Most teams mean one of two things when they say secure email. Either the message rides over TLS and lands in a normal inbox, or the sender uses a secure email portal or end to end encryption like S/MIME or PGP. Secure links are different. The sensitive content is encrypted before it leaves the sender’s device, and the recipient gets a one time, self destructing link to retrieve it. Both approaches have a place, but they solve different problems.
Key takeaway: if your risk is unauthorized persistence and forwardability, secure links with client side, zero knowledge encryption are safer for secrets and credentials. If your requirement is long term, regulated correspondence that must be archived in mail systems, secure email or portals are the right fit.
What counts as “secure email” today
Secure email is an umbrella term. In practice it usually means one of the following:
- Transport layer encryption only. SMTP with STARTTLS protects the hop between mail servers, but messages are stored in cleartext on each mailbox and in backups. See the Google Transparency Report on safer email for delivery TLS trends.
- End to end encrypted email. S/MIME and PGP encrypt message content from sender to recipient, but they require certificate or key distribution and user training. S/MIME is standardized in IETF RFC 8551.
- Secure email portals or gateways. The recipient gets a notification email and must sign in to a vendor portal to view the message. Content is stored on the provider’s servers, and the provider can typically access it for scanning and legal process unless the solution is zero knowledge, which most portals are not.
Strengths of secure email:
- Fits existing correspondence workflows and archiving needs
- Good for signed notices, policies, and messages that must remain discoverable
- Organizational controls for DLP and journaling are already in place
Limitations to consider:
- Persistence by design, messages and attachments live in mailboxes and backups
- Revocation is hard. You can sometimes revoke portal access, but you cannot claw back an email or a downloaded attachment
- Key distribution and usability challenges for S/MIME or PGP limit external adoption
What “secure links” actually do
Secure links, sometimes called one time or self destructing links, are built for ephemeral transmission. The sender encrypts the secret in the browser or client, only ciphertext touches the server, and the decryption key travels separately, often as a URL fragment. The link expires on first open or after a short time window.
When implemented with client side, zero knowledge encryption, the provider never sees the plaintext or the decryption key. This is the model Nurbak uses by design, which makes it materially different from traditional secure email portals.
Benefits of secure links for secrets:
- Minimal persistence, nothing lands in inboxes or chat logs, and the link can burn after one view
- Revocation and expiry are built in, you control time to live and one time access
- Reduced forward risk, a forwarded link will be useless after first open
- Vendor compromise resistance, zero knowledge design keeps keys and plaintext off the server
For more on why client side encryption matters, see Client-Side vs. Server-Side Encryption: Why It Matters for Your Secrets.
Threat models that should drive your choice
- Persistence risk. Email creates durable copies in multiple places, including journals and eDiscovery buckets. If the goal is not leaving a trail, email is the wrong tool.
- Forwardability and misdelivery. Even with S/MIME, a recipient can forward or save attachments. Secure links can limit access to a single open and a short TTL.
- Vendor access. Portals often retain plaintext or keys for scanning. Zero knowledge links avoid provider access by design.
- Revocation and audit. Email recall is largely a myth. Links can be expired on demand and can record access events without storing content.
- Compliance and privacy by design. Data minimization and storage limitation are core privacy principles. See GDPR Article 5. Ephemeral links align naturally with these goals.
Industry guidance also encourages minimizing secret exposure windows. The OWASP Secrets Management Cheat Sheet recommends strong lifecycle controls for secrets and distribution mechanisms that do not proliferate copies.
Secure email vs. secure links, a side by side comparison
| Criterion | Secure email (TLS, S/MIME, or portal) | Secure links with zero knowledge |
|---|---|---|
| Encryption scope | Often transport only, S/MIME or PGP can be end to end, portals usually server side | End to end by default, encryption happens client side |
| Provider access to content | Common with portals, not with S/MIME or PGP | No, provider sees only ciphertext |
| Persistence | High, messages live in inboxes, archives, and backups | Low, single view and short TTL, no inbox copies |
| Revocation | Limited, portal access can be turned off but emails persist | Strong, expire now and burn after reading |
| Forward risk | High, forwarding and downloads create more copies | Low, forwarding after burn is ineffective |
| Delivery to external parties | Friction for S/MIME or PGP key exchange, portals add account creation | Simple link, no accounts required |
| Audit trail | Possible via mail journaling or portal logs | Possible via access logs without content |
| Best use cases | Contracts needing archive, policy notices, regulated correspondence | Passwords, API keys, recovery codes, temporary credentials, PII handoffs |
A practical decision framework
Choose secure email when:
- You must retain and later prove the content of a formal notice
- Your recipients already operate an S/MIME or PGP program and exchanging keys is standard
- Legal or industry rules require email archiving tied to user mailboxes
Choose secure links when:
- You are sending one off secrets like passwords, API tokens, SSH keys, or 2FA recovery codes
- You want the data to evaporate after first use and not linger in systems or backups
- You need a simple workflow for external recipients without key exchange
- You want vendor compromise resistance and cannot allow providers to access plaintext
Still unsure which way to go in a given case? Ask these five questions:
- Does the recipient need to keep this item beyond a short window?
