On 06.11.2017 13:20, Zbyszek Żółkiewski wrote:
Message written by Aki Tuomi <aki.tuomi@dovecot.fi> on 06.11.2017, at 08:44:
On 04.11.2017 20:52, Zbyszek Żółkiewski wrote:
Hi,
I have a few questions regarding mail_crypt:
- Is the mail_crypt_global_private_key file read only upon Dovecot start/restart, or is it (or can it be) read at any other time? I have made a few tests by starting Dovecot and removing the master key for decryption, so that it is not available on the platform and only resides in memory, removing one of the attack vectors.
It can be given from the config file, or from the user database. It is read on use. You can also encrypt the key using a password, but in the end, the password or the key needs to be provided by something.
Yes, I am loading it in the conf file like:
mail_crypt_global_private_key = </etc/dovecot/somefile.key
But then I am removing that file, and it looks like Dovecot is still able to decrypt mails encrypted with that file. So you are saying there might be a situation where this file needs to be "re-read" from disk?
Yeah, the file content is loaded into the configuration. If you need to re-read it, you need to restart Dovecot.
OK, thanks, so this is what I wanted to know: the content of the private key is read on startup and held in memory, and it is only refreshed when Dovecot restarts. So in my use case I can safely remove the private key once Dovecot has started, right?
thanks,
Zbyszek
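To make the loading semantics described in the thread concrete, here is an added example (written for this page; it is not Dovecot's code and not from either poster). It models the `<path` value convention as a small config loader: the key file is read once at load time into an in-memory setting, the file is then deleted, and the loaded value survives while a fresh reload fails. The parser is a deliberate simplification assumed to mirror only what the thread states (value captured at startup, re-read requires a restart); the key material is a constructed placeholder.

```python
import os
import tempfile


def load_config(text):
    """Parse 'key = value' lines into an in-memory dict.

    A value beginning with '<' names a file whose contents replace the value
    at load time (the convention used by the mail_crypt_global_private_key
    line in the thread). This is a simplified model, not Dovecot's parser.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed config line: {raw!r}")
        key, value = key.strip(), value.strip()
        if value.startswith("<"):
            path = value[1:].strip()
            # Read the file once; only the content is retained afterwards.
            with open(path, "rb") as fh:
                value = fh.read().decode()
        settings[key] = value
    return settings


def demo():
    """Load a key via '<path', delete the file, then compare the in-memory
    copy with an attempted reload. Returns (still_in_memory, reload_ok)."""
    with tempfile.TemporaryDirectory() as workdir:
        key_path = os.path.join(workdir, "somefile.key")
        # Constructed placeholder key, not real key material.
        with open(key_path, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\n"
                     "CONSTRUCTED-TEST-KEY\n"
                     "-----END PRIVATE KEY-----\n")
        config = f"mail_crypt_global_private_key = <{key_path}\n"

        settings = load_config(config)   # startup: file content captured
        os.unlink(key_path)              # operator removes the key file

        still_in_memory = "CONSTRUCTED-TEST-KEY" in settings["mail_crypt_global_private_key"]
        try:
            load_config(config)          # "restart": file is gone
            reload_ok = True
        except FileNotFoundError:
            reload_ok = False
        return still_in_memory, reload_ok


if __name__ == "__main__":
    in_memory, reload_ok = demo()
    print(f"key still usable from memory: {in_memory}")
    print(f"reload after deleting file succeeded: {reload_ok}")
```

The second result is the operational caveat behind Aki's answer: once the file is gone, anything that re-reads the configuration (a restart, or a config reload that re-parses the setting) has no key unless it is supplied again, whether from the file, from the user database, or as a password-protected key plus its password.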