Zero-knowledge · Outlook-compatible · Luxembourg sovereign

Your executive emails, sealed. Nobody can read them, except you.

Today, your Microsoft 365 administrator can read your emails. Legally. It is documented in your tenant's eDiscovery procedure: a Global Admin ticks a box, and your entire CEO or board chair mailbox becomes searchable. No alert. Same goes for your hosting provider, your MSP, your archiving subcontractor. And if their admin account is compromised, the attacker has the same power. Luxgap SealedMail solves this at the root: the server only stores encrypted blobs. Your private key is derived from your passphrase and exists nowhere in plaintext on our infrastructure. You open your usual Outlook, your emails display in clear after local decryption. Nobody else has access. Not your IT, not your MSP, not Luxgap, not an attacker who compromised our tenant. Designed and hosted in Luxembourg for executives who cannot afford their strategic negotiations, M&A dossiers or exchanges with legal counsel to be read by anything other than themselves.

Build my quote → Contact us
Main features

What the software actually does.

Zero-knowledge architecture: server only sees ciphertext

Every message stored in your SealedMail mailbox is encrypted with your X25519 public key the moment it reaches our servers. The corresponding private key never left your device. Concretely: at sign-up, your browser or local client locally generates a Curve25519 key pair (X25519 for encryption + Ed25519 for signing). The private key is immediately encrypted by AES-256-GCM with a key derived from your passphrase via Argon2id (OWASP 2024 params: 64 MB, 3 iterations, 4 parallel threads). The server receives only your public key and the encrypted version of your private key, which it cannot decrypt since it does not know your passphrase. This zero-knowledge architecture guarantees that even a Luxgap administrator with root server access cannot read your mailbox.

Incoming mail: encrypted on receipt, never stored in plaintext

When an external correspondent writes to you (from Gmail, Outlook 365, any standard SMTP server), the message logically arrives in plaintext on our incoming SMTP relay. We immediately encrypt it with your public key before persisting it to disk. The plaintext window lasts a few milliseconds in RAM, outside any snapshot, log or backup. The stored message is permanently unreadable by anyone but you. No plaintext archive window, no server-side content indexing. Search works via a server-side encrypted index (Encrypted Search Index architecture, ProtonMail-style) or client-side for mailboxes under 2 GB.

Outgoing mail: Ed25519-signed, encrypted if recipient has a key

When you send an email, your local SealedMail client (web or Outlook Bridge) encrypts the content with the recipient's public key if known: another SealedMail user, contact with OpenPGP key published on WKD servers, or established Autocrypt exchange. Otherwise, the email leaves in plaintext to the recipient (with an orange visual warning in the interface). In all cases, your Ed25519 signature is attached: the recipient can verify the email truly comes from you and has not been tampered with. For recurring exchanges with an external correspondent (your lawyer, your private banker), we offer a free SealedMail Companion invitation so they generate their own key pair and the conversation is end-to-end encrypted in both directions.

Works with your usual Outlook, via SealedMail Bridge

No question of asking a CEO to change their mail client. We provide SealedMail Bridge, a light program running in the background on your machine (Windows, macOS, Linux). It exposes a local IMAP/SMTP mailbox on 127.0.0.1, decrypts your messages on the fly for Outlook, and encrypts your sends before transmission to the server. You configure Outlook once (IMAP + SMTP account on localhost), and everything then works exactly as before: keyboard shortcuts, sorting rules, signatures, shared calendar, search, folders, archives. No functional loss. No habit change. Passphrase is requested at Bridge startup and stays in encrypted memory during the session (never persisted to disk). Also available as HTTPS web client for travel and iOS/Android mobile app.

Recovery in case of passphrase loss: your choice

Zero-knowledge architecture has a downside: if you lose your passphrase, nobody can recover your mailbox, not even Luxgap. For executives who want to guarantee continuity, we offer 3 optional mechanisms you activate or not in full awareness: (1) Paper recovery kit printed at sign-up: 24 BIP-39 words stored in your physical or notarial safe; (2) Shamir 3-of-5 key sharing: 5 trusted persons each receive a fragment, 3 are needed to reconstitute; (3) Board delegation with signed quorum: 2 directors out of 3 can authorise regeneration in case of incapacity. None of these mechanisms is activated by default. If you want no legal backdoor, you keep absolute responsibility for your passphrase.

Anti-coercion: forced opening detectable

For executives exposed to pressures (litigation, divorce, hostile negotiation, judicial control), SealedMail offers a decoy passphrase distinct from your real passphrase. If you are forced to open your mailbox in front of a third party, you enter the decoy passphrase: it decrypts a parallel side mailbox containing only innocuous emails you have prepared (administrative correspondence, invoices). Your real mailbox remains inaccessible and invisible. No server-side trace distinguishes a decoy opening from a normal one. Mechanism inspired by TrueCrypt and VeraCrypt plausible deniability, validated by our security engineering team.

