End-to-end encryption

Retyc uses end-to-end encryption (E2EE) based on age, a modern and audited standard designed to replace PGP.

General principle

End-to-end encryption means your files are encrypted on your device before being sent, and decrypted on the recipient's device after download. At no point do Retyc's servers see the content in plain text.

Sender                        Retyc servers                 Recipient
──────                        ─────────────                 ─────────
Plain file
  ↓ encryption (age)
Encrypted file ─────────────→ Encrypted storage ──────────→ Encrypted file
                                                              ↓ decryption (age)
                                                            Plain file

How does encryption work?

Asymmetric keys

Each Retyc user has a key pair:

  • Public key: stored on Retyc's servers, shared with senders
  • Private key: stored encrypted on Retyc's servers, never accessible to Retyc in plain text

Transfer process

  1. The sender generates a random session key for the transfer
  2. Files are encrypted with this session key (algorithm: ChaCha20-Poly1305)
  3. The session key is encrypted with the public keys of each authorized recipient
  4. Encrypted files and encrypted keys are sent to the servers
  5. The recipient decrypts the session key with their private key
  6. The recipient decrypts the files with the session key

Unlocking the private key

Your private key is stored encrypted on Retyc's servers, protected by your passphrase. It is only decrypted locally, in your browser, when you enter your passphrase.

Retyc never knows your passphrase or your private key in plain text.

Why age?

age is a file encryption format designed by Filippo Valsorda (ex-Google Go team). Its advantages:

  • Simple and well-audited specification
  • No complex cryptographic configuration (no risk of misconfiguration)
  • Modern algorithms: X25519 for key exchange, ChaCha20-Poly1305 for symmetric encryption
  • Open source reference implementation

What Retyc cannot do

Thanks to end-to-end encryption:

  • Retyc cannot read the content of your files
  • Retyc cannot recover your files if you lose your passphrase
  • Even if Retyc's servers are compromised, the files remain encrypted and unreadable