← Back to Home

How ENQ Works

A technical overview of the cryptographic architecture. Zero plaintext is stored at rest.

1. Key Generation & Alias Creation

On first visit, your browser generates a 256-bit userKey via crypto.getRandomValues() and stores it in localStorage. This key never leaves your device.

When you create an alias, the browser generates an ECDH P-256 key pair using the Web Crypto API. The private key is then encrypted client-side:

The server stores ciphertext. It cannot derive your wrapping key without your userKey.

2. Email Ingestion & Server-Side Encryption

When an inbound email arrives at the Cloudflare Email Worker:

The plaintext email body and metadata exist only in worker memory during processing. After encryption, they are unreachable.

3. Client-Side Decryption

When you open an email in your browser:

All cryptographic operations use the browser's native Web Crypto API. No third-party crypto libraries are loaded.

4. Data Retention & Deletion

5. Authentication Model

There are no passwords or accounts. Authentication is derived from your userKey:

Threat Model — What This Protects Against: Known Limitations: ENQ is designed for disposable signups and temporary communication — not for state-level adversary resistance.