Can I encrypt already existant unencrypted mail before I start using the mail-crypt plugin?

Tue Feb 21 23:49:21 UTC 2023

I would definitely get mail-crypt working on your system before worrying 
about encrypting existing emails. Iirc dovecot should support both types 
of files (encrypted, and non-encrypted) concurrently. So BEFORE you try 
anything, make sure via logs, etc that mail is being written to the fs 
as an encrypted file and that dovecot is able to decrypt it (i.e. you 
are able to view that particular mail file from your email client).

My specific use case way back was to encrypt a maildir system using this 
plugin a year or so ago. I believe there are 2 ways to set mail-crypt 
up. Using global keys or folder-specific keys. What you will learn going 
through this process using folder-specific keys is that any time mail is 
moved (from an IMAP directory to another) the mail becomes effectively 
re-encrypted using the destination's folder keys. I imagine how this 
works under global keys is that the mail is encrypted once when it is 
moved, then never again unless keys change. So all you would need to do 
to encrypt existing mail using either method would be to create a temp 
imap folder, move mail from each IMAP folder one at a time into this 
temp folder, then back to the original IMAP folder.

I had a few questions at the time in implementing this, so I've linked 
here the dovecot mailing list thread so it might provide some context if 
needed:

https://dovecot.org/pipermail/dovecot/2021-July/122469.html

On 2/21/23 16:29, Jeremy wrote:
> On Tuesday, February 21st, 2023 at 09:54, Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
>
>
>>> On 16/02/2023 07:18 EET mailinglist-subscriptions mailinglist-subscriptions at protonmail.com wrote:
>>>
>>> Hi,
>>>
>>> I am using dovecot 2.3.16, along with postfix and a PostgreSQL database for managing virtual accounts.
>>>
>>> I'd like to start using the mail-crypt plugin. However, I'm having a bit some difficulty understanding the documentation at
>>>
>>> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin
>>>
>>> to reach my goal. I plan to ask questions about those issues by starting new threads in this mailing list. But before I even come to that, I'd like to investigate the following:
>>>
>>> The above documentation only addresses a clean install and doesn't seem to mention encrypting already existent unencrypted mails, like my server has. Is it possible to encrypt those before I start using the mail-crypt plugin, such that it will be able to decrypt those messages as well?
>>>
>>> If it is, I am assuming that how I would go about achieving that will be very dependent on the ultimate configuration I have in mind (pub/priv keys, etc.). So I don't expect a full-fledged guide. However, if you could perhaps give a general overview of what would be needed to achieve this, I would very much appreciate that.
>>>
>>> Thank you.
>>
>> It will be easiest to do migration to new server, then the data will get encrypted while migrating. It is possible to write a script to do this, but will be much more hassle than migration.
>>
>> You might even be able to do it for one user at a time, by doing migration from maildir to maildir and then moving the new maildir over the old one.
>>
>> Aki
> Thanks for the suggestion. However, migrating sounds like quite the hassle as well.
>
> Now, I have next to no knowledge about the synchronization workings of IMAP, so perhaps this is totally infeasible, but could the following work?
>
> - Preface
> I am the only user of the mail server, with one virtual catch-all account for each domain I own. I access these accounts with Thunderbird.
>
> - Solution
> I make a backup of all mail in my Thunderbird accounts. Then I either delete all mails from within Thunderbird, or on the server. Then I configure the mail-crypt plugin. And then I import all backup mails and folders into my Thunderbird accounts again?
>
> Could that work? Or would that mess up the synchronization history (message IDs and what not)? And most importantly, if it actually could work, would the messages be properly encrypted then?
>