Skip to main content
The Encryption tool manages GPG (GNU Privacy Guard) keys for your domain. GPG is the open standard for encrypted and signed email — also known as PGP. With keys set up, mail you exchange with people who also have GPG keys can be encrypted end-to-end and signed so the recipient knows it really came from you. Open it from cPanel home → EmailEncryption.
GPG Encryption page with key generator form and existing keys
GPG email encryption is niche outside developer and security-conscious circles. Most casual mail doesn’t need it. Use this if you specifically have a use case (legal correspondence, journalist sources, technical communication with security teams).

Two key types

GPG uses asymmetric crypto. Every user has two keys:
  • Public key. Shared freely. People use your public key to encrypt mail to you, and to verify your signatures.
  • Private key. Kept secret. You use it to decrypt incoming mail and to sign outgoing mail. Loses all security if it leaks.
cPanel generates both as a key pair.

Generate a key

1

Click Generate a New Key

On the Encryption page.
2

Fill in the fields

  • Your name and Your email address — embedded in the public key as identifiers.
  • Key passphrase — protects the private key. You’ll be prompted for it whenever you decrypt mail. Use a strong, memorable phrase.
  • Comment — optional. Often used to label keys (e.g. “work”).
  • Expiration date — default is no expiration. Setting an expiration (1 or 2 years) is good practice; it forces you to refresh the key periodically.
  • Key size — 4096 bits is the modern standard. Stick with the default.
3

Click Generate Key

Generation takes a few seconds. The new key pair appears in the list.

Export the public key (share with senders)

Click View next to the public key to see the full ASCII-armored block. Copy and paste it where senders need it: a contact page, your email signature, a public keyserver.

Import an existing key

If you already have a GPG key from elsewhere, paste the ASCII-armored block into the Import Key form. Use this when migrating from another mail host.

Configure your mail client

cPanel generates and stores the keys, but encryption happens at your mail client when you send and decrypt mail. The general flow per client:
Thunderbird ships with native OpenPGP support since version 78. Settings → End-to-End Encryption → import your private key from cPanel (export it from the Encryption page first), import correspondents’ public keys, and enable encryption per-message in the compose window.
Apple Mail doesn’t ship with GPG. Install GPG Suite (gpgtools.org), import your keys via the Keychain, and Apple Mail will gain encrypt/sign options in the compose window.
Outlook supports S/MIME natively but not OpenPGP. For OpenPGP in Outlook, install Gpg4win (gpg4win.org), which bundles GpgOL — an Outlook plugin that adds encrypt/sign buttons.
Roundcube has an Enigma plugin for GPG that some hosts enable. Whether it’s available on Noxity webmail depends on the build; check SettingsEnigma when logged into webmail. If absent, encryption is desktop-client-only.

Tips

  • Back up your private key. If you lose the cPanel account or the key file, encrypted mail is unreadable forever. Export and store the private key block somewhere safe (encrypted backup, password manager).
  • Use expiration dates. A key without an expiration is harder to retire if compromised. 1- or 2-year expirations force healthy rotation.
  • The passphrase is the last line of defense. A leaked private key with a weak passphrase decrypts in minutes. Use a strong one.

Need a hand?