We built post-quantum encrypted email that works with Gmail. Here's how.
Most encrypted email services have a glaring problem: their privacy guarantees only apply when both people use the same service. Email a Proton user from Gmail and you get standard TLS, not end-to-end encryption. That's the gap we built Aster Mail to close.
The cryptography stack
For Aster-to-Aster messages, we use a Signal-inspired protocol: X3DH for key agreement, Double Ratchet for forward secrecy, and ML-KEM-768 (CRYSTALS-Kyber) for post-quantum key encapsulation. This means every message gets a fresh encryption key, past messages stay protected if future keys are compromised, and the key exchange itself is resistant to quantum attacks.
For external recipients (Gmail, Outlook, anyone), we use RSA-4096 PGP. Not post-quantum, but the best practical option for interoperability with the broader email ecosystem today.
The rest of the stack: Argon2id (128MB, 3 iterations) for key derivation, AES-256-GCM for symmetric encryption, ECDH P-256 for additional key exchanges, and HMAC-SHA256 blind indexes for encrypted search.
Zero-access architecture
Everything encrypts client-side before it touches our servers. Not just message bodies -- subjects, contacts, folder structure, search indices, timestamps, and attachment metadata. The only plaintext we ever handle is the sender/recipient addresses that SMTP delivery physically requires. We can't read your mail even if we wanted to, and even under legal compulsion there's very little useful data to hand over.
The stack
- Web app with Cloudflare Tunnel on the web layer only (SMTP/IMAP does not route through Cloudflare)
- Native desktop via Tauri/Rust
- Mobile via Capacitor (iOS/Android)
- Servers on Hetzner in Germany
- Fully open source under AGPL v3 -- GitHub repo going public at launch
Where we are
Closed beta, 150+ revision cycles, waitlist open at astermail.org. We're launching soon on web, Windows, Mac, Linux, iOS, and Android.
Happy to answer questions about implementation decisions in the comments -- especially if you've thought about the tradeoffs between PGP interoperability and a modern ratchet protocol.
You can join the waitlist @ https://astermail.org/
Top comments (1)
Feel free to ask questions and answer them all!