VESmailend-to-end email encryption proxy
for developers & self-hosters
any IMAP email account
any standard email client no plugins, no new address Get Started
The problem:
email is stored unencrypted on servers you don't control.
Learn more
Regular email
Regular email is encrypted by TLS only while
in transit between devices (blue arrows). VESmail
With VESmail, the message body and headers are encrypted before they
reach the outgoing server, and stay encrypted at rest on both
servers (blue boxes). The providers only ever store ciphertext. How
it works
Learn more
A transparent proxy
VESmail is a stream encryptor for RFC 5322 / MIME messages, wrapped in
transparent IMAP4rev1 and ESMTP proxy servers, written in C. Standards-preserving format The MIME structure is kept intact: each body part becomes application/vnd.ves.encrypted, encrypted headers travel as X-VESmail-Header, and a plaintext banner part is injected so clients without VESmail still render something sensible. The format is documented in the ves-mime specification. Run it where you want
An instance can run on your own machine, a home server, a company server,
or a cloud host. When the instance runs on hardware under your control,
encryption and decryption happen entirely on your side of the wire —
end-to-end encryption in the strict sense. Keys
& recovery, via VES
Learn more
Per-message keys Each message gets a random encryption key. That key is encrypted to every recipient's VES public key and deposited in the VES repository; each recipient unwraps it with their own keychain. Message content is never visible to VES — only wrapped keys are. Recoverable, without a backdoor Losing a device doesn't mean losing your mail. VESrecovery™ rebuilds a lost keychain through a network of friends, without any shared master key and without any party being able to read your content on their own. The mechanism is covered by US patent 10,911,237. See The Math for the failure-odds model. The dependency, stated plainly The VESmail proxy is open source (Apache-2.0). Key custody and exchange use the hosted VES repository at vesvault.com — a VESmail instance needs connectivity to the VES API to unlock keys. Developer documentation for VES and libVES is at ves.host. HideSNIF
trusted TLS for your instance
Learn more
The problem it solves Mail clients expect a server with a real hostname and a publicly trusted TLS certificate. A VESmail instance on your laptop or home server has neither — no public IP, no domain, no CA-issued cert. The connector
SNIF (Server Name Identification Forwarding) gives an instance a unique
public hostname with a publicly trusted, end-to-end TLS certificate —
the private key never leaves the instance, and the relay in the middle
sees only TLS ciphertext. The SNIF connector is built into VESmail. Enterprise
compliance & key inheritance
Learn more
Compliance audit Encrypted email without oversight doesn't work for organizations. A VESmail enterprise instance can designate audit accounts that receive a copy of every message key, giving compliance access to encrypted correspondence. Admission is by invitation and RSVP, restricted to the enterprise's own domain, so the mechanism can't be quietly pointed at outsiders. VESrecovery Inheritance An admin can pre-select the recovery network that every user inherits on joining, so the organization has a robust key-recovery net from day one without depending on each user to set one up. HideSpecs
& source github.com/vesvault/VESmail – source code, Apache-2.0
ves-mime – encrypted email format specification
application/vnd.ves.encrypted – IANA-registered MIME type
libVES – the VES client library
ves.host – VES developer portal
snif.host – the SNIF connector & relay
|