This page is rather technical. See Improve security of your system for a more user-focused guide.
FlowCrypt uses OpenPGP to encrypt messages and attachments on the user's device before they are transferred over the network or stored with the email provider, providing end-to-end encryption at rest as well as in transit.
This ensures that nobody other than the intended recipient and the sender is able to read email contents.
Our software uses OpenPGP.js, which receives regular security reviews. We also contribute some of our code back to OpenPGP.js for the benefit of other software vendors.
What is encrypted
The following table shows which email parts are encrypted for outgoing messages.
| Email part | Encrypted | Notes |
| Email text body | ✓ | |
| Subject | ✕ | Enterprise customers can customize |
| Attachment name | ✕ | Enterprise customers can customize |
| Email footer | ✕ | Enterprise customers can customize |
| Recipients and other headers | ✕ | |
The same applies to encrypted drafts. Drafts are encrypted using the sender's public key.
Key strength and default options
When creating a new key, the default is ECC curve25519 for keys created in the FlowCrypt Browser Extension, Android and iOS Apps.
Enterprise customers may choose their desired key type and strength across their organisation.
When importing a key, FlowCrypt will use any compatible key supplied by the user.
We are planning to add support for hardware tokens (smartcards) such as YubiKey, ZeitControl or any other PKCS#11-compatible security token that can handle OpenPGP keys.
If you are an enterprise customer looking to deploy FlowCrypt and you are blocked on missing hardware token support, please email us at email@example.com about your organization, the number of seats required and what kind of smartcard and operating system you use. We will do our best to cater to your needs.
Published in 2018, EFAIL describes a class of attacks affecting email encryption software. FlowCrypt is safe from these attacks. When a user receives a modified (potentially dangerous) encrypted message, the message will not be automatically rendered. Instead, the user will see a security warning and an option to decrypt the message manually.
Public Source Code
Our source code is publicly available for review at github.com/FlowCrypt.
Bug Bounties & Public Contributions
FlowCrypt believes in transparency and extensive collaboration as a foundation for robust and secure systems. We run a public bug bounty program with up to $5,000 USD in rewards. You can check it out on our Bug Bounty page. Or, for a list of vulnerabilities that have already been found and fixed, check out our Vulnerabilities Catalogue.
Email firstname.lastname@example.org if you have any security-related questions.