> ## Documentation Index
> Fetch the complete documentation index at: https://help.noxity.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Encryption

> Generate and manage GPG keys for end-to-end encrypted email.

The Encryption tool manages **GPG (GNU Privacy Guard) keys** for your domain. GPG is the open standard for encrypted and signed email — also known as PGP. With keys set up, mail you exchange with people who also have GPG keys can be encrypted end-to-end and signed so the recipient knows it really came from you.

Open it from cPanel home → **Email** → **Encryption**.

<Frame caption="Encryption page with Public and Private key lists">
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/email-management/encryption/page-light.png" alt="GPG Encryption page with key generator form and existing keys" className="block dark:hidden" />

  <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/email-management/encryption/page-dark.png" alt="GPG Encryption page with key generator form and existing keys" className="hidden dark:block" />
</Frame>

<Note>
  GPG email encryption is niche outside developer and security-conscious circles. Most casual mail doesn't need it. Use this if you specifically have a use case (legal correspondence, journalist sources, technical communication with security teams).
</Note>

## Two key types

GPG uses asymmetric crypto. Every user has two keys:

* **Public key.** Shared freely. People use your public key to encrypt mail to you, and to verify your signatures.
* **Private key.** Kept secret. You use it to decrypt incoming mail and to sign outgoing mail. Loses all security if it leaks.

cPanel generates both as a key pair.

## Generate a key

<Steps>
  <Step title="Click Generate a New Key">
    On the Encryption page.
  </Step>

  <Step title="Fill in the fields">
    * **Your name** and **Your email address** — embedded in the public key as identifiers.
    * **Key passphrase** — protects the private key. You'll be prompted for it whenever you decrypt mail. Use a strong, memorable phrase.
    * **Comment** — optional. Often used to label keys (e.g. "work").
    * **Expiration date** — default is no expiration. Setting an expiration (1 or 2 years) is good practice; it forces you to refresh the key periodically.
    * **Key size** — 4096 bits is the modern standard. Stick with the default.
  </Step>

  <Step title="Click Generate Key">
    Generation takes a few seconds. The new key pair appears in the list.
  </Step>
</Steps>

## Export the public key (share with senders)

Click **View** next to the public key to see the full ASCII-armored block. Copy and paste it where senders need it: a contact page, your email signature, a public keyserver.

## Import an existing key

If you already have a GPG key from elsewhere, paste the ASCII-armored block into the **Import Key** form. Use this when migrating from another mail host.

## Configure your mail client

cPanel generates and stores the keys, but encryption happens at your mail client when you send and decrypt mail. The general flow per client:

<AccordionGroup>
  <Accordion title="Thunderbird">
    Thunderbird ships with native OpenPGP support since version 78. Settings → End-to-End Encryption → import your private key from cPanel (export it from the Encryption page first), import correspondents' public keys, and enable encryption per-message in the compose window.
  </Accordion>

  <Accordion title="Apple Mail (macOS)">
    Apple Mail doesn't ship with GPG. Install **GPG Suite** (gpgtools.org), import your keys via the Keychain, and Apple Mail will gain encrypt/sign options in the compose window.
  </Accordion>

  <Accordion title="Outlook">
    Outlook supports S/MIME natively but not OpenPGP. For OpenPGP in Outlook, install **Gpg4win** (gpg4win.org), which bundles GpgOL — an Outlook plugin that adds encrypt/sign buttons.
  </Accordion>

  <Accordion title="Webmail (Roundcube)">
    Roundcube has an Enigma plugin for GPG that some hosts enable. Whether it's available on Noxity webmail depends on the build; check **Settings** → **Enigma** when logged into webmail. If absent, encryption is desktop-client-only.
  </Accordion>
</AccordionGroup>

## Tips

* **Back up your private key.** If you lose the cPanel account or the key file, encrypted mail is unreadable forever. Export and store the private key block somewhere safe (encrypted backup, password manager).
* **Use expiration dates.** A key without an expiration is harder to retire if compromised. 1- or 2-year expirations force healthy rotation.
* **The passphrase is the last line of defense.** A leaked private key with a weak passphrase decrypts in minutes. Use a strong one.

## Need a hand?

<CardGroup cols={2}>
  <Card title="Open a ticket" icon="life-ring" href="https://members.noxity.io/submitticket.php">
    Best for anything that needs an account check or a config change on our end.
  </Card>

  <Card title="Live chat" icon="messages" href="https://noxity.io/contact">
    Faster for quick questions during business hours.
  </Card>
</CardGroup>