Every email credential is protected with XChaCha20-Poly1305 encryption via libsodium. Envelope encryption ensures your data stays safe — even if the server is compromised.
A layered encryption architecture designed to keep credentials secure at rest and in transit.
All sensitive credentials are encrypted using the XChaCha20-Poly1305 authenticated encryption algorithm, powered by libsodium. Fast, secure, and resistant to timing attacks.
A unique Data Encryption Key (DEK) encrypts each credential. The DEK itself is encrypted by a Key Encryption Key (KEK), providing an additional layer of protection.
The master Key Encryption Key is stored outside the database in a file with strict 0600 permissions. Only the application process can read it — not the web server or other users.
Your email credentials are the keys to your inbox. We treat them with the highest level of care.
Even if an attacker gains access to the database, encrypted credentials are useless without the KEK stored separately on the filesystem.
The Key Encryption Key can be rotated without re-encrypting every credential individually. DEKs are re-wrapped with the new KEK on next access.
Passwords and OAuth tokens are never stored in plaintext. They exist in encrypted form at rest and are decrypted only in memory when needed for mail operations.
XChaCha20-Poly1305 provides both confidentiality and integrity — any tampering with the ciphertext is detected and rejected.
A simple three-step process secures your credentials from the moment you enter them.
When you add an email account, your password is received over HTTPS and immediately passed to the encryption service.
A unique Data Encryption Key is generated for the credential. The DEK encrypts the password using XChaCha20-Poly1305.
The DEK is then encrypted (wrapped) by the master Key Encryption Key and stored alongside the ciphertext. The plaintext password is discarded.
Clacks uses XChaCha20-Poly1305, an authenticated encryption algorithm provided by the libsodium cryptographic library. It offers both confidentiality and integrity protection for all stored credentials.
Envelope encryption is a two-layer approach: each credential is encrypted with its own Data Encryption Key (DEK), and the DEK is then encrypted by a master Key Encryption Key (KEK). This means the KEK never directly touches your data, and key rotation is efficient.
Yes. The KEK can be rotated by an administrator. When rotated, DEKs are re-wrapped with the new KEK on next access, without requiring all credentials to be re-encrypted at once.
Bridge your email accounts to Gmail in minutes. Free plan available, no credit card required.