When you send an email message, you
haven’t the slightest guarantee of privacy. Sure,
Gmail and most other webmail providers use secure HTTPS transmission between
your computer and their servers, but at the server it’s accessible to the
provider, or to anyone who hacks the provider. Big businesses know this, and
take steps to secure their email traffic, especially in light of the new
requirement for compliance with the CMMC (Cybersecurity Maturity Model
Certification). PreVeil is a solution devised for those big
businesses, but it’s also available for free to me, you, and other consumers.
PreVeil offers native applications
for Windows and macOS, and apps for Android and iOS. In addition, you can log
into your account directly, without installing anything. And the benefits don’t
stop with encrypting your email. Your PreVeil account also includes online
storage for your most important files that’s secure, encrypted, and shareable.
Totally free is a great price. Private-Mail offers a
free tier, but it limits email storage to 100MB and omits some premium-level
features. If you want the full 10GB of encrypted file storage and access to
those premium features, you pay $69.99 per year for Private-Mail.
has a limited free tier, with 500MB of storage and 150 messages per day. Paying
the $48 per year subscription price raises those limits to 5GB of storage and
1,000 messages. It also unlocks some premium features. such as setting up auto-reply.
With StartMail you don’t get free as a choice; it simply costs $59.95 per year.
Like PreVeil, Virtru
is the free personal edition of a larger business-focused product. It’s free, yes,
but it has some serious limitations. Virtru works only with Gmail, and it only
functions if you log into Gmail through Chrome. On the plus side, you can set
Virtru messages to expire after a fixed time, and apply extra protection to attachments.
Wrapped Keys and No Passwords
Any serious encryption solution
needs to operate with zero knowledge. That means that the provider has no
possible way to access your data. Only you hold the key, and only you can
decrypt your personal data.
Here’s a simplified rundown of how PreVeil
works. When you sign up, it creates a large cryptographic key that resides only
on your computer or mobile device. Other components of the encryption process
have their own keys. For example, if you put a file in a folder shared with
another user, the file, the folder, and the other user each have distinct keys.
It would be handy to store the
file’s key on the server—handy, but insecure. Instead, PreVeil encrypts the
file’s key using the key for the shared folder and stores that on the
server. It encrypts the folder’s key with the keys belonging to each user and
stores those. They call this system “wrapped keys” and it ensures that any
malefactor who breaches the system won’t have any access to data. All
decryption happens on your local device, of course.
Note, too, that there’s no need for
a password in this plan. Your key lives on the device. To use it, you first
must log into your device and then log into your email system. That’s two
authentication steps already, plus the need to have physical access to the
device, giving you a form of two-factor
authentication. Private-Mail, ProtonMail, and StartMail all support
two-factor authentication using Google Authenticator or an equivalent app.
PreVeil has a lot of encrypting and
decrypting to do, and most of these operations use secure Public Key Infrastructure (PKI)
technology. That big key on your device? That’s your private key. For the nitty
gritty encryption of actual data, it uses a speedier symmetric encryption
system. It breaks the data down into equal size blocks, encrypts each block
with a different key, and stores the keys in encrypted form using PKI. It’s similar
in some ways to the MicroEncryption system used by CertainSafe
Digital Safety Deposit Box, though CertainSafe ups the ante by
storing the different blocks on different servers.
It’s worth noting that
Private-Mail, ProtonMail, and StartMail all use PKI,
specifically a key-sharing system called PGP, for Pretty Good Privacy. On the
one hand, this isn’t nearly the hyper-thorough wrapped keys system used by
PreVeil. On the other hand, it means that these services can exchange secure
mail with anyone who uses an email system that supports PGP.
ProtonMail and StartMail also offer
the ability to send encrypted messages to people who don’t use the service (and
don’t have a PGP key). However, communication with non-users relies on simple
password-based encryption, so it’s significantly less secure. Since PreVeil is
free for individuals, there’s no problem with simply requiring each recipient
to install it.
Virtru, like PreVeil, doesn’t
require a password. The company manages your keys, and you just use Gmail
more-or-less like normal. There is the option to include a plaintext message
along with the encrypted content, and the recipient must click to decrypt. It’s
not quite as seamless at PreVeil.
