"Current notices about Posteo: News, developments, background information and media appearances."


New: Posteo introduces crypto mail storage

Created at 09.April 2015, 16:15 | Category: Info

New: Posteo introduces crypto mail storage

Dear Posteo users,

We have news:
Today we have introduced a new encryption option for you: Posteo crypto mail storage. The new function was already made available to users this morning. In the coming weeks, we will progressively make crypto mail storage available for all accounts. With crypto mail storage you have the ability to personally encrypt all email data you have saved with Posteo at the click of a button. The encryption is comprehensive. It encompasses the content and attachments of all emails saved at Posteo as well as their corresponding metadata (for example, the subject and email header). As well as your existing email storage, all newly-arriving emails will be encrypted.

We are making this new encryption feature available to you at no additional charge. It is important to us that all Posteo users obtain maximum security. You don’t need any special technical knowledge, either: the encryption is activated at the click of a button. It occurs in the background without you needing to do anything.

The data within the crypto mail storage is no longer readable by us. We can not deactivate the encryption; only you can do this yourself. You can see whether this new encryption option is already available for your account via “Encryption” > “Posteo crypto mail storage”. If it is not yet available, we ask for your patience. Crypto mail storage will be made available to all users in the coming weeks.

Encryption at the click of a button – with the help of your password:

As soon as you have activated crypto mail storage in the settings of your account, Posteo creates a personalised key pair for you. Using this, we encrypt all the email data (content, attachments and metadata). This occurs with the part of your key that is responsible for “encrypting”. Each email is encrypted individually. The key that can make an email “readable” again is stored in the Posteo database, protected by your password. Thus, only you can access your encrypted email storage. Nothing changes in the workflow in your account: if you click on an email when crypto mail storage is activated, it is made readable for you in the background – and only for the moment of access. You manage your emails just as simply and conveniently as before.

Password must be taken special care of
When you have activated crypto mail storage, you need to take special care with your password. The password is the key to your data. If crypto mail storage is activated and you forget your password, you will lose access to your encrypted email storage. The password reset function is no longer available to you, as your data is encrypted using your forgotten password. Posteo support can no longer reset your password or deactivate the encryption.

Crypto mail storage is a plug-in we developed for the open-source email server Dovecot. Asymmetrical encryption occurs with the help of RSA; symmetrical encryption and authentication happens with AES and HMAC. Hashing occurs with bcrypt.

Further information can be found on our encryption info page.

Comprehensive tests and external security audit
Your personal email data is a sensitive commodity and worthy of protection. For this reason, extensive preparation work has been done prior to making crypto mail storage available. We not only comprehensively tested our encryption plug-in internally: the feature was also submitted to an external, multi-level security audit (by Cure53).

Transparent code and legal check
In addition, we had the legal situation clarified in advance. The result was that in Germany, email providers can not be compelled to “break” encryption.

We have implemented the crypto mail storage such that from a technical standpoint, the encryption initiated by Posteo users can not be removed by Posteo. In addition, the code for the encryption is openly viewable for reasons of transparency. This conforms to our open-source strategy and is an essential trust-building measure in the post-Snowden era.

Can be combined with all other encryption options
Posteo crypto mail storage can be combined with all other Posteo encryption features without issue. Thus, you can encrypt all your calendar and address book data at the click of a button. Posteo inbound encryption, which encrypts all newly-arriving emails with OpenPGP or S/MIME, can also be combined with crypto mail storage without issue.

If you already use inbound encryption, we recommend also activating crypto mail storage, as crypto mail storage encrypts not only newly-arriving emails but also all emails in all folders of the account as well as their corresponding metadata.

If you already use end-to-end encryption, you will also profit from crypto mail storage. The end-to-end process such as OpenPGP will generally only encrypt the content of individual emails, and not your saved emails or the emails’ metadata. Our password-based crypto mail storage constitutes comprehensive encryption, which distinctly increases the security level at Posteo. For maximum security, we recommend securing access to your crypto mail storage with Posteo two-factor authentication. Then, at login, not only your regular password will be required, but also a current one-time password. Such is the overall security level further increased. If you create local, insecure copies of your email data, we recommend securing all devices used for this.

We have made numerous pages with information and help instructions on Posteo crypto mail storage and our other encryption options available on our website.

Best regards,

The Posteo team