diff --git a/docker-compose.yml b/docker-compose.yml
index 8043862b..fcd80c29 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,222 +1,224 @@ version: '3' services: coturn: build: context: ./docker/coturn/ container_name: kolab-coturn healthcheck: interval: 10s test: "kill -0 $$(cat /tmp/turnserver.pid)" timeout: 5s retries: 30 environment: - TURN_PUBLIC_IP=${COTURN_PUBLIC_IP} - TURN_LISTEN_PORT=3478 - TURN_STATIC_SECRET=${COTURN_STATIC_SECRET} hostname: sturn.mgmt.com image: kolab-coturn network_mode: host restart: on-failure roundcube: build: context: ./docker/roundcube/ container_name: kolab-roundcube hostname: roundcube.hosted.com restart: on-failure depends_on: mariadb: condition: service_healthy pdns: condition: service_healthy environment: - APP_DOMAIN=${APP_DOMAIN} - DB_HOST=mariadb - DB_ROOT_PASSWORD=${DB_ROOT_PASSWORD} - DB_RC_DATABASE=roundcube - DB_RC_USERNAME=roundcube - DB_RC_PASSWORD=${DB_PASSWORD:?"DB_PASSWORD is missing"} - IMAP_HOST=imap - IMAP_PORT=11143 - IMAP_ADMIN_LOGIN=${IMAP_ADMIN_LOGIN} - IMAP_ADMIN_PASSWORD=${IMAP_ADMIN_PASSWORD} - MAIL_HOST=postfix - MAIL_PORT=10587 healthcheck: interval: 10s test: "kill -0 $$(cat /run/httpd/httpd.pid)" timeout: 5s retries: 30 # This makes docker's dns, resolve via pdns for this container. 
# Please note it does not affect /etc/resolv.conf dns: 172.18.0.11 image: roundcube networks: kolab: ipv4_address: 172.18.0.9 ports: - "8080:8080" tmpfs: - /tmp - /var/tmp volumes: - ./ext/:/src.orig/:ro + - roundcube:/data mariadb: container_name: kolab-mariadb restart: on-failure environment: - MARIADB_ROOT_PASSWORD=${DB_ROOT_PASSWORD} - TZ="+02:00" - DB_HKCCP_DATABASE=${DB_DATABASE} - DB_HKCCP_USERNAME=${DB_USERNAME} - DB_HKCCP_PASSWORD=${DB_PASSWORD} - DB_KOLAB_DATABASE=kolab - DB_KOLAB_USERNAME=kolab - DB_KOLAB_PASSWORD=${DB_PASSWORD:?"DB_PASSWORD is missing"} healthcheck: interval: 10s test: test -e /var/run/mysqld/mysqld.sock timeout: 5s retries: 30 image: mariadb:10.9 networks: kolab: ipv4_address: 172.18.0.3 volumes: - ./docker/mariadb/mysql-init/:/docker-entrypoint-initdb.d/ - ./docker/mariadb/mysql-update/:/always-initdb.d/ - mariadb:/var/lib/mysql pdns: build: context: ./docker/pdns/ container_name: kolab-pdns restart: on-failure tty: true hostname: pdns depends_on: mariadb: condition: service_healthy healthcheck: interval: 10s test: "pdns_control rping || exit 1" timeout: 5s retries: 30 image: kolab-pdns environment: - ROLE=both - DB_HOST=mariadb - DB_DATABASE=${DB_DATABASE:?DB_DATABASE} - DB_USERNAME=${DB_USERNAME:?DB_USERNAME} - DB_PASSWORD=${DB_PASSWORD:?DB_PASSWORD} networks: kolab: ipv4_address: 172.18.0.11 tmpfs: - /run - /tmp - /var/run - /var/tmp volumes: - /sys/fs/cgroup:/sys/fs/cgroup:ro redis: build: context: ./docker/redis/ healthcheck: interval: 10s test: "redis-cli ping || exit 1" timeout: 5s retries: 30 container_name: kolab-redis restart: on-failure hostname: redis image: redis networks: - kolab volumes: - ./docker/redis/redis.conf:/usr/local/etc/redis/redis.conf:ro webapp: build: context: ./docker/webapp/ args: GIT_REF: ${KOLAB_GIT_REF:-master} container_name: kolab-webapp restart: on-failure image: kolab-webapp healthcheck: interval: 10s test: "./artisan octane:status || exit 1" timeout: 5s retries: 30 start_period: 5m depends_on: 
redis: condition: service_healthy networks: kolab: ipv4_address: 172.18.0.4 volumes: - ./src:/src/kolabsrc.orig:ro ports: - "8000:8000" meet: build: context: ./docker/meet/ args: GIT_REF: ${KOLAB_GIT_REF:-master} container_name: kolab-meet restart: on-failure healthcheck: interval: 10s test: "curl --insecure -H 'X-AUTH-TOKEN: ${MEET_SERVER_TOKEN}' --fail https://${MEET_LISTENING_HOST}:12443/meetmedia/api/health || exit 1" timeout: 5s retries: 30 start_period: 5m environment: - WEBRTC_LISTEN_IP=${MEET_WEBRTC_LISTEN_IP:?err} - PUBLIC_DOMAIN=${MEET_PUBLIC_DOMAIN:?err} - LISTENING_HOST=${MEET_LISTENING_HOST:?err} - LISTENING_PORT=12443 - TURN_SERVER=${MEET_TURN_SERVER} - TURN_STATIC_SECRET=${COTURN_STATIC_SECRET} - AUTH_TOKEN=${MEET_SERVER_TOKEN:?err} - WEBHOOK_TOKEN=${MEET_WEBHOOK_TOKEN:?err} - WEBHOOK_URL=${APP_PUBLIC_URL:?err}/api/webhooks/meet - SSL_CERT=/etc/pki/tls/certs/meet.${APP_WEBSITE_DOMAIN:?err}.cert - SSL_KEY=/etc/pki/tls/private/meet.${APP_WEBSITE_DOMAIN:?err}.key network_mode: host image: kolab-meet volumes: - ./meet/server:/src/meet/:ro - ./docker/certs/meet.${APP_WEBSITE_DOMAIN}.cert:/etc/pki/tls/certs/meet.${APP_WEBSITE_DOMAIN}.cert - ./docker/certs/meet.${APP_WEBSITE_DOMAIN}.key:/etc/pki/tls/private/meet.${APP_WEBSITE_DOMAIN}.key minio: container_name: kolab-minio restart: on-failure healthcheck: interval: 10s test: "mc ready local || exit 1" timeout: 5s retries: 30 start_period: 5m environment: - MINIO_ROOT_USER=${MINIO_USER} - MINIO_ROOT_PASSWORD=${MINIO_PASSWORD} image: minio/minio networks: kolab: ipv4_address: 172.18.0.14 ports: - "9000:9000" - "9001:9001" entrypoint: sh command: -c 'mkdir -p /data/${MINIO_BUCKET} && minio server /data --console-address ":9001"' volumes: - minio:/data networks: kolab: driver: bridge ipam: config: - subnet: "172.18.0.0/24" volumes: mariadb: minio: + roundcube: diff --git a/docker/roundcube/Dockerfile b/docker/roundcube/Dockerfile index 037eaf26..a6d4f196 100644 --- a/docker/roundcube/Dockerfile 
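Review bot: The new `- roundcube:/data` mount on the roundcube service (and the matching `roundcube:` entry under the top-level `volumes:`) is undocumented, and what it persists matters: init.sh in the same commit creates `/data/pgp-home` there, while the build.sh lines this commit removes previously pointed `enigma_pgp_homedir` at `/tmp/`, which this service mounts as tmpfs, so user PGP key material presumably moves from ephemeral to persistent storage (the new enigma template's head is not readable in this rendering, so the homedir value itself cannot be confirmed here). A comment on the mount would make that explicit for whoever handles backups and volume retention, e.g. `# persistent state; expected to hold the per-user PGP home dirs (see init.sh)`. The hunk covers the whole file, so nothing is cut at its edges.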
+++ b/docker/roundcube/Dockerfile 
@@ -1,91 +1,95 @@ FROM quay.io/centos/centos:stream9 MAINTAINER Christian Mollekopf ENV HOME=/opt/app-root/src LABEL io.k8s.description="Platform for serving PHP roundcube applications" \ io.k8s.display-name="Roundcube" \ io.openshift.expose-services="80:http" \ io.openshift.tags="builder,php,apache" RUN dnf -y update # Add EPEL. RUN dnf -y install 'dnf-command(config-manager)' && \ dnf config-manager --set-enabled crb && \ dnf -y install \ epel-release epel-next-release && \ dnf clean all # Add the EPEL key. RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9 # Add kolab RUN rpm --import https://mirror.apheleia-it.ch/repos/Kolab:/16/key.asc && \ rpm -Uvh https://mirror.apheleia-it.ch/repos/Kolab:/16/kolab-16-for-el9stream.rpm # Install php modules RUN sed -i -e '/^ssl/d' /etc/yum.repos.d/kolab*.repo && \ dnf config-manager --enable kolab-16-testing &&\ dnf -y --setopt tsflags= install php-kolab php-kolabformat &&\ dnf clean all RUN dnf -y install \ composer \ diffutils \ file \ git \ make \ unzip \ curl-minimal \ mariadb \ which \ rsync \ openssl-devel \ httpd \ patch \ php-cli \ php-common \ php-devel \ php-ldap \ php-opcache \ php-pecl-apcu \ php-mysqlnd \ php-gd \ php-fpm \ php-pear \ ImageMagick \ re2c \ npm \ wget && \ dnf -y install procps-ng iputils bind-utils sudo telnet && \ dnf clean all RUN npm install -g less less-plugin-clean-css WORKDIR ${HOME} COPY /rootfs / RUN /opt/app-root/src/build.sh +VOLUME /data + RUN chgrp -R 0 /opt/app-root/src && \ chmod -R g=u /opt/app-root/src RUN mkdir -p /run/php-fpm && \ chmod 777 /run/php-fpm && \ mkdir -p /run/httpd && \ chmod 777 /run/httpd && \ - chmod -R 777 /etc/httpd /var/log/httpd /var/lib/httpd + mkdir -p /data && \ + chmod 777 /data && \ + chmod -R 777 /etc/httpd /var/log/httpd /var/lib/httpd /data -RUN chown -R 1001:0 /opt/app-root/src +RUN chown -R 1001:0 /opt/app-root/src /data USER 1001 EXPOSE 8080 # https://httpd.apache.org/docs/2.4/stopping.html#gracefulstop STOPSIGNAL SIGWINCH CMD [ 
"/opt/app-root/src/init.sh" ] diff --git a/docker/roundcube/rootfs/opt/app-root/src/build.sh b/docker/roundcube/rootfs/opt/app-root/src/build.sh index 3e4ade20..44d38e8c 100755 --- a/docker/roundcube/rootfs/opt/app-root/src/build.sh +++ b/docker/roundcube/rootfs/opt/app-root/src/build.sh 
@@ -1,61 +1,56 @@ #!/bin/bash set -e set -x pushd /opt/app-root/src/ # Clone what we don't find (roundcubemail-skin-elastic is not publicly available, so can't be included this way) if [ ! -d roundcubemail ]; then git clone --branch dev/kolab-1.5 https://git.kolab.org/source/roundcubemail.git roundcubemail fi if [ ! -d roundcubemail-plugins-kolab ]; then git clone --branch master https://git.kolab.org/diffusion/RPK/roundcubemail-plugins-kolab.git roundcubemail-plugins-kolab fi if [ ! -d syncroton ]; then git clone --branch master https://git.kolab.org/diffusion/S/syncroton.git syncroton fi if [ ! -d iRony ]; then git clone --branch master https://git.kolab.org/source/iRony.git iRony fi if [ ! -d chwala ]; then git clone --branch master https://git.kolab.org/diffusion/C/chwala.git chwala fi if [ ! -d autoconf ]; then git clone --branch master https://git.kolab.org/diffusion/AC/autoconf.git autoconf fi if [ ! -d freebusy ]; then git clone --branch master https://git.kolab.org/diffusion/F/freebusy.git freebusy fi pushd roundcubemail cp /opt/app-root/src/composer.json composer.json rm -rf vendor/ composer.lock php -dmemory_limit=-1 $(command -v composer) install cd /opt/app-root/src/ ./update.sh cd /opt/app-root/src/roundcubemail # Adjust the configs sed -i -r \ -e "s/'vlv'(\s+)=> false,/'vlv'\1=> true,/g" \ -e "s/'vlv_search'(\s+)=> false,/'vlv_search'\1=> true,/g" \ -e "s/inetOrgPerson/inetorgperson/g" \ -e "s/kolabInetOrgPerson/inetorgperson/g" \ config/*.inc.php -sed -i -r -e "s|\$config\['enigma_pgp_homedir'\] = .*$|\$config['enigma_pgp_homedir'] = '/tmp/';|g" config/enigma.inc.php -sed -i -r -e "s|\$config\['enigma_passwordless'\] = .*$|\$config['enigma_passwordless'] = true;|g" config/enigma.inc.php -sed -i -r -e "s|\$config\['enigma_multihost'\] = .*$|\$config['enigma_multihost'] = true;|g" config/enigma.inc.php -echo "\$config['enigma_woat'] = true;" >> config/enigma.inc.php - sed -i -r -e "s|\$config\['managesieve_host'\] = .*$|\$config['managesieve_host'] = 
'kolab';|g" config/managesieve.inc.php popd # Set the php timezone sed -i -r -e 's|^(;*)date\.timezone.*$|date.timezone = Europe/Zurich|g' /etc/php.ini # Allow environment variables from fpm sed -i -e "s/;clear_env/clear_env/" /etc/php-fpm.d/www.conf diff --git a/docker/roundcube/rootfs/opt/app-root/src/init.sh b/docker/roundcube/rootfs/opt/app-root/src/init.sh index 5706d143..a10c34ea 100755 --- a/docker/roundcube/rootfs/opt/app-root/src/init.sh +++ b/docker/roundcube/rootfs/opt/app-root/src/init.sh @@ -1,69 +1,72 @@ #!/bin/bash echo "Starting" set -e set -x +mkdir -p /data/pgp-home +chmod 777 /data/pgp-home + pushd /opt/app-root/src/ pushd roundcubemail ## Copy our configs over the default ones cp /opt/app-root/src/roundcubemail-config-templates/* config/ DES_KEY=$(openssl rand -base64 24); sed -i -r -e "s|\$config\['des_key'\] = .*$|\$config['des_key'] = \"$DES_KEY\";|g" config/config.inc.php # Initialize the db cat > /tmp/kolab-setup-my.cnf << EOF [client] host=${DB_HOST} user=root password=${DB_ROOT_PASSWORD} EOF mysql --defaults-file=/tmp/kolab-setup-my.cnf </dev/null 2>&1 || : done fi done popd roundcubemail/bin/initdb.sh --dir syncroton/docs/SQL/ || : roundcubemail/bin/initdb.sh --dir chwala/doc/SQL/ || : echo "Updating tables..." roundcubemail/bin/updatedb.sh --dir syncroton/docs/SQL/ --package syncroton || : roundcubemail/bin/updatedb.sh --dir roundcubemail/SQL/ --package roundcube || : roundcubemail/bin/updatedb.sh --dir roundcubemail/plugins/libkolab/SQL/ --package libkolab || : roundcubemail/bin/updatedb.sh --dir roundcubemail/plugins/kolab-calendar/SQL/ --package calendar-kolab || : echo "" echo "Done, starting httpd..." /usr/sbin/php-fpm exec httpd -DFOREGROUND diff --git a/docker/roundcube/rootfs/opt/app-root/src/roundcubemail-config-templates/enigma.inc.php b/docker/roundcube/rootfs/opt/app-root/src/roundcubemail-config-templates/enigma.inc.php new file mode 100644 index 00000000..7accf1e4 --- /dev/null 
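Review bot: `chmod 777 /data/pgp-home` makes the directory that is presumably the enigma plugin's GnuPG home (holding users' private keys) world-writable inside the container, and GnuPG itself reports a homedir with such permissions as unsafe; since the Dockerfile in this commit runs the container as `USER 1001` and chowns `/data` to 1001:0, `chmod 700 /data/pgp-home` (or `770` if php-fpm workers run under another account in group 0, which is not visible here) should be enough. A short comment explaining why the directory is (re)created on every start would also help, e.g. `# per-user GnuPG home dirs for the enigma plugin; lives on the persistent /data volume`. The rest of the hunk is unchanged setup, and the heredoc/loop region is not readable in this rendering, so I did not review it.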
+++ b/docker/roundcube/rootfs/opt/app-root/src/roundcubemail-config-templates/enigma.inc.php @@ -0,0 +1,71 @@ += 2.1. + $config['enigma_pgp_gpgconf'] = ''; + + // Enables signatures verification feature. + $config['enigma_signatures'] = true; + + // Enables messages decryption feature. + $config['enigma_decryption'] = true; + + // Enables messages encryption and signing feature. + $config['enigma_encryption'] = true; + + // Enable signing all messages by default + $config['enigma_sign_all'] = false; + + // Enable encrypting all messages by default + $config['enigma_encrypt_all'] = false; + + // Enable attaching a public key to all messages by default + $config['enigma_attach_pubkey'] = true; + + // Default for how long to store private key passwords (in minutes). + // When set to 0 passwords will be stored for the whole session. + $config['enigma_password_time'] = 5; + + // With this option you can lock composing options + // of the plugin forcing the user to use configured settings. + // The array accepts: 'sign', 'encrypt', 'pubkey'. + // + // For example, to force your users to sign every email, + // you should set: + // - enigma_sign_all = true + // - enigma_options_lock = array('sign') + // - dont_override = array('enigma_sign_all') + $config['enigma_options_lock'] = array(); + + $config['enigma_passwordless'] = true; + $config['enigma_woat'] = true; + + if (file_exists(RCUBE_CONFIG_DIR . '/' . $_SERVER["HTTP_HOST"] . '/' . basename(__FILE__))) { + include_once(RCUBE_CONFIG_DIR . '/' . $_SERVER["HTTP_HOST"] . '/' . basename(__FILE__)); + }
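Review bot: The per-host override at the end of the file builds a filesystem path from `$_SERVER["HTTP_HOST"]`, a value taken from the client's request, so which file `include_once` loads is influenced by untrusted input; validate the host against the server-side list of served hostnames (or derive the directory from configuration rather than the request) before using it in a path, and I suspect the other config templates, which are outside this diff, share the pattern. Separately, `$config['enigma_passwordless'] = true` is carried over from build.sh but now combines with the persistent `/data` volume added in this commit (see init.sh), so keys generated without a passphrase would sit effectively unprotected at rest on that volume; a comment recording the accepted trade-off next to that line would help, e.g. `// keys may be generated without a passphrase; the homedir is on the persistent /data volume, so protect that volume and its backups accordingly`. The top of the file, including any `enigma_pgp_homedir` setting, is not readable in this rendering of the hunk, so whether it points at `/data/pgp-home` cannot be confirmed here.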