Custom address @yourcompany.com or @sealed.lu

You use your existing corporate domain (pierre.martin@yourcompany.com) by pointing MX records to our SealedMail Luxembourg servers. Zero-downtime migration from Microsoft 365 or Google Workspace: we first sync your history to SealedMail (encrypted on-the-fly during migration), then switch MX. External correspondents continue writing to your usual address. Your non-executive colleagues can keep using Microsoft 365 on the same domain, only sealed mailboxes route through SealedMail. Alternative for fast creation: you@sealed.lu addresses with optional custom subdomain (you@private.yourcompany.com).

Encrypted attachments, up to 500 MB per message

Attachments are encrypted with the same key as the message body. No 25 MB limit like Outlook: you send up to 500 MB per message, useful for M&A dossiers, audit reports, committee videos. If the recipient is another SealedMail user, direct encrypted transmission. If the recipient is external, the heavy attachment is replaced by a secure link to a single-use download (expires after opening or 7 days), with password transmitted via separate channel.

Calendar, contacts, distribution lists: all encrypted too

If only emails were encrypted, your calendar would reveal your meetings with your investment banker or M&A advisor. And your contacts would reveal your strategic address book. SealedMail encrypts everything: calendar events (subject, attendees, location, notes), contact entries (name, phone, address, notes), private distribution lists. CalDAV/CardDAV compatible via the local Bridge, so you keep Apple Calendar, Outlook, Google Calendar as visual client. E2EE multi-device sync between your devices (work laptop, personal iPhone, travel tablet) without anything being readable server-side.

Self-destruction and scheduled message expiry

At send time, you can schedule message expiry: 24 hours, 7 days, 30 days, custom date. After this delay, the message disappears simultaneously from your sent folder, the recipient's mailbox (if SealedMail user) and the server. Useful for ongoing negotiations, price indications, temporary commercial positions. The message leaves no exploitable trace once expired. For external recipients, encrypted content is rendered inaccessible but the envelope (sender, subject, date) remains visible in their mail client.

Luxembourg hosting, EuroPriSe certification in progress

Physical servers at two Tier IV Luxembourg datacenters (LuxConnect DC1 and DC2, geographic redundancy). No replicas outside EU, no US hyperscaler in the chain. GDPR, NIS 2 (important entity, digital services sector), Luxembourg 1 August 2018 law compliance. EuroPriSe certification targeted for 2026. Annual audit by independent firm with public report. Bridge and protocol source code published open source (community review) ; only server components remain proprietary (pricing logic, anti-spam).

Authority requests: total transparency, but nothing to hand over

In case of valid Luxembourg judicial request (rogatory commission, search warrant signed by an investigating judge), Luxgap is legally required to respond. But we can only hand over what we have: encrypted blobs. Without your passphrase, they are mathematically unexploitable. We publish a biannual transparency report (number of requests received, jurisdiction of origin, action taken) on the ProtonMail model. No non-EU request is honoured (no FBI, no US subpoena: we are a Luxembourg entity with no US presence).

Use cases

Who it is for, and in what context.

CEOs, CFOs, CMOs whose mailbox contains strategic arbitrations, reorganisation notes, budgets and team escalations, and who do not want the Microsoft 365 administrator (often an external provider or junior IT) to have technical access.

Board chairs and directors exchanging draft resolutions, voting positions, confidential audit analyses before board meetings. These exchanges should never be visible to operational management.

M&A and corporate finance teams negotiating sensitive deals (acquisitions, disposals, fundraisings, restructurings). A leak via a compromised IT account can cost millions in price renegotiation.

Lawyers, fiduciaries, notaries bound by professional secrecy (Article 458 of the Luxembourg Penal Code, Article 226-13 of the French Penal Code). Professional secrecy is not guaranteed if your email hosting provider can technically read correspondence with your clients.

Private bankers and family offices managing sensitive family wealth whose correspondence reveals the identity and strategies of UHNWI clients.

Internal auditors and compliance officers conducting investigations on fraud or harassment suspicions, whose investigation emails should never be read by investigated persons (typically the CIO with access to the M365 tenant).

Whistleblowers and investigative journalists protecting sources who cannot afford a leak via their media organisation's admin.

Regulatory compliance

Regulatory compliance and alignment with executive obligations.

  • GDPR Article 32: end-to-end encryption is explicitly cited as appropriate technical measure. Using SealedMail demonstrates state-of-the-art confidentiality implementation.
  • GDPR Article 25: data protection by design. Zero-knowledge architecture is a textbook implementation of the principle.
  • Professional secrecy: Article 458 of the Luxembourg Pénal Code (lawyers, doctors, notaries), Article 226-13 of the French Pénal Code equivalent. SealedMail eliminates the risk of access by unauthorised third parties.
  • Banking secrecy: Article 41 of the Luxembourg law of 5 April 1993 on the financial sector. No disclosure possible from Luxgap since we cannot technically read.
  • DORA Article 9: ICT risk management for financial entities. SealedMail drastically reduces leak risk from corporate IT infrastructure compromise.
  • NIS 2: we are ourselves an important entity per Annex II (digital services), with risk management and incident notification obligations.
  • AI Act: no AI component has access to your message content (technically impossible). Anti-spam runs on headers only and sender reputation.
Architecture · Hosting

Technical stack and data sovereignty.