Shared Secrets for Key Recovery
Consumer-side security products
frequently come with a disclaimer. You must acknowledge that if you lose the
encryption key, you lose access to your account and its data. An early version
of one security product laid out its policy thus: “I understand that if I lose
my encryption key, I will be hosed.”
That just doesn’t fly in a business
environment. Suppose only the CTO has the key to unlock the company’s essential
documents, and further suppose the CTO dies, or absconds with the key. The company
can’t just shut down, and yet sharing the key more widely is a security risk.
The solution is something called Shamir’s
Secret Sharing. Perhaps you’ve heard of the ground-breaking RSA
encryption algorithm, named for its inventors? Adi Shamir is the S in RSA, the
other two being Ron Rivest and Len Adleman.
The actual sharing algorithm uses finite
field arithmetic in multiple dimensions…I think. Even I, a one-time math major,
find it hard to grasp. But this is how it works, in simple terms. You give a
partial secret to a recovery group of, say, six people. And you set a recovery
threshold so that, for example, any four of them can re-create your lost key. It
doesn’t matter which four, and the members of the recovery group have no access
to your key.
In a business setting, you might
make the Board of Directors your recovery group. The personal edition suggests
you name three friends and allow recovery with the help of any two. With all
the mega-math happening under the hood, the recovery system seems simple.
After hearing about the high-end
cryptographic technology embodied by this program, you might expect it’d
require a PhD to operate. Nothing could be farther from the truth, as I found
when I set it up.
Near the top of the PreVeil website’s
home page, you find a big button titled Get PreVeil Personal. When you click
the button, the site serves up the appropriate download for your Windows,
macOS, Android, or iOS device. There’s one minor exception—at the moment it
doesn’t handle iPadOS
correctly. On an iPad, you must go to the App Store for your download, which is
no great effort.
During the install process you
create a PreVeil account and add PreVeil to your email client. PreVeil automatically
connects with Gmail and Outlook on Windows and Apple Mail under macOS. It also integrates
with the native mail app on your mobile devices. If you use Thunderbird or some
other email client, the program explains how to set up a profile for your
That’s it. You don’t have to change
to a new email address the way you do with StartMail, ProtonMail, and
Private-Mail. You don’t have to do anything special. Encrypted mail comes to a
profile with “(Encrypted)” before your name, and sending encrypted mail is just
a matter of sending from that profile. I did hit one minor snag in that I
couldn’t even tell PreVeil was present in Outlook. I needed a nudge to scroll
down past my dozens of Inbox folders to see the new encrypted profile at the
Of course, your email recipients
must also use PreVeil. A recipient who doesn’t yet have it gets a message
containing a link and instructions for installation. As soon as the new account
is set up, your encrypted message appears in the Inbox.
The best experience, I found, comes
with installing PreVeil’s Chrome extension and using Gmail. With the extension
active, encryption is automatic for messages whose recipients all use PreVeil. Adding
a non-PreVeil recipient triggers a warning that this recipient will get an
invitation to install PreVeil. And you can click a switch to turn encryption on
or off. A plugin for Outlook, available to businesses and coming soon to the
free edition, works in much the same way.
When you launch PreVeil, it opens a
page in your browser with the unusual URL http://127.0.0.1:4003/mail/inbox/1. Those
with some network experience may recognize 127.0.0.1 as the address for
localhost, meaning your own computer. The odd address shouldn’t be confusing,
because what you see in the browser looks like any other webmail system.
You can click to compose an
encrypted email, of course. A menu down the left offers access to Inbox,
Drafts, Sent, Trash, and any email folders you’ve created. The main area of the
screen lists the messages in the selected folder, and clicking a message gets
you a view of the message body. Simple!
Add a Device
Since PreVeil integrates with your regular
email process, you probably won’t use it to just read and compose email
messages. But you do need to launch PreVeil to do other things, such as manage
I mentioned earlier that your
lengthy cryptographic key resides on your device, nowhere else. So how do you
ever use encrypted email on multiple devices? The answer is built right into
Start by selecting Add a Device
from the Settings menu. The program prompt you to install PreVeil on the device
before continuing. On the new device, you choose Add Existing Account. Once you
enter the email associated with your account, PreVeil on the new device
generates an eight-character one-use password that you enter on the old device,
at which point PreVeil loads your crypto key onto the new device. In testing, I
had no trouble adding an Android device from a Mac.
