Encryption Details
TrulyMail uses a combination of encryption technologies to ensure your data is completely safe.
This text should help you to understand the details. Warning: this topic may be
a bit dry.
The most important aspect of TrulyMail's encryption is that
your decryption keys are NEVER stored on, or sent to, our servers.
While other services will store your keys and encrypt them with a password you
choose, we take a different stance. We feel that storing your key on any server
(even if it is encrypted) only increases the risk of that key being compromised. Accordingly, your TrulyMail key is
only used on your computer.
Now, there are three types of encrypted communications from TrulyMail. We will
talk about the details of each.
Encrypted Messages to TrulyMail Recipients
When you send a message to another TrulyMail recipient, the body and subject of
that message are encrypted via RSA with a 4,096-bit key. If you have
attachments, those attachments are encrypted via AES with a random, one-time,
256-bit key and that key is encrypted with the 4,096-bit RSA key.
TrulyMail cannot read the contents of the message because they are encrypted with
a very large key and we never have the key. We have the encrypted contents but
not the key.
Encrypted Packages to Email Recipients
When you send to email recipients and you choose an encrypted package, then your
message body, subject, and all attachments are encrypted with a random,
one-time, 256-bit AES key. That key is then encrypted and sent to the TrulyMail
servers. The package is sent via email and must be opened using TrulyMail. The
recipient will open the package in TrulyMail and will retrieve the key from the
TrulyMail servers.
TrulyMail cannot read the contents of the message because we do not have the
contents. We only have the key.
Encrypted Web Message to Email Recipients
When you send via an Encrypted Web Message (Secure Web Message), the body is
encrypted with a random, one-time, 256-bit AES key. This key is derived from the
password you enter. All the encryption happens on your computer and only the
encrypted message is sent to the server - the key is NEVER sent. The recipient
receives a link emailed to them and when clicking on the link the entire
encrypted message is downloaded into their browser. They then enter the password
to decrypt the message. Again, all decryption happens within their browser.
Attachments for Encrypted Web Messages are AES256-encrypted zip files. Your
recipient will have the choice of downloading the attachment as either a zip
file or an exe (self-extracting zip) file. The exe file requires Windows XP
or higher with .NET 2.0 already installed (most Windows XP machines have
had .NET 2.0 installed for many, many years now). The zip file (or the exe file)
can be opened with any AES256-supporting zip utility (e.g., WinZip, 7-Zip,
WinAce, WinRAR, etc.) but the user will still need the password to the zip/exe
file before they will be able to read the contents.
TrulyMail cannot read the contents of the message because we never have the key.
Why use RSA for the subject and message body for messages sent to TrulyMail recipients when we could use AES? The reason is
that someone could send the same message to both TrulyMail and email recipients
(as an encrypted package). In this case, if we used AES for the body and subject
we would have both the key and the encrypted contents, which means we could read
your message. To avoid this, we use RSA for your message body and subject. Note:
This risk still exists for message attachments. To avoid it, we recommend
you never include TrulyMail recipients when sending an encrypted package if you
have attachments. Don't worry if you forget this rule - TrulyMail will remind
you when you try to do it.
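The reasoning above can be checked mechanically. The following Python sketch is an added example, not TrulyMail code: it models what the server stores for each delivery mode as described on this page and reports the message parts for which the server would hold both the ciphertext and a usable key. The key labels, function names, and the assumption that one message sent through several modes reuses the same one-time AES key are illustrative.

```python
# Added illustration, not TrulyMail code. Models what the server stores per
# delivery mode as described on this page. All names are hypothetical.
PARTS = ("subject", "body", "attachments")

def mode_table(trulymail_text_key="rsa-recipient"):
    """part -> (key label, what the server stores: 'ct' and/or 'key')."""
    return {
        # Sent to a TrulyMail recipient: server holds ciphertext only.
        "trulymail": {
            "subject": (trulymail_text_key, {"ct"}),
            "body": (trulymail_text_key, {"ct"}),
            # One-time AES key travels RSA-wrapped, so the server cannot use it.
            "attachments": ("aes-onetime", {"ct"}),
        },
        # Encrypted package: ciphertext goes by email, server holds the key.
        "package": {p: ("aes-onetime", {"key"}) for p in PARTS},
        # Secure Web Message body: ciphertext on server, password never sent.
        "web": {"body": ("password-derived", {"ct"})},
    }

def server_holdings(modes, has_attachments, trulymail_text_key="rsa-recipient"):
    """Union of server-side artifacts, indexed by (part, key label).

    Assumption: one message sent through several modes reuses the same
    one-time AES key, which is what the page's note on attachments implies.
    """
    table, held = mode_table(trulymail_text_key), {}
    for mode in modes:
        for part, (key, stored) in table[mode].items():
            if part == "attachments" and not has_attachments:
                continue
            held.setdefault((part, key), set()).update(stored)
    return held

def server_readable_parts(modes, has_attachments, trulymail_text_key="rsa-recipient"):
    """Parts where the server holds both ciphertext and a key that opens it."""
    held = server_holdings(modes, has_attachments, trulymail_text_key)
    return sorted({part for (part, _), s in held.items() if {"ct", "key"} <= s})

if __name__ == "__main__":
    both = ["trulymail", "package"]
    print(server_readable_parts(both, has_attachments=False))
    print(server_readable_parts(both, has_attachments=True))
    # Counterfactual from the text: AES for subject/body to TrulyMail recipients.
    print(server_readable_parts(both, True, trulymail_text_key="aes-onetime"))
```

The third call is the counterfactual the text argues against: with AES used for the subject and body of messages to TrulyMail recipients, every part of a mixed send becomes readable on the server.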