Server-Side Encryption

Zero-Access Architecture

Server-Side Encryption (SSE) provides zero-access encryption at rest. Your emails are encrypted with keys that CenterLeap cannot access, similar to how ProtonMail and Tutanota protect your data.

  • Speed: Fast - ~50ms decryption
  • Similar To: ProtonMail - Zero-access standard
  • Provider Access: No - Cannot read emails
  • Password Reset: Risky - Loses email access

How Server-Side Encryption Works

1. Unique Key Generated Per Account

When you create an email account, a unique AES-256 encryption key is generated. This key is encrypted with a key derived from your password and stored securely.

2. Emails Encrypted Before Storage

When an email arrives, the server encrypts it using your account's content key before storing. The plaintext email is never written to disk.

3. Decryption Requires Your Password

When you log in and unlock your vault, your password-derived key decrypts the content key, which then decrypts your emails. Without your password, the emails remain encrypted gibberish.

Incoming Email -> (TLS Encrypted) -> CenterLeap Server (encrypts with your key) -> (AES-256 Encrypted) -> Storage (Encrypted)

What is Zero-Access Architecture?

Zero-access means that CenterLeap mathematically cannot read your emails, even if we wanted to. Here's why:

  • Your encryption key is derived from your password, which we never see
  • Only the encrypted version of your key is stored on our servers
  • Decryption happens only when you authenticate with your password
  • Even database administrators see only encrypted content

Advantages

  • CenterLeap cannot read emails - True zero-access architecture
  • Protected from breaches - Stolen data is useless without your password
  • Fast decryption - Server handles the heavy lifting (~50ms)
  • Works on any device - No special software needed
  • Legal protection - We cannot provide readable emails even if compelled

Disadvantages

  • Password reset loses emails - Cannot recover without your password
  • Slightly slower than TLS - Decryption adds ~50ms per email
  • Server-side search limited - Cannot search email content
  • Key temporarily in memory - During decryption, key exists on server RAM

SSE is Best For

Business Communications

Sensitive business emails that need protection from unauthorized access

Personal Privacy

Users who want strong privacy without client-side complexity

Compliance Requirements

Organizations needing encryption at rest for regulatory compliance

Balanced Security

When you want strong security with fast performance

Critical: Password Recovery

With SSE, your password is the only way to access your emails. If you lose your password AND your recovery key:

  • Your encrypted emails are permanently inaccessible
  • CenterLeap cannot help you recover them
  • This is by design for your security

Always save your recovery key in a secure location!

Technical Specifications

Encryption Algorithm: AES-256-GCM
Key Derivation: PBKDF2 with SHA-256
Key Size: 256 bits
IV Generation: Random per encryption
Decryption Time: ~50ms average
Storage Overhead: ~20% (metadata)
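
The three steps under "How Server-Side Encryption Works", built from the algorithms in the specifications above, as an added Node.js example (not CenterLeap's code). The iteration count, salt and IV lengths, the stored blob layout and every function name are assumptions; the page does not state them.

```javascript
const crypto = require('crypto');

// Assumed parameters: the page names PBKDF2 with SHA-256 and AES-256-GCM but
// gives no iteration count, salt length or IV length.
const PBKDF2_ITERATIONS = 600000;
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;

// AES-256-GCM with a fresh random IV per call; returns iv || tag || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Throws if the key is wrong or the blob was modified (GCM tag mismatch).
function unseal(key, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, IV_LEN));
  decipher.setAuthTag(blob.subarray(IV_LEN, IV_LEN + TAG_LEN));
  return Buffer.concat([decipher.update(blob.subarray(IV_LEN + TAG_LEN)), decipher.final()]);
}

function deriveKek(password, salt) {
  return crypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 32, 'sha256');
}

// Step 1: random 256-bit content key; only its wrapped form goes in the record.
function createAccount(password) {
  const salt = crypto.randomBytes(SALT_LEN);
  const contentKey = crypto.randomBytes(32);
  const wrappedKey = seal(deriveKek(password, salt), contentKey);
  return { record: { salt, wrappedKey }, contentKey };
}

// Step 3: password -> derived key -> content key. Returns null on a wrong password.
function unlock(record, password) {
  try {
    return unseal(deriveKek(password, record.salt), record.wrappedKey);
  } catch {
    return null;
  }
}

// Constructed sample data, not real mail or credentials.
const { record, contentKey } = createAccount('correct horse battery staple');
const stored = seal(contentKey, Buffer.from('Subject: Q3 numbers\r\n\r\nDraft attached.')); // step 2
const unlocked = unlock(record, 'correct horse battery staple');
console.log(unseal(unlocked, stored).toString());
console.log(unlock(record, 'password after a reset')); // null: mail stays unreadable
```

The final line is the password-reset case from the Disadvantages list: a new password derives a different key, so the wrapped content key no longer opens.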