end-to-end encryption

Aki Tuomi aki.tuomi at dovecot.fi
Wed May 16 07:07:01 EEST 2018


> On 15 May 2018 at 22:43 Gandalf Corvotempesta <gandalf.corvotempesta at gmail.com> wrote:
> 
> 
> Hi to all
> I was looking at protonmail.com
> Is it possible to implement an end-to-end encryption with dovecot, where
> server-side there is no private key to decrypt messages?
> 

You could probably automate this with sieve and e.g. GnuPG, which would mean that all your mails are encrypted without the server having a key to decrypt them.

> If I understood properly, on protonmail the private key is encrypted with the
> user's password, so that only the user is able to decrypt the mailbox.
> 
> Anything similar?

In this case, the server *does* have the private key, even if it's encrypted... =)

Dovecot's mail crypt plugin can achieve a *similar* thing with

mail_crypt_private_password=%{password} (see https://wiki.dovecot.org/Plugins/MailCrypt)

But this requires quite good planning, esp. if you are hosting mails, since there is currently no DR feature in dovecot. If you decide to use the mail crypt plugin, set it up with a private key password, and lose the password, then the mails really are gone.

Also worth noting is that, currently, dovecot does not encrypt indexes, which can contain information about your mails.

Aki
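As an added example of the sieve + GnuPG approach Aki suggests (not code from the Dovecot project or from this thread): a filter script that a Pigeonhole sieve `filter` action (the `vnd.dovecot.filter` extension from sieve_extprograms, assumed to be installed with `sieve_filter_bin_dir` pointing at the script's directory) runs over each delivered message, encrypting it to the recipient's public key so that only ciphertext reaches the mailbox. The script name, the `ENCRYPT_CMD` override and the assumption that the recipient's public key is already imported into the Dovecot user's keyring are mine; the mail indexes Aki mentions are untouched by this.

```shell
#!/bin/sh
# Added example; not code from the Dovecot project or the list post.
# Encrypts an incoming message to the recipient's *public* GnuPG key and wraps the
# result as PGP/MIME (RFC 3156). Run by a Pigeonhole sieve "filter" action, which
# pipes the message through stdin/stdout. No secret key is needed on the server.
set -eu
# Encryptor: recipient as final argument, plaintext on stdin, armored ciphertext on
# stdout. Overridable so the MIME wrapping can be tested without a keyring present.
: "${ENCRYPT_CMD:=gpg --batch --quiet --trust-model always --armor --encrypt --recipient}"

# Header block of a message file, with folded (continuation) lines joined.
unfold_headers() {
    awk '/^$/ {exit}
         /^[ \t]/ && n {printf "%s", $0; next}
         n {print ""}
         {printf "%s", $0; n=1}
         END {if (n) print ""}' "$1"
}
# Everything after the first blank line.
message_body() { awk 'body {print; next} /^$/ {body=1}' "$1"; }

# Read one RFC 822 message on stdin, write the PGP/MIME-wrapped message to stdout.
encrypt_message() {
    recipient="$1"
    tmp=$(mktemp)
    cat >"$tmp"
    # Pass already-encrypted mail through untouched; double wrapping would hide it.
    if unfold_headers "$tmp" | grep -qi '^Content-Type: *multipart/encrypted'; then
        cat "$tmp"; rm -f "$tmp"; return 0
    fi
    boundary="pgpmime-$$-$(date +%s)"
    # Outer headers keep routing information but drop the MIME fields, which
    # describe the plaintext and move inside the encrypted part.
    unfold_headers "$tmp" | grep -viE '^(Content-Type|Content-Transfer-Encoding|MIME-Version):' || :
    printf 'MIME-Version: 1.0\n'
    printf 'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="%s"\n\n' "$boundary"
    printf '%s\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n' "--$boundary"
    printf '%s\nContent-Type: application/octet-stream\n\n' "--$boundary"
    {   # Original MIME headers plus body form the entity that gets encrypted.
        unfold_headers "$tmp" | grep -iE '^(Content-Type|Content-Transfer-Encoding):' || :
        printf '\n'
        message_body "$tmp"
    } | $ENCRYPT_CMD "$recipient"
    printf '\n%s\n' "--$boundary--"
    rm -f "$tmp"
}

# Stand-alone use: gpg-encrypt.sh <recipient> < message > encrypted-message
[ $# -eq 0 ] || encrypt_message "$1"
```

A mail client holding the matching secret key renders the result as an ordinary PGP/MIME message; a second pass over an already-wrapped message returns it unchanged.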

