OpenPGP
OpenPGP is an open, non-proprietary standard (RFC 4880, revised by RFC 9580) for encrypting, decrypting and signing data, including email, with public-key cryptography. It grew out of the original PGP (Pretty Good Privacy) software, but as an open standard it is implemented by many different programs and systems. OpenPGP protects the confidentiality and integrity of messages using hybrid encryption: the content is encrypted with a symmetric algorithm (for example AES-256 or AES-128) under a fresh random key, the session key, and that session key is in turn encrypted with the recipient's public key (once per recipient when a message has several). Only the holder of the matching private key can recover the session key and decrypt the content.
Stalwart supports OpenPGP encryption with either AES-256 or AES-128 as the symmetric cipher. AES-256 uses a 256-bit key and 14 rounds instead of 10, so it costs somewhat more CPU per message; AES-128 is cheaper and still provides a strong level of security. In practice the symmetric cipher is rarely the weakest link: the strength and handling of the recipient's key pair matter far more.
Stored messages use the PGP/MIME format (RFC 3156) rather than the older PGP/Inline format. PGP/MIME encrypts the entire MIME message, attachments included, rather than only the body text, so attachment names and types are not exposed in the stored message, and it is supported by modern mail clients. Note that the outer message headers (From, To, Subject, Date) are not part of the encrypted body and remain readable.
Obtaining a key pair
OpenPGP keys are generated by the user's mail client or by an external tool that implements the OpenPGP standard; Stalwart does not generate keys on the server. A key pair consists of a private key, which must be kept secret, and a public key, which can be freely shared. The two play distinct roles: anyone holding the public key can encrypt a message to its owner, and only the corresponding private key can decrypt it.
After generating an OpenPGP key pair, the user exports the public key and provides it to Stalwart. The server uses that public key to encrypt messages destined for the account; it never needs the private key. The private key must not be uploaded to the server or shared with anyone; it should be stored securely and used only by the intended recipient to decrypt incoming messages. If a private key is ever uploaded by mistake, treat it as compromised: generate a new key pair and replace the registered public key.
The exact procedure for generating an OpenPGP key pair and exporting the public key depends on the mail client or external tool in use. Consult the relevant client documentation for the correct steps.
Importing public keys
A registered public key is represented as a PublicKey object (found in the WebUI under Account › Public Keys). An account can register one or several public keys. Encrypting to multiple keys is useful during key rotation: while the user's clients are being switched to a new private key, a message encrypted to both the old and the new public key stays readable with either. Once the rotation is complete, remove the old public key so that new mail is no longer readable with the retired private key.
OpenPGP public keys must be supplied as ASCII-armored text; raw binary keys are not accepted. An ASCII-armored block is the binary OpenPGP packet data (the public key, its user IDs, self-signatures and subkeys) encoded as Base64 between -----BEGIN PGP PUBLIC KEY BLOCK----- and -----END PGP PUBLIC KEY BLOCK----- lines. Optional header lines such as Version: or Comment:, followed by a blank line, may precede the data, and a CRC-24 checksum line beginning with = (the =KGrr line below) follows it. For example:
-----BEGIN PGP PUBLIC KEY BLOCK-----
xjMEZMYfNhYJKwYBBAHaRw8BAQdAYyTN1HzqapLw8xwkCGwa0OjsgT/JqhcB/+Dy
Ga1fsBrNG0pvaG4gRG9lIDxqb2huQGV4YW1wbGUub3JnPsKJBBMWCAAxFiEEg836
pwbXpuQ/THMtpJwd4oBfIrUFAmTGHzYCGwMECwkIBwUVCAkKCwUWAgMBAAAKCRCk
nB3igF8itYhyAQD2jEdeYa3gyQ47X9YWZTK1wEJkN8W9//V1fYl2XQwqlQEA0qBv
Ai6nUh99oDw+/zQ8DFIKdeb5Ti4tu/X58PdpiQ7OOARkxh82EgorBgEEAZdVAQUB
AQdAvXz2FbFN0DovQF/ACnZyczTsSIQp0mvmF1PE+aijbC8DAQgHwngEGBYIACAW
IQSDzfqnBtem5D9Mcy2knB3igF8itQUCZMYfNgIbDAAKCRCknB3igF8itRnoAQC3
GzPmgx7TnB+SexPuJV/DoKSMJ0/X+hbEFcZkulxaDQEAh+xiJCvf+ZNAKw6kFhsL
UuZhEDktxnY6Ehz3aB7FawA=
=KGrr
-----END PGP PUBLIC KEY BLOCK-----
The key material is carried in the key field of the PublicKey object, alongside a required description and optional expiresAt and emailAddresses fields. The server auto-detects whether the value is an OpenPGP key or an S/MIME certificate, so both variants share the same field; only text-armored input is accepted (ASCII-armored for OpenPGP, PEM for S/MIME). Registered keys are then referenced from AccountSettings; see the management interface for how to select a key and enable encryption.
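It pays to sanity-check an exported key before uploading it, or when an upload is rejected. The following is an added example, not Stalwart code and not the server's own validation logic: using only the Python standard library, it de-armors the sample key from this page (embedded here as constructed input), verifies the CRC-24 trailer, walks the packet sequence, computes the v4 fingerprint and compares it with the issuer fingerprint carried in the self-signature, and flags blocks that are not armored, fail the checksum, lack a user ID, or contain secret key packets. The function names (inspect_public_key, import_problems) are this example's own, not a server API.

```python
import base64, hashlib, re

# Constructed sample: the key block shown on this page (Ed25519 primary key,
# one user ID, X25519 subkey). Substitute the user's exported public key.
SAMPLE_ARMOR = """-----BEGIN PGP PUBLIC KEY BLOCK-----
xjMEZMYfNhYJKwYBBAHaRw8BAQdAYyTN1HzqapLw8xwkCGwa0OjsgT/JqhcB/+Dy
Ga1fsBrNG0pvaG4gRG9lIDxqb2huQGV4YW1wbGUub3JnPsKJBBMWCAAxFiEEg836
pwbXpuQ/THMtpJwd4oBfIrUFAmTGHzYCGwMECwkIBwUVCAkKCwUWAgMBAAAKCRCk
nB3igF8itYhyAQD2jEdeYa3gyQ47X9YWZTK1wEJkN8W9//V1fYl2XQwqlQEA0qBv
Ai6nUh99oDw+/zQ8DFIKdeb5Ti4tu/X58PdpiQ7OOARkxh82EgorBgEEAZdVAQUB
AQdAvXz2FbFN0DovQF/ACnZyczTsSIQp0mvmF1PE+aijbC8DAQgHwngEGBYIACAW
IQSDzfqnBtem5D9Mcy2knB3igF8itQUCZMYfNgIbDAAKCRCknB3igF8itRnoAQC3
GzPmgx7TnB+SexPuJV/DoKSMJ0/X+hbEFcZkulxaDQEAh+xiJCvf+ZNAKw6kFhsL
UuZhEDktxnY6Ehz3aB7FawA=
=KGrr
-----END PGP PUBLIC KEY BLOCK-----
"""
ARMOR_RE = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)-----END PGP PUBLIC KEY BLOCK-----", re.S)
ALGO = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA", 25: "X25519", 27: "Ed25519"}

def crc24(data):
    """Armor checksum (RFC 4880 section 6.1), carried in the '=XXXX' trailer line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text):
    """Return (packet bytes, crc_ok); crc_ok is None when the block has no trailer line."""
    match = ARMOR_RE.search(text)
    if not match:
        raise ValueError("not an ASCII-armored PGP PUBLIC KEY BLOCK")
    # Keep only the Base64 lines: drop blanks and headers such as "Version: ..." / "Comment: ...".
    lines = [ln.strip() for ln in match.group(1).splitlines() if ln.strip() and ": " not in ln]
    data = base64.b64decode("".join(ln for ln in lines if ln[0] != "="), validate=True)
    trailer = [ln for ln in lines if ln[0] == "="]
    crc_ok = crc24(data) == int.from_bytes(base64.b64decode(trailer[0][1:]), "big") if trailer else None
    return data, crc_ok

def read_length(buf, i):
    """New-format length field (RFC 4880 sections 4.2.2 and 5.2.3.1) -> (length, octets used)."""
    first = buf[i]
    if first < 192:
        return first, 1
    if first < 255:
        return ((first - 192) << 8) + buf[i + 1] + 192, 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), 5

def packets(data):
    """Yield (tag, body) per packet; GnuPG writes old-format headers, OpenPGP.js new-format ones."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % i)
        if (ctb & 0x40 and 224 <= data[i + 1] < 255) or (not ctb & 0x40 and ctb & 0x03 == 3):
            raise ValueError("partial or indeterminate packet lengths are not supported")
        if ctb & 0x40:                                        # new-format header
            tag, (length, n) = ctb & 0x3F, read_length(data, i + 1)
        else:                                                 # old-format header
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            length = int.from_bytes(data[i + 1:i + 1 + n], "big")
        body = data[i + 1 + n:i + 1 + n + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += 1 + n + length

def inspect_public_key(text):
    """Summarise the primary key, user IDs and first self-signature of an armored key."""
    data, crc_ok = dearmor(text)
    info = {"crc_ok": crc_ok, "packets": [], "user_ids": [], "key_expires": None, "self_sig_issuer": None}
    for tag, body in packets(data):
        info["packets"].append(tag)
        if tag == 6 and "fingerprint" not in info:             # primary public key
            if body[0] != 4:
                raise ValueError("only v4 keys are handled in this example")
            # v4 fingerprint: SHA-1 over 0x99, two-octet body length, body (RFC 4880 section 12.2).
            fp = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
            info.update(created=int.from_bytes(body[1:5], "big"), algorithm=ALGO.get(body[5], str(body[5])),
                        fingerprint=fp, key_id=fp[-16:])
        elif tag == 13:                                        # user ID
            info["user_ids"].append(body.decode("utf-8", "replace"))
        elif tag == 2 and body[0] == 4 and "sig_checked" not in info:   # first self-signature
            info["sig_checked"], area, i = True, body[6:6 + int.from_bytes(body[4:6], "big")], 0
            while i < len(area):                               # walk the hashed subpackets
                length, n = read_length(area, i)
                sp_type, sp_data = area[i + n] & 0x7F, area[i + n + 1:i + n + length]
                if sp_type == 33:                              # Issuer Fingerprint: version octet + fingerprint
                    info["self_sig_issuer"] = sp_data[1:].hex().upper()
                elif sp_type == 9:                             # Key Expiration Time: seconds after creation
                    info["key_expires"] = info.get("created", 0) + int.from_bytes(sp_data, "big")
                i += n + length
    return info

def import_problems(text):
    """Reasons to reject an upload; an empty list means the key looks importable."""
    try:
        info = inspect_public_key(text)
    except ValueError as exc:                                  # binascii.Error is a ValueError too
        return [str(exc)]
    problems = []
    if info["crc_ok"] is False:
        problems.append("armor CRC-24 checksum mismatch")
    if "fingerprint" not in info:
        problems.append("no public key packet (tag 6)")
    if any(tag in (5, 7) for tag in info["packets"]):
        problems.append("contains secret key packets; never upload a private key")
    if not info["user_ids"]:
        problems.append("no user ID packet")
    if info["self_sig_issuer"] and info["self_sig_issuer"] != info.get("fingerprint"):
        problems.append("self-signature issuer does not match the primary key fingerprint")
    return problems

if __name__ == "__main__":
    print(inspect_public_key(SAMPLE_ARMOR))
    print(import_problems(SAMPLE_ARMOR) or "no problems found")
```

For the sample key this reports an EdDSA primary key with user ID John Doe <john@example.org>, key ID A49C1DE2805F22B5, no expiration, and a self-signature whose issuer fingerprint matches the computed one. The checks are structural only: the example does not verify the self-signatures cryptographically and handles v4 keys only, so treat it as a pre-flight check and rely on the server (or gpg --show-keys) for full validation. A key_expires value earlier than the expiresAt you intend to set on the PublicKey object is worth catching here, since the recipient's client will stop using the key at the earlier of the two.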