (assuming you’re using Chrome), which is unlikely. On Android, FlowCrypt uses a completely separate Android app to access and encrypt your email, which is even more secure.
Are mobile clients self-reliant or somehow connected to the Gmail app?
Currently, our mobile clients are completely independent. However, we’re interested in building a FlowCrypt integration with the Gmail app in the future.
Can FlowCrypt be used with the incognito mode in Chrome or private browsing mode in Firefox?
Currently, you can’t, although some features do work. This is something we’d like to work on and hope to support eventually; we’ll announce it on the blog (and update this answer!) as soon as we have this functionality working.
However, there are some workarounds if you wish to use FlowCrypt in an incognito/private browsing mode, but they have limited capabilities. Please follow the instructions below:
- For Google Chrome, enter chrome:extensions in the address bar ⮕ find the FlowCrypt extension and click Details ⮕ enable the Allow in incognito option.
- For Mozilla Firefox, enter about:addons in the address bar ⮕ select the FlowCrypt extension ⮕ select Allow for the Run in Private Windows option. You’ll need to use custom history settings with the Always use private browsing mode option unchecked.
Why was the FlowCrypt browser extension missing after a successful installation?
Browser extensions are disabled (hidden) by default when running in incognito/private browsing mode. To enable (make visible) the browser extension, make sure that your browser isn’t running in incognito/private browsing mode.
For Mozilla Firefox, you can disable private browsing mode by navigating to Settings ⮕ Privacy & Security ⮕ History ⮕ Remember history. If you’re using custom settings for browser history, please uncheck the Always use private browsing mode option and restart your browser.
Is access to Google safe?
FlowCrypt is asking me to connect the plugin to my Gmail account. Is it safe? Where can I read more about this?
Any email client that you set up on your device needs to retrieve emails from your email provider and display them on your device. In FlowCrypt’s case, it also encrypts and decrypts emails using OpenPGP end-to-end encryption. For more details, please see Google API Disclosure for FlowCrypt.
FlowCrypt software on your device will request access tokens from your email provider to:
- Send messages.
- Download and decrypt messages and attachments.
- Backup, restore, and other user-initiated actions within the app.
The email access tokens are kept strictly on your device, and won’t be shared with us or anyone else. This is stated in our Privacy Policy:
Tokens are then exclusively stored in the Local App on the user’s Local Machine, with no exceptions. The Access Token is used solely within the Local App for user authentication, sending and receiving of Encrypted Messages, and other related actions that make the Local App work smoothly.
It explains what our code does. The FlowCrypt source code is available for your review on the FlowCrypt GitHub repo.
Does FlowCrypt work with Google Advanced Protection?
I received an error from Google stating they can’t grant FlowCrypt access because the Advanced Protection option is enabled.
If you’re an owner of an organization that uses Google Workspace, you can adjust the permission for the extension through Google Admin ⮕ find the FlowCrypt mobile app/extension ⮕ click the Change Access button and change the access option from “Limited” to “Trusted”.
Will this plugin send my data to your server?
Your email data stays on your device, except when you use the Secure Compose option to write to someone who doesn’t use encryption. In such cases, those messages are relayed through FlowCrypt servers. We don’t have access to the content, because only you and your recipient will know the password it was protected with. Additionally, we only store them temporarily and delete them regularly.
Also, when you write to someone using the Secure Compose option, FlowCrypt software will check with our servers to see if the other person is using encryption. Similarly, when you installed it, FlowCrypt noted that your email is capable of receiving encrypted messages. Visit the FlowCrypt Attester to search for public keys of other users.
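The password-protected relay described above can be modelled as follows. This is an added example for illustration, not FlowCrypt's code or message format: the scrypt and AES-256-GCM construction, the `Relay` class, its expiry time and all function names are assumptions chosen to show why a relay that only stores ciphertext cannot read the message.

```javascript
// Added illustration (Node.js). NOT FlowCrypt's implementation or wire format.
const crypto = require('node:crypto');

// Sender: derive a key from the password and encrypt on the local device.
function protectWithPassword(plaintext, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(password, salt, 32);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Only these fields are uploaded; the password is shared out of band.
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Recipient: returns the plaintext, or null on a wrong password or tampering.
function openWithPassword(blob, password) {
  try {
    const key = crypto.scryptSync(password, blob.salt, 32);
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.iv);
    decipher.setAuthTag(blob.tag);
    const pt = Buffer.concat([decipher.update(blob.ct), decipher.final()]);
    return pt.toString('utf8');
  } catch (err) {
    return null; // GCM tag check failed
  }
}

// Hypothetical relay: holds opaque blobs temporarily and deletes expired ones.
class Relay {
  constructor(ttlMs) {
    this.ttlMs = ttlMs;
    this.store = new Map();
  }
  put(blob, now) {
    const id = crypto.randomBytes(8).toString('hex');
    this.store.set(id, { blob, expires: now + this.ttlMs });
    return id;
  }
  get(id, now) {
    const entry = this.store.get(id);
    if (!entry) return null;
    if (now >= entry.expires) {
      this.store.delete(id);
      return null;
    }
    return entry.blob;
  }
}
```

Everything the relay holds (`salt`, `iv`, `ct`, `tag`) is useless without the password, so the strength of the password and the channel used to share it decide how well the message is protected.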