Thoughts on StartMail as a email service

jonah · February 18, 2024, 5:18am

github.com/privacyguides/privacyguides.org

Remove Startmail, as it's not zero-knowledge

main ← pr-remove_startmail

opened 03:34PM - 21 May 23 UTC

Changes proposed in this PR: As per the requirements of "Zero Knowledge" we s…houldn't really be listing Start Mail. - https://discuss.privacyguides.net/t/minimum-tls-requirements-for-email-providers/11830/18 Closes: https://github.com/privacyguides/privacyguides.org/issues/1433 Summary: - Uses 3072 ElGamal/DSA keys which are not default anywhere. No option for RSA, ed25519 etc. ElGamal hasn't been the default in [GnuPG since 2009](https://lists.gnupg.org/pipermail/gnupg-devel/2009-May/025079.html) - You cannot import your own PGP Keypair - Mail which is received while you're logged out, is encrypted with a separate keypair, and then when you log in, copied to a LUKS volume. That means all of your email is available to the server when you log in. It is only zero knowledge if you stay logged out. - [x] I have disclosed any relevant conflicts of interest in my post. - [x] I agree to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform, relicense, and distribute my contribution as part of this project. - [x] I am the sole author of this work. - [x] I agree to the [Community Code of Conduct](https://www.privacyguides.org/en/code_of_conduct/).

github.com/privacyguides/privacyguides.org

StartMail: Add a warning explaining drawbacks of the User Vault

opened 03:03PM - 09 Jun 22 UTC

closed 11:40PM - 24 May 23 UTC

TrashPandaCodingGarbage

c:providers status:research required

Hello there, I am a happy StartMail user - however, their "user vault" has s…ome drawbacks, which should be mentioned on PG with a warning, to make users more conscious about the product. **Link affected:** https://www.privacyguides.org/email/#startmail **The issue:** Privacyguides decription of StartMail does not mention the fact that if you are logged in, LUKS container with your data is mounted and readable by StartMail. In short, when you are logged-out, your data is encrypted and not cannot be accessed. This changes with the moment you log into StartMail - LUKS container is decrypted - which store user emails, PGP keys (including private key, which is NOT additionally password-protected, like in Protonmail), recovery codes etc., which can be accessed by StartMail employee, or an unsolicited person if the StartMail servers have been compromised. **Outcome of the issue:** False expectations. **Solution:** Describe User Vault somewhere in the StartMail section.

Topic		Replies	Views
When was Startmail removed? Questions	1	874	June 2, 2023
Encrypted mail black.com General website	11	1399	October 8, 2024
Skiff Mail (Email Provider) Tool Suggestions completed	348	28609	July 10, 2023
What do you think about Migadu? Off Topic	9	1591	March 19, 2025
Is the use of 3rd party email clients a privacy threat? Questions	2	917	December 26, 2023

Thoughts on StartMail as a email service

Related topics