TL;DR tried to leave Gmail for Proton Mail, but ended up running them both simultaneously which created a mess. Later added Proton Pass over Bitwarden and SimpleLogin, but ran into autofill bugs and a growing sense of vendor lock-in. I’m planning to consolidate everything into Mailbox.org, Bitwarden and either SimpleLogin or Addy and use a personal domain this time to avoid being locked in again. My fumble was never fully committing to one solution.

Sometime in 2018 I wanted to get off Google (Gmail). I did research and created a Proton account. I imported all my email from Gmail to Proton. It looked good. I bought a domain name, attached it to Proton, redirected all future Gmail emails to Proton to catch them all and update the addresses in the services that I use. I was also using Bitwarden at the same time.

After a few months I needed to look up some purchases in my email archive. I couldn’t find them. I was doing it on my Android phone. I tried various combinations. I KNEW what I bought and the keywords to find it. It was not there. Did Google lose my email?! Was I going crazy? No, it’s just that the mobile Proton Mail app does not support fulltext search. I know why, but I still think it’s doable the same way as in the web browser. Anyway… that was a deal breaker to me. But now I already had Gmail + Gmail imported into Proton Mail + emails I received while already on Proton. I started to look for ways to go back to Gmail but also to take my Proton mail with me. I set up Thunderbird with IMAP and started to move them around. I didn’t finish that process because it was manual and there was just too much, I couldn’t keep track of it properly. I just created a mess for myself with doubled emails, etc. Sigh. I went back to Gmail for a few years.

Then as I started using Thunderbird more and more I realized its fulltext search works across all inboxes even if the provider doesn’t support it. I had the urge to give Proton another go. This time I was also already using SimpleLogin (before Proton bought them). I had a different personal domain. What I now created is that I have TWO inboxes (Gmail and Proton) and never moved fully away from Gmail. But I do use SimpleLogin for both. It was because I wasn’t sure if I could commit 100% to Proton, given my past experience.

At this stage, I was still using Bitwarden. So I had Bitwarden + Proton Mail + Gmail + SimpleLogin. But I knew of Proton Pass, which a couple years earlier was lacking compared to Bitwarden, but supposedly has improved. I decided to give it a try after Proton bought SimpleLogin, because it seemed like it would be cheaper to use Proton Mail + Proton Pass + SimpleLogin, I wouldn’t need Bitwarden anymore. I really like the UX of Proton Pass. The desktop app is pretty and functional. I love how 2FA codes in desktop web browsers are displayed automatically in a notification and I can use them by clicking a single button. Autofill on Android also works 90% of the time. So I imported everything from Bitwarden into Proton Pass and decided to “test drive” for a bit. Part of the test was creating new logins in PP. At first I manually added them to Bitwarden. After some time, I didn’t. I created a bunch of passkeys in PP, also part of the functionality test. So they are now not in Bitwarden.

Meantime, I started to be bothered by some Proton things. Some login forms don’t autofill, for example a bank website that I use many times every month. I reported it to Proton on November 6 last year. They said they forwarded it to their team and that it will get fixed in the next release. It didn’t. It still does not work 5 months later. In the meantime I stumbled upon several other websites where Proton Pass’ autofill does not work. But at least Proton launched a few half-baked products since then. Fulltext search on Android doesn’t work, either. It’s been only 8 years or so, I can wait.

I also realized that I probably don’t need an encrypted inbox. It’s not even E2EE, because that’s simply impossible in the email domain (unless it’s something like S/MIME or PGP, but both parties have to use it). It’s only encrypted at rest. I am neither an activist nor a journalist. I just add extra work for myself, having to run Proton Bridge, having to use their apps, not having a working fulltext search in the mobile app, not having normal IMAP.

I feel like them launching more and more apps and services is going the way of creating an “ecosystem”. I was happy having SL as an independent service, now it’s also Proton. I feel like an Apple customer (been there), I see the garden walls being built around me and have an encroaching feeling of vendor lock-in.

I regret my choices. I did fumble. I want to go back.

I’m thinking of subscribing to Mailbox.org. I looked at Tuta (have to use their apps, not easy to export), Posteo (doesn’t allow for custom domains) and FastMail (I had issues in 2018, don’t remember what exactly, besides I want an EU product). Because of how butchered my Proton inbox is, I think the best approach will be to delete all Gmail messages from it (after I confirm they are still in Gmail) and then export all and import to Mailbox.org. Separately, export all from Gmail and also import into Mailbox.org. That should give me a clean slate. I will also change ownership of aliases in SL. Sadly, I used many passmail.com aliases which are probably bound to Proton Mail and I am not sure I can continue using them if I pay for SL, but not for Proton (though, my subscription is still valid for many months).

I want to migrate back to Bitwarden. Based on my search it’s not possible to selectively import entries from Proton Pass to Bitwarden. Currently my Bitwarden vault is outdated, Proton Pass has many newer logins and other items and several passkeys. I think what I have to do is backup my Bitwarden vault (just in case) and then create a new empty vault and import everything from Proton Pass. I also need to re-create any PP passkeys in Bitwarden and either switch the websites to use that or add Bitwarden passkeys if a website supports more than one passkey.

I am also not sure about staying on SL. I am considering Addy, but it’s run by just one guy, so I’m not sure about it. This time, I plan to buy another personal domain and use it for email aliases rather than to rely on the domains provided by the service. This way I can migrate in the future if I need to.

btw I also switched from Windows 11 to Linux

The core issue here is that I couldn’t commit. I wanted to try things and instead of committing to one and sticking to it, I used both at the same time. Chaos.

I just need to get this off my chest. Thanks for reading. I appreciate if you have anything constructive to say.
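The post above describes exporting both the Gmail and the Proton mailbox and importing them into one provider, where the same message may exist in both exports (Gmail was imported into Proton once and forwarded there afterwards). The script below is an added example, not code from the post or from any of the providers mentioned: it merges several mbox exports into one, keeping a single copy per Message-ID, and fingerprints messages that lack a Message-ID so they are never silently dropped. The file names and the sample messages are constructed for the demo.

```python
"""Merge several mbox exports into one file without duplicate messages.

Added example: merge Gmail and Proton mbox exports before importing the
result into a new provider. Messages are identified by Message-ID; a
message without one is identified by a hash of From/Date/Subject/body.
All paths and sample messages below are constructed, not real data.
"""
import hashlib
import mailbox
import os
import tempfile
from email.message import Message


def message_key(msg: Message) -> str:
    """Stable identity for a message: its Message-ID when present,
    otherwise a SHA-256 fingerprint of a few headers plus the body."""
    mid = msg.get("Message-ID")
    if mid:
        return "mid:" + mid.strip().lower()
    h = hashlib.sha256()
    for name in ("From", "Date", "Subject"):
        h.update((msg.get(name) or "").strip().encode("utf-8", "replace"))
    # get_payload(decode=True) is None for multipart messages; headers alone
    # are still a reasonable fingerprint in that case.
    h.update(msg.get_payload(decode=True) or b"")
    return "fp:" + h.hexdigest()


def merge_mboxes(sources, destination):
    """Copy every message from `sources` (in order) into `destination`,
    skipping any message whose key was already written. Returns counts."""
    out = mailbox.mbox(destination)
    seen = set()
    stats = {"read": 0, "written": 0, "duplicates": 0}
    try:
        for path in sources:
            src = mailbox.mbox(path)
            for msg in src:
                stats["read"] += 1
                key = message_key(msg)
                if key in seen:
                    stats["duplicates"] += 1
                    continue
                seen.add(key)
                out.add(msg)
                stats["written"] += 1
            src.close()
        out.flush()
    finally:
        out.close()
    return stats


def _sample_message(subject, message_id=None, body="hello"):
    """Build a constructed test message (legacy Message API so it round-trips
    through mailbox.mbox unchanged)."""
    m = Message()
    m["From"] = "shop@example.com"
    m["To"] = "me@example.com"
    m["Date"] = "Mon, 01 Jan 2024 10:00:00 +0000"
    m["Subject"] = subject
    if message_id:
        m["Message-ID"] = message_id
    m.set_payload(body)
    return m


def build_demo(workdir):
    """Write two constructed exports, gmail.mbox and proton.mbox. Two messages
    appear in both (same Message-ID); one message has no Message-ID at all
    and appears in both with identical content."""
    paths = [os.path.join(workdir, "gmail.mbox"), os.path.join(workdir, "proton.mbox")]
    a = _sample_message("Order 1001", "<a@example.com>")
    b = _sample_message("Order 1002", "<b@example.com>")
    c = _sample_message("Order 1003", "<c@example.com>")
    d = _sample_message("Newsletter without Message-ID")
    for path, msgs in zip(paths, [(a, b, d), (a, b, c, d)]):
        box = mailbox.mbox(path)
        for m in msgs:
            box.add(m)
        box.flush()
        box.close()
    return paths


def demo():
    """Run the merge on the constructed exports and return the counts."""
    with tempfile.TemporaryDirectory() as tmp:
        sources = build_demo(tmp)
        return merge_mboxes(sources, os.path.join(tmp, "merged.mbox"))


if __name__ == "__main__":
    print(demo())  # {'read': 7, 'written': 4, 'duplicates': 3}
```

For real exports, run `merge_mboxes(["gmail.mbox", "proton.mbox"], "merged.mbox")` and import only `merged.mbox`; Gmail puts labels in `X-Gmail-Labels` headers, which this script keeps because it copies messages unchanged.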

  • mazzilius_marsti@lemmy.world · 12 days ago

    Instead of completely moving to 1 service, I would try to compartmentalize the digital life better. For me I tried:

    • all banks and very sensitive stuff => Proton Mail

    • every other emails => Gmail.

    • Password Manager: yes Proton Pass is nice but I like things to work offline and access whenever I can => KeePass. I secure my database with a password and a keyfile. I transfer and update my database with Syncthing.

    • 2FA stuff: I had Authy but it is a piece of shit app now. So I am moving to Keepass. Yes, you can add TOTP to anything in Keepass. The only thing I still need Authy for is Steam.

  • jalappy@lemmy.ml · 11 days ago

    Skimming through most answers I’d like to add my own solution for password management. This will likely take you a bit of time the first time, but after that I think it’s trivial to manage (or migrate to a solution provided by others).

    Basically I have a master password tied to an identity file (or KEY), and use this key to encrypt my passwords to keep on local drive (1 file 1 password). This leverages age, an encryption program and protocol by FiloSottile, so that every password uses post-quantum encryption (if you care for that), and can be stored on-device or on cloud without worrying about data leaks.

    To give some details:

    • I made a KEY identity file using a passphrase (which is thus my master password)
    • then I simply wrote my username and passwords into txt files, each named after the service which it covers (i.e. amazon.txt has my amazon username and password)
    • as third step I encrypt each file using the KEY, so that to view the content I need both the KEY file and the passphrase
    • last, I copied each encrypted file on a cloud service, for backups, and moved the key file to a usb

    Therefore to decrypt a file (to see my logins) I plug in the usb (acting as a yubikey of sort, but I’m poor), via the age cli I insert the passphrase and voilà… This seems bothersome at first, but I can securely manage passwords and if I were ever to switch to bitwarden or something else, I just need to batch decrypt my pass files (a for loop does the job, pasting the same passphrase each time)

  • PierceTheBubble@lemmy.ml · 12 days ago

    Generally the rule of thumb is: if a service (including one focused on privacy and/or security) actively advertises itself (which Proton does a lot: especially through content creator sponsor-deals), be extremely wary. I was once also considering migrating to Proton, but luckily tried integrating the account into Thunderbird first; which led me to second-guess Proton’s intentions. It really didn’t sit well with me, they’re baiting users into (over-)committing to their service, encrypt their (primary) mailbox’s contents, and as a result paywall the process of data-migration (including to third-party email clients).

    I instead went with a humble Disroot mailbox (I make a yearly donation to), and use fully separate Proton addresses as effective aliases: as I’m not interested in them being associated to my personal email anyway. Other than that, I’ve simply integrated all email accounts (I care about) into Thunderbird. For the big-tech accounts, I’ve backed-up their contents in Thunderbird, re-imported them locally (to be able to search them), and deleted all contents from the servers. I’ve changed the email of more important services to the Disroot account, and listen for any others I might’ve forgotten, on the empty big-tech accounts (which rarely receive anything).

    For password managers I’ve always used KeePassXC: synced across devices by having the (encrypted) database on Google Drive, and later synced locally using Syncthing. The KeePassXC-Browser extension does the filling on the browser, and I’ve always used Keepass2Android for mobile (through the keyboard). Nowadays I just use my laptop for anything requiring login, and rarely use secondary (mobile) devices to begin with: eliminating the need for cross-device syncing altogether. The KeePass database lives on my secondary hard drive, and I make sure to create backups periodically (which also goes for Thunderbird contents).

    Limiting the services you depend upon also helps tremendously, so that even if all passwords are lost, you rarely feel affected. I’m confident I could lose 99% of my passwords, and wouldn’t care whatsoever. In fact, I’ve effectively been through that process already (when changing all recursive passwords to stronger, unique ones: through the “forgot your password?” fields), and could easily do it for important services once more. The most valuable piece of advice I could give, is to identify the important parts, and start from there. If you care enough for the emails effectively held ransom by Proton, perhaps configure the bridge once and extract the data; never to return.

  • durinn@programming.dev · 13 days ago

    Thank you for sharing your story and journey! The following is a comment from a meta perspective. Absolutely no pun intended… If it’s any consolation at all, I think this illustrates how a lot of digital industry giants have purposefully created ecosystems that are hard to leave, with the sole purpose of reaping your data, of course. It also shows how attaining even small steps towards digital privacy, which should not be this complicated, requires social and economic sacrifices, which in itself is insane, considering that privacy is supposed to be a universal human right.

    Now, a more direct comment. Always keep in mind that the end user is NEVER to blame for such back and forth struggles as you describe. You “wouldn’t” commit, you say. Did ANY of the big tech giants ever make it easy for you, I ask?

    Personally, I’m using Tuta, SimpleLogin and KeepassXC (and its fork for Android). My setup won’t really give you any good hints though, since I’m not trying to achieve that smooth and dynamic workflow and ecosystem with easy credential sharing, exports and inter device operation. I log in and out of every instance every time on every device and manually update my password database and manually sync it to all my devices. It’s a hassle, but then again, it takes just a few more minutes and I like “fiddling”…

  • technocrit@lemmy.dbzer0.com · 12 days ago

    Thanks to OP for sharing this cautionary tale and thanks to everybody in here giving helpful advice.

    I would like to self-host everything but y’all are scaring me off email.

    • Alvaro@lemmy.blahaj.zone · 12 days ago

      Self hosting email goes in one of 3 directions:

      • fuck, half of my critical services think I am spam
      • fuck, why did I spend so much time for this shitty inherently unprotectable shit (email is unencrypted)
      • this is great and I love it! (Who are you people??)

      • ajikeshi@lemmy.world · 12 days ago

        fuck, half of my critical services think I am spam

        that goes away after your dns gets older and your mailserver gets “reputation”… also configure your dmarc and dkim, that tends to help a lot

        another reason could be that your public ip is “dirty”, check the reputation of it and maybe request a different one from your hoster
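The reply above says to configure DKIM and DMARC (and, implicitly, SPF) so that a self-hosted server stops being treated as spam. As an added example that is not part of the thread, the script below shows what "configured" should look like by parsing the three TXT record types and flagging the settings that leave spoofing open or the record unusable. It takes the records as strings (fetch them with `dig TXT example.org`, `dig TXT _dmarc.example.org` and `dig TXT <selector>._domainkey.example.org`); the weak and good sample records are constructed, and the DKIM key in the good sample is a placeholder of the right length rather than a real key.

```python
"""Flag weak or unusable SPF, DKIM and DMARC records.

Added example for checking a self-hosted mail domain's DNS before relying
on it. Records are passed in as plain strings; the SAMPLE_* records are
constructed for the demo and the DKIM key in SAMPLE_GOOD is a placeholder.
"""
from __future__ import annotations

# SPF terms that cost one of the 10 DNS lookups allowed by RFC 7208.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
DMARC_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_tags(record: str) -> dict[str, str]:
    """Parse 'k=v; k=v' tag lists as used by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_spf(record: str) -> list[str]:
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        t = term.lower()
        qualifier = t[0] if t[0] in "+-~?" else "+"   # '+' is the default
        body = t[1:] if t[0] in "+-~?" else t
        name = body.split(":", 1)[0].split("=", 1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("SPF: 'ptr' mechanism is deprecated and slow; drop it")
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    if all_qualifier is None:
        findings.append("SPF: no 'all' term; unmatched senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"SPF: '{all_qualifier}all' lets any host send as this domain; use -all or ~all")
    return findings


def check_dkim(record: str) -> list[str]:
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        findings.append("DKIM: 'v' tag present but not DKIM1")
    key = tags.get("p")
    if key is None:
        return ["DKIM: no 'p' tag; the record is not a usable key"]
    if key == "":
        return ["DKIM: empty 'p' tag means the key has been revoked"]
    # Base64 SPKI of a 1024-bit RSA key is about 216 chars, 2048-bit about 392.
    if tags.get("k", "rsa").lower() == "rsa" and len(key) < 300:
        findings.append("DKIM: RSA public key looks like 1024-bit or less; publish a 2048-bit key")
    return findings


def check_dmarc(record: str) -> list[str]:
    findings = []
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record must start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in DMARC_STRENGTH:
        return ["DMARC: missing or invalid 'p' tag; receivers treat the record as absent"]
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address, so you get no aggregate reports")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    sub = tags.get("sp", "").lower()
    if sub in DMARC_STRENGTH and DMARC_STRENGTH[sub] < DMARC_STRENGTH[policy]:
        findings.append(f"DMARC: sp={sub} is weaker than p={policy}; subdomains can be spoofed")
    return findings


def review(records: dict[str, str]) -> dict[str, list[str]]:
    """Run all three checks; an empty list means nothing was flagged."""
    return {"spf": check_spf(records["spf"]),
            "dkim": check_dkim(records["dkim"]),
            "dmarc": check_dmarc(records["dmarc"])}


# Constructed sample records (not real domains or keys).
SAMPLE_WEAK = {"spf": "v=spf1 a mx include:_spf.example.net ptr +all",
               "dkim": "v=DKIM1; k=rsa; p=",
               "dmarc": "v=DMARC1; p=none; pct=50"}
SAMPLE_GOOD = {"spf": "v=spf1 mx ip4:192.0.2.10 -all",
               "dkim": "v=DKIM1; k=rsa; p=" + "A" * 392,   # placeholder key
               "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org; adkim=s; aspf=s"}

if __name__ == "__main__":
    for label, recs in (("weak", SAMPLE_WEAK), ("good", SAMPLE_GOOD)):
        for kind, found in review(recs).items():
            print(label, kind, found or "ok")
```

A clean result here says the records are sane, not that the server signs correctly; send a message to a mailbox you control at a large provider and read its `Authentication-Results` header to confirm `spf=pass`, `dkim=pass` and `dmarc=pass` end to end.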

  • lattrommi@lemmy.ml · 12 days ago

    I can’t offer any good advice, just take consolation in the fact that I have done some of the same, but likely worse. I try to switch to a new email, don’t fully migrate or close the old one, end up with a convoluted mess, end up just checking emails individually. I have protonmail, 4 gmails and a yahoo account. Yes yahoo. Part of that is sentimental, I signed up for it in 1998 and it’s hard to let go. I have a folder of email bookmarks and just right click ‘open all in new tabs’ to check them. As for passwords, well, I won’t talk about that. It’s not good but still not worst practices at least.

  • klymilark@walsh.fallcounty.omg.lol · 13 days ago

    @steel_for_humans Sounds familiar, honestly, I did similar. I’m also on Mailbox.org (great service) since email is… not a private form of communication. You only get the benefits of E2EE if you’re sending emails to the same e2ee email provider (proton > proton, tuta > tuta, etc), so it didn’t feel worth it to me to stick with tuta over mailbox because I also wanted an email client, which tuta didn’t offer at the time, but mailbox did.

    None of your choices were wrong, you just bounced around a lot, which isn’t super uncommon in the beginning. I went from KeePass, to Google’s passwords (this was like… 10 years ago when google first offered password management), back to KeePass, to Nextcloud, now moving back to KeePass. I have passwords in 3 separate password vaults (two keepass, one nextcloud) that I need to sort through at some point.

    The biggest recommendation I have: Don’t switch again until you have stuff sorted out on your current one. Switching multiple times before you have everything set up is the worst. Besides that just take your time.