[Dovecot] E-Mail Encryption

tomas at tuxteam.de tomas at tuxteam.de
Mon Jul 20 11:36:40 EEST 2009


On Sun, Jul 19, 2009 at 03:48:25PM +0100, Frank Leonhardt wrote:
> From: tomas at tuxteam.de
> > We do agree that local encryption of messages is a Good Thing [...]

> > Did I forget anything?
> 
> I think that's a pretty good summary of the situation. Where I'd differ is
> your risk assessment of the hijacking of a live server.

I don't think we differ that much. For your typical "web server out
there" I think there is a non-negligible risk of it being hacked (I
think that is your assessment too). That means: plan for that
eventuality. Don't keep things on this machine if you don't have to.

Or did I get you wrong?

[elided part: agree wholeheartedly]

> So, encrypting the mail file makes a lot of sense [...]

That's why I always talk about *de*crypting. I'm all for encrypting on
the server (agreed, the server "sees" the clear-text files at some point
in time, but once they are encrypted and all the remnants out of swap,
we are safe). What I don't see as an advance (wrt whole-disk encryption)
is when it's possible to *de*crypt the sensitive data on the server. 

[...]

> I'm not in favour of whole disk encryption for data recovery and forensic
> reasons.

Agreed on recovery. Not so much on forensics (you'd have to have the
key, but I'd see that as a Good Thing).

[...]

> Having said all this, I'm fairly relaxed about not having mail files
> encrypted. I've frequently told everyone to assume that their email is
> insecure, and if they've got a problem with it they need to use PGP or some
> other end-to-end encryption on their mail clients. Not my problem!

Fully agreed, but one would have to entice people to send encrypted mail
all the time. How would you go about that?

Regards
-- tomás
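The split tomás argues for above (the server only ever encrypts; decrypting needs a key that is never on the server), as an added example that is not code from this thread or from Dovecot: a hybrid X25519 + AES-256-GCM scheme in Go where EncryptForRecipient is the delivery-time step on the server and DecryptOnClient runs where the private key lives. The function names, the simplified SHA-256 key derivation and the wire layout are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// aeadFor derives the per-message AES-256-GCM key from shared secret || ephemeral key (simplified KDF; use HKDF in practice).
func aeadFor(shared, ephPub []byte) cipher.AEAD {
	k := sha256.Sum256(append(append([]byte{}, shared...), ephPub...))
	block, _ := aes.NewCipher(k[:]) // 32-byte key, cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Server side: holds the recipient's PUBLIC key only. Output: ephemeral pubkey (32) || nonce (12) || AES-GCM ct+tag.
func EncryptForRecipient(recipient *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh key per message
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return nil, err
	}
	gcm := aeadFor(shared, eph.PublicKey().Bytes())
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand: never a short read without an error, and cannot fail at all since Go 1.24
	return gcm.Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, plaintext, nil), nil
}

// Client side: the PRIVATE key never lives on the server, so a server hijacked later cannot read stored mail.
func DecryptOnClient(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 32+12 {
		return nil, errors.New("ciphertext too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:32])
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return aeadFor(shared, blob[:32]).Open(nil, blob[32:44], blob[44:], nil) // tag check rejects tampering
}
```

As the message itself notes, the server still sees the clear text at delivery; what the split buys is that the files already on disk are unreadable to anyone who takes over the machine afterwards.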