Offline & Encrypted Personal E-Mail
I find most e-mail clients to be both complicated and restricting.
I like being able to read, write and manage my e-mail offline.
I also like storing my e-mail in an encrypted mailbox, in case someone else gets access to my device.
In this guide, I will explain how I have configured my e-mail system, and how it can be implemented for other users. I will be using an exemplary Yandex e-mail account (email@example.com).
The programs needed to replicate this setup are:
gnupg2(encryption and signing tool)
Before we begin, we need to install the required packages.
We start by configuring
mutt, which is a very flexible and customizable e-mail client with many options.
The lines below are the ones that are relevant to this guide.
If you are already a
mutt user, then these lines should be enough.
If not, then you might need to tweak the configuration to make it more usable for you.
We open the configuration file in a text editor.
We add the following lines, which tell
mutt how to send e-mail, and where to look for received e-mail.
set spoolfile = "$HOME/.email/INBOX"
set record = "$HOME/.email/Sent"
set sendmail = "/usr/bin/msmtp -a yandex"
set use_from = yes
set from = firstname.lastname@example.org
set realname = "Example User"
set mbox = "$HOME/.mailbox/Archives"
set mbox_type = Maildir
Next, we configure
isync to get e-mail from a remote IMAP server.
The binary for
isync is called
mbsync, and the default configuration file is
In this guide, we will put the configuration file in
~/.config/mbsync/mbsyncrc, and read the file when running
This makes our home directory tidier.
A basic configuration looks something like this.
PassCmd "pass yandex"
Then, we open up the
msmtp configuration file, which is read from
~/.config/msmtp/config by default.
Here is a simple configuration that works:
passwordeval "pass yandex"
account default : yandex
Next, we generate two RSA keypairs with
gnupg2 (one for the mailbox encryption, and one for the encrypted password storage).
The binary is called
gpg2 on Void Linux.
The program will ask us questions about the keys we are generating. We need to:
- Choose "RSA and RSA" keys (this is default)
- Choose 4096 bits as the keysize for better security (type 4096 when prompted for the keysize)
- Specify a duration of validity for the keys (this is optional, but is a good security measure, and the key can always be extended when necessary)
- Confirm the choices
- Enter a real name (Example User)
- Enter an e-mail address (email@example.com)
- Enter a comment (this is optional)
- Press "O" for "Okay"
- Enter the passphrase to protect the new keys
- Perform random actions on the mouse and on the keyboard in order to gain entropy while generating the keys (this is optional, and fun).
Then, we enter the following command to see the secret key ID (only the first line is the command, the rest is the output).
uid [ultimate] Example User <firstname.lastname@example.org>
sub rsa4096/0000000000000000 2021-01-01 [E]
The number marked in white is where the key ID should be. We note this number.
We then generate a new RSA keypair with the same process. This time, we might provide a comment when prompted, in order to make the new keypair more recognizable. When the generation is complete, we note the ID of the new key as well.
Next up, we initialize the password storage with
pass, using one of the key IDs we have generated.
pass saves passwords in a
gpg2 encrypted file in the
We are going to store our e-mail account password with
pass, because it is more secure than storing it in plain text.
We can insert a new password with the following command (we enter the password when prompted).
We can see the newly added password like this:
We also need to make the mailbox directory, compress it into a
tar archive, and encrypt it using the other RSA keypair.
We will be decrypting the mailbox whenever we synchronize with
mbsync or run the
mutt e-mail client, and encrypting it again when we are done.
I am using a different fake key ID this time, to differentiate it from the previous one.
We run the following commands first to make the encrypted
tar archive containing the empty mailbox, and remove the unencrypted files.
Finally, we write a simple shell script that will run everything as required.
Let's call the script
Our script will:
- Decrypt the encrypted
tararchive, and make a backup of the encrypted one, in case something goes wrong.
- Extract the mailbox from the archive, and remove the archive.
mbsyncto get the latest e-mail from the remote server.
muttis closed, compress the mailbox into a
tararchive, and remove the uncompressed mailbox.
- Encrypt the archived mailbox, and remove the unencrypted one.
Here is the script:
gpg2 -o $MBOX.tar -d $MBOX.tar.gpg && \
mv $MBOX.tar.gpg $MBOX.tar.gpg.bak
tar -xf $MBOX.tar -C ~/ && rm $MBOX.tar
[ -d "$MBOX" ] && mbsync -c ~/.config/mbsync/mbsyncrc -a
tar -cf $MBOX.tar -C ~/ .mailbox && rm -r $MBOX
gpg2 -r email@example.com -e $MBOX.tar && \
We save the script and make it executable.
Then, we copy the script to a directory in our
$PATH, or we just run it.