If you lose your device, or if it
gets stolen, PreVeil can deal with that. When you select Manage Devices from
the Settings menu, you get a list of associated devices. Here you can rename
the device, remove the software, or lock the account without removing PreVeil.
That last option is handy if you just can’t find the device. You can unlock it
when found, or remove PreVeil when you give up looking.
Web Access, With Care
In the event you want to connect
with your PreVeil mail without installing the app, you can log in to
web.preveil.com. You enter your email account, as you might expect, and then
get some help from a mobile device that has PreVeil installed.
On the mobile device, you tap Login
to Web Portal. At that point, a QR code appears in the browser on the device
you’re trying to connect. Snap it with the mobile device and you’re in. You can
now manage your PreVeil secure messages.
I worried about the security of this
operation, so I checked in with PreVeil’s CEO. He explained that the handshake
process described above shares a temporary copy of your all-important key. The
copy lives in the browser’s cache and vanishes when the browser closes, or
after 24 hours. He clarified that if you use a compromised PC to connect,
there’s a possibility the key could be captured, but even then, it could only
be used on that same device. “That is why users should not use the capability
to log in on public computers,” he explained.
Secure, Sharable Cloud Storage
But wait! There’s more! Your
PreVeil account comes with 10GB of cloud storage for your most important files.
That’s the same amount you get free from Box, and quite
a bit more than Dropbox’s paltry 2GB. If you want 10GB of storage from
Private-Mail, you need an expensive premium account. Of course, the security of
your files is paramount with PreVeil, unlike with standard cloud storage services.
PreVeil gives you easy access to
your cloud storage by creating a folder in Windows Explorer. I didn’t spot the
folder at first because it doesn’t have a simple name like “Google Drive File
Stream.” Rather, the folder name is PreVeil followed by your email address, for
example, “[email protected]” You can treat this folder like any
other, moving files into and out of it, creating and editing files, and so on.
But the files reside in encrypted cloud storage.
You can also access your files by
opening the PreVeil app and selecting the Drive tab rather than the Mail tab.
This is the spot to set up and manage sharing folders. Just point to a folder
and click the Share button that appears. Anybody you share with can edit the
contents of the folder; you decide whether they also get the ability to share
it with additional users. As with the email system, a recipient who doesn’t yet
have PreVeil gets an invitation to set up a free account.
Private-Mail’s secure file sharing
defaults to using simple password-based encryption. If you want to share files
with the protection of PKI, you must set up PGP again, with a separate set of
keys from those used for email.
As noted, if a device with PreVeil
installed gets lost or stolen, you can disable the app. But if you lost all
your devices that have PreVeil, you’re in trouble. You can’t add a device
without the aid of an existing installation. That’s where the key recovery
system comes in.
As mentioned earlier, PreVeil
encourages you to set up a recovery group of friends who also use the product. A
common group setup would be three friends, with two required for recovery. The
key recovery process is similar in many ways to establishing PreVeil on a new
device. As in that situation, you start by installing the product and choosing
to add an existing account. But instead of choosing to transfer the existing
private key, you click Recover Key.
At this point, you enter your email
address and wait for a message from PreVeil. After a couple of confirmations,
you get a list of your recovery group members. One at a time, you have PreVeil
send them a notification that you require account recovery help. When they approve
the request, you use the phone or a secure IM app to tell them an
eight-character password displayed by PreVeil. Don’t send that password via
email or a simple text! Once you’ve reached the threshold that you set for
number of approvals needed, you click to re-create the key.
The process is a little bit
involved, it’s true, but the PreVeil website lays it out step by step. And
being able to get your key back is certainly better than losing all access to
your messages and files.
High-Tech Privacy for Free
uses security technology that’s suitable for protecting the most important
business data (and complying with government regulations), but completely hides
any complexity from the user. You don’t have to set up a new email address, you
don’t have to change your email client. And for individuals, it’s totally free.
Other encrypted email solutions we’ve reviewed come with significant baggage such
as a high price, limits on features, or the need to use a special email
address. With PreVeil, you just start using it and get world-class protection
for your email privacy. Combining top-tier technology, ease of use, secure file
sharing, and no cost, PreVeil is our new Editors’ Choice for encrypted email.