https://www.empiresec.co/tags/encryption/ Recent content in Encryption on EmpireSec Hugo en-us Fri, 03 Apr 2026 00:00:52 +0000 https://www.empiresec.co/audits/forwardemail/ Fri, 03 Apr 2026 00:00:52 +0000 https://www.empiresec.co/audits/forwardemail/ <h1 id="why-forwardemail-is-one-of-a-kind">Why forwardemail is one of a kind</h1> <p>here is exactly how it works in the 100% open-source codebase:</p> <p>The emails are encrypted with the SMTP password (the generated alias password). The SQLite database file is encrypted at rest using ChaCha20-Poly1305, and the encryption key is your password. The staff cannot access the mailbox contents.</p> <p>the code that enforces this:</p> <ol> <li> <p>SQLite Encryption (PRAGMA cipher + key): <a href="https://github.com/forwardemail/forwardemail.net/blob/d087cd6816be680d38f74c63fe1f5630a8c4741b/helpers/setup-pragma.js#L30-L41">https://github.com/forwardemail/forwardemail.net/blob/d087cd6816be680d38f74c63fe1f5630a8c4741b/helpers/setup-pragma.js#L30-L41</a></p> <ul> <li>Line 36 sets the cipher to ChaCha20-Poly1305</li> <li>Lines 37-41 set the PRAGMA key using your decrypted password</li> <li>Line 74 enables secure_delete=ON (overwrites deleted data with zeros)</li> </ul> </li> <li> <p>The encrypted SQLite driver (better-sqlite3-multiple-ciphers): <a href="https://github.com/forwardemail/forwardemail.net/blob/d087cd6816be680d38f74c63fe1f5630a8c4741b/helpers/get-database.js#L10">https://github.com/forwardemail/forwardemail.net/blob/d087cd6816be680d38f74c63fe1f5630a8c4741b/helpers/get-database.js#L10</a></p>