Your messages can only be read by you and your recipients. Not even by us.
At EchoPass, we cannot read your messages. This is not a marketing promise — it is a technical constraint. Your messages are encrypted with a key derived from your password before being stored. We never store your password or your decryption key.
In the event of a legal request or a breach of our infrastructure, the data stored on our servers is useless without your password.
Authenticated encryption for messages and files. The algorithm chosen by Google for HTTPS on mobile, used in WireGuard and Signal. Extended 192-bit nonce (safe even for many encryptions with the same key). Libsodium via PHP 8.3.
Key derivation from your password. Winner of the Password Hashing Competition (2015). Resistant to GPU and ASIC attacks thanks to its high memory consumption. A unique random salt is generated for each user.
All communications between your browser and our servers are encrypted via TLS 1.3 with Let's Encrypt certificates. Transport is secured on top of the data encryption.
Attached files are encrypted chunk by chunk (in 64 KB blocks) before being stored on the server. A unique file key is randomly generated for each file, then that key is itself encrypted with your master key.
As a result, even if an attacker gains access to the file storage, they cannot link a file to a user or decrypt it.
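The per-file key scheme described above, sketched with PHP's bundled libsodium functions; this is an added example, not EchoPass's own code. It assumes Argon2id with libsodium's interactive cost settings for the password-derived master key, libsodium's XChaCha20-Poly1305 secretstream for the 64 KB chunks, and XChaCha20-Poly1305 with a random 192-bit nonce to wrap the file key; the function names and array fields are hypothetical.

```php
<?php
declare(strict_types=1);
const CHUNK = 65536; // 64 KB blocks, as stated on the page
const TAG_FINAL = SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_FINAL;
const NONCE_LEN = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES; // 24 bytes = 192 bits

// Master key from password + per-user salt (Argon2id; cost parameters are assumptions).
function deriveMasterKey(string $password, string $salt): string {
    return sodium_crypto_pwhash(32, $password, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13);
}

// Encrypt chunk by chunk under a fresh random file key, then wrap that key with the master key.
function encryptFile(string $plain, string $masterKey): array {
    $fileKey = sodium_crypto_secretstream_xchacha20poly1305_keygen();
    [$state, $header] = sodium_crypto_secretstream_xchacha20poly1305_init_push($fileKey);
    $chunks = $plain === '' ? [''] : str_split($plain, CHUNK);
    $body = '';
    foreach ($chunks as $i => $chunk) { // the last chunk is tagged FINAL so truncation is detectable
        $tag = $i === count($chunks) - 1 ? TAG_FINAL : SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_MESSAGE;
        $body .= sodium_crypto_secretstream_xchacha20poly1305_push($state, $chunk, '', $tag);
    }
    $nonce = random_bytes(NONCE_LEN);
    $wrapped = $nonce . sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($fileKey, '', $nonce, $masterKey);
    sodium_memzero($fileKey); // the plaintext file key never leaves this function
    return ['wrapped_key' => $wrapped, 'header' => $header, 'body' => $body];
}

// Unwrap the file key, then authenticate and decrypt every chunk in order.
function decryptFile(array $blob, string $masterKey): string {
    $fileKey = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($blob['wrapped_key'], NONCE_LEN), '', substr($blob['wrapped_key'], 0, NONCE_LEN), $masterKey);
    if ($fileKey === false) throw new RuntimeException('wrong master key or tampered file key');
    $state = sodium_crypto_secretstream_xchacha20poly1305_init_pull($blob['header'], $fileKey);
    [$plain, $tag] = ['', null];
    $size = CHUNK + SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_ABYTES; // ciphertext chunk = 64 KB + 17
    foreach (str_split($blob['body'], $size) as $c) {
        $out = sodium_crypto_secretstream_xchacha20poly1305_pull($state, $c);
        if ($out === false) throw new RuntimeException('chunk failed authentication');
        [$msg, $tag] = $out;
        $plain .= $msg;
    }
    if ($tag !== TAG_FINAL) throw new RuntimeException('file truncated');
    return $plain;
}

$key  = deriveMasterKey('constructed sample password', random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES));
$data = random_bytes(150000); // constructed sample file spanning three chunks
$blob = encryptFile($data, $key);
var_dump(hash_equals($data, decryptFile($blob, $key)));
```

The server in this sketch stores only `wrapped_key`, `header` and `body`; a reordered, modified or missing chunk makes `decryptFile` throw instead of returning partial plaintext.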
If you discover a security flaw, please report it responsibly. We treat all reports seriously and in strict confidence.
Contact security@echopass.app