Skip to content


Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


Arcane is a set of tools which allows you to encrypt all your existing unencrypted mails and all your new incoming mail with a GPG key so that only you can read them.

Why do I need this?

Many email providers store your emails for you on their servers, so that you can read them anywhere. This also means that your provider, anyone who hacks the server and the police (in case the server is seized) can read your private emails.

If all your emails are GPG encrypted, only you can read them because only you have access to your secret GPG key.

What could go wrong?

  • If you lose your secret GPG key you can not decrypt your emails anymore. Your emails will be lost. Therefore make a backup of your secret GPG key (i.e. print it).
  • After encrypting your emails you will (probably) not be able search the content of your emails (because they are encrypted). Searching for sender or subject should still work.
  • The metadata of your emails (sender,subject,date) will not be encrypted.
  • Your emails will not be more secure during transit (because they are encyrpted after arriving at the destination). Tell your friends and colleagues to encrypt their mails before sending them.



  • imaplib (Included in the Python Standard Library)
  • python-gpgme (Should be available in Debian and Ubuntu repositories)


# aptitude install python python-gpgme
# mkdir -p /usr/local/lib && cd /usr/local/lib
# git clone
# cd ../bin 
# ln -s ../lib/arcane/arcane
# ln -s ../lib/arcane/arcane-encrypt-mail

Afterwards you should be able to call 'arcane' and 'arcane-encrypt-mail' and get a usage output.

Step-by-Step Configuration

Generate GPG Key

To generate a new GPG key the following command will guide you through the key generation process:

$ gpg --gen-key

You will need to use an RSA key for encryption (do not choose any option that says 'sign only'). A secure key size is 2048 bit and above, 1024 bit RSA keys are considered insecure.

After the generation process your keypair should be visible with the following command:

$ gpg --list-secret-keys

Copy Public GPG Key to Server

(If you do not want automatic encryption of incoming emails or do not have access to your procmail configuration, then you can skip to 'Encrypting Existing Mails')

Export your key into a .pub file:

$ gpg --export --armor 77FA1F54 >

Copy the public key to your mailserver:

$ scp

Import the public key to your keyring on the mailserver:

$ gpg --import

Create procmail Configuration

Your procmail configuration file probably lies at '~/.procmailrc'. To encrypt all your incoming mail you will need to add a rule at the top:

# encryption
:0 fw
* <300000
| arcane-encrypt-mail --key 77FA1F54

The 'f' tells procmail to use this rule as a filter (i.e. the filtered email will continue to match other rules). The 'w' tells procmail to continue with the unfiltered mail if arcane-encrypt-mail exits with an error (i.e. the mail is already encrypted).

Note that you will either have to set the PATH variable so that the arcane-encrypt-mail script will be found.

Encrypt Existing Mails

Usually the hostname of your mailserver and your user credentials will be enough to start arcane. In this example the hostname is '', SSL needs to be used and the user is 'robin.jankins'.

Your GPG key identifier should be in the list you get after executing 'gpg --list-secret-keys'.

Now you have all the details for starting arcane:

$ arcane -h -s -u robin.jankins -k 77FA1F54

Quick Start


arcane -h hostname [-p port] [-s] -u username [-d] -k identifier
    -h,--hostname	Hostname of IMAP4 compatible mailserver
    -p,--port	Optional port number of IMAP4 service
    -s,--ssl	Optional SSL flag (changes default port to 993)
    -u,--username	Username that should be used for authentication
    -k,--key	Public key Identifier that will be used to encrypt the mails
    -m,--mailbox	Optional Mailbox argument which specifies which mailbox should be encrypted
    -d,--decrypt	Optional argument for decryption (useful for key rollover)


Encrypt all emails on an SSL IMAP compatible mailserver for the user robin.jankins with the public pgp key 77FA1F54

 arcane --hostname --ssl --username robin.jankins --key 77FA1F54

Encrypt only the 'office' mailbox on an SSL IMAP compatible mailserver

 arcane --hostname --ssl --mailbox office --username robin.jankins --key 77FA1F54

Example .procmailrc File if you want to encrypt all incoming mails with procmail


# encryption
:0 fw
* <300000
| arcane-encrypt-mail --key 77FA1F54

# your bunch of filter rules
# ...

# default rule

Known Issues

  • read/unread state is not preserved (all emails are displayed as read after using this tool)


Don't let *them* read your mail. Encrypt it now.






No packages published

Contributors 4