Locks and keys
Arca protects your email using public-key cryptography. The idea is simple: messages are sealed with a lock and opened with a key.
- A lock (public key) is meant to be shared. Anyone can have it. It can only seal messages — it cannot open them.
- A key (private key) is kept secret on your device. Only it can open messages sealed with the matching lock.
When someone sends you an encrypted email, they seal it with your lock. They can get your lock from the server, or directly from you. Once sealed, only your private key can open it.
One problem remains: is the lock genuine?
Encryption is only as trustworthy as the lock you’re using. Before relying on it, you need to be 100% certain that a lock really belongs to the person it claims to — and that an email you receive truly came from them, unchanged on the way.
The danger is an attacker who secretly sits between you and your contact, swapping in their own lock while impersonating each of you. They can then read or alter everything that passes through, and neither of you would notice. This is called a Man-in-the-Middle (MitM) attack, and software can carry it out automatically, at scale.
To shut this down and be 100% sure your conversation is private, you and your contact need to verify each other’s locks. The rest of this tutorial shows you how.
Your Privacy ID
Look at the top of the Arca window — you’ll see four unusual words, like Imov Yekoc Komi Qucet. This is your Privacy ID: a unique identifier mathematically derived from your lock.
When you receive an encrypted email from a contact, you can see their Privacy ID too.
- The first two words alone: the chance of another person having the same two is roughly 1 in 4 billion.
- The full four-word ID: roughly 1 in 18 billion billion.
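A sketch of how a short ID like this can be derived from a lock and used to catch a swapped one, added here as an example and not Arca's own code. The SHA-256 hash, the 16-bits-per-word split (chosen to match the 1 in 4 billion and 1 in 18 billion billion figures above), the letter alphabet and all function names are assumptions, and both locks are constructed sample bytes.

```python
import hashlib

# Assumed scheme, not Arca's published algorithm: SHA-256 over the lock bytes,
# first 64 bits kept, 16 bits per word, each word spelled consonant-vowel-
# consonant-vowel-consonant (4 + 2 + 4 + 2 + 4 bits).
CONSONANTS = "bcdfghjklmnpqrst"   # 16 symbols = 4 bits
VOWELS = "aeio"                   # 4 symbols = 2 bits
BITS_PER_WORD = 16


def word16(n: int) -> str:
    """Spell one 16-bit value as a five-letter pronounceable word."""
    return (CONSONANTS[(n >> 12) & 0xF] + VOWELS[(n >> 10) & 0x3]
            + CONSONANTS[(n >> 6) & 0xF] + VOWELS[(n >> 4) & 0x3]
            + CONSONANTS[n & 0xF])


def privacy_id(lock: bytes) -> str:
    """Derive a four-word ID from a lock (public key) given as raw bytes."""
    digest = hashlib.sha256(lock).digest()
    words = [word16(int.from_bytes(digest[i:i + 2], "big")) for i in range(0, 8, 2)]
    return " ".join(w.capitalize() for w in words)


def id_space(words: int) -> int:
    """Number of distinct IDs when only the first `words` words are compared."""
    return 2 ** (BITS_PER_WORD * words)


def lock_matches(lock_received: bytes, id_heard: str) -> bool:
    """True if the lock we hold produces the ID our contact read out loud."""
    heard = " ".join(id_heard.split()).casefold()
    return privacy_id(lock_received).casefold() == heard


# Constructed sample locks: the contact's real one and one an attacker swapped in.
GENUINE_LOCK = b"constructed-sample-public-key-of-contact"
SWAPPED_LOCK = b"constructed-sample-public-key-of-attacker"

if __name__ == "__main__":
    spoken = privacy_id(GENUINE_LOCK)   # what the contact reads from their screen
    print("contact reads:", spoken)
    print("genuine lock matches:", lock_matches(GENUINE_LOCK, spoken))
    print("swapped lock matches:", lock_matches(SWAPPED_LOCK, spoken))
    print("two words: 1 in", id_space(2), "| four words: 1 in", id_space(4))
```

The comparison only protects you when the spoken ID arrives over a channel the attacker does not control, which is why the verification steps use a live call.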
When to verify
The easiest time to verify is after you and your contact have exchanged an initial encrypted email. To be safe, don’t put any big secrets in that first message — verify first, then write freely.
Connect with your contact in real time — phone, Zoom, WhatsApp, or any live channel. Then each of you opens a secure email from the other. In the top-right corner of the email you’ll see a red Unverified label.
Click it to start verification.
Compare the four sentences
Arca shows four unique sentences derived from your contact’s lock. Your contact sees the same four sentences on their screen.
Read them out loud to each other, one at a time. If your contact’s sentence matches yours exactly, check the box next to it. Do this for all four.
Verified
Once all four boxes are checked, click Verify. The red “Unverified” label changes to a green lock with your contact’s name — confirmation that their lock is genuine and your communication is secure.
You only need to do this once per contact. From now on, every encrypted email from them shows the green lock automatically.