Can Encyro access my messages and files?

    Who can access my content? Can Encyro view my data? Is it different from Protonmail and other encrypted email services that claim they cannot access my data?

    Zero Data Access is Not Really True

    The encrypted email service providers that claim that they cannot access your data only mean that they do not store your encryption key to persistent storage (e.g. their server hard disks). They do have access to your encryption key each time you log in, and if they want, they can read your encrypted messages or files. That is how they display your encrypted messages for you to read. Since you are using their software to manage your encryption key, you are indeed trusting them with your data.

    In the past, there have been cases, where in response to law enforcement requests, the email provider used a backdoor in their software running on the user’s device to obtain the private key even though the key was never stored on the email provider’s server.

    To ensure that your encrypted email service provider cannot access your data, you could create and manage your own encryption keys and never provide that key to the encrypted email service provider. You will have to communicate the required encryption key to your recipients on your own. That is possible, but rather complicated. It involves getting your own public key and private key pair, as explained here, or getting a software tool that supports OpenPGP and does the encryption for you, as mentioned here. Your recipient will also need a compatible tool, of course. More detailed instructions with specific tools to use are given in this LifeHacker article.

    Forgotten Password Scenario

    If you choose a provider that does not store your key, you have to accept one major downside: if you forget your password, you will lose all your previously sent and received secure messages and files. As reported on their respective websites, if you forget your password, and need to reset it, your past email can no longer be decrypted (Protonmail) and is lost forever. A similar risk applies for Tutanota, Hushmail, Countermail, and LockBin.

    Another downside is that if you are sending a secure message to someone who does not have an account with the exact same encrypted email service provider, then you need to provide them with a secret pass-phrase or key, outside of email. For instance, Protonmail explains the process here:

    Also worth noting is that such an encrypted email account cannot be used to receive secure messages from others who do not have their own encrypted email account. For example, you cannot place your Protonmail email address on your business card and expect that received messages will be secure.

    Can Encyro Read My Data

    Technically, Encyro can access your data since Encyro manages your encryption keys for you. However we take the privacy of your data seriously and unless there is a specific need (such as concerns regarding abusive usage/profanity) we do not access your messages or files. Access is restricted to a very small number of personnel with high security clearance. Read more about our organizational security safeguards.

    With Encyro, you can reset your password if you forget it and will not lose access to your past data.

    Encyro also lets you receive securely from others without an Encyro account. You can place your Encyro upload page address on your business card or other paperwork with instructions such as “Submit completed form to …”

    Encyro is designed to keep your business secure and comply with the law. Where needed, such as for the GDPR, we can sign a data processing agreement (DPA), to show our commitment to the high data privacy and security standards that you wish to maintain for compliance.

    Encyro is not designed to avoid government surveillance or for use in scenarios where you want to hide your data from law enforcement agencies. For those kind of use cases, you could consider using an encrypted email service provider located outside the jurisdiction of your government (in a foreign country with no applicable treaty with your government) and one that does not store your encryption key to persistent storage.

    Related articles