Security & Encryption

SipherMail is built with security as the primary design constraint. This section covers end-to-end encryption, two-factor authentication, and session management.

• End-to-End Encryption (SIPHER-E2EE-V1) — How E2EE works, key generation, and recovery.
• Two-Factor Authentication — TOTP setup with Google Authenticator or compatible apps.
• Session Management — View active sessions and revoke access from any device.

Security at a glance

• RSA-OAEP 4096-bit + AES-256-GCM end-to-end encryption
• PBKDF2 with 310,000 iterations for key derivation
• All crypto operations run client-side via Web Crypto API
• IMAP passwords encrypted at rest with AES-256-GCM
• TLS 1.2+ enforced for all connections
• Servers in Falkenstein, Germany (Hetzner dedicated hardware)

For a full overview of our security architecture, see the Security & Privacy page.

Next steps

• Set up end-to-end encryption →
• Enable two-factor authentication →