Encrypted Email Hosting — Zero-Knowledge Mail Servers

AnubizHost encrypted email implements defense in depth with encryption at three distinct layers. Transport encryption uses TLS 1.3 with strong cipher suites for all SMTP, IMAP, and webmail connections, preventing interception of messages in transit. We enforce DANE and MTA-STS policies to prevent TLS downgrade attacks, ensuring that connections to and from your server always use the strongest available encryption.

At the storage layer, every mail server uses LUKS full-disk encryption with AES-256-XTS. Encryption keys are stored separately from the data volumes and are never written to persistent storage in plaintext. Even physical seizure of the server hardware yields nothing but encrypted blocks without the corresponding key material.

For end-to-end protection, we provide native PGP/GPG integration with automatic key discovery via WKD (Web Key Directory) and keys.openpgp.org. Messages encrypted with PGP remain encrypted throughout the entire delivery chain, from sender to recipient, and cannot be decrypted by anyone — including AnubizHost — without the recipient's private key.

Zero-knowledge means exactly what it says: we have zero knowledge of your mailbox contents. Our infrastructure is architected so that decryption of mailbox data requires credentials that only you possess. We do not store password hashes that could be reversed, we do not maintain recovery keys, and our operations team has no mechanism to access your email even with physical access to the server.

This is not a marketing claim — it is a verifiable architectural property. The encryption and decryption of your mailbox data happens client-side, and the keys never leave your device or session. If you lose your credentials, we cannot recover your data. This trade-off is deliberate: true privacy requires that no one — not even the hosting provider — has a way in.

For organizations that need key escrow or recovery mechanisms, we support customer-managed key servers where you control the recovery infrastructure entirely. This gives you the compliance benefits of key recovery without granting AnubizHost any access to your data.

Our encryption implementation follows current best practices from NIST, the IETF, and the European Union Agency for Cybersecurity (ENISA). We use only well-audited, open-source cryptographic libraries — OpenSSL and GnuPG — with no proprietary or homegrown encryption schemes. All cipher suites are reviewed and updated quarterly to remove deprecated algorithms and adopt stronger alternatives.

For regulated industries, our encrypted email hosting meets the technical requirements of GDPR Article 32 (security of processing), HIPAA encryption standards for email containing protected health information, and PCI-DSS requirements for secure communication of cardholder data. We provide technical documentation and architecture diagrams that your compliance team can include in audit packages.

Certificate management is fully automated via Let's Encrypt with ACME, ensuring your TLS certificates are always valid and renewed well before expiration. We also support custom certificates for organizations that use their own certificate authority or require Extended Validation (EV) certificates.

Getting started is simple. Select your plan, choose your server location, and pay anonymously with cryptocurrency. Your encrypted email server is provisioned in minutes with all encryption layers active by default. No configuration is required to achieve full transport and storage encryption — it works out of the box.

To enable end-to-end PGP encryption, upload your public key through the webmail interface or via WKD. Your contacts can then encrypt messages to you automatically, and your replies are encrypted with their public key. For organizations, we support automated key distribution across all mailboxes using WKD and SKS key servers.

All plans include unlimited email accounts on your domain, full IMAP and SMTP access, a Roundcube webmail interface with PGP plugin pre-installed, spam and antivirus filtering, and 24/7 server monitoring. Root access is available for custom configurations, and our support team can assist with encryption-specific setup questions.