Some questions about mail_crypt setups

Sam Kuper sampablokuper at posteo.net
Mon Feb 22 04:26:26 EET 2021


On Sun, Feb 21, 2021 at 05:20:59PM -0500, deano-dovecot at areyes.com wrote:
> I have global mail encryption working nicely, and replication works
> nicely between two systems. The main problem is that the private and
> public keys are *right there* on the server in /etc/dovecot/private
> ...  Fine for a completely controlled system, but not so fine when on
> a rented VPS etc. 

I'm not running a Dovecot instance myself at the moment, but I have been
wondering about the above.

My current understanding is that Dovecot, like any other piece of
software that needs to decrypt data from disk, will inevitably need to
either:

  - keep the private keys in memory for at least *some* time, in order
    to be able to perform decryption using the CPU; OR

  - use an HSM (or equivalent, such as maybe a TPM or an OpenPGP Card)
    to perform decryption as needed.

In a case where there is no HSM (or equivalent), any attacker who gains
root or hypervisor privileges over the machine can in principle extract
the key from memory irrespective of whether the private key is on disk.
They can then decrypt messages at their leisure.  In such a case, the
security is already quite low and little additional security is lost by
keeping the private key in a local file on disk that is readable only by
root (and perhaps also readable by one other carefully-chosen account if
necessary).

The above applies to rented VPSes.  You are vulnerable to the VPS
provider, because they have hypervisor privileges.  So, if you want the
email store to be private, the first thing to do is have it on your own
hardware.


In the better case where you have your own hardware, then the concern
becomes: how to avoid attackers accessing the private keys if they gain
root, or if they gain physical access.   Here, an HSM (or equivalent)
will help, by keeping the private keys off the filesystem and out of
RAM/cache/etc.  A properly-implemented HSM or smartcard will make it
infeasible for an attacker to obtain the private key even if they gain
root; and will make it expensive for an attacker to obtain the private
key even if they gain physical access.


Can Dovecot utilise an HSM (or equivalent)?  I'm not sure.  I look
forward to finding out.


> Would it be possible for dovecot to read the keys as output from a
> script ? I'm thinking of a small script that would reach out to an
> authentication service like Authy or Okta or similar.

Making your own ability to access the email store dependent upon an
untrustworthy third-party like Okta is, IMO, even worse than using a
VPS.  Not only are you leaving the door open to an attacker should that
service provider prove to be either compromised or malicious; you also
leave yourself vulnerable to a whole new class of DoS attacks.

(Okta is mostly security theatre.  The basic premise is bad enough, but
auditing various Okta deployments, and meeting and speaking with Okta
technical staff, left me with an even worse impression of that company.)

Sam


-- 
A: When it messes up the order in which people normally read text.
Q: When is top-posting a bad thing?

()  ASCII ribbon campaign. Please avoid HTML emails & proprietary
/\  file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.
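
An added example, not part of the message above and not Dovecot code: one way to check the policy the message describes for an on-disk key, "readable only by root (and perhaps also readable by one other carefully-chosen account)". Modelling the extra account as a single group id, the function names and the sample file names are assumptions made for this example.

```python
import os
import stat
import tempfile

def audit_key_file(path, owner_uid=0, allowed_gid=None):
    """Return findings for one private-key file; an empty list means it passes.

    Policy: owned by root, no access for 'other', and group read only for
    one approved gid (assumption: the extra account is modelled as a group).
    """
    st = os.lstat(path)  # lstat: do not follow symlinks placed in the key dir
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {owner_uid}")
    if mode & stat.S_IRWXO:
        findings.append(f"accessible to 'other' (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IXGRP):
        findings.append(f"group has write/execute bits (mode {mode:04o})")
    if mode & stat.S_IRGRP and st.st_gid != allowed_gid:
        findings.append(f"group-readable by unapproved gid {st.st_gid}")
    return findings

def audit_key_dir(directory, owner_uid=0, allowed_gid=None):
    """Audit a key directory, treating every entry as private key material.

    Returns {path: [findings]} containing only the paths that fail.
    """
    report = {}
    dmode = stat.S_IMODE(os.lstat(directory).st_mode)
    if dmode & (stat.S_IWGRP | stat.S_IWOTH):
        report[directory] = [f"directory writable by group/other (mode {dmode:04o})"]
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        problems = audit_key_file(full, owner_uid, allowed_gid)
        if problems:
            report[full] = problems
    return report

if __name__ == "__main__":
    # Constructed demo: temp files stand in for /etc/dovecot/private, and the
    # current user stands in for root so the demo runs unprivileged.
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("ecprivkey.pem", 0o600), ("leaky.pem", 0o644)):
            p = os.path.join(d, name)
            open(p, "w").close()
            os.chmod(p, mode)
        for path, problems in audit_key_dir(d, owner_uid=os.getuid()).items():
            print(path, "->", "; ".join(problems))
```

A clean result only covers the on-disk copy of the key; it says nothing about the exposure to root or the hypervisor that the message describes.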

