Bernhard E. Reiter edited this page Nov 16, 2018 · 4 revisions

Contract 'Mailvelope development' 2018 (mw18)

Scheduled contract time line: January 2018 - January 2019.


  • Develop a JavaScript bridge to native GnuPG installation for use in Mailvelope.
  • Extend Mailvelope to provide end-to-end encryption for HTML forms
  • Improve OpenPGP.js to provide all features necessary to be compatible with GnuPG on OpenPGP and likely updates.
  • Design and implement a secure way of exchanging public keys with Mailvelope.
  • Pass an external security review.

Principal BSI

The German Federal Office for Information Security (BSI) contracted Intevation and Mailvelope GmbH via a public tender.


The team consists of the German companies Intevation GmbH and Mailvelope GmbH. As subcontractors Passbolt, g10 Code and Tankred Hase help implementing the features in Mailvelope, Openpgp.js and GnuPG. The subcontractor Cure53 helps verifing the security properties of the design and implementations of this contract. During the project Protonmail also got subcontractor and implemented most features in OpenPGP.js


Send email to (OpenPGP pubkey EFF5D42A) from Intevation
or (OpenPGP pubkey 79701934) from Mailvelope GmbH.


2018-11-15: The development phase of this project is almost done. Current results:


The GnuPG language binding library GPGME has a new component called gpgme-json. This is a binary wrapper providing a JSON API for a large part of the GnuPG functionality. In the project we use this API combined with the new gpgme.js JavaScript language binding over Native Messaging. As a browser extension Mailvelope can communicate with the native gpgme-json application to embed GnuPG as a crypto backend in Chromium and Firefox browsers.

Is included in GPGME releases since 1.12.0 from 2018-10-09


The featureset of OpenPGP.js is now more compatible with the OpenPGP reference implementation GnuPG. New features are

  • ECC support for P256, P384, P521, SECP256K1, Ed25519/Curve25519 and NIST curves
  • ECC support for Brainpool curves
  • Modern implementation of BigInteger and public key algorithms
  • bzip2 support (decompression)
  • Revocation certificates
  • AEAD (EAX and OCB)
  • V5 keys

Is included in OpenPGP.js releases v4.2.0 from 2018-11-05 or newer


Mailvelope got a redesign of the keyring presentation including a new keyring for GnuPG as crypto backend if GnuPG is natively available on the system. To be able to find public keys of recipients more automatically, Mailvelope supports the WKD public key lookup using either OpenPGP.js or GnuPG.

As a completely new feature Mailvelope provides encryption of web forms embedded in a webpage. The shown form is a signed HTML element that will be encrypted before submission. Only the recipient is able to decrypt the submitted data, which allows for somebody else to operate the web server. To have an easier way to create a signed form element, Mailvelope provides a tool to convert an HTML form into a Mailvelope compatible encrypted form element that can be embedded in any webpage.

This is published with Mailvelope 3.0 beta versions and is to be included with the upcoming Mailvelope 3.0 release (planned for 2018-11-19).

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.