- Would persistence in inboxes or backups create audit or breach risk for us?
- Do we need to revoke access on demand?
- Can we avoid key management and training for external users?
- Would creating more copies violate data minimization or contractual promises?
If you answer yes to the last four, secure links are usually safer.
Implementing secure links safely in the real world
If you are new to one time links, start with a simple, repeatable checklist.
- Generate the secret with least privilege and a short lifetime, for example a scoped API key or a temporary password
- Encrypt and create a one time, self destructing link, then set an aggressive expiration window
- Verify the intended recipient through an independent channel before sending the link
- Send the link in your usual communication tool, but never include the secret in the message
- Confirm receipt, then rotate or disable the secret immediately after use
For a detailed walkthrough, see How to share a secret with one-time links.
Operational tips and pitfalls to avoid:
- Link previews. Some mail and chat clients prefetch links for previews, which can consume one time links. Share the link in a context where previews are disabled or instruct recipients to open the link from a trusted device
- Separate channels. When practical, send the link through one channel and any metadata or instructions through another
- Device hygiene. Ephemeral delivery helps, but compromised endpoints can still exfiltrate data, keep endpoints patched and locked down
Compliance and audit advantages
Ephemeral, zero knowledge linking maps cleanly to privacy by design. It reduces retention, simplifies incident scope, and supports storage limitation and data minimization principles outlined in GDPR Article 5.
Security auditors also care about secret lifecycle. Using one time links for distribution limits where secrets appear, which reduces compensating controls you need elsewhere and makes evidence easier to produce during SOC 2 or ISO audits. For a deeper dive on audit expectations, read SOC2 and Password Sharing: How to Maintain Compliance in Remote Teams.
Where Nurbak fits
Nurbak focuses on the secure link side of the equation for human to human secret sharing. It encrypts in the browser with AES 256, stores only ciphertext, and creates one time access links that self destruct after being read. The platform follows a zero knowledge model, so the server cannot see or log plaintext. Teams get audit access logs, an admin dashboard and analytics, and integrations that fit existing infrastructure. Nurbak does not store secret content and uses short lived metadata so you can prove access without keeping the data itself.
If your policy goal is to minimize data trails, this pattern reduces risk while keeping a usable workflow for clients, contractors, and non technical recipients.
Common myths and realities
- Password protected PDFs are enough. In practice, shared passwords end up in the same channel as the file, and recipients often store both. Use end to end encryption and avoid persistent copies when possible
- S/MIME makes email forward proof. S/MIME protects contents in transit and at rest in mailboxes, but it does not prevent a recipient from saving or forwarding the decrypted content
- Links are phishable, so we should avoid them. Phishing risk applies to every medium. Use recognizable domains, clear context, and out of band verification for high sensitivity items
- We need to keep secrets in email for audit. You need evidence of delivery and retrieval, not unlimited retention of the secret, access logs from a zero knowledge link satisfy this without retaining plaintext
FAQs
Is secure email end to end encrypted by default? No. Most email rides over TLS between servers, which protects transport. End to end requires S/MIME or PGP and working key exchange with the recipient.
Are secure links safer than secure email for passwords and API keys? For one off secrets, yes in most cases. Secure links can burn after reading, they do not leave copies in inboxes or backups, and a zero knowledge provider cannot read the content.
What about secure email portals that send a notification link? Portals still store your content on the provider and usually can access it. Zero knowledge secure links encrypt in your browser and store only ciphertext, which reduces insider and legal process risks.
Can recipients forward a secure link? They can forward the URL, but if you set one time access and a tight expiration, a forwarded link will not work after the first view.
How do we prevent link previews from consuming one time links? Share links in channels where previews are disabled, or instruct recipients to open links in a browser directly. See operational tips in How to share a secret with one-time links.
Does this help with GDPR or privacy requirements? Yes. Ephemeral, minimal retention patterns align with data minimization and storage limitation in GDPR Article 5. Also see our guide on GDPR-compliant self-destructing links.
Where can I learn more about S/MIME and email encryption? The standard for S/MIME is IETF RFC 8551. Transport encryption for SMTP is commonly provided via STARTTLS, which you can explore through the Google Transparency Report.
Bottom line
- Use secure email when correspondence must be archived and rediscovered later
- Use secure links when the goal is to hand off a secret with minimal trace, single use, and vendor compromise resistance
If you want a modern, zero knowledge approach to secret handoffs, try Nurbak. Create a self destructing link in seconds, send it to the intended recipient, and leave no trace once it is read. Start here: Nurbak.