Encryption & Security
MyEmailVault implements multiple layers of security to protect archived data, user credentials, and system access.
Encryption at Rest
All stored files -- including raw .eml messages, attachments, and exported documents -- are encrypted at rest using AES-256-CBC. Encryption is applied automatically during the storage process and decryption occurs transparently when authorized users access the data.
Encrypted Credential Storage
Email provider credentials (passwords, OAuth tokens, API keys) stored in the database are encrypted. Credentials are decrypted only at the point of use and are never exposed in logs, API responses, or administrative interfaces.
Authentication
MyEmailVault supports two authentication mechanisms:
- JWT (JSON Web Token) -- used for interactive user sessions. Tokens are issued at login and validated on each request. Tokens have a configurable expiration time.
- API Key -- used for programmatic access and integrations. API keys can be scoped and revoked independently of user sessions.
Rate Limiting
API endpoints are protected by rate limiting to prevent abuse and brute-force attacks. Limits are applied per client and can be configured to match your deployment requirements.
Role-Based Access Control
Access to features and data is governed by roles and permissions. Administrators define roles that control which users can view, search, export, or manage archived mail and system settings. See Roles & Permissions for configuration details.
Audit Logging
All significant actions -- logins, data access, configuration changes, exports -- are recorded in an immutable audit log. The audit log supports compliance requirements by providing a verifiable trail of who did what and when. See Audit Log for details on viewing and filtering log entries.