by mnrasul 4526 days ago
So, can I keep the keys myself instead of storing them in the cloud? Or do I have to trust Virtru instead of Google or some other company that they don't buckle when someone comes knocking for the keys?

Based on the feature list, I can't have the keyserver on my own server. I have to trust Virtru. This is no different than sending the text in plain IMO.

3 comments

Nope.

> However, you’re entrusting us to help you maintain your privacy; you should know how we will respond if the government asks us for access to your encryption keys. The government would need those keys if it wanted to read any encrypted files it does obtain. Without them, the files are useless.

> We won’t provide your keys to anyone without your consent — unless we are ordered to divulge them by a judge with jurisdiction over us. If we are ordered to divulge them, we will fight for you to have notice and an opportunity to object.

So I guess I'll keep waiting for a DarkMail client.

One of our core goals is to bring privacy to the masses without people needing to completely ditch their current accounts and infrastructure. We want to seamlessly integrate with the apps people already use so that even non-technical people can use it.

DarkMail would require people to completely ditch everything and jump to a new system.

But for the super-security-minded folks we're researching ways we can seamlessly integrate PGP-like capabilities into the product so that Virtru would never even be in a position to see the keys at all.

So from a security standpoint, this is equivalent to the status quo, except transferring responsibility from Google to a small startup for maintaining keys? I'd be shocked if Google doesn't encrypt emails at rest. Is there still plenty of in-flight unencrypted SMTP traffic to worry about that this could address? I guess you have to worry about the recipient if you are sending email to a non gmail/hotmail/ymail address?

>> I guess you have to worry about the recipient if you are sending email to a non gmail/hotmail/ymail address?

Virtru allows you to send securely to any recipient, regardless of the email provider they use. The easiest way to read the secure message is to use the Virtru software to integrate with your existing email client.

Our iPhone client uses IMAP, so it works with any email provider that supports IMAP.

Our browser extension currently integrates with Gmail, Yahoo, and Outlook.com. If the Virtru browser extension does not integrate with your email provider, then we provide a mechanism to read the secure email in your browser without installing anything. However, you cannot reply securely without the Virtru software.

>> I'd be shocked if google doesn't encrypt emails at rest

Virtru encrypts email content on the client side, so your email is protected before it ever leaves your computer. That gives you protection in transit and at rest.

The website does actually say advanced users can run their own keystore, but this does seem like the weak point in the service in general.

So as of this moment, you can't keep the keys yourself. Our technology absolutely allows for self-hosted keys. We do have private key managers being developed, which we intend to open source, and be for private use. It will be an option for those that want the responsibility of keeping the keys safe, and also address your concern.

Also, our privacy policy contains details on how we handle user data: https://www.virtru.com/privacy-policy

And we have a blog post discussing some frequently asked questions on government surveillance: https://blog.virtru.com/faq-on-government-surveillance/

About blog: yeah, I agree you need to obey the laws and everything, but does the law state that you need to store the keys?

Until the law does, keeping all the keys in one place is an invitation for the bear to get the honey. If all the honey was in separate honeycombs, the bear might still get them all, but would probably have a tad bit more work to do.

At least hypothetically :).

That is one reason why the underlying tech we're using, particularly the TDF, is designed to allow you to use any key server you want. Our hope is that we're the first of many TDF key servers out there, and are working to open source a key server under Apache license so anyone can use and contribute. If you're interested in helping make that possible or know people who might be, let us know.

Great. Thanks. Will sign up when it becomes available :)

Out of curiosity, on which platform would you want to run the self-hosted server?