FAQ
Isn’t a password with few characters insecure?
Short passwords do not withstand a brute-force attack, so regipost does not encrypt with the password that the user enters. Instead it encrypts with a 256-bit key that is automatically generated from the user password and two other random passwords, each 256 bits long. An attacker would need all three passwords to decrypt the message. Unauthorized users are kept out because the recipient receives the first of the random passwords only after correctly entering the user password, and the second one is in the link. This technique also prevents access by any other unauthorized party, including the service provider. If a recipient enters the user password incorrectly more than three times, the document is immediately deleted. It is the same principle you know from credit card PINs.
Where do encryption and decryption happen?
All cryptographic functions are executed inside of your web browser. This also includes the generation of all used encryption keys.
Where are the keys stored then?
The message key is derived from the user password and two additional random passwords. One of them is stored on the servers of the service provider. The second password is transmitted to the recipient in the generated link. The user password is not stored anywhere.
Can I use any character as password?
In order to reduce the number of formatting issues, the following characters are ignored (removed automatically): space, minus, slash and backslash.
Is the service provider able to read my messages?
No, because the message is stored in encrypted form. This also applies to the sender information entered. The service provider does not have the key that is transmitted with the link. Therefore, it cannot gain access to your data.
But the link is opened in a browser. Doesn't the service provider get it then during opening?
No. The password part of the link comes after a hash (#) character; this part of a URL is called the URI fragment. A web browser does not send anything after that character to the web server, so your service provider does not get this part of the password. It is read by the locally executed JavaScript, which decrypts the message on your local device.
What encryption libraries is regipost using?
Encryption and hashing are done using the Web Crypto API of your web browser. It is designed to be used for secure encryption.
What encryption algorithms are used?
AES with a 256-bit key in GCM mode, and SHA-256 for all hash codes.
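The scheme described in the answers above, sketched with the Web Crypto API as an added example (not regipost's own code). This page does not say how the three parts are combined; SHA-256 over their concatenation is an assumption, as are all function names and the `example.invalid` URL, and the server-side password check and attempt counter are left out.

```javascript
// Added example; names and the key-combination step are assumptions, not regipost's code.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback for Node < 19
const enc = new TextEncoder();
const toHex = (buf) => [...new Uint8Array(buf)].map((b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (hex) => Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));

// Drop the characters the FAQ says are ignored: space, minus, slash, backslash.
function normalizePassword(pw) {
  return pw.replace(/[ \-\/\\]/g, "");
}

// Assumed combination: SHA-256(password || serverSecret || linkSecret) -> AES-256-GCM key.
async function deriveMessageKey(userPassword, serverSecret, linkSecret) {
  const pw = enc.encode(normalizePassword(userPassword));
  const material = new Uint8Array([...pw, ...serverSecret, ...linkSecret]);
  const digest = await wc.subtle.digest("SHA-256", material);
  return wc.subtle.importKey("raw", digest, "AES-GCM", false, ["encrypt", "decrypt"]);
}

// Sender side: encrypt locally, return what the provider stores and the link to share.
async function createMessage(plaintext, userPassword, baseUrl) {
  const serverSecret = wc.getRandomValues(new Uint8Array(32)); // 256-bit, stored by provider
  const linkSecret = wc.getRandomValues(new Uint8Array(32)); // 256-bit, only in the link
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh GCM nonce per message
  const key = await deriveMessageKey(userPassword, serverSecret, linkSecret);
  const ciphertext = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(plaintext));
  return {
    stored: { serverSecret, iv, ciphertext: new Uint8Array(ciphertext) },
    link: `${baseUrl}#${toHex(linkSecret)}`,
  };
}

// What an HTTP request for the link carries: path and query, never the fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient side: read the fragment locally, rebuild the key, decrypt.
async function openMessage(stored, link, userPassword) {
  const linkSecret = fromHex(new URL(link).hash.slice(1));
  const key = await deriveMessageKey(userPassword, stored.serverSecret, linkSecret);
  const plain = await wc.subtle.decrypt({ name: "AES-GCM", iv: stored.iv }, key, stored.ciphertext);
  return new TextDecoder().decode(plain);
}
```

A wrong user password yields a different key, so AES-GCM authentication fails and `openMessage` rejects instead of returning garbled text.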
Why does nothing happen when I try to encrypt?
This usually happens if you are using an incompatible web browser or a security tool is restricting or blocking access. Make sure you always use a modern web browser in the latest version. Make sure that JavaScript is not blocked.