We have been building an unprecedented end-to-end encrypted email service where we, by design, cannot read your mail. No other encrypted email service has post-quantum cryptography in production that works with any email provider, not just their own users. Client-side encryption with post-quantum cryptography, zero-knowledge architecture, fully open source under AGPL v3, servers in Germany. We're releasing soon and you can join the waitlist today: https://astermail.org/
We built Aster Mail because we wanted end-to-end encrypted email that's actually private. All encryption and decryption happens client-side. We encrypt email content, subjects, contacts, folder structure, search indices, timestamps, and attachment data before anything touches our servers. Minimal routing metadata (sender/recipient addresses) is required for SMTP delivery, but we encrypt everything we can beyond that. On top of standard PGP, we include post-quantum cryptography by default, protecting against store-now-decrypt-later attacks.
Aster's feature set includes things like: free aliases & ghost aliases (auto-generated anonymous addresses), free custom domains, encrypted contacts with device syncing, burn-after-read messages, scheduled send, email snooze, encrypted search, and subscription management.
We've been running a closed beta since early February and have gone through 150+ revision cycles based on tester feedback, so the product is now stable and feature-complete for launch. The entire codebase will be public on GitHub at launch under AGPL v3. Longer term, Aster is building a full encrypted communications suite with drive, chat, and authenticator. At launch, Aster Mail will be available on Web, Windows/Mac, Linux, and iOS/Android.
Side note, since it'll come up: "why not just use Proton?" Proton's architecture exposes metadata to the server, which means it can be handed over in response to legal requests, and has been, repeatedly. Aster encrypts email content, subjects, contacts, and most metadata client-side. Between Aster users, we use a Signal-inspired protocol (X3DH + Double Ratchet + ML-KEM-768) that provides forward secrecy, so even if keys are compromised in the future, past messages stay protected. External emails use RSA-4096 PGP. Our architecture is designed so that even under legal compulsion, there's very little useful data to hand over.
We're not anti-Proton. We just think there should be an alternative that actually protects users' privacy and is practical, in an increasingly monitored world.