Lavaboom - a secure email service -

Lavaboom – a secure email service

Douglas Crawford

Douglas Crawford

April 23, 2014

Update 19 November 2015: Lavaboom folded in August this year, and its technology has been acquired by Invacio. Operating under the Invacio umbrella, Invmail can now be signed up at

A new web email service has just entered beta stage, and is garnering a great deal of interest thanks to its promise of high security and ‘zero knowledge’. Billing itself as the spiritual successor to Lavabit, the secure email service that shut down rather than hand over its encryption keys to the feds, Lavaboom has no links to that service or its founder Ladar Levinson, other being ‘a fan’.

The basic service is free, but premium options will be available (at what are in our view very reasonable prices).


Key features of the service include:

  • Zero-knowledge – all mail is end-to-end encrypted
  • Strong encryption – using ‘a variety of free and Open-Source libraries, notably there is the OpenPGP-library’
  • Two or three factor authentication – in addition to using a password + key pair (two factor authentication), paid-for subscribers can choose to be sent randomly generated code, or use the OTP-feature of a YubiKey. Or even both!

The developers freely admit that a web based email service cannot ever be as secure as encrypting emails locally, but aim to strike a useful balance between security and usability that will make sending encrypted emails as easy as sending ordinary ones.

It will be possible to communicate securely with non-Lavaboom users by exchanging public keys, and while sending unencrypted texts will be possible, users will receive strong warnings before being allowed to do so.

Encryption keys are generated clientside using JavaScript, and private encryption keys are stored in a browser’s JavaScript cache. This means the service cannot be used if NoScript is installed in a browser, and can only be used on one browser on one computer. Lavaboom is hoping to address these limitations, and is keen to point out that the service is still in beta. This also means that if that computer is compromised (for example it is seized by the authorities) so will the encryption keys be.

Lababoom uses Perfect Forward Secrecy and ‘will use bcrypt as a password pre-hashing tool, which will prevent any plain text passwords flying through the cloud.’ At present the source code is not open, but Lavaboom ‘are currently considering making the code partially OpenSource’, and are keen for security researchers who wish to vet the code to contact them. When an open source version of the code is available, ‘we’ll consider DarkMail implementation’.

A far as jurisdiction goes, Lavaboom is proud of being based in Germany where there are strong privacy laws. We are not so sure about this though, as Germany also has some nasty surveillance laws and a reputation for server raids, but as Lavaboom points out, since encryption is end-to-end, they do not have users’ private keys and so therefore cannot hand over any plaintext emails.

Further details about Lavaboom are available in both a standard and a technical FAQ. We have signed up for the beta service, and will fully review it when issued with an account.