Outlook Add-in GpgOL/Web
Encrypt Your Emails – Now in the New Outlook
The new generation of Outlook is built on modern web technologies—and the GpgOL/Web add-in keeps your email encryption secure and seamless. It integrates proven GnuPG email encryption directly into Outlook, whether you're working in your browser or on Windows. All encryption and decryption happen locally, and your keys never leave your device. This way, your confidential communication remains fully protected.
Why a New GnuPG Add-in for Outlook Web?
The new Outlook
Microsoft is transitioning Outlook to a modern, web-based platform. Legacy COM add-ins—extensions for the classic desktop app—are no longer supported.
To ensure that GnuPG email encryption continues to work in the new Outlook, we're developing GpgOL/Web—a new add-in that takes security to the next level. It clearly separates Outlook from all cryptographic processing: encryption and decryption take place entirely on your local system.
How GpgOL/Web Protects Your Communication
Send and Receive Encrypted Emails
Keep your confidential messages protected right inside Outlook. All encryption and decryption happen locally–your private keys never leave your system.
Automatically Protected When Forwarding
Forwarding emails? GpgOL/Web can automatically re-encrypt them for you. Your data stays encrypted at every step—even if a message changes mailboxes.
Re-Encrypt Entire Mail Folders
Need to hand over a mailbox or update permissions? The re-encrypt feature secures entire folders with new keys in one go, keeping all sensitive emails protected.
Simple Setup
GpgOL/Web is installed through the Outlook manifest–no complex setup required. Just activate it, and start encrypting your emails.
Architecture and Security of GpgOL/Web
GpgOL/Web is built on a modular architecture that cleanly separates Outlook from all cryptographic processing. This preserves GnuPG's core security principle: private keys and plaintext data never leave your local system.
The add-in consists of two main components:
- GpgOL Service: The proxy service acts as an intermediary between Outlook and the local GnuPG environment. It provides the JavaScript components that the Outlook add-in uses and manages all connections over local port 5656. Both HTTP and WebSocket communication run on this port, secured by a TLS certificate. Even with self-signed certificates, the content remains protected thanks to an additional layer of OpenPGP encryption.
- GpgOL Client: This component performs the actual cryptographic operations—decryption, signing, and re-encryption. The client runs locally and processes all sensitive data exclusively on the user's own machine. Even when opening signed or unencrypted emails, private keys always remain protected.
When GpgOL/Web starts, Outlook (Web) and the local client register with each other through the proxy service. Any new connection—for example, when another device tries to access the service—must be approved manually before messages can be encrypted or decrypted. This keeps full control in the user's hands and prevents unauthorized systems from accessing sensitive information.
The communication model is also protected against external attacks:
- Fake clients cannot register, as every connection must be explicitly verified.
- The proxy uses Cross-Origin Resource Sharing (CORS) to allow requests only from authorized Outlook web clients or the Windows web-based app. The browser recognizes legitimate calls and blocks attempts from untrusted websites.
- Exchange Web Services (EWS) access is handled exclusively by the authorized GpgOL client, which manages OAuth tokens securely on the local system. The proxy acts only as a relay—it never handles or sees plaintext data.
With this combination of strict separation, local key management, and a secure proxy service, GpgOL/Web meets GnuPG's high security standards even in web-based Outlook environments.
Try GpgOL/Web
See how easy secure email encryption can be in the new Outlook. The GpgOL/Web add-in is now available in the Gpg4win 5.0 Beta and will later become part of GnuPG VS-Desktop®.