Every email we handle is encrypted in transit and at rest. Here's exactly how — in plain language.
All connections to TempMail (web UI, API, SMTP relay) negotiate TLS 1.3 where the client supports it. We've disabled TLS 1.0 and 1.1. TLS 1.2 is still accepted for legacy clients but is deprecated.
Our TLS configuration scores A+ on Qualys SSL Labs. We support forward secrecy on all connections, meaning recorded sessions cannot be decrypted after the fact even if our private key were later compromised.
Protocol: TLS 1.3 (preferred), TLS 1.2 (fallback)
Ciphers: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
Key Exchange: X25519 (ECDH)
HSTS: max-age=31536000; includeSubDomains
HPKP: enabled
Every email stored on our servers is encrypted with AES-256-GCM before being written to disk. Encryption keys are stored separately from the data they protect, in a hardware security module (HSM).
Keys are rotated every 24 hours. Old keys are securely wiped after a brief grace period to allow in-flight decryptions to complete.
Algorithm: AES-256-GCM
Key storage: HSM (hardware security module)
Key rotation: Every 24 hours
IV: 96-bit random per message
Auth tag: 128-bit GCM tag
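The at-rest scheme described above, sketched as an added Node.js example (not TempMail's code): AES-256-GCM with a random 96-bit IV and 128-bit tag per message, a 24-hour key rotation, and old keys kept only for a grace period. The record layout, the one-hour grace period, the in-memory keyring standing in for the HSM, and the names Keyring, seal and open are assumptions.

```javascript
// Added illustration. Keys live in process memory here; the page states the
// real keys are held in an HSM, separate from the data.
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const ROTATION_MS = 24 * 60 * 60 * 1000; // rotation interval stated on the page
const GRACE_MS = 60 * 60 * 1000;         // assumed; the page only says "brief"

class Keyring {
  constructor() { this.keys = new Map(); this.currentId = 0; }
  // Return the active key, minting a new one once the interval has elapsed,
  // and retire keys older than rotation interval + grace period.
  current(now) {
    const cur = this.keys.get(this.currentId);
    if (!cur || now - cur.created >= ROTATION_MS) {
      this.currentId += 1;
      this.keys.set(this.currentId, { key: randomBytes(32), created: now });
    }
    for (const [id, k] of this.keys) {
      if (id !== this.currentId && now - k.created >= ROTATION_MS + GRACE_MS) {
        k.key.fill(0); // best-effort wipe of the in-memory copy
        this.keys.delete(id);
      }
    }
    return { id: this.currentId, key: this.keys.get(this.currentId).key };
  }
}

// Record layout (assumed): keyId (4 bytes) | IV (12) | tag (16) | ciphertext
function seal(ring, plaintext, now) {
  const { id, key } = ring.current(now);
  const iv = randomBytes(12); // fresh 96-bit IV for every message
  const header = Buffer.alloc(4);
  header.writeUInt32BE(id);
  const c = createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  c.setAAD(header); // authenticate the key id along with the ciphertext
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([header, iv, c.getAuthTag(), ct]);
}

function open(ring, record, now) {
  ring.current(now); // apply rotation and retirement before the lookup
  const entry = ring.keys.get(record.readUInt32BE(0));
  if (!entry) throw new Error('key retired');
  const d = createDecipheriv('aes-256-gcm', entry.key, record.subarray(4, 16), { authTagLength: 16 });
  d.setAAD(record.subarray(0, 4));
  d.setAuthTag(record.subarray(16, 32));
  return Buffer.concat([d.update(record.subarray(32)), d.final()]); // throws on tampering
}
```

Storing the key id in each record is what lets a message sealed just before a rotation still be opened during the grace period, and retiring the key afterwards makes any remaining ciphertext under it undecryptable.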
All web, API, and SMTP connections. A+ rating on Qualys SSL Labs. HSTS enforced.
Every message encrypted before disk write. Keys in HSM, rotated every 24 hours.
Ephemeral keys per session. Compromise of our long-term key cannot decrypt past traffic.
Encryption keys stored in certified hardware security modules — never in software.
On expiry, messages are overwritten with random data before deallocation — unrecoverable.
Our encryption implementation is reviewed in every annual third-party penetration test.
Military-grade encryption applied to every byte, every time.