Skip to main content

Encryption settings

📄️ Overview

Encryption at rest is a term used to describe the process of encrypting data while it's stored, or "at rest," on persistent media, such as hard drives, solid-state drives, or other forms of digital storage. The purpose of encryption at rest is to ensure that data stored on these media is not readable or accessible without the necessary decryption keys. The process of encryption at rest usually involves taking clear-text data and converting it into cipher-text using an encryption algorithm and an encryption key. The key is a secret string of bits used by the encryption algorithm to scramble the data in a specific way. Without the key, or without a way to derive the key, the scrambled data remains unintelligible and secure.

📄️ Management

Stalwart Mail Server includes a web management interface that allows end users to control their own data security and independently manage encryption at rest for their accounts. This self-service interface allows users to enable or disable encryption without needing to involve or rely on the system administrator. To manage their encryption settings, users need to access the web management UI located under "/crypto" on the JMAP server base URL. For instance, if your JMAP server base URL is https8080, then your users can access the encryption at rest management interface at https8080/crypto.

📄️ OpenPGP

OpenPGP is a non-proprietary protocol for encrypting and decrypting data, including emails, using public key cryptography. It's based on the original PGP (Pretty Good Privacy) software, but as an open standard, it is implemented by many different programs and systems. OpenPGP ensures the privacy and integrity of your messages. When a user sends an email, the content is encrypted using a symmetric encryption algorithm, such as AES256 or AES128, which convert the plaintext email into encrypted text, or ciphertext. The symmetric key, also known as the session key, used to perform this encryption is then itself encrypted using the recipient's public key. Only the recipient, with their private key, can decrypt the session key and subsequently the actual email content.