Oynux was built by people frustrated with the status quo — where your email provider reads your messages, your cloud storage scans your files, and your data is the product being sold. We decided to build the alternative.
Make private, encrypted digital tools accessible to everyone — not just security researchers and cryptographers. The tools already exist (OpenPGP, IMAP, JMAP), but the experience has always been too technical.
Oynux wraps proven open standards in a clean, simple interface. You get the privacy guarantees of PGP with the convenience of a modern suite. Zero-knowledge design means we mathematically cannot read your data — even if compelled by a court order.
We operate with full transparency. Our threat model, privacy policy, and infrastructure choices are documented and public.
We've made deliberate technology choices. Here's why.
We use Secure Remote Password (SRP-6a) instead of traditional password hashing. Your password is never sent to our servers, even in hashed form. Authentication is a zero-knowledge proof.
All encryption and decryption happens in your browser using OpenPGP. We use X25519 for key exchange and Ed25519 for signing — modern, fast, proven algorithms.
Our mail backend runs on a modern, memory-safe Rust mail server with native JMAP support. It handles SMTP, IMAP, and JMAP on a single platform.
Account recovery uses a 12-word BIP-39 mnemonic phrase — the same standard as hardware cryptocurrency wallets. Your keys can always be recovered from this phrase.
Private keys are held only in memory (via React/Zustand state) and cleared on logout or tab close. They are never written to localStorage, IndexedDB, or any persistent browser storage.
Heavy cryptographic operations run in Web Workers, keeping the UI responsive. Key generation, encryption, and decryption never block the main thread.
Every Oynux product is built with end-to-end encryption from day one. Your data is encrypted client-side before it ever leaves your browser.
End-to-end encrypted email. Subject, body, and attachments encrypted client-side before storage. Inbound emails encrypted via SMTP proxy before reaching the mail server. Multi-key encryption for platform-to-platform messaging. WKD support for external encrypted email users. Drafts encrypted with your own key.
Files encrypted client-side before upload. Session key sharing — one encrypted copy on disk, tiny key envelopes per recipient. No file duplication for sharing. Zero server-side access to your files.
Every photo and thumbnail encrypted separately before upload. Client-side video thumbnail generation. Album-level encrypted key sharing. The server never sees your images — not even thumbnails.
Full E2EE across 5 document types: Notes, Documents, Spreadsheets, Presentations, and Diagrams. Real-time encrypted collaboration — AES-256-GCM encrypted Yjs CRDT deltas with HMAC message authentication and replay protection. The server never sees your content.
Per-field encryption of event details. Event times stored with day-level precision on the server, exact times encrypted client-side. Multi-recipient encryption for shared calendars with automatic re-encryption on share changes.
Per-field encryption of all contact information. Share contacts securely with re-encryption for recipients. Backward compatible — legacy plaintext contacts auto-encrypt on next edit.
Per-recipient encryption for messages and attachments. Group chat with multi-key encryption — each message encrypted individually for every participant. The server relays only ciphertext.
SRP-6a zero-knowledge authentication — your password never leaves your browser. Key Transparency with Merkle tree verification. BIP-39 mnemonic key recovery. DOMPurify XSS protection. HSTS, CSP, and comprehensive security headers across all services.
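The session key sharing described for file storage above (one encrypted copy, a small key envelope per recipient), shown as an added example that is not Oynux's code. It uses Node's built-in crypto with X25519, HKDF and AES-256-GCM as a stand-in for OpenPGP packets; all function names, the file id and the HKDF label are assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// AES-256-GCM helpers. Blob layout (assumed): 12-byte IV || 16-byte tag || ciphertext.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on tampering
}

// Key-wrapping key from an X25519 shared secret, salted with the ephemeral public key.
function wrapKey(privateKey, publicKey, ephPubDer) {
  const shared = nodeCrypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, ephPubDer, 'file-key-envelope', 32));
}

// Encrypt the file once. The blob is what the server stores; sessionKey stays client-side.
function encryptFile(fileId, data) {
  const sessionKey = nodeCrypto.randomBytes(32);
  return { sessionKey, blob: seal(sessionKey, data, Buffer.from(fileId)) };
}

// Sharing wraps only the 32-byte session key for one recipient; the file blob is untouched.
// The file id is bound as AAD so an envelope cannot be replayed against a different file.
function makeEnvelope(fileId, sessionKey, recipientPub) {
  const eph = nodeCrypto.generateKeyPairSync('x25519');
  const ephPub = eph.publicKey.export({ type: 'spki', format: 'der' });
  const kek = wrapKey(eph.privateKey, recipientPub, ephPub);
  return { ephPub, wrapped: seal(kek, sessionKey, Buffer.from(fileId)) };
}

// Recipient side: unwrap the session key from the envelope, then decrypt the shared blob.
function openFile(fileId, blob, envelope, recipientPriv) {
  const ephKey = nodeCrypto.createPublicKey({ key: envelope.ephPub, type: 'spki', format: 'der' });
  const kek = wrapKey(recipientPriv, ephKey, envelope.ephPub);
  const sessionKey = open(kek, envelope.wrapped, Buffer.from(fileId));
  return open(sessionKey, blob, Buffer.from(fileId));
}

// Constructed sample: one stored blob, one 60-byte wrapped key for the recipient.
const demoBob = nodeCrypto.generateKeyPairSync('x25519');
const demoFile = encryptFile('file-1', Buffer.from('constructed sample file'));
const demoEnv = makeEnvelope('file-1', demoFile.sessionKey, demoBob.publicKey);
console.log(openFile('file-1', demoFile.blob, demoEnv, demoBob.privateKey).toString());
```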
Our servers are located in Quebec, Canada on dedicated hardware. No AWS, no Google Cloud. Your data is subject to Canadian privacy law (PIPEDA and Quebec Law 25) and never leaves Canadian soil.
Questions, feedback, security reports, or just want to say hello.