Overview
Encryption at rest is the practice of encrypting data while it is stored, or "at rest", on persistent media such as hard drives, solid-state drives, or other forms of digital storage. Its purpose is to ensure that data stored on such media cannot be read or accessed without the necessary decryption keys. The process usually involves taking plaintext data and converting it into ciphertext using an encryption algorithm and an encryption key. The key is a secret string of bits that the algorithm uses to scramble the data in a specific way. Without the key, or without a way to derive it, the scrambled data remains unintelligible and secure.
Management
Stalwart exposes encryption-at-rest settings through the self-service portal, which allows end users to register their own keys and toggle encryption for their accounts without involving a system administrator. The same settings are reachable over the JMAP API (through the AccountSettings and PublicKey objects) and through the CLI.
S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a widely accepted protocol for sending digitally signed or encrypted messages. It is built into most modern mail software and interoperates between implementations, which makes it one of the most common ways to send secure email.
OpenPGP
OpenPGP is a non-proprietary protocol for encrypting and decrypting data, including emails, using public-key cryptography. It is based on the original PGP (Pretty Good Privacy) software, but as an open standard it is implemented by many different programs and systems. OpenPGP protects the privacy and integrity of messages: when a message is encrypted, the content is processed with a symmetric encryption algorithm (for example AES-256 or AES-128) that converts the plaintext into ciphertext. The symmetric key used for that pass, known as the session key, is itself encrypted with the recipient's public key. Only the recipient, using their private key, can recover the session key and decrypt the message.