Just to follow up on this one.
I created an encrypted file with cryptsetup (LUKS) and mounted it onto “mailcowdockerized_crypt-vol-1/_data”.
Moved the files from the original “mailcowdockerized_crypt-vol-1” and into the now encrypted one and it just works :-)
All this has of course been done with all containers shutdown.
It was crazy easy, which just shows how well designed and packaged mailcow is.
The only caveat is that you need to modify the docker-compose.yml and change all “restart: always” to “restart: no”. This stops the services from starting after boot. As you need to manually mount the volume before dovecot can read the keys, every reboot requires manual intervention. This is a little price to pay for protection of the mails.
I have injected a short curl command in the crontab which pings me constantly with Pushover messages until I react:
curl -s -X POST -d token=APP_TOKEN -d user=USER_TOKEN -d title=Reboot -d message=Server_rebooted -d priority=2 -d retry=60 -d expire=3600 https://api.pushover.net/1/messages.json
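As an added example (not the poster's own scripts and not anything shipped with mailcow), the procedure described above as a small POSIX shell helper: create the file-backed LUKS container once, unlock and mount it after every reboot before bringing the stack up, rewrite the compose file's restart policy, and nag via Pushover until someone has unlocked the volume. The container path CRYPT_IMG, the mapper name MAPPER, the compose directory COMPOSE_DIR and the flag file /run/mailcow-unlocked are assumptions; adjust them to your host. Two details differ from the post on purpose: restart: "no" is quoted because a bare no is a YAML boolean, and priority=2 on Pushover is emergency priority, which the API only accepts together with retry and expire.

```shell
#!/bin/sh
# Added example, not the original poster's setup or mailcow's own tooling.
# Hypothetical names below; override via the environment if yours differ.
CRYPT_IMG="${CRYPT_IMG:-/var/lib/mailcow/crypt-vol-1.img}"   # file-backed LUKS container
CRYPT_SIZE="${CRYPT_SIZE:-2G}"
MAPPER="${MAPPER:-mailcow-crypt}"                              # /dev/mapper/<MAPPER>
VOL_DIR="${VOL_DIR:-/var/lib/docker/volumes/mailcowdockerized_crypt-vol-1/_data}"
COMPOSE_DIR="${COMPOSE_DIR:-/opt/mailcow-dockerized}"
UNLOCK_FLAG="${UNLOCK_FLAG:-/run/mailcow-unlocked}"            # cleared by every reboot

# One-time setup. Run as root with the whole stack stopped (docker compose down).
# cryptsetup sets up the loop device for a regular file by itself.
luks_create() {
  fallocate -l "$CRYPT_SIZE" "$CRYPT_IMG"
  chmod 600 "$CRYPT_IMG"
  cryptsetup luksFormat --type luks2 "$CRYPT_IMG"   # prompts for the passphrase
  cryptsetup open "$CRYPT_IMG" "$MAPPER"
  mkfs.ext4 -q "/dev/mapper/$MAPPER"
  # Keep the plaintext tree aside, mount the new filesystem in its place and
  # copy everything over with ownership and modes intact (dovecot checks both).
  mv "$VOL_DIR" "$VOL_DIR.plain"
  mkdir "$VOL_DIR"
  mount "/dev/mapper/$MAPPER" "$VOL_DIR"
  cp -a "$VOL_DIR.plain/." "$VOL_DIR/"
  # Caveat: "$VOL_DIR.plain" is still unencrypted data on disk. Delete it once
  # the stack has been verified; shred is not reliable on SSDs or CoW filesystems.
}

# After every reboot: unlock, mount, then start the containers (restart policy
# is "no", so nothing runs before the keys are readable).
unlock_and_start() {
  cryptsetup open "$CRYPT_IMG" "$MAPPER"
  mount "/dev/mapper/$MAPPER" "$VOL_DIR"
  (cd "$COMPOSE_DIR" && docker compose up -d)   # or docker-compose on older hosts
  touch "$UNLOCK_FLAG"
}

# Rewrite every 'restart: always' in a compose file to restart: "no" and print
# the result; the value is quoted because bare no is a YAML boolean.
set_restart_no() {
  sed -E 's/^([[:space:]]*restart:[[:space:]]*)always[[:space:]]*$/\1"no"/' "$1"
}

# Meant for an @reboot crontab entry: page via Pushover every 5 minutes until
# the flag file exists. Each field is its own -d, so no '&' ever reaches the
# shell, and emergency priority carries the retry/expire values the API requires.
notify_until_unlocked() {
  while [ ! -e "$UNLOCK_FLAG" ]; do
    curl -s -X POST \
      -d "token=$PUSHOVER_APP_TOKEN" -d "user=$PUSHOVER_USER_TOKEN" \
      -d title=Reboot -d "message=Server rebooted, mail volume still locked" \
      -d priority=2 -d retry=60 -d expire=3600 \
      https://api.pushover.net/1/messages.json >/dev/null
    sleep 300
  done
}

# usage: crypt-vol.sh create | unlock | notify | restart-no docker-compose.yml
case "${1:-}" in
  create)     luks_create ;;
  unlock)     unlock_and_start ;;
  notify)     notify_until_unlocked ;;
  restart-no) set_restart_no "$2" ;;
esac
```

The crontab line then becomes `@reboot PUSHOVER_APP_TOKEN=... PUSHOVER_USER_TOKEN=... /path/to/crypt-vol.sh notify`, and `restart-no` is run once against a copy of docker-compose.yml before you commit the change; `set_restart_no` prints rather than edits in place so you can diff the result first.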