Tutanota: the Open-Source Encrypted E-mail Answer to Protonmail

by P. H. Madore, March 20, 2015

For several years, and especially since the Edward Snowden revelations, there has been a need for an easy-to-use, automatically encrypted communications service.

Many people have flocked to Protonmail, the closed-source e-mail application based in Switzerland, which has seen a great deal of corporate backing and a rapidly expanding user base. The key word here is closed-source – meaning that the security researchers of the world are not immediately free to audit the viability of the secure algorithms used to encrypt messages on the service.

Enter Tutanota, the German-based alternative to Protonmail, which is both open-source and as easy to use as Protonmail. Tutanota is Latin for “secure message,” at least if you separate the two words. The company was founded in 2011 and presently serves around 100,000 accounts. It is backed by two German private investors and has ambitions to expand into other areas, such as a secure calendar interface and a file sharing / storage service not unlike Mega.

Encrypting E-mails was Just Too Complicated

Co-founder Arne Möhle explained in a phone call that the impetus for creating the service was that, in their previous lives, he and co-founder Mathieu Pfau found that it was overly complicated to securely communicate with business partners and customers.

Before we started with Tutanota, we were in some other jobs, and all of us, we always saw this problem that encrypting e-mails for communication with partners or with customers was just too complicated. And that’s when we said there must be some easier way to do that. That’s when we started to develop Tutanota, which hides all the stuff which is complicated like generating keys, exchanging keys, managing certificates, and so on.

In the same way that Mega easily encrypts files for users using client-side browser-based security, Tutanota does not require much of the user in terms of technical know-how. Tutanota and Protonmail are hardly the first in this space; Hushmail was famously compromised several years ago. Further, Hushmail actively logs IP addresses, and over the years, due to complicity with law enforcement and other mistakes, it has fallen off the radar as the go-to secure e-mail provider.

A nifty feature of Tutanota is its per-recipient password protection.

As stated earlier, Tutanota intends to expand into other markets, potentially even into instant messaging later on. The implementation of encrypted calendaring would be a first, and will be something that the next generation of businesses will truly appreciate. It is much easier to track someone’s whereabouts if you can easily access their calendar. In this vein, Tutanota already has a business application, Tutanota for Outlook, which is one of the ways they are already generating revenue. It is also open source so that companies can be sure things are working properly under the hood.

We also have a business product, which is Tutanota for Outlook. So you can just send and receive end-to-end encrypted e-mails directly with Outlook. It works with an Outlook plug-in. And that’s the business variant of Tutanota. […] We’re thinking about integrating it into Thunderbird, but it’s not yet decided if we’re going to do it but we have to see which is the highest priority to work on, and Thunderbird is not currently the highest priority, but it may become the highest priority in the future. […] For private users, we currently focus on the web application and the Android and iPhone applications.

Tutanota is encrypted with RSA/AES 2048 encryption. Hacked got in touch with Dr. Brian Sovryn, a technologist and podcaster based in New Hampshire, for his thoughts on the open-source alternative to Protonmail.

The fact is, we live in a surveillance state. But it’s more than that. It’s also a surveillance society, where people seem to just accept a lack of privacy in their lives and communications. I think the reason they accept this is because it appears that regaining privacy is hard. But that’s the beauty of services like Tutanota, where it takes some of the best open-source encryption devised and makes it easy to use with an app on your smartphone, in your web browser, and even in Outlook! Even if somehow that encryption were cracked, getting people used to encryption being the rule, and no longer the exception, is essential to human freedom.

In the modern age, you can almost bet that anything you send and receive is being watched by someone, and governments are not the only third party to be concerned about.

Hackers who traffic in financial and personal data, marketers who profit by knowing every click of your mouse within the browser, and those with even more nefarious purposes, such as terrorist organizations, all have a motive to know what goes on in the private lives of everyday people.

Möhle says that the state of mass surveillance we live under was a big concern, and the hope is that Tutanota gives people without a great deal of technical knowledge the freedom to communicate unmolested.

Images from Shutterstock and Tutanota.
Editor’s note: in the original article, we gave the impression that all of ProtonMail’s code is closed-source, which is not true. ProtonMail utilizes the open-source library OpenPGPjs. While ALL of TutaNota’s code is freely available and they do intend to add PGP, ProtonMail creator Andy Yen felt that we were unfair to ProtonMail. He wrote to say:

“It is often claimed that Tutanota is open source while ProtonMail is not, but that is actually quite disingenuous. ProtonMail’s client side encryption is based on the OpenPGPjs library and not only do we use that library, our developers are also active in contributing to it. OpenPGPjs is open source. But it is better than open source. It has also been audited and reviewed. And it has a very active developer community which is constantly improving it and making it more secure. In other words, it is an exemplary example of how to leverage the strengths of open source.”

  • I do believe the future of privacy is using existing systems and then having a plugin to achieve privacy. Right now to achieve true privacy without anyone watching for all people is costly and political. But these small measures that this company is doing will get us on a path of acceptance by mainstream audience. When they see that having their information is secure without a tech know how is achievable and easy to use.

  • Kelly Oshka

    This article is simply INACCURATE. I was an early donator to ProtonMail’s IndieGoGo campaign that got worldwide acclaim, and they have been transparent about their processes and their progress. If I wasn’t sure of this, I would not have made my donation. I don’t get anything for supporting them, except for knowing that my emails are protected.

    I KNOW that they use OpenPGP – which is THE STANDARD for encryption on the Internet. Not only that but they’ve mentioned they also contribute to it regularly!! Open source or not – TutaNota does not comply with OpenPGP, while ProtonMail does. OpenPGP is regularly reviewed and audited by crypto experts across the world. Who reviews Tutanota’s code?

    • P. H. Madore

      Am I able to download and run ProtonMail independently of ProtonMail’s servers?

    • Juan

      OpenPGP is just a tiny part of the code. While Protonmail is hopefully doing it right, you have no guarantee that the code does not contain any backdoor. That’s why putting the ENTIRE code open source is so important. Tutanota also uses trustworthy open libraries and has published their code on github. That’s a great plus, security-wise.

    • aa0145

      “audited by crypto experts” who inject backdoors into closed source code. There’s no way of knowing.

  • Azeem Katir

    Is the author an idiot? ProtonMail uses OpenPGPjs which is open source. Who the hell researched this piece?

    • P. H. Madore

      Yes, he is.

  • Why has everyone forgotten about mailpile?

  • the answer to protonmail? what was the question in the first place? here’s another question for you. go do some research before writing your next blog post

  • P. H. Madore

    In hindsight, fucking ProtonMail shills are really obvious.