00 Application · uMail

Mail.
Encrypted by default.

Encrypted email

01 What you can do

What you can do

What you can do with uMail.

01

Folders, search, type-ahead contacts

Traditional folders — Inbox, Sent, Draft, Starred, Archive, Trash. The composer has To/Cc/Bcc with type-ahead contact suggestions. Global search across subject, sender and body.

Use case

Mail fits naturally into this flow.

02

Encrypted attachments and replies

Drag-and-drop attachments, threaded replies, full quoting. Every message and attachment is encrypted on your device before it reaches the server.

Use case

Mail fits naturally into this flow.

03

Zero-knowledge mail by default

The server only ever stores opaque ciphertext. We cannot read your mail — no matter who asks. Passphrase-based authentication means no password database to leak.

Use case

Mail fits naturally into this flow.

02 Security

Security

Security for uMail.

Every UltimaOS app shares the same post-quantum cryptographic stack, so the security properties below apply uniformly. App-specific considerations are noted where they apply.

01

Post-quantum cryptography by default

All authentication and key exchange uses NIST-standardized ML-DSA-65 (FIPS 204) signatures and ML-KEM-768 (FIPS 203) key encapsulation. There is zero RSA, zero elliptic-curve, zero classical-only crypto in the authentication path. Defeats store-now-decrypt-later attacks.

02

End-to-end encryption on your device

Every payload is encrypted in your browser using XChaCha20-Poly1305 (RFC 8439) with a 192-bit nonce and a Poly1305 authentication tag. The plaintext exists only in your tab's memory. When you close the tab, the plaintext is gone.

03

Zero-knowledge server

The UltimaOS server only ever stores ciphertext and public keys. We cannot read your data — by design, not by promise. There is no encryption backdoor, no master key, no key escrow.

04

Multi-device sync, single private key

Your private key is derived from your passphrase using Argon2id with high parameters. New devices derive the same key locally and can decrypt your entire history. The passphrase is never sent to the server — it is verified by an ML-DSA-65 signature on a server-issued challenge.

03 How it works

How it works

How uMail works.

  1. 01

    Open uMail in your browser

    UltimaOS runs in any modern browser — Chrome, Firefox, Safari, Edge. Nothing to install. Sign in with your passphrase-derived key, or restore from a 3-of-5 social recovery if you are on a new device.

  2. 02

    Your data is encrypted before it leaves your device

    Every action — sending a message, uploading a file, creating a task, scheduling an event — is encrypted with XChaCha20-Poly1305 and authenticated with an ML-DSA-65 signature before any byte crosses the network boundary.

  3. 03

    Server stores ciphertext, returns it on demand

    The UltimaOS server keeps an opaque blob per account and per conversation. When you open uMail, the encrypted blobs are streamed to your device, decrypted locally, and rendered. The server never sees plaintext.

  4. 04

    Changes sync to every device you sign in on

    Any change you make is encrypted and uploaded; every other device you are signed in on pulls the new ciphertext and decrypts it. Live multi-device sync, with the cryptography guarantee that only your devices can read it.

04 Inside the suite

Inside the suite

How uMail fits in the suite.

01

Contacts

Type-ahead contact suggestions in the To/Cc/Bcc fields. Each contact's address is encrypted to your key.

02

Calendar

Mail invites become Calendar events with one tap. Reminders fire from your device, not the server.

03

Files

Drag attachments into the composer. Files encrypts and streams them to recipients.

04

Tasks

Convert any mail thread into a task list. Tasks inherits the thread's participants and encryption.

05 Get started

Get started

Get started with uMail.

  1. 01

    Open uMail in your browser

    UltimaOS runs in Chrome, Firefox, Safari and Edge. Nothing to install. Sign in with your passphrase to derive your private key locally.

  2. 02

    Open the workspace and launch uMail

    The launcher shows every app. uMail is right there with its capsule video preview. Click to open.

  3. 03

    Connect it with the rest of the suite

    uMail works alone, but it shines when combined with the rest of the UltimaOS apps. Same private key, same encryption, one workspace.

07 Frequently asked

Common questions

Questions about uMail.

Is uMail end-to-end encrypted?
Short answer

Yes. All content in uMail is encrypted in your browser using XChaCha20-Poly1305 with a fresh key per item. The UltimaOS server only ever stores ciphertext and public keys — it cannot decrypt your data, no matter who asks.

What cryptography does uMail use?
Short answer

uMail uses the same post-quantum stack as every other UltimaOS app: ML-DSA-65 (FIPS 204) for authentication, ML-KEM-768 (FIPS 203) for key encapsulation, XChaCha20-Poly1305 (RFC 8439) for symmetric encryption, HKDF-SHA256 for key derivation, and Argon2id for passphrase hashing.

Can I use uMail on multiple devices?
Short answer

Yes. Sign in on any device with your passphrase and the same private key is derived locally. All your uMail content is then decrypted from the encrypted blobs the server returns. Changes sync live across all signed-in devices.

Is uMail GDPR-compliant?
Short answer

Yes. UltimaOS is built and operated in the European Union by an EU company. The architecture is GDPR-compliant by design — encrypted data, EU-only infrastructure, no US CLOUD Act exposure, no advertising, no third-party trackers. See the GDPR page for the full breakdown.

How much does uMail cost?
Short answer

During early access, UltimaOS is free for individuals and organizations. After early access, pricing will be per-seat with accessible family tiers and per-organization plans for businesses. There is no per-app add-on.

Can I export my uMail data?
Short answer

Yes. UltimaOS supports encrypted export of all your content for backup and portability. The export is encrypted to a key you control; you can store it on your own infrastructure or in a personal encrypted backup.

Can I use uMail with my existing email address?
Short answer

uMail works as a standalone encrypted mail client inside UltimaOS. Bridging to external mail providers (IMAP/SMTP) is on the roadmap for a future release — with the caveat that external providers cannot read your encrypted mail.

Does uMail support PGP / S/MIME?
Short answer

uMail does not need PGP or S/MIME because every message is already end-to-end encrypted at the protocol level. There is no public key to distribute, no certificate authority to trust — encryption is the default.