Adding PGP encryption on web mail

Hello, I think adding PGP for end-to-end encryption would be nice, like what Proton Mail does, as then Mail-in-a-Box could be used for more important emails and confidential ones instead of having to build a complicated email server for it.

MIAB is not an “end”, it’s in the middle of the transaction.

If you’re looking to truly send emails with end to end encryption, the best and easiest way to do so is to do it on the client side, not the server side.

3 Likes

On the web mail part it would be nice.

In MIAB webmail is provided by Roundcube. One can find plugins for PGP support in Roundcube. Might be interesting to experiment. An unsupported modification obviously.

1 Like

How would I do that?

Fork MIAB and look to configure the Enigma plugin for Roundcube.

Alternatively, if you are not wanting to experiment with MIAB you could look at an easier route with Cloudron. See enabling PGP support.

You could probably follow the instructions from the Cloudron site to edit the Roundcube config in MIAB. The Roundcube version is the same but Ubuntu is not. Again, unsupported modification.

1 Like

I’ll just add my personal opinion, since I get the final say :), that I think PGP-based encryption is such a mess that it can only be used correctly by experts and only adds security in very limited circumstances. Since we’re making something that should be useful for everyone, PGP isn’t something I would like to include in Mail-in-a-Box.

1 Like

I found and used this: Implement PGP on Roundcube.

PGP should be able to be used if wanted by the user using the system.

MIAB will overwrite the Roundcube config on every setup, so you’ll need to re-enable the Enigma plugin manually every time you upgrade.

If it helps, my fork comes with Enigma enabled out of the box, plus you get a WKD server if you’re into that stuff 🙂

1 Like

Your fork link doesn’t work.

Sorry about that, fixed it 😅

Does storing PGP private keys on a server defeat the purpose of PGP? I feel like I’m missing something.

Even aside from that, I don’t think email is the correct tool for E2E encryption. Seems something akin to sending the supply department on a recon mission.

1 Like

I tend to agree. Just because a thing can be done does not mean it should be done.

My experience with PGP is that it is quite difficult to set up and agree use with correspondents. Managing private keys securely is difficult for people as is end-point security generally.

I’d completely missed that you had included Roundcube Enigma in your fork. Good to know and thanks for sharing.

PGP keys are fine on the server as long as the server encrypts them behind a second password or attaches the keys to the user’s password, like Proton Mail does.

No, it isn’t. For it to be “end to end” the decryption can only occur at each end.

You are trusting Proton on what they tell you, but you cannot audit their operating servers, so you actually have no idea what they are doing. The significance of this is the entire reason for E2E is because you don’t trust the people managing the server.

Without PGP support or any other way to use stronger-than-normal encryption, the email server and client are completely trash if you wanted to send properly encrypted confidential stuff. It would be nice to have proper support out of the box instead of making it an “unsupportive modification” when all it takes is enabling 1 plugin.

Sending PGP-encrypted emails from a different email client and then trying to look at them from the webmail part is just not able to be done, so you couldn’t even see what you sent if you weren’t at your computer using the OG client that you sent that email from.

I really don’t appreciate comments like this. Consider this a warning. I’m also locking the thread. If you want to continue the discussion, don’t call the project whose forum you are in trash.