[PLUG] Proton Pass
Ben Koenig
techkoenig at protonmail.com
Fri Mar 21 08:07:25 UTC 2025
My understanding is that the key is kept in a keyring on their servers in an encrypted state. When you log in via the web interface, it gets downloaded to your browser and your password unlocks the keyring in the client-side application. Technically it never exists in an unencrypted state on their servers.
However, this means it is not truly end-to-end, since the "application" is a website served by their servers. They own both ends.
Proton's approach is kind of bogus, but it is a solid step forward since it gives users visibility of their key and the ability to import/export. It's a significant improvement over other webmail implementations. Baby steps, I guess...
-Ben
On Thursday, March 20th, 2025 at 9:25 PM, Russell Senior <russell at personaltelco.net> wrote:
> One question I've had for a while is: how does key management work at
> Proton? Public key encryption rests on a foundation where your private
> key is exclusively known to you, and that all reasoning about what is
> private is directly tied to "who has access to your private key". One
> thing I have been unable to discover, which doesn't seem to be well or
> transparently documented, is "where is my private key and how is
> access to it managed?" Does anyone know?
>
> My vague understanding is that, supposedly, Proton stores an encrypted
> version of your private key and supposedly when you type in your
> password to the random javascript they send you, you get a copy of the
> encrypted key and unlock the key in your browser, but ... and stick
> with me here, what if they send you javascript that leaks your
> password to them. In that case, they have the encrypted key and the
> unlocking password and therefore, they have possession of your private
> key and all privacy guarantees provided by the math of PK encryption
> are lost. Can someone please help me understand why or how that isn't
> possible?
>
> Thanks!
>
> --
> Russell Senior
> russell at personaltelco.net
>
> On Thu, Mar 20, 2025 at 8:23 PM King Beowulf
> kingbeowulf at linuxgalaxy.org wrote:
>
> > On 3/20/25 17:41, Michael Ewan wrote:
> >
> > > I saw that Proton Pass sponsored a YouTube channel I enjoy (All The
> > > Gear is in the UK). It looked good on the surface. I know some of you
> > > use Proton Mail, any experience with Proton Pass?
> >
> > I've been using Proton Pass on my main Linux box for 2+ years with 90+
> > passwords stored (mmm....I should check on some of those sites!). Works
> > well, easy and transparent, with a good feature set. Only sloth has
> > prevented me from migrating it to other devices.
> >
> > Highly Recommended.
> >
> > Disclaimer: I am a paying Proton Mail customer
> >
> > -Ed