The entire mailbox – emails, calendar and address book – is stored end-to-end encrypted in Tutanota. The only unencrypted data are the mail addresses of users and the sender and recipient addresses of emails. Upon entering your login credentials, your mailbox is automatically decrypted locally on your device. You can easily log in via a web browser, via the Tutanota apps for Android and iOS, or via the Tutanota desktop clients for Windows, macOS and Linux.
Encrypted emails to anyone.
Tutanota uses symmetric (AES 128) and asymmetric encryption (AES 128 / RSA 2048) to encrypt emails end-to-end. When both parties use Tutanota, all emails are automatically end-to-end encrypted (asymmetric encryption). For an encrypted email to an external recipient, a password for encrypting & decrypting the email (symmetric encryption) must be exchanged once.
Tutanota’s automatic encryption works easily on all devices, even mobile. Tutanota automatically encrypts
Tutanota comes with an end-to-end encrypted calendar that lets you store all your appointments confidentially. The calendar is an outstanding achievement because not only is all data encrypted, but the reminders are end-to-end encrypted as well. Even the time at which a notification is sent to the user is obscured from our servers, so that we remain in the dark about all our users’ appointments.
Encrypting these notifications is essential for your security and privacy: notifications are sent to the user's device so that they know when a specific appointment is about to happen. If this information were not encrypted, we as the provider would have full access to the user's information along with all the information contained in the notification.
Highest level of TLS encryption with PFS, DNSSEC, DKIM, DMARC and MTA-STS.
On top of its automatic end-to-end encryption, Tutanota uses TLS, Perfect Forward Secrecy, DNSSEC, DKIM, DMARC and MTA-STS to secure your connection to Tutanota to the maximum.
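Of the mechanisms listed above, DMARC and MTA-STS are the two a domain owner publishes as plain text records, so their strength can be checked by parsing them. The following script is an added example (not Tutanota's code or configuration): it parses a DMARC TXT record and an MTA-STS policy file and reports whether each is in enforcing mode. The records at the bottom are constructed sample values for the placeholder domain example.test, and the thresholds the checker applies (p=reject, mode=enforce, max_age of at least one day) are its own assumptions, not values taken from the page.

```javascript
// Added example, not Tutanota's code: parse a DMARC record and an MTA-STS policy
// file and report whether each is in enforcing mode. The records at the bottom
// are constructed sample values for the placeholder domain example.test.

// DMARC record: TXT at _dmarc.<domain>, "tag=value" pairs separated by ';'.
function parseDmarc(txt) {
  const tags = {};
  for (const part of txt.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    tags[part.slice(0, idx).trim().toLowerCase()] = part.slice(idx + 1).trim();
  }
  return tags;
}

// Strict means: valid, rejects failing mail, covers 100% of traffic, keeps the
// same policy for subdomains, and has an aggregate-report address.
function assessDmarc(txt) {
  const t = parseDmarc(txt);
  const findings = [];
  if (t.v !== 'DMARC1') findings.push('missing or wrong v tag');
  if (t.p !== 'reject') findings.push(`p=${t.p || 'none'} lets spoofed mail through`);
  if (t.sp !== undefined && t.sp !== 'reject') findings.push(`sp=${t.sp} weakens subdomains`);
  const pct = t.pct === undefined ? 100 : Number(t.pct);
  if (pct < 100) findings.push(`pct=${pct} applies the policy only partially`);
  if (!t.rua) findings.push('no rua address, so no aggregate reports');
  return { strict: findings.length === 0, findings };
}

// MTA-STS policy file: "key: value" lines served at
// https://mta-sts.<domain>/.well-known/mta-sts.txt; "mx" may repeat.
function parseMtaSts(body) {
  const policy = { mx: [] };
  for (const line of body.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const key = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (key === 'mx') policy.mx.push(value);
    else policy[key] = value;
  }
  return policy;
}

// Strict means: valid, mode=enforce, at least one mx, cached for at least a day
// (these thresholds are this checker's assumptions).
function assessMtaSts(body) {
  const p = parseMtaSts(body);
  const findings = [];
  if (p.version !== 'STSv1') findings.push('missing or wrong version');
  if (p.mode !== 'enforce') findings.push(`mode=${p.mode || 'none'} does not enforce TLS`);
  if (p.mx.length === 0) findings.push('no mx entries');
  if (!(Number(p.max_age) >= 86400)) findings.push('max_age shorter than one day');
  return { strict: findings.length === 0, findings };
}

// Constructed sample records (not real DNS data).
const DMARC_WEAK = 'v=DMARC1; p=none; pct=50';
const DMARC_STRICT = 'v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.test';
const MTA_STS_TESTING = 'version: STSv1\nmode: testing\nmx: mail.example.test\nmax_age: 86400\n';
const MTA_STS_ENFORCE = 'version: STSv1\nmode: enforce\nmx: mail.example.test\nmx: *.backup.example.test\nmax_age: 604800\n';

for (const [name, result] of [
  ['DMARC weak', assessDmarc(DMARC_WEAK)], ['DMARC strict', assessDmarc(DMARC_STRICT)],
  ['MTA-STS testing', assessMtaSts(MTA_STS_TESTING)], ['MTA-STS enforce', assessMtaSts(MTA_STS_ENFORCE)],
]) {
  console.log(name, result.strict ? 'OK' : 'WEAK', result.findings.join('; '));
}
```

Run it with node. The same functions can be fed records fetched for a real domain with `dig TXT _dmarc.<domain>` and `curl https://mta-sts.<domain>/.well-known/mta-sts.txt`; a `p=none` or `mode: testing` result means the domain is only monitoring, not yet enforcing.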
Tutanota uses a strict CSP (Content Security Policy), an HTML sanitizer for displaying unknown content (in emails) to prevent XSS attacks, and, by default, does not load external content from other servers (pictures and videos in emails).
Check here to see how Tutanota scores on Securityheaders.io.
Tutanota never transmits your password to the server.
When you log in, Tutanota salts and hashes your password locally and transmits only the resulting hash to our servers. The actual password cannot be derived from this hash, so no one can know your password, not even we at Tutanota. To protect your password, we use bcrypt and SHA256.
To further secure your login credentials, Tutanota enables you to activate two-factor authentication. For this you can use TOTP or U2F. We recommend using U2F with a security device as this is the most secure form of two-factor authentication.
Please check our online security guide on how to keep your emails safe from hackers.
Your password unlocks your private key.
Every Tutanota mailbox owns one private key that is used to automate the exchange of encrypted emails. When you register with Tutanota, this private key is created locally on your client and encrypted with your password. This way, Tutanota can automate the entire encryption process without ever having access to your private key.
A minimum password strength is required because your password protects the private key used for encrypting your confidential emails. That’s why registration with a weak password is not possible with Tutanota.
To reset your password, you need your recovery code. We do not offer a password reset via email as this is inherently insecure.
You can read details about Tutanota’s key generation process and how we secure your private key on our blog.
Tutanota follows the principles of data minimization & privacy by design.
We are responsible for the protection of your personal data, and we take this responsibility very seriously. Therefore
Please read our full privacy statement for details.
Our built-in encryption and the ability to send an encrypted email to any recipient in the world make Tutanota a perfect fit when looking for a secure email solution. Under the GDPR, companies must always protect personal data, even when sent via email. Read our blog to find out how Tutanota can help you to always send GDPR-compliant emails.
Germany has one of the strictest data protection laws.
Data privacy regulations in the European Union (EU) are among the strictest in the world, and among all European member states, Germany has one of the strongest policies: the Federal Data Protection Act (Bundesdatenschutzgesetz). The EU General Data Protection Regulation (GDPR) was in large parts designed based on the German Federal Data Protection Act.
This law protects users of Internet services. It puts the user in charge of what should be done with their data: companies (i.e. we) are not allowed to collect any personal information (e.g. name, date of birth, IP address) without express permission from the individual concerned (i.e. you).
In addition, in Germany there is no law that could force us to submit to a gag order or to implement a backdoor.
You can find details about German data protection laws on our blog and in our Transparency Report.
Tutanota stores all data encrypted in highly secure data centers in Germany.
All data in Tutanota is stored end-to-end encrypted on our own servers in ISO 27001 certified data centers in Germany. No one has access to our servers except our permanent administrators, who must pass multi-factor authentication before gaining access. All production systems are monitored 24/7 for unauthorized access and unusual activity.
Tutanota is an anonymous email service that does not track you.
Our business model is different from most email services: due to the encryption, we cannot scan your emails. We do not track you. We do not send targeted advertisements to your mailbox.
By default, Tutanota does not log IP addresses when you login or when you send an email. Upon registration you do not need to provide any personal data (e.g. no phone number is required), even when you register via Tor.
Tutanota strips your IP address from the headers of emails you send so that your location remains unknown.
Tutanota is an email service built with privacy at its heart.
Companies love email for marketing campaigns because email, by default, does not respect your privacy. When you receive a marketing newsletter, the email usually loads external content (e.g. images). At that moment you are being tracked: your IP address, the browser you are using and more information is transmitted to the sender.
Tutanota offers you an email service that automatically protects from those tracking methods:
Check if anyone has accessed your encrypted Tutanota mailbox.
Tutanota lets you check active and closed sessions as an opt-in feature. This allows you to verify that no one but yourself has logged into your account. Closed sessions are automatically deleted after one week.
Tutanota’s session handling also enables you to close sessions remotely. When you lose your mobile phone and you are still logged in with the Tutanota app, you can close this session from any other device. By closing the session remotely, you make sure that no one can access your secure emails on the lost phone.
IP addresses of open and closed sessions are always stored encrypted and automatically deleted after one week. Due to the encryption only you can access this information. We at Tutanota have absolutely no access to this information.
Free and open source emails for everyone.
Tutanota focuses on security and privacy. To us, open source is essential to achieve both. We have published the Tutanota web client, the Tutanota desktop clients as well as the Android and iOS apps as open source software on GitHub.
This way everyone can check the code and verify that there are no bugs in the code base. By being open source, potential bugs can be noticed and fixed much faster than is the case with closed source applications.
Tutanota encrypts as much data as possible directly on your device. You can verify this yourself: when logged in via a web browser, press F12 to open the developer console. Then click on 'Network' and 'Preview' to see what data is sent to the server. This view is updated every time you open an email, a contact or a calendar entry. All text that appears in a form not readable by humans is sent to the server end-to-end encrypted and Base64-encoded.
The screenshot shows the encrypted email contents. Similar to PGP, Tutanota encrypts the data of an email end-to-end with a hybrid encryption protocol based on AES and RSA.
Your signature is appended to new mails automatically. With Tutanota, your signature is stored end-to-end encrypted on our server and synchronized to all of your devices.
As Tutanota does not use PGP, it can encrypt a lot more data of an email than just the contents. This is illustrated by the next screenshot.
Notably, Tutanota encrypts the "subject" as well as the names of the "sender" and the recipients ("toRecipients").
The only data that is not encrypted in a Tutanota email are the email addresses and the date of an email sent or received.
Regarding email security, there are two different cases:
In both cases, all emails are stored fully encrypted on our servers. We never store unencrypted emails on our servers. However, emails that are not end-to-end encrypted are only encrypted once they reach our servers.
The Tutanota Calendar is a true zero-knowledge calendar because our servers know nothing about your encrypted events. All data that you store in the calendar is encrypted: The "description", the "endTime", the "location", the "startTime", the "summary", the "uid" (the ID of the event), the "alarmInfos" (which are the reminders that you can define to be notified about upcoming events), and the "repeatRule" (which is the rule to define in what interval and until what date the event should be repeated).
The Tutanota Calendar also encrypts notifications, which is a very innovative approach. The encrypted Tutanota alarms are stored locally on your devices to completely hide them from our servers. This means we do not know anything about your calendar events, not even when an event is taking place.
In contrast to that, current standards such as iCal do not encrypt any data. If you store your events with an online service for easy access and syncing, you can be sure that someone else is seeing all your calendar events.
In the zero-knowledge Tutanota Calendar all your data is always encrypted so that no one, not even we as the developers, can see your private appointments.
Tutanota Contacts are encrypted entirely, just like the Tutanota Calendar. You can store all your contacts' details in Tutanota knowing that no one but you can access this very personal information about your family members, your friends or your business contacts.
Tutanota automatically encrypts the "birthdayISO", the "comment", the "company", the "firstName", the "lastName", the "nickname", the "role", the "title", the "addresses", the "mailAddresses", the "phoneNumbers", and the "socialIDs".
Tutanota offers more than just easy email encryption. Tutanota makes sure that all your data is always encrypted and can only be accessed by one single person: You.
Tutanota automatically encrypts all your emails, calendars and contacts.
Tutanota brings automatic encryption to all your devices. Whether you're at home, at work or on the go, encrypting all your data has never been easier.