Comparison · Verified July 2026 · Every claim links to its source
ASTIS Mail vs Virtru
Both encrypt email on top of Gmail and Microsoft 365 without migration. The difference is one question: who can produce your plaintext?
TL;DR. Virtru is the established player — $191M raised, FedRAMP Moderate, 6,000+ customers. In its default deployment, Virtru’s key infrastructure manages your decryption keys; their own ITAR page puts it plainly: “Microsoft will have encrypted content, Virtru will have the keys.” ASTIS Mail is built so that trust isn’t required: keys are generated and used on your devices, and ASTIS servers hold wrapped key capsules and a public-key directory — never your mail. Virtru counters with a smoother flow for unprepared recipients and a longer certification list. The honest version of both is below — with links to where each vendor says it themselves.
At a glance
The icon next to a claim opens its primary source — the vendor’s own page for their claims, our verifiable docs for ours. Security platforms shouldn’t ask to be believed.
| ASTIS Mail | Virtru | |
|---|---|---|
| Works on top of Gmail / Microsoft 365 | Native desktop apps (macOS · Windows · Linux) · any browser · Thunderbird add-on · Chrome extension | |
| Vendor can decrypt your mail | ||
| Zero-knowledge without add-ons | Default configuration | |
| Encryption standard | ||
| Subject lines encrypted | ||
| Attachment names encrypted | Filenames + MIME types sealed | |
| Calendar encryption | E2EE calendar built in | |
| Unprepared external recipients | One-time key invite, then frictionless | |
| Post-send control | TTL expiry + revoke | |
| Jurisdiction & infrastructure | ||
| Certifications issued today | ||
| Published pricing |
Where is the trust boundary?
Every product on this market draws a line: everything left of it cannot read your content; everything right of it you have to trust. The only question that matters is where the line sits.
Keys generated and used client-side. No service can produce plaintext.
Content encrypted, but a vendor-run key server authorizes every decryption.
Encryption and access control live in the vendor’s server-side platform.
TLS in transit; content readable at rest by providers and gateways.
Virtru encrypts client-side, but its Key Access Server authorizes and releases the key for every read. Private Keystore (add-on) moves the boundary left — at enterprise pricing.
Where your data lives
ASTIS Mail deliberately does not host message content: decrypted mail exists only on your devices, ciphertext rides your own mailbox. Compare where each product puts plaintext.
Who holds the keys?
ASTIS Mail’s model
The per-message key is generated on the sender’s device and encrypted to each recipient’s public key — on the device. ASTIS stores wrapped capsules keyed by address hashes, plus the public-key directory. No plaintext keys, no message content.
There is no read-time authorization service that could be compelled, compromised, or socially engineered into releasing a key — because no service holds a usable key. Zero-knowledge is the default, not the top tier. Verifiable: open SDK, GPG-signed builds, published specs.
Virtru’s model
Content is encrypted client-side into TDF objects; the data-encryption keys are managed by Virtru’s Key Access Server on AWS. When a recipient opens a message, Virtru’s infrastructure authorizes and releases the key — an authorization middleman for every message.
Their fix exists — Private Keystore, host the keys yourself — sold as an enterprise add-on with professional services attached.
“Microsoft will have encrypted content, Virtru will have the keys but no content.”— virtru.com/compliance/itar
Standards, not formats: OpenPGP vs TDF
Virtru’s TDF is an open specification (OpenTDF) — credit where due. But a TDF object is unreadable without a Key Access Server’s cooperation: the format is open, the access path runs through Virtru-style infrastructure. An OpenPGP message is self-contained: ASTIS Mail encrypts to a 30-year-old IETF standard (RFC 4880/9580), keys are discovered via standard Web Key Directory, and your private key decrypts your mail in any compliant implementation — including GnuPG, without ASTIS. If ASTIS disappeared tomorrow, your keys and your ciphertext still work. That is what “no vendor lock-in” means cryptographically, not contractually.
What stays readable
For a law firm, “Re: Smith v. Jones — settlement strategy.docx” in plaintext is the leak.
Virtru: subject/recipient list and attachment names per Virtru support documentation; attachment content encrypted, 150 MB combined cap. Calendar via Google Workspace CSE + Private Keystore only.
External recipients — the honest section
Repeat correspondents: one-time setup wins
ASTIS Mail sends the external recipient a one-time key invite — a free browser client, no install. Every exchange after that is frictionless true E2EE. No per-message verification dance.
For firms whose confidential mail goes to repeat correspondents — clients, counsel, auditors — the one-time setup beats every-time verification. For one-off blasts to strangers, it doesn’t. Choose accordingly.
One-off mail to strangers: Virtru is better today
Virtru’s Secure Reader lets an unprepared recipient verify by OAuth or a one-time email link and read in the browser. No account creation. For one-off mail, that beats ASTIS Mail. Full stop.
The same flow is Virtru’s #1 complaint theme in its own G2 reviews (~55 mentions): single-use links that expire in 24 hours and must open in the same browser on the same device, notifications landing in spam, replies losing the prior thread.
Pricing
ASTIS Mail
- Solo $179/year · Team $15/seat/mo · Organization $20/seat/mo
- Self-serve, 30-day trial, no services engagement
- 25-seat firm: ≈ $4,500–6,000/year
Two honest shortlists
Pick Virtru if
- US federal orbit: FedRAMP Moderate, ITAR carve-out, CJIS, CMMC positioning
- Daily one-off encrypted mail to unprepared external recipients
- Granular post-send control: disable forwarding, watermarking
- An issued SOC 2 report is a hard requirement today
Pick ASTIS Mail if
- The requirement is that no vendor can decrypt — legal privilege, board mail, trade secrets
- EU-regulated buyers (GDPR, NIS2, DORA) for whom a US key custodian is the problem
- Subjects, filenames, and calendars must be inside the envelope — not just bodies
- Teams of 5–200 that want published per-seat pricing, no services project
FAQ
Is Virtru end-to-end encrypted?
Virtru encrypts client-side, but in the default deployment its Key Access Server manages and releases decryption keys — Virtru sits in the trust path for every message. With the Private Keystore add-on, customers host keys themselves. ASTIS Mail is zero-knowledge in its default configuration.
Does Virtru encrypt subject lines?
No — subjects and recipient lists remain unencrypted; body and attachment contents are encrypted. ASTIS Mail encrypts subject lines and attachment filenames as well.
Which has better compliance certifications today?
Virtru — SOC 2 Type II, FedRAMP Moderate, FIPS 140-2 validated modules, HIPAA BAA from the entry tier. ASTIS’s SOC 2 Type II is in progress (July 2026); its architecture claims (open SDK, signed builds, no US hyperscalers in the stack) are verifiable now.
Can I try both without changing my email setup?
Yes — both are overlays. Virtru: extension/add-in, sales-assisted above entry tiers. ASTIS Mail: OAuth connect + PWA, 30-day self-serve trial.
Is ASTIS Mail a Virtru alternative for US government work?
No. If you need FedRAMP, ITAR, or CJIS, use Virtru or PreVeil. ASTIS Mail is built for European regulated business.
Sources — retrieved July 2026
- Virtru pricing packages
- Virtru Trust Center
- Virtru on ITAR key custody
- Secure Reader support docs
- Vendr — Virtru contract data
- G2 — Virtru reviews
- ASTIS security whitepaper
All trademarks belong to their owners. Prices and features change — verify before deciding. Found an inaccuracy? [email protected] — we fix verified inaccuracies within one business day.
Don’t trust either vendor — verify.
Read the security documentation, then run the 30-day trial on your existing Gmail or Microsoft 365 mailbox. Keep the provider. Protect the content.