Elusive is open source now, and mail seals itself both ways.
We opened the whole thing up: the server, the browser crypto, the storage layout, all public. You told us closed source was a dealbreaker, and you were right, so we listened. Mail now auto-encrypts in both directions when a key is published, every message gets forward secrecy, identity and read-state columns are ciphertext, deletion is permanent, self-hosters get a full admin dashboard, and recovery plus outbound mail both got hardened.
The whole thing is open
Every line that runs Elusive is public now: the server, the browser crypto, the storage layout. You no longer have to trust our claims, you can read them. Fork it, self-host it, or just check that the page in front of you matches the code we ship.
Mail now seals itself, both ways
You could already send and receive mail, but now the encryption happens automatically on both sides. Any sender whose app speaks OpenPGP encrypts to you before the message ever leaves them, and we never touch that plaintext at all. Send to someone who's published a key of their own and your message is sealed to them before it leaves us too, over forward-secret TLS. Everything else still gets sealed to your key the instant it lands.
Forward secrecy, per message
Each message you receive is sealed to its own one-time key, and that key is gone the moment you decrypt it. Even if your private key were ever exposed down the line, mail already read stays unreadable with it. Once your one-time keys run low, we fall back to a signed key that rotates weekly.
Admin panel for self-hosters
A full server administration dashboard: view real-time stats on users, messages, storage usage and process health. List every account, suspend or delete users; destructive actions require your TOTP code or password as a second check, and the last admin cannot be deleted. Manage reserved usernames to prevent address squatting. Everything an operator needs to run the service responsibly.
Folders and contact groups
Organise your mail into folders with names that are encrypted at rest, nothing on disk reveals your filing system. Colour-coded contact groups let you tag addresses and find people fast. Mark messages as junk, file them away, and keep your inbox exactly how you want it. Folders, groups, and nicknames all share the same privacy: ciphertext until you unlock them.
Choose where your key lives
Private mode stores your key encrypted on the server with recovery, so you can sign in from any device. Keyfile mode never lets the server hold it at all; you manage the key yourself. Switch between them with fingerprint verification so the server proves it has the right key. Your inbox works the same either way; only the custody changes.
Before, a raw row told you everything
Your username, your aliases, and whether you'd read a message used to sit in the database as plain text. Now those columns are ciphertext, with blind keyed-HMAC indexes the server computes on the fly to still route mail and enforce uniqueness. The server finds your inbox by your name. Reading the raw files, nobody else can.
Burned means burned
Deleting a message now removes its attachments too, and the database overwrites the freed space so old mail cannot be dug out of the raw file. The same cleanup runs when you burn an address or a temp alias expires. An expired burner also stops accepting new mail the moment its timer runs out.
Recovery and outbound mail, hardened
Recovery codes now run through bcrypt, slow on a GPU, with existing accounts upgrading on first recovery from the old unsalted sha256. Outbound mail used to let you opt out of TLS verification. Now it can't, verification is always on. The outbound WKD lookup is fenced by an SSRF allowlist so a forged key location can't reach inside our network.
Also in this update
- Your PGP public key is published at a standard WKD address, so any sender whose mail app supports OpenPGP can encrypt to you before the message reaches us.
- A nickname system for your account, encrypted at rest, shown on your profile.
- Security.txt and MTA-STS policy endpoints served at standard well-known locations, so other servers and researchers can verify your mail infrastructure.
- Every server image is now built and signed by GitHub Actions itself, keylessly, with the signature recorded in a public transparency log; the security page has a live widget to verify what's actually running.
- Build-info endpoint returns the deployed commit hash and repository URL for deployment verification.
- Permissions-Policy header blocks camera, microphone, geolocation, and advertising APIs site-wide.
- Onboarding flow marks first-run setup so new users get a guided start.
- Prekey auto-refill keeps forward secrecy working without manual intervention, the client tops up when supplies run low.
- Database migration system preserves all data through four schema upgrades with no downtime.
- Reserved username system prevents squatting of system addresses, with both built-in and admin-managed custom blocks.
- Backup tool with configurable retention and dry-run mode; admin CLI for promoting users and seeding system mailboxes.
- Burner aliases are never published to key discovery, so nobody can tie a temp address to your main one by looking up its key.
- Turning end-to-end on or off now converts your attachments along with your messages.
- Backup codes are longer, account recovery signs out every other session, a copy of the database alone can no longer stand in for a recovery code, and re-running two-factor setup asks for a current code first.
- The symmetric crypto and TOTP moved into a small, auditable Rust core, with an identical pure-JavaScript fallback.
- Passwords now run through native bcrypt, and every API response is marked no-store so nothing sensitive is cached.
- Outbound mail over STARTTLS is pinned to forward-secret cipher suites only, so that hop stays unreadable later even if a key is ever exposed.
- Settings now has an actual Export and Delete account: export downloads everything on your account as one JSON file, delete asks for your password and permanently wipes your mail, addresses, and keys.
- Safer error handling everywhere: a failure returns a clean message, never a stack trace or a hung request.
- Inbound SMTP now throttles per-IP recipient volume.
- The unlocked PGP key lives only in JS memory. Closing the tab clears it; it's never written to web storage.
- Defense-in-depth CSP meta tag on every page, plus X-Frame-Options: DENY.
- The X-Enc attachment header was removed; downloads use a small JSON envelope.
- Inbound mail that can't be authenticated is now flagged unverified, not silently trusted.
- MASTER_KEY and SESSION_SECRET are required to boot in any environment, with optional rotation support.
- The repo is now properly git-tracked; live DBs, backups, and agent artifacts were purged; AGPL LICENSE, SECURITY.md, a non-root Dockerfile, and a CI workflow were added.
- Dependency floors bumped; mailauth is now a declared dependency.
- Everything from launch is still here: the sealed envelope, hover and right-click actions, burn-on-read, and the printable recovery QR card, all still built on the same Rust crypto core.
Elusive just got its first update.
Encryption got deeper, managing mail got faster, and losing your recovery code got harder. Everything below shipped in the first update.
The envelope is sealed now
Mail bodies were always encrypted to your key. Now the stored sender and recipient are too, and persona names, folder names, nicknames and attachment filenames are ciphertext at rest. Above is what a message row on disk actually looks like. There is nothing else to see.
Actions where your cursor already is
Hover any message and a small panel appears: mark it read, reply, junk it, or delete it. Right-click the panel to choose which buttons live there. Your picks stick.
Right-click, everywhere
Messages, folders, addresses and personas all answer to a right-click now. Reply, forward, file, copy an address, mark junk, delete. Whatever the thing is, what you can do to it is one click away.
Your recovery code, on paper
The recovery code is no longer just a long string to lose. Save it as a QR card, print it, and put it wherever the passports live. Scanning it opens the recovery page with the code filled in for you.
Also in update 1
- Links inside messages are clickable, and they open in a new tab with no referrer.
- Keyboard shortcuts on the message list: u toggles read, ! flags junk, # deletes.
- Marking mail as read from the list never triggers burn on read. Only opening a message does.
- Forward is in the reader now, next to reply.
You will not be sent here again. The page stays at /updates whenever you want it back.