The Encrypted Mailbox

In our first doodle video, we explained how to set up PGP and how to encrypt your e-mails with it. Still, many Internet users are not concerned with security and will keep sending you non-encrypted e-mails that are vulnerable to snooping by third parties.

Explained by video

(A click on the picture leads to Vimeo. The privacy policy of Vimeo applies.)


Why Don’t E-Mail Providers Just Encrypt Their Data Storage?

Many providers claim to be storing their users’ e-mails on encrypted hard drives. While this may suggest security, it actually means very little in practice. In order for the server to work, the hard drive needs to be remain open without encryption during operation – around the clock. No matter if it’s hackers, the government, or your provider: Whoever has access to the server also has access to your e-mails. The only way for your data to be safe would be to turn off the mail server.


How Does mailbox.org Do It?

mailbox.org is the first provider to have developed a system that can store your e-mails in an encrypted state during running operation, ensuring no one else can access them.

On request, we encrypt all incoming e-mails with your Public Key after receiving it. This makes the e-mail just as secure as if the sender had encrypted the message.

Without your Private Key, nobody can read the contents of your e-mails – not even us here at mailbox.org. Of course, there still is a risk that the e-mail may have been intercepted before it arrived at our server. This is unavoidable for as long as people keep sending each other non-encrypted e-mails. However, as soon as an e-mail reaches your mailbox, it’s secure. This may be more important than you’d first think; if you are storing e-mails over several years, there are many opportunities where third parties might attempt to access them. That’s something we can put a stop to now.


How Do I Set Up an Encrypted Mailbox?

  1. Check that you’ve set up PGP properly and know how to use it. Our first doodle video explained everything about this.
  2. You can set up an encrypted INBOX in the Settings section of our web interface. You can upload your Public Key here safely. You can also specify if this is to be used for encrypting all or only some of your incoming e-mails.
  3. Only you can decrypt the e-mails in your mailbox using your Private Key – which nobody else possesses.

All this is described step-by-step on mailbox.org.

When you are storing e-mails sent via your mail client in a Sent folder on the server, your mail client does not encrypt these. We are currently unable to encrypt such e-mails afterwards. While we have some ideas on how to tackle this problem, we still need to research the issue further. As a workaround in the meantime, you can send yourself BCC copies of your e-mails and get these sorted into your Sent folder via a Sieve filter. In this case, the e-mails will remain encrypted. Also, we’d like to point out again that e-mails with GPG encryption still have an unencrypted mail header revealing the sender, recipient, and subject. There currently is no secure end-to-end method for encrypting this information.


Sounds Great. Where’s the Catch?

Encrypted e-mails cannot be read on your smartphone or within the webmail client without your Private Key. This may be inconvenient when you’re on the road or on vacation. To address this issue, mailbox.org will soon be offering to store your Private Key on our server, thus enabling you to access your e-mails from anywhere. Of course, it seems to defeat the purpose to hand over your Private Key to someone else. Some would even describe this as irresponsible, and we don’t think it’s ideal either. But it is still a lot more secure than sending mails without any encryption at all.

And storing a key on a highly secure server at mailbox.org may actually be less risky than leaving it on an unprotected computer at home. But be aware that if your Private Key is held on our server, it could theoretically be accessed by us. You should make sure to protect it doubly well by using a strong password. Maximum security or more convenience in day-to-day use – ultimately, it’s up to you to decide which is more important.


Privacy made in Germany. mailbox.org.