{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreidaarfr35e7l7ko7azs7lbc4qgom4csrbdl4mbtloebfhpab37kre",
"uri": "at://did:plc:haakkg7y3xdghcdmprxeexso/app.bsky.feed.post/3medsog2tcpm2"
},
"path": "/t/aliasvault-open-source-e2ee-password-email-alias-manager/24436?page=8#post_164",
"publishedAt": "2026-02-08T11:02:44.000Z",
"site": "https://discuss.privacyguides.net",
"tags": [
"aliasvault.net",
"alaiasvault.net"
],
"textContent": "Dear lanedirt,\n\nI intended to write you an email. But this community seems awesome and committed, so maybe my ideas can be used/destroyed by the whole community.\n\nFirst, what you are doing is awesome, by its breadth (visuals, communication, website, front-ends) and its depth (from hosting to browser plugins). I wish there were more IT professionals of your caliber. But I guess you’d get bored to death if you had to do the sort of tasks that many IT people have to do, maintaining legacy stuff in corporate constrained environments.\n\nAnyway, I fail to really see how AliasVault fits in the landscape, and wonder if it’s as safe as we’d like. I guess you didn’t need to know that I don’t use your tool yet. But maybe my point of view can be of interest to some users, and to you to define your “market”/target and maybe even prepare that future security audit.\n\nSo, AliasVault emphasizes things like\n“End-To-End Encryption. Your data is fully encrypted on your local device before backed up online. Your master password is never transmitted to the server. No one, except you, can see inside your vault.”\n\nAll this might be true. But you do get unencrypted emails from websites. So, all that technology only makes sense if we trust your promise that\n“Email Contents: When emails are received by the server, their contents are immediately encrypted with your public key before being saved. Only you can decrypt and read them with your private key.” I’m not sure how that architecture would be assessed in a security audit.\n\nYou seem to have an excellent track record. Spamok seems to be “old” and reputable. But E2EE is meant to create an environment where, if I trust the client, I don’t need to trust the backend. That reliance on those unencrypted emails means that, if I don’t trust your back-end, then the whole system is not OK. Also, even if the back-end was OK in the past, if it/you go rogue, then because any future received email indicates a sender and a recipient, a “password reset” flow could be started at the site and the password that was so wonderfully protected by encryption can simply be replaced.\n\nI understand that spamok (or YOPmail) has users, even though those emails are almost “public”. So maybe that’s not a big concern for many people. But except in special circumstances, I never felt comfortable with that approach. I have used spamgourmet for almost 20 years though. They could have gone rogue too and kept the emails. But their promise was to simply forward and destroy the email. I was more comfortable with that behaviour/promise.\n\nAlso, while people might be OK with the trade-off for some accounts, I feel that AliasVault somehow aims to be a solution that would replace Bitwarden and apply to all accounts. And I wouldn’t like to have that sort of mix between my high value accounts (for which the alias on your own controlled domain aliasvault.net would not be desirable in my eyes), and low value accounts. Probably I’m not forced to have an alias for all accounts, but I don’t feel comfortable with that sort of mix.\n\nAnyway, I hope I’m just being paranoid/stupid, and your solution can be greenlighted by real security professionals, and liked by many users.\n\nBest regards\n\nPS: I also really appreciate you’re making it open source and self-hostable. Although self-hosting would only alleviate my fears if email was using another domain, not the alaiasvault.net domain that is controlled by you. And I’m not sure how it could integrate with a real email provider. (I have Fastmail in mind because that’s what I use.)",
"title": "AliasVault: Open-Source E2EE Password & (Email) Alias Manager"
}