ProtonMail can do encryption to non-ProtonMail domains, despite all my Google queries turning up only that ridiculous password-protected email feature that ProtonMail supports. I arrived at this through a very oddly serendipitous exploration of Gemini.
I strongly dislike medium-style articles and recipe sites that bury the information I actually care about around a bunch of fluff, so I’ll start with the steps and then I’ll go back to the fluff/context.
=> very oddly serendipitous exploration of Gemini
Almost every other resource will do a better job than this at describing it, but if any frustrated visitors somehow land here, I don’t want to compound your frustration, so here are some steps that will get you a solution. Or, more realistically, when I come back in the future to do this again I want this all in one place.
These steps assume you are using apache and the document root is /var/www/html. Adjust as needed. Also, I don’t prefix anything with sudo, so pay attention to what things say they should be done as root…
```
# command to generate keys
gpg --full-generate-key
```
```
# commands to create hierarchy and files
mkdir -p .well-known/openpgpkey
# list the key's fingerprint/mailbox and let gpg-wks-client install it into the WKD hierarchy
gpg --list-options show-only-fpr-mbox -k YOUR_EMAIL_ADDRESS | /usr/lib/gnupg/gpg-wks-client -C .well-known/openpgpkey -v --install-key
# move hu/ up one level so the key sits directly under openpgpkey/
mv .well-known/openpgpkey/*/hu .well-known/openpgpkey/
# the (empty) policy file clients look for first
touch .well-known/openpgpkey/policy
```
Pick your favorite way to become root and move the directory to your http root:
```
# as root, move and set permissions
mv .well-known /var/www/html/
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;
```
```
# apache (mod_headers): send the CORS header for the WKD files
Header set Access-Control-Allow-Origin "*"
```
Some more caveats: this was the directory method and it assumed just one user. If you start adding more users/keys you will need to adjust step two to copy just the relevant files, because copying a directory onto one that already exists will fail.
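A small checker for the steps above, as an added example that is not from the original post, GnuPG or Proton (assumes Python 3 with the standard library only): it computes the z-base-32 hash a WKD client derives from the local part, builds the policy and key URLs it will request, and inspects a document root for the direct-method layout, including the policy file ending up inside hu/ instead of one level up. The Joe.Doe hash is the worked value from the WKD draft (draft-koch-openpgp-webkey-service).

```python
import hashlib
import os
import tempfile
from urllib.parse import quote

ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD

def zbase32(data: bytes) -> str:
    """MSB-first base32 over the z-base-32 alphabet, no padding characters."""
    bits, nbits = int.from_bytes(data, "big"), len(data) * 8
    pad = (-nbits) % 5
    bits, nbits = bits << pad, nbits + pad
    return "".join(ZB32[(bits >> s) & 31] for s in range(nbits - 5, -1, -5))

def wkd_hash(email: str) -> str:
    """SHA-1 of the lower-cased local part, z-base-32 encoded (32 chars)."""
    local = email.split("@", 1)[0].lower()
    return zbase32(hashlib.sha1(local.encode()).digest())

def wkd_urls(email: str) -> dict:
    """URLs a WKD client fetches: policy first, then the key (direct or advanced)."""
    local, domain = email.split("@", 1)
    domain, h, q = domain.lower(), wkd_hash(email), quote(local)
    return {
        "policy": f"https://{domain}/.well-known/openpgpkey/policy",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={q}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={q}",
    }

def check_direct_layout(docroot: str, email: str) -> list:
    """Problems found in a direct-method layout under docroot; [] means it looks right."""
    base = os.path.join(docroot, ".well-known", "openpgpkey")
    problems = []
    if not os.path.isfile(os.path.join(base, "policy")):
        problems.append("policy file missing at .well-known/openpgpkey/policy")
    if os.path.exists(os.path.join(base, "hu", "policy")):
        problems.append("policy file is inside hu/ but belongs one level up")
    if not os.path.isfile(os.path.join(base, "hu", wkd_hash(email))):
        problems.append("key file missing at hu/" + wkd_hash(email))
    return problems

def build_sample_docroot(email: str, policy_in_hu: bool = False) -> str:
    docroot = tempfile.mkdtemp()  # constructed sample layout, not a real docroot
    hu = os.path.join(docroot, ".well-known", "openpgpkey", "hu")
    os.makedirs(hu)
    with open(os.path.join(hu, wkd_hash(email)), "wb") as f:
        f.write(b"\x99")  # placeholder byte, not a real key packet
    policy_dir = hu if policy_in_hu else os.path.dirname(hu)
    open(os.path.join(policy_dir, "policy"), "w").close()
    return docroot
```

Run check_direct_layout("/var/www/html", "you@yourdomain") after step two to confirm the files landed where a client will look.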
The solution is setting up something called WKD, or Web Key Directory. It’s documented all over the place, but I couldn’t find it while searching for information on ProtonMail until I was clued in to WKD and started putting that in my search.
Per a message on mailarchive.ietf.org, high-volume email providers like Proton would probably need to look for a policy file as the first step to avoid more intensive work like trying to fetch and use a key that might not be present. I’m paraphrasing a bit, so my words, not theirs.
That bears repeating as it was the first problem I had:
I had created one, but I put it in the wrong directory. Per the very excellent WKD wiki, and damn near every guide I read, it should be at .well-known/openpgpkey/policy, but somehow I put it adjacent to the key file. Oops.
What some of the guides do not cover is the need for configuring CORS (Cross Origin Resource Sharing) to set the Access-Control-Allow-Origin header, but luckily, some guides do. I assume this has to do with accessing the policy and the key, but I don’t really understand it. The files are accessible via HTTP, why would this need to be set? Perhaps some day I will find out.
=> WKD | mailarchive.ietf.org | WKD wiki | guides
=> #protonmail
=> 2022-12-05 - md2gemini eats newlines in code blocks in item lists | 2022-12-03 - ProtonMail and E2E Encryption to Private Domains (backstory)
created: 2022-12-03
(re)generated: 2025-01-29
text/gemini