Pros
- Simple, powerful encryption for your email
- Works with existing email accounts
- Integrates with Gmail and Outlook
- Secure encrypted file sharing with fine-grained permissions
- Sophisticated key recovery system
Cons
- Must install manually on unsupported email clients
PreVeil Specs
- Cloud Storage and File Sharing
- Non-PGP Encryption
- Supports Rich Text Messages
- Two-Factor Authentication
- Works With Existing Email
Email is ubiquitous now, but when it first began, it was limited to a few academics and researchers. They had no reason to worry about keeping messages secret. Information wants to be free, right? Now that email is a mainstay of business, though, that laissez-faire attitude won’t fly. Businesses must secure their email traffic, both to protect trade secrets and to comply with the CMMC (Cybersecurity Maturity Model Certification) program. PreVeil was invented to serve those big businesses, but it’s also available for free to me, you, and other consumers. Top-tier encryption and very easy operation combine with its zero cost to make PreVeil an Editors' Choice for email encryption.
How Much Do PreVeil's Competitors Cost?
PreVeil offers native applications for Windows and macOS at no cost, as well as free apps for Android and iOS. In addition, you can log into your account directly without installing anything. And the benefits don’t stop with encrypting your email. Your PreVeil account also includes 5GB of online storage for your most important files, storage that’s secure, encrypted, and flexibly shareable.
Totally free is a great price. Like PreVeil, Virtru for Google Gmail is the free personal edition of a larger business-focused product. It works specifically for those accessing Gmail through Chrome, admittedly a large potential audience. You can set Virtru messages to expire after a fixed time and apply extra protection to attachments, and your recipients need not use Gmail. Virtru also offers this service as an Outlook add-in.
SecureMyEmail lets you keep your existing email, like PreVeil. It’s free to use with a Gmail, Yahoo, or Microsoft account. However, if you use an unsupported account type or want to protect multiple email accounts, you'll have to pay its $29.99 per year subscription fee.
Private-Mail offers a free tier, but it limits email and file storage to 100MB and omits some premium-level features. If you want the full 10GB of encrypted file storage and access to those premium features, you pay $69.99 per year.
There’s no limit on sending or receiving messages in Tuta Mail’s free tier, but your ability to securely search saved messages is limited. Paying the 12 euro ($13.22 at the time of this writing) yearly price lifts that search limit and lets you access premium-only features.
Proton Mail likewise has a limited free tier, with 500MB of storage and 150 messages per day. Paying the $48 per year subscription price raises those limits to 5GB of storage and 1,000 messages. It also unlocks some premium features, such as setting up auto-reply. With StartMail you don’t get free as a choice; it simply costs $59.95 per year.
Wrapped Keys Hide Security Details
Any serious encryption solution needs to operate with zero knowledge. That means that the provider has no possible way to access your data. Only you hold the key, only you can decrypt your personal data, and decryption happens only on your local device. When the provider has zero access to your data, it can’t be legally enjoined to provide access, and a disgruntled employee can’t illegally dig into your private information.
Here’s a simplified rundown of how PreVeil works. When you sign up, a large cryptographic key is created that resides only on your computer or mobile device. Other components of the encryption process have their own keys. For example, if you put a file in a folder shared with another user, the file, the folder, and the other user each have distinct keys.
It would be handy to store the file’s key on the server—handy, but insecure. Instead, PreVeil encrypts the file’s key using the key for the shared folder and stores that on the server. It encrypts the folder’s key with the keys belonging to each user and stores those. They call this system “wrapped keys,” and it ensures that any malefactor who breaches the system won’t have any access to data. All decryption happens on your local device, of course.
This wrapped key concept isn’t unique to PreVeil. Encryption tools AxCrypt Premium and Xecrets Ez Premium incorporate similar technology, protecting files rather than email messages.
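The wrapped-key hierarchy from the two paragraphs above, as an added illustration in Python (not PreVeil's own code). The standard library has no AES, so a SHA-256 keystream with an HMAC tag stands in for the real cipher, and each user holds a plain symmetric key here where PreVeil uses a per-user key pair; what the example shows is that the server's copy (encrypted data plus wrapped keys) opens nothing without a member's key.

```python
# Wrapped keys: the server holds encrypted data and encrypted keys, never a key
# that opens anything. Added illustration, not PreVeil's code. The stdlib has no
# AES, so a SHA-256 keystream with an HMAC tag stands in for the real cipher, and
# user keys are plain symmetric keys where PreVeil uses a per-user key pair.
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    """Counter-mode keystream from SHA-256 (a stand-in for AES, not for real use)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC under a 32-byte key; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key + b"enc", nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag, then decrypt; a wrong key raises instead of returning junk."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key + b"enc", nonce, len(ct))))


def share_file(data, folder_key, user_keys):
    """Build what the server stores for one file in a shared folder.

    The file key is wrapped with the folder key, and the folder key is wrapped
    once per member with that member's own key. Every value stored here is a
    ciphertext; the member keys never leave the members' devices.
    """
    file_key = secrets.token_bytes(32)
    return {
        "data": seal(file_key, data),
        "wrapped_file_key": seal(folder_key, file_key),
        "wrapped_folder_keys": {u: seal(k, folder_key) for u, k in user_keys.items()},
    }


def read_file(store, user, user_key):
    """Client-side unwrap chain: user key -> folder key -> file key -> data."""
    folder_key = unseal(user_key, store["wrapped_folder_keys"][user])
    file_key = unseal(folder_key, store["wrapped_file_key"])
    return unseal(file_key, store["data"])


if __name__ == "__main__":
    alice, bob, folder = bytes([1]) * 32, bytes([2]) * 32, bytes([3]) * 32  # constructed keys
    store = share_file(b"board minutes", folder, {"alice": alice, "bob": bob})
    print(read_file(store, "bob", bob))  # b'board minutes'; bob's key opens alice's share
```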
Types of Authentication
When you use PreVeil’s desktop app, you don’t need a password at all. Your key lives on the device. To use it, you first must log in to your device and then log into your email system. In a sense, that’s two authentication steps already, plus the need to have physical access to the device, giving you a form of multi-factor authentication.
Private-Mail, Proton Mail, StartMail, and Tuta Mail all support traditional multi-factor authentication using Google Authenticator or an equivalent authenticator app. Tuta Mail goes even further, allowing authentication using a Yubikey or another U2F (Universal Two Factor) security key.
PreVeil has a lot of encrypting and decrypting to do, and most of these operations use secure Public Key Infrastructure (PKI) technology. That cryptographic key on your device? That’s your private key. For the nitty-gritty encryption of actual data, it uses a speedier symmetric encryption system. It breaks the data down into equal-size blocks, encrypts each block with a different key, and stores the keys in encrypted form using PKI.
It's worth noting that Private-Mail, Proton Mail, SecureMyEmail, and StartMail all use PKI, specifically a key-sharing system called PGP, for Pretty Good Privacy. On the one hand, this isn’t nearly the hyper-thorough wrapped keys system used by PreVeil. On the other hand, it means these services can exchange secure mail with anyone who uses an email system that supports PGP (and has the technical chops to manage the necessary key exchange).
Proton Mail, SecureMyEmail, StartMail, and Tuta Mail also offer the ability to send encrypted messages to people who don’t use the service (and don’t have a PGP key). However, communication with nonusers relies on simple password-based encryption, so it’s significantly less secure. With PreVeil, recipients can choose between installing the free PreVeil app or reading and responding to messages using the free (and installation-free) PreVeil Express, discussed below.
Shared Secrets for Key Recovery
Consumer-side security products frequently come with a disclaimer. You must acknowledge that if you lose the encryption key, you lose access to your account and its data. An early version of one security product laid out its policy thus: “I understand that if I lose my encryption key, I will be hosed.”
That doesn’t fly in a business environment. Suppose only the CTO has the key to unlock the company’s essential documents, and further suppose the CTO dies or absquatulates with the key. The company can’t just shut down, and yet sharing the key more widely is a security risk.
The solution is something called Shamir’s Secret Sharing. Perhaps you’ve heard of the ground-breaking RSA encryption algorithm named for its inventors? Adi Shamir is the S in RSA—the other two being Ron Rivest and Len Adleman.
The actual sharing algorithm uses finite field arithmetic in multiple dimensions…I think. Even I, a one-time math major, find it hard to grasp. But this is how it works, in simple terms. You give a partial secret to a recovery group of, say, six people. And you set a recovery threshold so that, for example, any four of them can recreate your lost key. It doesn’t matter which four, and the members of the recovery group have no access to your key. With all the mega-math happening behind the scenes, the recovery system seems simple.
In the CTO scenario, you might make the board of directors your recovery group. If you want to enable this kind of recovery for a personal account, you’ll need to round up a posse of friends who use PreVeil.
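The 4-of-6 recovery group described above, worked through in Python as an added example (not PreVeil's implementation). Shares are points on a random degree-3 polynomial over a prime field; any four points determine the polynomial, and its value at x = 0 is the secret, while three points are consistent with every possible secret.

```python
# Shamir's Secret Sharing over a prime field. Added illustration, not
# PreVeil's code; the 4-of-6 numbers match the review's recovery-group example.
import secrets

# All arithmetic is mod a prime so every nonzero value has an inverse.
# 2**127 - 1 is prime and comfortably holds a 16-byte key as an integer.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x**2 + ... at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, k, n):
    """Split an integer secret into n shares (x, y); any k of them recover it."""
    if not 0 <= secret < PRIME or not 1 <= k <= n:
        raise ValueError("need 0 <= secret < PRIME and 1 <= k <= n")
    # The constant term is the secret; the other k-1 coefficients are random,
    # so the polynomial has degree k-1 and is pinned down by any k points.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over whichever shares are supplied.

    With at least k shares this returns the secret. With fewer, it returns a
    value unrelated to the secret, which is why k-1 group members learn nothing.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    key = secrets.token_bytes(16)  # constructed sample key to protect
    shares = split_secret(int.from_bytes(key, "big"), k=4, n=6)
    any_four = [shares[0], shares[2], shares[3], shares[5]]  # which four does not matter
    recovered = recover_secret(any_four).to_bytes(16, "big")
    print("four of six shares recover the key:", recovered == key)
```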
Getting Started With PreVeil
After hearing about the high-end cryptographic technology embodied by this program, you might expect it’d require a PhD to operate. Nothing could be farther from the truth, as I found when I set it up.
On the PreVeil website’s home page, you click Get Started and choose Create a Free Account. You now have a choice. If you plan to use PreVeil regularly on your Mac or PC, choose a free PreVeil Desktop account. If you can’t (or don’t wish to) install software on the computer you’re using, choose the equally free PreVeil Express account. The Get Started menu also links to apps for iOS and Android. I’ll discuss those apps and PreVeil Express below.
As part of the installation process, PreVeil invites you to create a recovery file, a QR code that you can use as a last resort if you lose all your PreVeil-equipped devices. Do go ahead and save that file, then store it in a safe place. Using the shared secrets mode discussed above is technically preferable, of course, but the recovery file could save your bacon if you didn’t manage to set up a recovery pool. There’s an option to password-protect the recovery file; I don’t think that’s necessary.
The next step is to add PreVeil to your email client. For users of Gmail, it’s a simple matter of installing the plug-in for Chrome or Edge. There’s an Outlook plug-in as well. If you rely on Thunderbird or some other dedicated email client, you must engage in some tricky IMAP and SMTP configuration settings—a link on the PreVeil page shows the details.
On the Mac, you see options to install in Gmail or Apple Mail. However, automatic installation in Apple Mail only works with seriously old versions of macOS. Assuming you keep your Mac up to date, you’ll have to follow the instructions to manually configure a profile for your encrypted account.
With PreVeil installed and optionally integrated into your regular email client, you’re ready. You don’t have to change to a new email address the way you do with StartMail, Proton Mail, Private-Mail, or Tuta Mail.
Sending Encrypted Messages from PreVeil
Even though you’ve installed PreVeil on your desktop computer, you still access it through the browser at the somewhat peculiar URL 127.0.0.1:4003/mail/inbox/1. Don’t worry; you don’t have to remember that. Clicking the PreVeil desktop icon or launching it from the start menu takes you right to that page.
PreVeil looks and works just like any of the popular webmail systems. A menu down the left side offers access to Inbox, Starred, Drafts, Sent, Trash, and Unread messages. A list of messages in the selected folder fills the main part of the window, and you can click one to read or reply to it. All as expected.
Composing a new message also works as you’d expect, except that all messages are encrypted. If you enter a recipient address that’s not associated with a PreVeil account, a small banner notifies you that the recipient will receive an invitation to join PreVeil.
You can create folders and use them to organize messages, but before you start doing that, consider whether you’d prefer to use your familiar email client instead.
Using PreVeil With Your Email Client
When you install the PreVeil plug-in, it creates a separate inbox for Secure Messages. Encrypted mail comes to this folder and replies to secure messages are encrypted automatically. Sending a new encrypted message is just a matter of making sure the Encryption toggle is turned on. Like the main inbox, Secure Messages has subfolders for things like Drafts, Sent, and Outbox.
Other than the Secure Messages folders, the big visible difference is a toggle at the bottom of a new message that identifies whether encryption is on. It’s off by default when sending from the regular inbox and on if you’re sending with Secure Messages active. You don’t have to accept the default; you can toggle it either way.
If you’ve chosen to use PreVeil with an unsupported email client, your configuration efforts will create a secondary profile for encrypted messages. Encrypted messages come to this profile, and messages you compose are automatically encrypted. The only real difference from using, say, Gmail, is that encryption is controlled by which profile you choose, not by a toggle.
Receiving a PreVeil Message
For your correspondents who are already PreVeil users, encrypted mail is seamless. Your encrypted messages go to their secure folder or profile, and their responses come to your secure folder or profile. Simple!
A recipient who doesn’t already use PreVeil gets an invitation from PreVeil Admin to start a free account. They go through the full download process described above or create a PreVeil Express account without having to install anything.
With a full PreVeil installation, authentication is tied to your email account and device. There’s a system I’ll describe later for extending authentication to new devices or removing old devices from your trusted list. As noted above, no password is required.
Creating a PreVeil Express account is rather different. You start by supplying the existing email account that will be your username and verifying your ownership of that account. This type of account does require a password, which PreVeil suggests you keep in your password manager. At present, there’s a note stating that you can’t change the password after initial creation. That’s no longer true; I verified that a password change is available. You must also choose a multi-factor authentication option, either using an authenticator app or the less secure method of receiving codes via SMS.
As with PreVeil Desktop, you save a recovery code during setup. This is doubly important because other recovery options, such as using another trusted device or using the shared secrets method, are not available.
Once you complete the setup process, you’ll find your first encrypted email waiting in the PreVeil inbox. With an Express account, you do all your messaging in PreVeil’s web console. It doesn’t integrate with your email client. You don’t add other devices; rather, you simply log in on any device you wish.
Add and Manage Devices
When you install PreVeil on your device, you’ll typically integrate it with your regular email client and manage your secure messages there. However, you do need to launch the full PreVeil app to do other things, such as manage devices.
I mentioned earlier that your lengthy cryptographic key resides on your device, nowhere else. So how do you ever use encrypted email on a different device? The answer is built right into the application.
Start by selecting Add a Device from the Settings menu. The program prompts you to install PreVeil on the device before continuing. On the new device, you choose Add Existing Account. Once you enter the email associated with your account, PreVeil on the new device generates an eight-character one-use password that you enter on the old device, at which point PreVeil loads your crypto key onto the new device. There’s also an option to scan a QR code with a trusted device. In testing, I had no trouble on Windows, macOS, Android, or iOS.
If you lose your device or it gets stolen, PreVeil can handle that. When you select Device Management from the Settings menu, you get a list of associated devices. Here, you can rename the device, remove the software, or lock the account without removing PreVeil. That last option is handy if you can’t find the device. You can unlock it when found or remove PreVeil’s trust when you give up looking.
Web Access, With Care
As noted, a PreVeil Express account is strictly online. You visit web.preveil.com and log in with your username, password, and multi-factor authentication code. You can also log into a device-based PreVeil account at this same address without needing to install the app.
After entering your username, which is your account email address, you are prompted to activate using another trusted device. The process is almost precisely the same as adding a new device. Once you’ve entered the 8-digit code (or scanned the QR code), you’re in and able to access your PreVeil mail in the online console.
I worried a little about the security of this operation, so I checked in with PreVeil’s CEO. He explained that the handshake process described above shares a temporary copy of your all-important key. The copy lives in the browser’s cache and vanishes when the browser closes or after 24 hours. He clarified that if you use a compromised PC to connect, there’s a possibility the key could be captured, but even then, it could only be used on that same device. “That is why users should not use the capability to log in on public computers,” he explained.
Secure, Sharable Cloud Storage
In addition to encrypted email, each PreVeil account comes with 5GB of cloud storage for your most important files, down from 10GB when last reviewed. That 10GB matched the amount you get free from Box and was quite a bit more than Dropbox’s paltry 2GB. If you want 10GB of storage from Private-Mail, you need an expensive premium account. Of course, the security of your files is paramount with PreVeil, unlike with standard cloud storage services.
PreVeil creates a folder in Windows Explorer that links directly to your cloud storage. I didn’t spot the folder at first because it doesn’t have a simple name like “Google Drive File Stream.” Rather, the folder name is PreVeil followed by your email address, for example, “[email protected].” You can treat this folder like any other, moving files into and out of it, creating and editing files, and so on. However, the files reside in encrypted cloud storage.
You can also access your files by opening the PreVeil app and selecting the Drive tab rather than the Mail tab. This is the spot to set up and manage sharing. With PreVeil, you share folders, not files. To share just one file, simply create a folder to hold it. Now point to a folder and click the Share button that appears. As with the email system, a recipient who doesn’t yet have PreVeil gets an invitation to set up a free account.
You can choose between four levels of sharing. At the Edit & Share level, the recipient has full access to view or change the file and can also share it with others. If you just choose Edit, the recipient can still make changes to the file but can’t pass it along to others. Read Only naturally means the recipient can read the shared item or download a copy but can’t modify it in any way. Finally, if you opt for View Only the recipient can look at the file in a browser-based viewer, with no download option. At present, only Office documents and PDFs support the View Only mode.
By contrast, Private-Mail’s secure file sharing defaults to using simple password-based encryption. If you want to share files with the protection of PKI, you must set up PGP again, with a separate set of keys from those used for email.
You’ll find a link icon next to each file that lets you perform a different kind of sharing. Clicking it copies a direct link to the file into the clipboard. However, the only people who can use that link are those who already share access to the folder containing that file.
Verdict: Easy High-Tech Privacy for Free
PreVeil uses security technology that’s suitable for protecting the most important business data—and complying with government regulations—but hides its complexity from the user. You don’t have to set up a new email address, you don’t have to change your email client, and it’s totally free for individuals. PreVeil is an Editors’ Choice winner for email encryption, along with Proton Mail. Proton Mail does offer a free tier, but paying customers get more.