diff --git a/dovecot/keyproxy.go b/dovecot/keyproxy.go
index 265130fa2d046e2e87752eb4e08b87ec35b284c9..680aa74eb5b8a9ac722d2ca3e370277a669df0eb 100644
--- a/dovecot/keyproxy.go
+++ b/dovecot/keyproxy.go
@@ -19,6 +19,10 @@ type Config struct {
 	Shard      string                    `yaml:"shard"`
 	LDAPConfig *backend.LDAPConfig       `yaml:"ldap"`
 	Keystore   *clientutil.BackendConfig `yaml:"keystore"`
+
+	// Set this to true if the keys obtained from the backend need
+	// to be base64-encoded before being sent to Dovecot.
+	Base64Encode bool `yaml:"base64_encode_results"`
 }
 
 // Database represents the interface to the underlying backend for
@@ -55,6 +59,7 @@ type KeyLookupProxy struct {
 	db       Database
 }
 
+// NewKeyLookupProxy returns a KeyLookupProxy with the specified configuration.
 func NewKeyLookupProxy(config *Config) (*KeyLookupProxy, error) {
 	if err := config.check(); err != nil {
 		return nil, err
@@ -110,7 +115,7 @@ func (s *KeyLookupProxy) lookupUserdb(ctx context.Context, username string) (int
 		return nil, false, nil
 	}
 	log.Printf("userdb lookup for %s", username)
-	return &userdbResponse{PublicKey: b64encode(pub)}, true, nil
+	return &userdbResponse{PublicKey: s.b64encode(pub)}, true, nil
 }
 
 func (s *KeyLookupProxy) lookupPassdb(ctx context.Context, username, password string) (interface{}, bool, error) {
@@ -119,7 +124,7 @@ func (s *KeyLookupProxy) lookupPassdb(ctx context.Context, username, password st
 	priv, err := s.keystore.Get(ctx, s.config.Shard, username, password)
 	if err == nil {
 		log.Printf("passdb lookup for %s (from keystore)", username)
-		return &passdbResponse{PrivateKey: b64encode(priv)}, true, nil
+		return &passdbResponse{PrivateKey: s.b64encode(priv)}, true, nil
 	}
 
 	// Otherwise, fetch encrypted keys from the db and attempt to
@@ -138,9 +143,12 @@ func (s *KeyLookupProxy) lookupPassdb(ctx context.Context, username, password st
 		return nil, false, err
 	}
 	log.Printf("passdb lookup for %s (decrypted)", username)
-	return &passdbResponse{PrivateKey: b64encode(priv)}, true, nil
+	return &passdbResponse{PrivateKey: s.b64encode(priv)}, true, nil
 }
 
-func b64encode(b []byte) string {
-	return base64.StdEncoding.EncodeToString(b)
+func (s *KeyLookupProxy) b64encode(b []byte) string {
+	if s.config.Base64Encode {
+		return base64.StdEncoding.EncodeToString(b)
+	}
+	return string(b)
 }