eM Client’s QR Export

With the release of eM Client for iOS and Android, we added a QR export function to the desktop version of eM Client 9.2.

We implemented this feature to make importing settings and other data (such as account settings, templates, signatures, QuickTexts, certificates, tags, and more) into mobile devices quick and easy: the mobile device uses its camera to bring over your settings with one single scan, instead of you moving an exported XML file from one computer to another.

How does it work?

Let us explain in a few simple steps how this feature works on the technical side.

  • The data is encrypted on the original device (desktop eM Client) with the 256-bit AES symmetric encryption algorithm, using a random encryption key.
  • This encrypted data is sent securely to a service running on our server.
  • A unique identifier is generated by the server to access the data.
  • The server generates a URL address for the QR code with the mentioned unique identifier and encryption key.
  • The QR code is scanned by the device that wants to import these settings (the eM Client mobile app), which gives it the correct URL address.
  • The mobile device downloads the encrypted settings data from our server.
  • The eM Client mobile app decrypts the data with the encryption key found in the QR code.
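
The steps above, simulated end to end in Node.js as an added example; this is not eM Client's code. Assumptions: AES-256-GCM as the AES mode, the host `relay.example`, the URL layout (identifier in the query, key in the fragment, assembled on the exporting side so the relay only ever receives ciphertext), and all function names.

```javascript
// Added illustration, not eM Client's implementation. The AES mode (GCM),
// URL layout, host name and every function name here are assumptions.
const nodeCrypto = require('node:crypto');

const TTL_MS = 30 * 60 * 1000;   // page: stored no longer than 30 minutes
const store = new Map();         // simulated relay: operating memory only

// Relay side: accepts ciphertext only and returns a unique identifier.
function relayPut(blob, now = Date.now()) {
  const id = nodeCrypto.randomUUID();
  store.set(id, { blob, expires: now + TTL_MS });
  return id;
}

// Relay side: one-time download; expired or already-used ids yield null.
function relayTake(id, now = Date.now()) {
  const entry = store.get(id);
  store.delete(id);
  return entry && now <= entry.expires ? entry.blob : null;
}

// Desktop side: encrypt with a fresh random 256-bit key, upload, build the URL.
function exportSettings(settings, now = Date.now()) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(settings), 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), body]);
  const id = relayPut(blob, now);
  // Assumed layout: the key travels in the fragment, which is not sent in HTTP requests.
  return `https://relay.example/import?id=${id}#${key.toString('base64url')}`;
}

// Mobile side: parse the scanned URL, download once, authenticate and decrypt.
function importSettings(qrUrl, now = Date.now()) {
  const url = new URL(qrUrl);
  const key = Buffer.from(url.hash.slice(1), 'base64url');
  const blob = relayTake(url.searchParams.get('id'), now);
  if (!blob) throw new Error('export expired or already imported');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  const plain = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}
```

Because the QR code carries the decryption key, anyone who can photograph it within the retention window holds the same capability as the importing device, so treat the on-screen code like a short-lived password.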

Is the QR Export secure?

Since the steps are so simple, one might wonder whether the data you bring over is safe, or whether the eM Client company has any access to it. We are happy to confirm that your data is absolutely safe, for these reasons:

  • The eM Client company never has direct access to this data. While it is stored on our servers for the purpose of export/import, it is in an encrypted form which we cannot decipher.
    Decryption can be done only by using the encryption key, which is only available to the device you’re exporting from and the device you’re importing to (end-to-end encryption).
  • This data is stored on our servers only for a limited time (no longer than 30 minutes), for one-time import only.
  • The data is stored in-memory, so it cannot be retrieved from a server database or file storage. This means that even if someone gained access to our server within that time frame, they would not be able to locate this data, since it is in the operating memory only.