[Dovecot] Disk Encryption

Simon Brereton simon.buongiorno at gmail.com
Wed Mar 27 11:23:27 EET 2013 

On 27 March 2013 05:36, Xin Li <delphij at delphij.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 3/25/13 6:24 AM, Simon Brereton wrote:
>> On 25 March 2013 12:30, Robert Schetterer <rs at sys4.de> wrote:
>>> Am 25.03.2013 11:03, schrieb Simon Brereton:
>>>> Hi
>>>>
>>>> As I understand it email headers need to be unencrypted
>>>> (otherwise DKIM doesn't work).  From the MUA to either Postfix,
>>>> or Dovecot the connection is (or can/should be) secured with
>>>> TLS/SSL.
>>>>
>>>> What I would like to know is if it is possible to encrypt the
>>>> mailstore?  Postfix is using Dovecot for delivery so it's only
>>>> Dovecot that would need to encrypt/decrypt the mailstore.
>>>>
>>>> Is this possible?  Is there a terrible reason to do it even if
>>>> it is possible?
>>>>
>>>> I realise that from MTA to MTA there's no guarantee of
>>>> encryption (and in fact it's very unlikely unless keys have
>>>> been exchanged), but my primary goal is supplement the physical
>>>> security of the mail store of mails we already have or have
>>>> sent.
>>>>
>>>> Mostly just idle curiosity as to what has been done, or what
>>>> could be done.  What is worth doing is a separate thread
>>>> entirely.
>>>>
>>>> Thanks.
>>>>
>>>> Simon
>>>>
>>>
>>> my meaning
>>>
>>> crypted mailstore makes sense in a mail archive, in germany you
>>> have to have a mail archive for some kind of company emails all
>>> these solutions have some crypted mailstore , and some more
>>> features for data security, but thats a big theme, to big for
>>> here
>>>
>>> crypt storage isnt "the saveness" per default, someone hacking
>>> the system and get root may hack your crypt storage too etc, also
>>> to big theme for here
>>
>> Robert, indeed, this is sort of my point.  If we encrypt laptop
>> harddrives to prevent unauthorised access, that doesn't prevent
>> the possiblity of someone who already has admin access to the
>> device from decrypting/viewing/moving files.  What it does do is
>> prevent unauthorised access to the data if there is no admin
>> access.
>>
>> Currently my mail store isn't encrypted and I would like to know if
>> it is possible to do that, and if so, maybe get some pointers.
>
> Let's say you operate a mail server which uses a RAID array (or ZFS
> pool) as backend storage and one day one disks goes bad and needs to
> be replaced.  You don't want information being leak from that bad disk
> when returning to vendor for replacement.
>
> There are a lot of solutions to this issue.  One possible way is to
> use FreeBSD's full disk encryption, geli(4), to encrypt all hard
> drives and have the email server hold the key on its boot partition,
> but don't protect it with a password so that the mail server can boot
> without any human intervention.

Thanks.  I think I will investigate this option.  I use Debian, and I
think the same approach is possible.

My concern with this approach is that if the drive is booted from then
the information is freely available - but as you say, only if the root
password is known.  If the drive is simply mounted in different
system, then the passphrase would be need (this is what I understand).

Alternatively, I could encrypt /var/mail/ and mount it as a LUKS
volume to achieve the same effect.  But I need a test plan and
equipment.

Thanks for all the pointers.

Simon

More information about the dovecot mailing list