On 2021-02-22 2:25 am, Aki Tuomi wrote:

On 22/02/2021 00:20 deano-dovecot@areyes.comwrote: Some questions about mail_crypt setups I have global mail encryption working nicely, and replication works nicely between two systems. The main problem is that the private and public keys are *right there* on the server in /etc/dovecot/private ... Fine for a completely controlled system, but not so fine when on a rented VPS etc. When are the keys read in by dovecot ? Are they ever read in again while dovecot is running, or does it cache them in ram until dovecot is restarted ? Would it be possible for dovecot to read the keys as output from a script ? I'm thinking of a small script that would reach out to an authentication service like Authy or Okta or similar. Admin gets an alert on their phone, taps OK, UNLOCK and the two keys are returned to the script, which then hands them back to dovecot and away it goes. The mail_crypt config normally contains
mail_crypt_global_private_key = </etc/dovecot/private/dovecot_crypt_privkey mail_crypt_global_public_key = </etc/dovecot/private/dovecot_crypt_pubkey
Perhaps add another variable like
mail_crypt_global_script = </etc/dovecot/private/dovecot_crypt_script
That script would run and feed the two keys back into dovecot (no matter how it got to them). So I started looking into per-user/per-folder encryption to see how that would work, and I have that setup nicely too. The config looks like this

Any thoughts about something like this for providing the keys ? That is, from a script. If the format is kept simple (eg. script must provide two keys, private first, then newline, then public, then newline) admins can come up with many variations on getting the keys into dovecot. Especially if they're only read once per dovecot invocation.

Recently one solution used was to provide per-user global keypair, which is used to encrypt everything for a user. This can be easier than using the managed keys and encrypting the user's key with password.
Any examples around ?
 
DC