The first is to use a password. This is a basic protection that has some advantages and drawbacks.
The most important thing to keep in mind is – this type of protection is easy to use but it's cannot use the full strength of the encryption algorithm. Since we use AES-256 to protect a message, the key length is 256 bits. To get a true 256-bit password you need to memorize a bit more than 40 characters of random symbols or about 70-100 meaningful symbols. Pretty hard, isn't it?
To use that type of protection just type-in a pin for a message.
As a remedy for the short passwords we introduced a single 256-bit key. You generate that key and exchange it with a receiver of your mails. This key is stores on a device encrypted with a dedicated password. That is much better, but still, there's a flaw in this approach. Although every sender-receiver pair has it own key, that key is always the same for them. Yes, we use random salt to produce different cypher-texts and you can change that key every day, but if someone gets the key somehow he would be able to read all your past and future correspondence. Better, but not so good...
To use this type of a certificate add a receiver to the address book, tap a "View or add a new certificate" button and follow the instructions. You will end up with getting a QR-code that other party should scan to get a key. That QR-code is protected by a password that the other party should enter as well. You cannot see a password and a QR-code at the same time on the screen for security purposes.
So, we've introduced a One-Time certificate. Basically, it is the same as previously described key, but we use it for one message only. Bingo! Full strength, perfect forward secrecy and even key expiration. But (there are always some buts) you have to exchange that keys with your correspondent. And you have to do it in person. Get both devices together, then generate and exchange the keys. By default we generate one hundred keys that should be enough for a few months of moderate use.
Setting up OTC is a bit trickier, so read here how to do it