Documentation

Everything you need to integrate, deploy, and manage ASTIS for secure email communication.

Getting Started

1. Create an account

Sign up at portal.astis.io. Free plan includes 1 sender with OpenPGP protection.

2. Access ASTIS Mail or install a plugin

Open mail.astis.io — the ASTIS Mail web/PWA app works on PC, mobile, and tablet. Or install the ASTIS plugin for your email client (Thunderbird, Outlook, or Gmail).

3. Send your first encrypted email

Compose an email as usual. ASTIS automatically encrypts the message and manages keys.

4. Recipient reads securely

Recipients with ASTIS decrypt automatically. Others receive a secure link or onboarding invitation.

How It Works

Architecture Overview

ASTIS is a security layer, not a mail server. Your existing email provider handles delivery and storage. ASTIS adds:

  • End-to-end encryption — messages are encrypted with OpenPGP before leaving your client
  • Session key capsules (SKEY) — encrypted key material that controls access to each message
  • Policy enforcement — TTL, sharing rules, and access requirements defined by the sender or organization
  • Zero-knowledge for email content — ASTIS never sees or stores plaintext email content; session keys are stored as encrypted capsules (transient in-memory plaintext only during Key Rewrap)

Message Flow

1. Sender composes email → ASTIS plugin encrypts content with SKEY

2. SKEY is wrapped into an encrypted capsule → sent to ASTIS service

3. Encrypted email is delivered via your normal email provider

4. Recipient's ASTIS plugin requests capsule → decrypts SKEY → reads message

5. Access is governed by TTL, policies, and recipient key verification

Plugins & Clients

ASTIS Mail (Early Access, invite only)

The primary ASTIS client: a web/PWA app at mail.astis.io that works across all devices.

Platforms: Web, PC, Mobile, Tablet

Thunderbird Plugin (Available)

Full PGP support and key management for Mozilla Thunderbird.

Platforms: Windows, macOS, Linux

Gmail Web Plugin (Beta)

End-to-end encryption directly in the Gmail web interface.

Browsers: Chrome, Firefox, Edge

Outlook Web Plugin (Beta)

Enterprise-grade encryption for Outlook Web / Office 365.

Browsers: Chrome, Firefox, Edge

Mobile clients (Coming Soon)

Native mobile clients for Android and iOS with biometric authentication.

Platforms: Android, iOS

Encryption & Keys

OpenPGP (RFC 4880)

All messages are encrypted using OpenPGP. Each user has a public/private key pair. Public keys are discoverable via WKD (Web Key Directory) protocol.

Session Key Capsules (SKEY)

Each email is encrypted with a unique session key. The session key is then wrapped into an encrypted capsule:

  • Capsule is encrypted to the recipient's public key
  • Plaintext SKEY is never stored or logged by ASTIS
  • TTL and policies are enforced at the capsule level

Key Discovery (WKD)

ASTIS uses the Web Key Directory protocol (RFC 8605) for automatic public key discovery. When you send an email, the recipient's public key is automatically retrieved via their email domain's WKD endpoint.
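As an added illustration of the lookup described above (example code, not ASTIS's own), the Go functions below derive the two Web Key Directory URLs a client fetches for an address: the local part is lowercased, SHA-1 hashed and z-base-32 encoded into the path, while the local part as written travels in the l= query parameter. ASCII-only case folding and the two standard URL layouts (advanced method on the openpgpkey subdomain, direct method on the mail domain) are assumed; a client must still check that the key it fetches carries a user ID for the address it asked about.

```go
package main

import (
	"crypto/sha1"
	"encoding/base32"
	"fmt"
	"net/url"
	"strings"
)

// zbase32 is the alphabet WKD uses to encode the hashed local part.
var zbase32 = base32.NewEncoding("ybndrfg8ejkmcpqxot1uwisza345h769").WithPadding(base32.NoPadding)

// WKDHash lowercases the local part (ASCII folding assumed to suffice), hashes it
// with SHA-1 and z-base-32 encodes the 160-bit digest, which is always 32 characters.
func WKDHash(local string) string {
	sum := sha1.Sum([]byte(strings.ToLower(local)))
	return zbase32.EncodeToString(sum[:])
}

// WKDURLs returns the advanced-method URL (openpgpkey subdomain) and the
// direct-method URL (mail domain itself) for an address. The domain is
// lowercased for the host; the l= parameter keeps the local part as written.
func WKDURLs(addr string) (advanced, direct string, err error) {
	at := strings.LastIndex(addr, "@")
	if at < 1 || at == len(addr)-1 {
		return "", "", fmt.Errorf("not an email address: %q", addr)
	}
	local, domain := addr[:at], strings.ToLower(addr[at+1:])
	suffix := "/hu/" + WKDHash(local) + "?l=" + url.QueryEscape(local)
	advanced = "https://openpgpkey." + domain + "/.well-known/openpgpkey/" + domain + suffix
	direct = "https://" + domain + "/.well-known/openpgpkey" + suffix
	return advanced, direct, nil
}
```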

BYOK

Bring Your Own Key — customer-controlled key governance. Import your keys and manage lifecycle (rotation, revocation) while ASTIS handles encrypted capsules.

HYOK

Hold Your Own Key — decryption authority stays under customer control. For regulated/sovereign environments requiring on-premise key operations.

Organizations

Organization Management

Business and Enterprise plans include organization-level controls:

  • Roles — Admin, Auditor, Member roles with granular permissions
  • Policies — Organization-wide TTL defaults, external sharing rules, access requirements
  • Audit logs — Security-relevant events: policy changes, admin actions, access decisions
  • Team key governance — Centralized key management across the organization

Licensing & Seats

  • You only pay for users who send encrypted emails
  • Receiving and reading emails is unlimited and free
  • Per-seat price is locked for the full annual subscription term
  • Seats can be added mid-term at the locked price
  • Seat reductions take effect at next renewal

Infrastructure Services

WKD Service

Web Key Directory — RFC 8605 compliant public key discovery via email domain. HTTPS-based, HKP support.

SKEY Service

Session key capsule management — secure storage, retrieval, TTL enforcement, and policy-based access control.

BYOK Service

Bring Your Own Key — import keys, automated rotation, cloud HSM integration, audit logging.

HYOK Service

Hold Your Own Key — on-premise key authority, HSM support, zero-knowledge for email content, data residency compliance.

CryptoVault Service (CVS)

PrivatePGP key vault and BYOK/HYOK gateway. Stores password-encrypted private keys with binding-based access control — CVS never has access to the password or plaintext key material. Routes BYOK/HYOK operations to customer-controlled key endpoints.

WALEP

Cross-platform client-side cryptographic engine powering ASTIS plugins on Windows, macOS, and Linux. Handles encryption, decryption, key generation, and capsule operations locally on the device.

WALES

Wall Encryption Service — server-side cryptographic processing designed for mobile users who want the simplest, fastest way to use encrypted email — no plugin installation required. Plaintext is processed transiently in a controlled environment and never persisted.

Frequently Asked Questions

Do I need to change my email provider?

No. ASTIS is a security layer that works with your existing provider (Microsoft 365, Gmail, SMTP, etc.). Keep your current setup.

What happens if the recipient doesn't have ASTIS?

ASTIS supports secure escrow onboarding. The message stays encrypted, and once the recipient registers and publishes a public key, the capsule is re-wrapped to their key.

Does ASTIS store my emails?

No. ASTIS servers do not store your emails. Your email provider handles storage and delivery. Plaintext email content is handled only within the ASTIS client application on your device — it is never seen or stored by ASTIS servers.

What encryption standard does ASTIS use?

ASTIS uses AES-256-GCM for email content encryption and OpenPGP (RFC 4880) for session key (SKEY) capsule protection. Each message is encrypted with a unique session key, which is then wrapped into an OpenPGP capsule. Plaintext session keys are never stored.
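The session key capsule pattern described in the Session Key Capsules section and in this answer, as an added Go example that is not ASTIS code: each body is sealed under a fresh AES-256-GCM session key, the key and its expiry are wrapped to the recipient's public key, and the capsule is refused once the TTL has passed. RSA-OAEP stands in for the OpenPGP encryption of the real capsule, the capsule layout (32-byte key followed by a big-endian unix expiry) is constructed for this example, and the TTL check runs at unwrap time here, whereas the page places it at the ASTIS service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// NewRecipientKey generates the recipient's key pair; RSA-OAEP stands in for
// the recipient's OpenPGP key throughout this example.
func NewRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Seal encrypts one body under a fresh AES-256-GCM session key and wraps the
// capsule (key || big-endian unix expiry) to the recipient's public key.
func Seal(body []byte, ttl time.Duration, pub *rsa.PublicKey) ([]byte, []byte, error) {
	buf := make([]byte, 32+12) // session key and GCM nonce, unique per message
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	skey, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(skey) // cannot fail: key length is 32 bytes
	gcm, _ := cipher.NewGCM(block)  // cannot fail for an AES block
	ct := gcm.Seal(nonce, nonce, body, nil) // nonce is prepended to the ciphertext
	capsule := make([]byte, 40)
	copy(capsule, skey)
	binary.BigEndian.PutUint64(capsule[32:], uint64(time.Now().Add(ttl).Unix()))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, capsule, nil)
	return ct, wrapped, err
}

// Open unwraps the capsule, withholds the session key once the TTL has passed,
// and only then decrypts the body. now is a parameter so expiry is testable.
func Open(ct, wrapped []byte, priv *rsa.PrivateKey, now time.Time) ([]byte, error) {
	capsule, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil || len(capsule) != 40 || len(ct) < 12 {
		return nil, errors.New("capsule unwrap failed or ciphertext malformed")
	}
	expires := time.Unix(int64(binary.BigEndian.Uint64(capsule[32:])), 0)
	if !now.Before(expires) {
		return nil, errors.New("capsule TTL expired: session key withheld")
	}
	block, _ := aes.NewCipher(capsule[:32])
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ct[:12], ct[12:], nil) // fails closed on any tampering
}
```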

Can I use ASTIS for my team?

Yes. Business plans support 15–2,000 senders with organization policies, audit logs, and team key governance. Enterprise plans are designed for larger organizations or regulated environments — they include BYOK/HYOK key custody, extended audit retention, dedicated onboarding, priority support, SLA options, and custom pricing. Contact sales for a tailored deployment.

What is TTL (Time-to-Live)?

TTL controls how long a recipient can decrypt a message. After the TTL expires, the session key capsule is no longer accessible. Free: up to 14 days. Plus: up to 90 days. Business/Enterprise: custom TTL.

Need help?

Can't find what you're looking for? Our team is here to help.