Cryptography: Curve25519 (X25519 for ECDH key exchange, Ed25519 for signatures), AES-256-GCM for symmetric envelopes, Argon2id for key derivation from passphrase (64 MB, 3 iterations, 4 threads, OWASP 2024 recommendation). Implementation based on libsodium server-side and Web Crypto API + WebAssembly browser-side.

Server stack: hardened Postfix + Dovecot on Debian 13, LXC containers isolated per tenant, encryption at rest on LUKS2-encrypted disks (second defensive layer), daily Borg backup to second LU datacenter (encrypted by your public key, therefore unusable even for us).

SealedMail Bridge: signed Rust binary, ~12 MB, 2-minute setup. Source code published on GitHub for community audit. Available Windows / macOS (Intel + Apple Silicon) / Linux (deb, rpm, AppImage).

No hyperscaler dependency: no AWS, no Azure, no Google Cloud. Self-hosted Rspamd anti-spam, RBL lists maintained in-house, no external DKIM relay.

FAQ

Frequently asked questions

How is this really different vs Microsoft 365 or Google Workspace with "encryption" enabled?
Microsoft 365 and Google Workspace encrypt your emails at rest on their disks, and in transit between servers. But they hold the keys. Concretely, any Global Admin of your M365 tenant can open an eDiscovery procedure and read your entire mailbox. This is documented and used daily in companies for litigation, internal audits or HR requests. Even Microsoft, under US court order (CLOUD Act), can be compelled to hand over your emails in plaintext. With SealedMail, these accesses are mathematically impossible: without your passphrase, the disk blobs are random noise. You recover cryptographic ownership of your mailbox.
Different from ProtonMail or Tutanota?
The zero-knowledge architecture is similar and we explicitly draw inspiration from them, they are serious references. SealedMail differentiates on 4 axes: (1) Strictly Luxembourg hosting instead of Swiss/German, relevant for the Luxembourg financial place and DORA requirements; (2) Native Outlook compatibility via Bridge, where ProtonMail Bridge rather targets Thunderbird and Tutanota has no official bridge; (3) Coupling with a compliance firm: we are external DPO and CISO of 200+ organisations, the service is designed for the executive obligations we see daily; (4) Executive pricing per seat (no consumer freemium to monetise by metadata resale).
What if Luxgap goes bankrupt or gets acquired by a non-EU player?
Legitimate concern. Three safeguards: (1) Our Luxembourg legal status with capital held by Luxembourg founders makes a hostile non-EU acquisition complex and reportable to the government (foreign investment screening in NIS 2 critical infrastructure); (2) Bridge and protocol source code is open source : a community fork is possible if we disappeared; (3) We provide a complete encrypted export of your mailbox on request, plus a migration guide to another OpenPGP-compatible provider. You are never cryptographically captive.
How does it interact with my internal DPO and IT audit?
Positively. An internal DPO should recommend that executive mailboxes containing special category data (health, internal investigation criminal data) or trade secrets be under zero-knowledge encryption. This is strict application of data protection by design (GDPR Article 25). For your IT audit, SealedMail reduces auditable scope: executive mailboxes leave the Microsoft 365 tenant, so are no longer in scope of M365 admin access controls. It is simpler to attest in audit, not more complex. We provide a technical note for your auditors on request.
How much does it cost?
Pricing per sealed mailbox and month, no commitment (30-day cancellation).

Sealed Personal (independent executive, individual lawyer): 39 EUR / month / mailbox with @sealed.lu address, 5 GB storage, 1 device.
Sealed Executive (CEO, CFO, chairman): 79 EUR / month / mailbox with custom domain, 50 GB storage, unlimited devices, Bridge included.
Sealed Board (board, M&A, internal audit committees): 149 EUR / month / mailbox with encrypted distribution list sharing, E2EE shared calendar, 24/7 priority support, quarterly configuration audit.
On-premise on your infrastructure (Article 41 LSF or strict DORA actors): custom quote starting at 6 figures yearly.

All plans include: M365/Google Workspace migration, passphrase training + recovery kit, FR/EN/DE support, 99.95% SLA guarantee with compensation. Free 30-day trial on a test subdomain.
Time to operational?
Sealed Personal: 1 hour. You create your @sealed.lu address, install the Bridge, configure Outlook. Live.
Sealed Executive with custom domain: 2 to 5 days. We configure MX, migrate history, train your assistant.
Sealed Board (full committee or board deployment, 5 to 15 members): 2 to 3 weeks with collective training session.
On-premise: 6 to 12 weeks depending on complexity.
Combine with

Our complementary services.

Try this software on your real data.

POC with no long-term commitment. Tailored quote within one business day.

Build my quote →