📄️ Overview
Encryption at rest is a term used to describe the process of encrypting data while it's stored, or "at rest," on persistent media, such as hard drives, solid-state drives, or other forms of digital storage. The purpose of encryption at rest is to ensure that data stored on these media is not readable or accessible without the necessary decryption keys. The process of encryption at rest usually involves taking clear-text data and converting it into cipher-text using an encryption algorithm and an encryption key. The key is a secret string of bits used by the encryption algorithm to scramble the data in a specific way. Without the key, or without a way to derive the key, the scrambled data remains unintelligible and secure.
📄️ Management
Stalwart Mail Server includes a self-service portal that allows end users to control their own data security and independently manage encryption at rest for their accounts. This self-service interface allows users to enable or disable encryption without needing to involve or rely on the system administrator. To manage their encryption settings, users need to access the web management UI located under "/account/crypto" on the JMAP server base URL. For instance, if your JMAP server base URL is https8080, then your users can access the encryption at rest management interface at https8080/account/crypto.
📄️ S/MIME
S/MIME, which stands for Secure/Multipurpose Internet Mail Extensions, is a widely accepted protocol for sending digitally signed and/or encrypted messages. It is built into most modern email clients, which interoperate with one another, making it one of the most popular ways to send secure emails.
📄️ OpenPGP
OpenPGP is a non-proprietary protocol for encrypting and decrypting data, including emails, using public key cryptography. It is based on the original PGP (Pretty Good Privacy) software, but as an open standard it is implemented by many different programs and systems. OpenPGP ensures the privacy and integrity of your messages. When a user sends an email, the content is encrypted using a symmetric encryption algorithm, such as AES256 or AES128, which converts the plaintext email into encrypted text, or ciphertext. The symmetric key used to perform this encryption, also known as the session key, is then itself encrypted using the recipient's public key. Only the recipient, with their private key, can decrypt the session key and subsequently the actual email content.