The term forwarding has no specific technical meaning, but it implies that the email has been moved “forward” to a new destination.
I am sure it is subtle across servers, but I’d count on there being a copy at least “passing” though each server it interacts with. Sending a plaintext message is sending that message into the public, to be read by anyone glancing at the traffic between servers (so, a lot of machines doing that for a lot of humans for good and bad reasons (like monitoring for service quality, or stealing the secrets).
I don’t think that is how it works, exactly. ProtonMail uses OpenPGP, so messages encrypted to a key can be decrypted with the corresponding private key, as usual. It is just the interface to do that is built in a way that isn’t apparent.
The good news, you can give folks your public key generated on ProtonMail, and they can encrypt it as they usually would. And I don’t know exactly how it pieces together as a process, but that ought to work even if someone encrypts it but sends it to a forwarding address, it should be encrypted (except for subject line, per usual) and be able to be decrypted by ProtonMail.
Something I don’t quite understand, and maybe you can test this with someone that has a public key available (I do not, but maybe could test this with ya), is how to send an encrypted message to a non-ProtonMail user using GPG. According to their docs, they do not support sending PGP/GPG messages (though it is unscheduled on their road map).
So in digest:
- ProtonMail uses standard crypto tech
- ProtonMail users see end to end encryption, in both transit and storage
- One can decrypt mail encrypted to their ProtonMail public key, though that needs to be downloaded and shared manually.
- There is currently no way to encrypt a message in the ProtonMail UI
It is worth noting that there is a way to send encrypted text without integrating fully into the email specs. For instance, just by including cyphertext in the body of a message. Not the best experience for sending or receiving, but still viable.
I’ve seen it around, and noted their encrypted git hosting (though I ought to make an actual note about it…). But as a communications platform I am not interested. I don’t know all that much about the technical details, but from what I’ve seen it is interesting in theory, but not practice.
Nothing against Keybase! It is just the focus on “proving identity” via corporate media, and reinforcing that those companies are somehow qualified to vouch for real humans, it is not a game I am personally playing. I am more interested in Matrix and blockchain tech, which I see filling the space Keybase is working in.
I guess it is worth mentioning that services like ProtonMail and Keybase are valuable for simplifying the techniques we’ve used to communicate securely, and it increases adoption. But it does put everyone in a basket, a single point of failure, even if the tech says everything will be fine. What I mean is, there are non-technical ways to shut down those services, whereas that is much hardy against autonomous individuals deploying the tech in pieces, like anonymous users use GPG natively.