Lavabit now stores the key in a tamper-resistant device. The service automatically generates a long passphrase that the company won't be able to see, inserts the key into the device and then destroys the passphrase. A developer for the company told The Intercept that "Once it's in there, we cannot pull that SSL key back out."
At the moment, the service is only open to previous users who were suddenly locked out of their accounts due to its sudden death. They likely won't be able to retrieve their old emails anymore, but they can now continue using their Lavabit account. The company will eventually start accepting new users, though, and they'll be able to choose between three modes: Trustful, Cautious and Paranoid.
The least secure option encrypts emails on the company's server, while Cautious will offer end-to-end encryption. Those who prefer the latter will have to install the client software on their devices to be able to generate an encryption key. But since Cautious still stores the key in the company's server and that might not be enough for some people, the service came up with Paranoid mode. It stores the key on the users' devices instead, and people will have to manually transfer it if they want to use another device. Plus, if they lose the key, it's gone for good.
In addition to three security tiers, the new Lavabit has a feature called Dark Mail to encrypt every email's metadata. It also prevents the sender's ISP from knowing the email's recipient and the recipient's ISP from knowing the sender's. The company didn't say when it will start welcoming new sign ups, but you can pre-register for an account right now on Lavabit's website.