J. R. Swab's Blog

Keep Your Email Private

Categories: Technology
Tags: security review privacy encryption open-source email

I have several email addresses that claim to encrypt my data, and even the emails I send if the other user has an account with the same provider. All of them work well, but Tutanota is my favorite by far for many reasons. The main reason is that it's open source, and we all know how much I love open source software.

Tutanota is derived from Latin and contains the words "tuta" and "nota" which mean "secure message." - tutanota.com

Encrypted

Yes, it is encrypted, but what exactly is encrypted? All of our data on the Tutanota servers: this includes email content, email attachments, and the subject line. What they can see is who sent the email, who received it, and the date. This unencrypted information is the email's metadata, and it is never encrypted no matter the provider.

But the Tutanota team knows the value of privacy!

We are looking into possibilities to hide the metadata in the future as well. - Tutanota FAQs

That's epic. Tutanota was rated the best privacy email client by Information System students at Vienna University of Business and Economics. Read the PDF here.

No IP Logging

Another plus to using this email provider is that they do not log your IP address when you log in to read your mail. There is no way for me to check if this is true, but based on everything else I would be surprised if this were a lie. If you are anxious about IP address logging, then connect over Tor or a VPN.

The FAQ page also states that they strip out the IP address information of sent and received emails.

We log IP addresses only in the case that we are presented with a valid German court order for prosecuting a suspected criminal. - Tutanota FAQs

The past beta mail client did store IP addresses at users' request, so that they could check that they were the only ones accessing the account. However, Tutanota encrypted the stored information and automatically deleted data that was a week old. This was enabled by default only in the past beta client; once the web client moved out of beta, users had to turn on the IP logging feature manually.

Anonymous Use

We can use Tutanota anonymously, since they do not require any personal information at sign-up and will shortly give us the ability to pay for a premium account with Bitcoin (donations are accepted in various cryptocurrencies, just not the paid features of the email service). Having the choice to stay anonymous and not give out private information about ourselves is very important.

The more information about our lives that is online, the greater the risk of an attacker guessing our security questions or, worse yet, simply looking up the very information we should keep private. Being anonymous is not about hiding and doing illegal activities but about staying safe in the digitized world.


Private Key Storage

Tutanota generates our keys when we sign up, and this is all done locally in our browser. The private key is then encrypted with the password we chose, so make sure it's a good one. So in a sense, our login password nearly becomes our private key, since we do not have to store the key ourselves.

Our password is the primary barrier between our data and an attacker. If they get our password, they will be able to decrypt all our email and send encrypted email to us. This is why I always stress that we need to create strong passwords and use a password manager such as Bitwarden to protect us against phishing attacks.

The Tutanota sign-up page does have a password check, so you can be assured that your password at least passes their entropy threshold. If your password is not as strong as they would like, the "create account" button remains unclickable.

When logging in, our passwords are salted and hashed to keep any peeping eyes from seeing the password in plain text. They use bcrypt locally in our web browser, so the server, and in turn the Tutanota team themselves, never has access to the password.

Tutanota cannot reset any passwords due to the level of security they chose to give us.

Sending Encrypted Email

This is very easy when both sender and recipient use a Tutanota address: it is done automatically for us, and the user experience is identical to any other email service. But of course not everyone has Tutanota (yet...), and there is a way to send them encrypted emails too.

To send an encrypted email to someone without a Tutanota address, we first must exchange a password for decryption. When doing this, make sure to use an encrypted chat service to keep that password as safe as possible.

Now that the password is determined and shared, we write the email and add the email address and subject line as we normally would. Before sending, we enter the password in the box provided to set it as the decryption password. It is then saved with the contact's entry in our address book, so for the next email we send to that user we only have to tell Tutanota to encrypt, and the app enters that password for us.

Once the intended recipient receives the email, they will see a link to Tutanota; they enter the password and can then read the decrypted message. They can also save these messages on their computer if they desire.

Note: The link within the notification email contains a salt which is needed for decryption along with the password. Thus, someone who wants to intercept your encrypted messages needs the exact link and the password. (An old link gets deactivated as soon as you send a new email to the same email address.) - Tutanota
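The key-storage model from the "Private Key Storage" section and the link-salt-plus-password scheme in the note above follow the same pattern: a key derived from a password and a salt seals something, and nothing the server holds lets it unseal. The following is an added illustration and not Tutanota's code; it stands in PBKDF2 and an HMAC keystream from Python's standard library for Tutanota's bcrypt and its real ciphers, and the "private key" is constructed random bytes.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 rounds; Tutanota uses bcrypt, PBKDF2 is the stdlib stand-in


def derive(password: str, salt: bytes, purpose: bytes) -> bytes:
    """Stretch the password once, then split it into purpose-bound sub-keys."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.new(stretched, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC keystream (illustrative, not a standard AEAD)."""
    nonce = os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Reject the blob unless the tag verifies: a wrong password or wrong salt fails here."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered blob")
    nonce, ct = body[:16], body[16:]
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def enroll(password: str, private_key: bytes) -> dict:
    """Record the browser uploads at sign-up: salt, wrapped key and a login token.
    The password itself and the raw private key never leave the browser."""
    salt = os.urandom(16)
    return {"salt": salt,
            "wrapped_key": seal(derive(password, salt, b"wrap"), private_key),
            "login_token": derive(password, salt, b"login")}


def login_and_unwrap(password: str, record: dict) -> bytes:
    """Client recomputes the login token, then unwraps the private key locally."""
    token = derive(password, record["salt"], b"login")
    if not hmac.compare_digest(token, record["login_token"]):
        raise PermissionError("login rejected")
    return unseal(derive(password, record["salt"], b"wrap"), record["wrapped_key"])
```

For the external-recipient case, the salt carried in the notification link plays the role of `record["salt"]`: `unseal(derive(shared_password, link_salt, b"mail"), blob)` succeeds only when both the link and the password are right.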

Click here for an in-depth how-to from Tutanota to learn all the ins and outs of the platform.

PS: I agree with this project so much that I am a paying customer of their 12 Euro per year premium tier. The added features are worth the price and we get to support a great project.
