SCRYPTmail is a relatively new encrypted email service, launched on November 18, 2014. It is an open-source encrypted webmail service with a focus on security and user privacy. You can use SCRYPTmail on any device with a modern browser such as Chrome or Firefox. There is currently no dedicated iOS or Android app and no IMAP or POP support; these features are coming soon.
With SCRYPTmail you can send encrypted emails and attachments of any type (doc, zip, mp3, etc.) to people who don't have a SCRYPTmail account or any encryption keys. The recipient has to enter an agreed-upon PIN or password to decrypt the message. You can also send one email to multiple people at the same time, and it is delivered as a separate BCC to each of them, so you never leak your recipient list.
SCRYPTmail's servers are located in the United States, and the company plans to locate future servers offshore for European clients. Some have raised the concern that US-based servers and services are not a good place to be for strong privacy, and the Lavabit shutdown is often cited as the reason why. I asked SCRYPTmail founder Sergei Krutov about this and other issues with SCRYPTmail; here is the question-and-answer session:
Q: Can you compare SCRYPTmail with Lavabit in terms of encryption policy and being forced to turn over users' data in cleartext or users' private encryption keys?
A: The main difference between Lavabit and SCRYPTmail is that Lavabit used to encrypt data on the server, using server-side encryption. We encrypt data on the user's computer. The problem with Lavabit was that a federal agency was able to force the company to disclose the encryption keys it used to encrypt user data. Another downside is that nothing stopped Lavabit from reading users' email themselves, as they held all the keys.
In our particular case, when you create an account we create two different hashes of it. One is used to log the user into the system and the second hash is used to encrypt/decrypt the user's data; in particular, your PGP keys are encrypted with it. To make a long story short, if we are forced to release any information that we possess regarding a specific user, we can only hand out encrypted data: each email saved in your inbox is encrypted with AES-256 using a unique encryption key and a random vector. Other services who may also claim to be end-to-end encrypted store emails in PGP-encrypted format, which is becoming obsolete much faster than AES-256; if those services are forced to give up encrypted data in PGP, in 2 years or less it may be broken.
As you can see, each private key is encrypted inside the user object, and encrypted with the user's password, so we do not need to maintain any private key for them.
Q: I see there is room to create encryption keys of up to 5120 bits, but everything above 2048 bits is not an option. Why is that?
A: This option will be available as a paid feature in the future.
Q: Will a user be able to use his/her own public and private keys in the future? Will a user be able to upload a public key of 8192 bits, for instance?
A: You are able to import your own keys in Settings->PGP keys. Using 8192-bit keys will be possible in future releases.
Q: Does SCRYPTmail have its own public keyserver repository?
A: We have our own keyserver for internal communication, which at some point we can make public for third-party keyserver integration.
Conclusion: SCRYPTmail is still in beta but offers more free options than most other privacy- and security-oriented email services. The "zero knowledge" encryption policy is a strong point, as is SCRYPTmail's decision to open-source its code. The usual caveat for browser-based zero-knowledge services still applies: the client-side code is delivered by the same server that could be compelled, so the guarantee holds only as long as the JavaScript you receive matches the published source. If you want the additional paid benefits, they won't break the bank. SCRYPTmail has a well-laid-out Bootstrap GUI. SCRYPTmail is definitely worth a serious look if you need a new email service.