korax/korax-public
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
8609055deaa661e4d346985deda4cdaab99ad09b
korax-public/README.md

8.7 KiB
Raw Blame History

Korax

Korax

PGP-First Email. Private by Default.

License: PolyForm Noncommercial Platform Status

Korax is an email client built around a single principle: encryption should be the default, not the exception.

Most clients bolt PGP on as an afterthought — a plugin, a hidden setting, a third-party extension. Korax is designed from the ground up so that signing, encryption, and key management are a seamless part of your everyday workflow. Your mail stays between you and the people you write to.

Why Korax?

Default mail apps (like Apple Mail) cannot read or compose PGP encrypted emails natively. Korax was born out of simple frustration: the inability to easily read encrypted emails (such as Kraken emails) out of the box. Instead of fighting with extensions, Korax provides a first-class, zero-friction PGP experience.

Motivation

I started using email in the late 90s — around 1997. Back then it felt like magic: POP, SMTP over a dial-up modem, and nearly instant communication. My brother had moved to England, and for the first time we could exchange messages almost in real time. At the time, that felt revolutionary.

Email was originally designed as a communication tool, not a secure system. Security simply wasn't part of the original architecture. Later, in the early 2000s, companies started trying to patch this problem with tools like PGP. At work we used Microsoft Exchange, and PGP was officially required for transmitting sensitive information. In reality, though, almost nobody enforced it consistently.

More than 20 years later, the situation has not fundamentally changed.

Yes, we now have TLS/SSL protecting connections “to the server.” But that does not solve the actual problem. Messages are still accessible at rest, still processable by providers, and still vulnerable to filtering or censorship. In some countries, emails containing PGP-related headers may even be blocked outright.

Meanwhile, the need for secure communication has only increased. PGP is still actively used by platforms like Kraken and many other security-conscious services. The problem is usability.

In practice, reading encrypted mail often still requires highly specific desktop setups. In my case, my Linux laptop running Evolution with GPG became the only device capable of reading encrypted email properly. Not my MacBook. Not mobile devices. Not while traveling.

That completely breaks modern expectations of communication.

Today, users expect access everywhere — desktop and mobile, at any time, on any device. But as soon as encryption enters the picture, the experience collapses back to the early 2000s.

This project exists to close that gap.

The goal is to build a PGP-first email client where:

  • encryption is a default capability, not an afterthought
  • key management does not require a separate toolchain
  • encrypted mail works naturally across desktop and mobile devices
  • usability does not have to be sacrificed for security

Features

  • PGP encryption and signing — native, not a plugin. Compose encrypted mail as naturally as plain text.
  • TOFU trust model. "Trust On First Use" with visual indicators: see at a glance whether a contact's key is known, trusted, or changed.
  • No tracking pixels. Remote images are blocked by default. Autoload only for contacts whose public key you have saved.
  • Local-first. All messages cached in SQLite on your device. Instant load, works offline, nothing sent to any cloud.
  • Multi-language. English, German, Spanish, Finnish, Russian, Swedish.
  • Linux: always free, always fully unlocked. No paywall, no nag screens. Honor system.

Download

Linux (AppImage)

The Linux release is a self-contained AppImage — no installation required.

  1. Download Korax-x86_64.AppImage from the Releases page.
  2. Make it executable: 
    chmod +x Korax-x86_64.AppImage
  3. Run: 
    ./Korax-x86_64.AppImage

macOS · Android · iOS

Coming soon.

Free vs Pro

Feature Free Pro
Send & receive email
IMAP accounts Max 3 Unlimited
Basic PGP encryption / decryption
Generate PGP keypair Max 1 Unlimited
PGP key import / export View only
Keyserver auto-lookup (WKD)
Custom email signature (no watermark)
Smart rules & filtering
Unified inbox & custom swipe actions
Premium themes
Burn-after-reading (Korax-to-Korax)
Provider Hostility Detection & Korax Tunnel bypass
Linux Always Pro Always Pro

Pro is a one-time purchase. All Pro features are free during the current beta period.

Under the Hood

Architecture

Flutter UI (Dart)
      │
flutter_rust_bridge (FFI)
      │
Proprietary engine (Rust)
      │
   mailcore (Rust)
   ├── IMAP client
   ├── SMTP client
   ├── SQLite storage
   ├── MIME parser
   └── DNS SRV discovery

The UI layer never blocks: all network and crypto operations run in Rust, communicated to Dart via an FFI bridge with zero copy overhead.

Layer Technology
UI Flutter / Dart
Core engine Rust (Proprietary + mailcore)
FFI bridge flutter_rust_bridge
Cryptography sequoia-openpgp
Local storage SQLite
State management Riverpod

mailcore — Open Source Engine

mailcore is the Rust library at the heart of Korax. It handles everything below the UI:

  • IMAP client — RFC 3501 compliant, UIDVALIDITY-aware, uses BODY.PEEK[] to preserve \Seen flag integrity
  • SMTP client — RFC 5321 with STARTTLS and SMTPS
  • SQLite storage layer — local message cache, folder state, account credentials
  • MIME parser — RFC 2045/2046 multipart handling
  • DNS SRV auto-discovery — resolves _imaps._tcp and _submission._tcp before falling back to defaults; same mechanism used by Thunderbird, Evolution, and others

The source is published here for transparency and community audit. It is licensed under the PolyForm Noncommercial License 1.0.0 — free to read, study, and use for noncommercial purposes. Commercial use requires a separate agreement.

Building & Testing mailcore

To build and test the mailcore engine locally:

cd mailcore
cargo build
cargo test

Openness Model

This project is not fully open source. Some components are open, while others intentionally remain closed.

This decision is practical, not ideological. The threat model includes not only traditional security risks, but also external pressure — including censorship, targeted blocking, and attempts to restrict infrastructure or communication channels.

In some cases, fully transparent systems become easier to suppress systematically. The priority here is resilience and long-term operability under hostile conditions, not maximal openness at any cost.

At the same time, the project maintains:

  • public client releases
  • transparent distribution channels
  • publicly accessible builds and binaries
  • openness around critical UX and cryptographic decisions where it is safe to do so

The goal is to balance verifiability, usability, security, and resilience.

What stays proprietary: The PGP/Sequoia integration, advanced privacy features, the proprietary Rust engine, and the Flutter UI (korax/) are not published.

Security

Key storage: Private keys are never written to SQLite or disk in plaintext. On every platform, they are stored in the OS secure enclave (iOS Keychain, macOS Keychain, Android Keystore).

Support & Contributing

Bug Reports: Korax includes a built-in bug reporting feature directly within the application. Please use that for all general issues and feedback.

Reporting vulnerabilities: Do not open a public issue. Contact the maintainer directly at the address shown in the application's About screen.

Contributing: Core development is handled internally. At this time, we do not accept external pull requests or community code contributions.

About

Created by Eugen Kaparulin.
Official binaries distributed by K-Ops Oy.

© Eugen Kaparulin. All rights reserved.
mailcore is published under the PolyForm Noncommercial License 1.0.0.
All other parts of Korax are proprietary.

Reference in New Issue View Git Blame Copy Permalink