Can I Encrypt Dovecot Mails? How to Encrypt Dovecot Emails

on Tue Apr 1 | Updated on Tue Apr 1

Yes, you can encrypt mail stored by Dovecot while still allowing users to access it normally when they log in. The best approach is Dovecot's Mail Crypt plugin (mail_crypt), which provides per-user encryption of mail at rest.

How It Works

  • Emails are encrypted before being written to disk.
  • When a user logs in, emails are decrypted on the fly using their credentials.
  • The encryption keys are stored securely and never written in plaintext.

Steps to Encrypt Stored Emails in Dovecot

1. Install Required Packages

Ensure you have Dovecot with the mail-crypt plugin installed. If not, install it:

sudo apt install dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql dovecot-mail-crypt

2. Enable the Mail Crypt Plugin

Edit your Dovecot config file (/etc/dovecot/conf.d/10-mail.conf) and add:

mail_plugins = $mail_plugins mail_crypt

For LMTP (Local Mail Transfer Protocol), enable the plugin in /etc/dovecot/conf.d/20-lmtp.conf:

protocol lmtp {
  mail_plugins = $mail_plugins mail_crypt
}

For IMAP, enable it in /etc/dovecot/conf.d/20-imap.conf:

protocol imap {
  mail_plugins = $mail_plugins mail_crypt
}

3. Configure Encryption Keys

Edit /etc/dovecot/conf.d/10-mail-crypt.conf (create if missing) and set:

plugin {
  mail_crypt_global_private_key = </etc/dovecot/private_key.pem
  mail_crypt_global_public_key = </etc/dovecot/public_key.pem
}

Generate RSA keys:

openssl genpkey -algorithm RSA -out /etc/dovecot/private_key.pem
openssl rsa -in /etc/dovecot/private_key.pem -pubout -out /etc/dovecot/public_key.pem
chmod 600 /etc/dovecot/private_key.pem

4. Enable Per-User Encryption

Edit /etc/dovecot/conf.d/90-mail-crypt.conf:

plugin {
  mail_crypt_save_version = 2
  mail_crypt_require_encrypted_user_key = yes
}

This ensures that emails are only readable by the user who owns them.

5. Restart Dovecot

Apply the changes:

sudo systemctl restart dovecot
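After restarting, two checks are worth running: that the configuration really loads the plugin with properly protected key files, and that message files on disk are no longer plaintext. The Python below is an added example, not Dovecot's code or code from the original page. It parses a fragment written in the conf.d syntax used in the steps above, checks the private key file's permissions, and scans a Maildir's cur/ and new/ directories for files that still begin with a plaintext RFC 5322 header (for example, mail delivered before the plugin was enabled). The DCRYPT_MAGIC constant is my assumption about the header Dovecot's lib-dcrypt writes; the sample config, placeholder key files and message files are all constructed inline so it runs without a Dovecot installation.

```python
"""Post-setup checks for a Dovecot mail_crypt deployment (added example, not Dovecot code).

  1. audit_config(): parse a conf.d-style fragment, confirm mail_crypt is loaded,
     the global keys are set, save_version is 2, and the private key file is
     not readable by group/other.
  2. scan_maildir(): classify files under a Maildir's cur/ and new/ and report
     any that still start with a plaintext RFC 5322 header.
"""
import os
import re
import tempfile
from pathlib import Path

REQUIRED_PLUGIN = "mail_crypt"
REQUIRED_KEYS = ("mail_crypt_global_private_key", "mail_crypt_global_public_key")

# Assumption: the magic bytes lib-dcrypt writes at the start of an encrypted
# stream. Verify against your Dovecot version; a mismatch only downgrades a
# file from "encrypted" to "unknown", never to "plaintext".
DCRYPT_MAGIC = b"CRYPTED\x03\x07"

# An RFC 5322 header field: printable ASCII name without a colon, a colon, whitespace.
RFC5322_HEADER = re.compile(rb"^[!-9;-~]+:[ \t]")


def parse_config(text: str) -> dict:
    """Flatten conf.d syntax into {'block/setting': value}; `$name` references
    are expanded from the global value seen so far, as Dovecot does."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        value = re.sub(r"\$(\w+)", lambda m: settings.get(m.group(1), ""), value)
        settings["/".join(stack + [key.strip()])] = value.strip()
    return settings


def audit_config(text: str) -> list:
    """Return findings; an empty list means the fragment matches the guide."""
    cfg, findings = parse_config(text), []
    if REQUIRED_PLUGIN not in cfg.get("mail_plugins", "").split():
        findings.append("mail_crypt is not listed in mail_plugins")
    for key in REQUIRED_KEYS:
        value = cfg.get(f"plugin/{key}", "")
        if not value:
            findings.append(f"plugin {{ {key} }} is not set")
            continue
        path = Path(value[1:]) if value.startswith("<") else None
        if path and "private" in key and path.exists():
            mode = path.stat().st_mode & 0o777
            if mode & 0o077:
                findings.append(f"{path} is readable by group/other (mode {mode:o})")
    if cfg.get("plugin/mail_crypt_save_version") != "2":
        findings.append("plugin { mail_crypt_save_version } should be 2")
    return findings


def classify_mail_file(path: Path) -> str:
    """'encrypted' (dcrypt magic), 'plaintext' (RFC 5322 header), or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(256)
    if head.startswith(DCRYPT_MAGIC):
        return "encrypted"
    if RFC5322_HEADER.match(head.split(b"\n", 1)[0]):
        return "plaintext"
    return "unknown"


def scan_maildir(root: Path) -> dict:
    """Classify every message file under root/cur and root/new."""
    report = {"encrypted": [], "plaintext": [], "unknown": []}
    for sub in ("cur", "new"):
        for f in sorted((root / sub).glob("*")):
            if f.is_file():
                report[classify_mail_file(f)].append(f.name)
    return report


def demo() -> dict:
    """Run both checks on constructed data in a temp dir (no Dovecot needed)."""
    tmp = Path(tempfile.mkdtemp(prefix="mailcrypt-check-"))
    for sub in ("cur", "new"):
        (tmp / sub).mkdir()
    # Constructed message files: one plaintext, one carrying the dcrypt magic.
    (tmp / "cur" / "1700000000.M1P1.host,S=40").write_bytes(
        b"Return-Path: <alice@example.org>\nSubject: hi\n\nhello\n")
    (tmp / "new" / "1700000001.M2P1.host").write_bytes(DCRYPT_MAGIC + os.urandom(64))
    # Constructed placeholder key files (not real keys) with different modes.
    priv, pub, loose = (tmp / n for n in ("private_key.pem", "public_key.pem", "loose.pem"))
    for p in (priv, pub, loose):
        p.write_text("-----BEGIN PLACEHOLDER-----\nnot a real key\n-----END PLACEHOLDER-----\n")
    priv.chmod(0o600)
    loose.chmod(0o644)
    good = ("mail_plugins = $mail_plugins mail_crypt\n"
            "protocol lmtp {\n  mail_plugins = $mail_plugins mail_crypt\n}\n"
            f"plugin {{\n  mail_crypt_global_private_key = <{priv}\n"
            f"  mail_crypt_global_public_key = <{pub}\n  mail_crypt_save_version = 2\n}}\n")
    bad = f"mail_plugins = quota\nplugin {{\n  mail_crypt_global_private_key = <{loose}\n}}\n"
    return {"good_findings": audit_config(good),
            "bad_findings": audit_config(bad),
            "scan": scan_maildir(tmp)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

On a real server, point scan_maildir() at a user's Maildir (for example the path Dovecot's mail_location resolves to); anything listed under "plaintext" was written to disk without going through the plugin and remains readable to anyone who can read the file, which is exactly the exposure this setup is meant to remove.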

How It Works for Users

  • When an email is received, it is encrypted before being stored.
  • When the user logs in via IMAP/POP3, Dovecot decrypts it on the fly.
  • If an attacker gains access to the VPS, the stored emails are unreadable without the private keys.

Alternative: Full-Disk Encryption (FDE)

If you don’t want per-user encryption but still want security, you can:

  • Use LUKS encryption on the mail storage disk.
  • Set up encfs or eCryptfs for encrypted mail directories.

However, Dovecot’s mail-crypt is the best method for user-specific encryption.