
Founder of Luxgap, DPO and external CISO

Luxgap SealedMail: the first email server where your CIO cannot read you

Launch of SealedMail, a zero-knowledge email server hosted in Luxembourg and designed for executives. End-to-end encryption with X25519 asymmetric keys. Neither your IT admin nor Luxgap can read your mailboxes. Works with your usual Outlook.

When you are a CEO, board chair or CFO, your mailbox is your organisation's biggest security hole. Not because it is technically poorly secured, but because it is, by construction, readable by your Microsoft 365 administrator, your MSP, your archiving provider, and anyone who compromises a single one of their accounts. Today, Luxgap launches SealedMail, the first Luxembourg email server designed so that nobody, not even us, can read your messages.

The problem nobody wants to face

In a Microsoft 365 tenant, the eDiscovery Manager role allows an administrator to open a search procedure that browses the entirety of a mailbox without alerting its owner. It is legal, documented by Microsoft, and used daily by legal, HR and compliance departments for internal audits, litigation and investigations. This power exists because Microsoft holds the encryption keys for your mailbox. Encryption "at rest" and "in transit" only protects against external attackers, not against internal administrators, nor against Microsoft itself under a US court order (CLOUD Act 2018).

In Google Workspace, it is exactly the same architecture. In most "sovereign" European hosts, it is still the same: their administrators technically have the capacity to read your mailboxes. This capacity is not exercised daily, granted, but it exists. And as long as it exists, your CEO mailbox is not confidential. It is confidential by contract and good faith, which is not the same as being confidential by cryptographic construction.

What SealedMail changes

SealedMail applies a zero-knowledge architecture to the email protocol: our servers store only blobs encrypted with your public key. The corresponding private key never leaves your device and exists nowhere in plaintext on our infrastructure. Without your passphrase, the data stored at our facility is indistinguishable from random noise.

Concretely, here is the chain:

  1. At sign-up, your device locally generates a Curve25519 key pair (X25519 for key exchange, Ed25519 for signing).
  2. The private key is immediately encrypted by AES-256-GCM with a key derived from your passphrase via Argon2id (OWASP 2024 recommended parameters: 64 MB memory, 3 iterations, 4 threads).
  3. Our servers receive only your public key and the encrypted version of your private key. Without the passphrase, neither we nor an attacker who has compromised our tenant can decrypt it.
  4. When an incoming email arrives (from Gmail, Outlook, any standard SMTP), we encrypt it in RAM, in a few milliseconds, with your public key, then persist it encrypted. No message is ever stored in plaintext on disk.
  5. When you read your mailbox, your local SealedMail Bridge (or the WebAssembly web client) decrypts messages with your private key. Outlook displays them normally; you see no difference in use.
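The five steps above, written out as an added Go example; this is not SealedMail's Bridge or server code. Two assumptions are labelled in the code: the per-message key is derived from an ephemeral X25519 exchange hashed with SHA-256 together with both public keys (the page does not specify the per-message construction), and, because Argon2id is not in Go's standard library, the passphrase step uses PBKDF2-HMAC-SHA256 as a stand-in for the Argon2id parameters quoted in step 2. The names Enroll, EncryptForRecipient, Unwrap and DecryptMessage are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// Added illustration, not SealedMail code; PBKDF2-HMAC-SHA256 stands in for Argon2id (not in Go's stdlib).
const kdfIterations = 100_000

// Enrollment is all the server keeps after step 3; WrappedKey is AES-256-GCM nonce||ct||tag of the private key.
type Enrollment struct{ PublicKey, Salt, WrappedKey []byte }

// pbkdf2SHA256 is one 32-byte block of PBKDF2 (RFC 8018), standing in for Argon2id.
func pbkdf2SHA256(pass, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, pass)
	prf.Write(salt); prf.Write([]byte{0, 0, 0, 1}) // block index 1 covers a 32-byte key
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset(); prf.Write(u); u = prf.Sum(nil)
		for j := range out { out[j] ^= u[j] }
	}
	return out
}

// sealGCM returns nonce||ciphertext||tag under AES-256-GCM; openGCM reverses it and
// fails the tag check on a wrong key or any tampering.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func openGCM(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(blob) < gcm.NonceSize() { return nil, errors.New("blob too short") }
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Enroll is steps 1 and 2, run on the user's device; the raw private key never leaves it.
func Enroll(passphrase string) (*Enrollment, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	salt := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil { return nil, err }
	wrapped, err := sealGCM(pbkdf2SHA256([]byte(passphrase), salt, kdfIterations), priv.Bytes())
	if err != nil { return nil, err }
	return &Enrollment{priv.PublicKey().Bytes(), salt, wrapped}, nil
}

// messageKey binds the per-message key to the shared secret and both public keys (assumed derivation).
func messageKey(shared, ephPub, recipPub []byte) []byte {
	k := sha256.Sum256(append(append(append([]byte("msg-key-v1"), shared...), ephPub...), recipPub...))
	return k[:]
}

// EncryptForRecipient is step 4, run by the server with only the public key; output: ephemeral pub || sealed blob.
func EncryptForRecipient(recipientPub, message []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(recipientPub)
	if err != nil { return nil, err }
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(pub)
	if err != nil { return nil, err }
	ct, err := sealGCM(messageKey(shared, eph.PublicKey().Bytes(), recipientPub), message)
	if err != nil { return nil, err }
	return append(eph.PublicKey().Bytes(), ct...), nil
}

// Unwrap is the first half of step 5; a wrong passphrase fails the GCM tag check instead of yielding garbage.
func Unwrap(e *Enrollment, passphrase string) (*ecdh.PrivateKey, error) {
	raw, err := openGCM(pbkdf2SHA256([]byte(passphrase), e.Salt, kdfIterations), e.WrappedKey)
	if err != nil { return nil, errors.New("wrong passphrase or tampered key blob") }
	return ecdh.X25519().NewPrivateKey(raw)
}

// DecryptMessage is the second half of step 5, run locally by the Bridge.
func DecryptMessage(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 32 { return nil, errors.New("blob too short") }
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:32])
	if err != nil { return nil, err }
	shared, err := priv.ECDH(ephPub)
	if err != nil { return nil, err }
	return openGCM(messageKey(shared, blob[:32], priv.PublicKey().Bytes()), blob[32:])
}
```

Call order: Enroll on the device, which returns only what the server stores; EncryptForRecipient on the server, which needs nothing but the public key; then Unwrap and DecryptMessage on the device. Unwrap with a wrong passphrase fails the AES-GCM tag check and returns an error rather than a wrong key, which is the property behind step 3: the stored data alone never yields a usable private key, and a tampered or truncated blob is rejected rather than decrypted.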

Compatible with your usual Outlook

SealedMail's bet is that we never ask an executive to change their mail client. The SealedMail Bridge is a small signed Rust program running in the background on your device (Windows, macOS, Linux). It exposes a local IMAP/SMTP mailbox on 127.0.0.1, handles incoming decryption and outgoing encryption on the fly, and remains totally transparent for Outlook, Apple Mail, Thunderbird or any standard IMAP client. You configure Outlook once on the localhost account, and everything then works as before: search, folders, sorting rules, signatures, calendar, contacts, keyboard shortcuts. No functional loss.

On mobile, native iOS and Android applications with an Outlook-inspired interface. In the browser, for travel, an HTTPS web client built on the Web Crypto API and WebAssembly: all decryption happens in your browser, never on our servers.

Who it changes everything for

SealedMail is designed for profiles where mailbox confidentiality is not a luxury but a professional obligation:

  • CEOs, CFOs, CMOs, CHROs whose strategic arbitrations, restructuring notes and management committee escalations should never be accessible to the Microsoft 365 administrator or their MSP.
  • Board chairs and directors exchanging draft resolutions, voting positions, confidential audit analyses ahead of board meetings. These exchanges should never be visible to operational management.
  • M&A and corporate finance teams negotiating sensitive deals. A leak via a compromised IT account can cost millions in price renegotiation or lost opportunity.
  • Lawyers, fiduciaries, notaries bound by professional secrecy (Article 458 of the Luxembourg Penal Code, Article 226-13 of the French Penal Code). Secrecy is not guaranteed if the email hosting provider can technically read client correspondence.
  • Private bankers and family offices managing sensitive family wealth whose correspondence reveals the identity and investment strategies of UHNWI clients.
  • Internal auditors and compliance officers investigating fraud or harassment suspicions, whose investigation emails should never be readable by investigated persons (typically the CIO with access to the company's M365 tenant).
  • Whistleblowers and investigative journalists protecting sensitive sources who cannot afford a leak via their media or employer's administrator.

Aligned regulatory compliance

Using SealedMail is not just a security decision; it also aligns strictly with several legal texts:

  • GDPR Article 32: end-to-end encryption is explicitly cited as an appropriate technical measure. SealedMail demonstrates state-of-the-art confidentiality, which weighs favourably in the event of a supervisory authority audit.
  • GDPR Article 25: data protection by design. The zero-knowledge architecture is a textbook implementation of the privacy by design principle.
  • Luxembourg law of 5 April 1993 on the financial sector, Article 41: banking secrecy. SealedMail eliminates involuntary disclosure by a technical third party, since Luxgap has no cryptographic capacity to read.
  • DORA Article 9: ICT risk management for financial entities. SealedMail drastically reduces leak risk from IT infrastructure compromise.
  • NIS 2: Luxgap is itself an important entity per Annex II (digital services), subject to risk management and incident notification obligations.

Concrete sovereignty, not marketing

Physical servers in two Tier IV Luxembourg datacenters (LuxConnect DC1 and DC2, geographic redundancy). No replicas outside EU. No US hyperscaler in the chain. No AWS, no Azure, no Google Cloud, no Cloudflare. Self-hosted Rspamd anti-spam. Bridge and protocol source code published as open source for community audit — you can verify we don't lie about the encryption. Annual audit by independent firm with public report. EuroPriSe certification targeted for 2026.

What if I lose my passphrase?

That is the flip side of zero-knowledge. Without your passphrase, we cannot recover your mailbox; it is mathematically impossible, and that is precisely what gives the service its value. For executives who want to guarantee continuity, we offer three optional mechanisms that you choose, with full knowledge of the trade-off, to activate or not: a paper recovery kit (24 BIP-39 words to keep in your notarial safe), Shamir 3-of-5 key sharing among 5 trusted persons, or board delegation with a signed quorum of 2 directors out of 3. You choose your own trade-off between operational risk and absolute confidentiality. No legal backdoor is enabled by default.

How much and when

SealedMail is available from today by invitation, with supervised deployment by our team. Three plans according to your profile: Sealed Personal (independent executive, individual lawyer) at 39 EUR per month per mailbox, Sealed Executive (CEO, CFO, chairman) at 79 EUR per month with custom domain and SealedMail Bridge included, Sealed Board (board, M&A, internal audit committees) at 149 EUR per month with encrypted distribution list sharing, E2EE shared calendar and 24/7 priority support. For actors under Article 41 LSF secrecy or strict DORA requirements, on-premise deployment on your infrastructure is available on custom quote.

All plans include migration from Microsoft 365 or Google Workspace, passphrase training and recovery kit, trilingual FR/EN/DE support, and a 99.95% SLA guarantee with contractual compensation. Free 30-day trial on a test subdomain, no commitment.

Going further

Full technical details (cryptography, server stack, Bridge architecture, recovery mechanisms, compliance, exhaustive FAQ) are on the dedicated Luxgap SealedMail page. For a personalised demo on a test mailbox or a migration scoping from your current Microsoft 365 tenant, contact our SealedMail team. We reply within 24 hours.
