How it works

End-to-end encryption. We can't read your emails.

1

Registration & Keys

When you register, your browser generates a keypair locally:

  • Public key — uploaded to our server, used to encrypt incoming mail
  • Private key — encrypted with your password (Argon2id), stored on server
  • Recovery phrase — 24 words (BIP39), only way to recover if you forget password
password → Argon2id → master_key → encrypt(private_key) → server

Important: We don't store your password or recovery phrase. Lose both = lose access forever.

2

Receiving email

Incoming emails are encrypted with your public key before storage:

incoming_email → crypto_box_seal(your_public_key) → encrypted_blob → database

Only your private key can decrypt. We don't have it. Database leak = useless encrypted blobs.

3

Sending email

To defnd.email users:

your_message → crypto_box_seal(recipient_public_key) → server → recipient decrypts

To external recipients (Gmail, etc.):

They don't have keys. Instead:

  1. You set a password for the message
  2. Recipient gets a link to defnd.email/s/{token}
  3. They enter the password → decrypt and read
  4. Can reply (also encrypted)

We store only password hash for verification. Share the password separately (Signal, phone, etc.).

4

How it works

Mail
What we can see
Encrypted blobs, metadata for delivery
What we can't see
Email content, subjects, attachments
Calendar
What we can see
Encrypted event data
What we can't see
Event titles, descriptions, locations
Notes
What we can see
Encrypted note data
What we can't see
Note content, titles
Passwords
What we can see
Encrypted vault entries
What we can't see
Passwords, usernames, URLs
How is my data encrypted?
All data is encrypted client-side using your password-derived key. We never see your plaintext data.
What if I forget my password?
Use your 24-word recovery phrase. Without it, data cannot be recovered — by design.

Cryptography

Key exchange
X25519
Curve25519, libsodium
Encryption
XChaCha20-Poly1305
Authenticated, 192-bit nonce
Key derivation
Argon2id
Memory-hard, GPU-resistant
Recovery
BIP39
24 words, 256-bit entropy

FAQ

Forgot password?
Use your 24-word recovery phrase. It derives the same master key as your password. No recovery phrase = no access.
Lost recovery phrase AND forgot password?
Your data is gone. Forever. We can't decrypt it. This is the tradeoff for real zero-knowledge encryption.
Where is my private key stored?
Encrypted copy on our server. Decrypted only in your browser memory during login. We never see it in plaintext.
Can I change my password?
Yes. Your private key gets re-encrypted with the new password. Recovery phrase stays the same.
Why not PGP?
PGP is legacy. X25519 + XChaCha20 (libsodium) is modern, faster, smaller keys, better defaults. No config needed.
Is it open source?
Not yet. The crypto is standard libsodium — you can verify in browser devtools.

Try it

Free tier. No credit card.

Create mailbox