[Dovecot] E-Mail Encryption

tomas at tuxteam.de tomas at tuxteam.de
Fri Jul 17 12:23:51 EEST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Jul 16, 2009 at 09:36:30AM -0500, Justin Krejci wrote:
> Some companies and governments in the United States at least have very
> strict policy requirements regarding various aspects of security and
> encryption.

Understandable.

>             Transit encryption (ssl/tls from MTA to MTA)

This makes sense, since one might assume the channel to be less secure
than the endpoints. Note though that the most important part is the
_authentication_ part, and this encompasses things like a key
distribution ifrastructure (à la PKI or some such). And this is the juicy
part.

>                                                           and local
> encryption of messages

We do agree that local encryption of messages is a Good Thing. But just
like that, without context, this phrase just amounts to Marketing
Oriented Hand Wawing, sorry. The meat of the discussion (and what was
being talked about in this thread is:

  where do you decrypt?
  (1)Server-side?
     (1.1) Only on the "running" server?
           (nearly equivalent to this would be to have a permanent
           key storage on the server, but suitably armored by
           passphrase).
     (1.2) On the "quiescent" server?
  (2)client-side?

Now it all amounts to the threat models you want to protect against.

(1.2) just protects you against very little. Whoever "gets"
      the server (dead or alive) gets the decryption key. You've
      lost. And if your server is sufficiently protected, you just
      don't need encryption.

(1.1) would protect yoou against someone "getting" the "dead"
      server (e.g. by stealing its disk). Just the same as encrypting
      the whole disk (assuming the unlock passprhase isn't stored near
      the server). Encrypting the whole disk has even the advantage
      that your swap space will be encrypted, which protects you
      against key bits hitting swap (by some dumb bug in key management
      software -- this has definitely happened!).

      This option doen't offer any relief if someone hi-jacks the
      "live" server (trojan or similar).

      So For this threat model (no hi-jacking, just loss of hardware)
      I'd definitely go for whole-disk encryption. That's what I do
      with my laptops.

(2)   This is actually the best solution. It won't protect you
      against the client being hi-jacked or stolen, but all other
      schemes above are vulnerable against that.

Did I forget anything?

Corollary: Decrypting data server-side buys you (nearly) nothing
compared to whole-disk encryption server side.

>                        sometimes is a requirement if you want to be able to
> bid on government contracts.
> 
> 
> https://www.bidsync.com/DPX?ac=view&auc=158380

Sorry, I didn't understand the page you linked to.

> This example is not for hosting mail but for an anti-spam/anti-virus service
> (they refer to it as email hygiene) that required message encryption on the
> transit MTA servers disk as well as tls/ssl for MTA to MTA encryption. 

Sorry. "required message encryption on the transit MTA" is just this
kind of handwaving: to decide whether this is useful or Just Another
Checkbox For Marketing (TM), you'd have to specify more (at least *who
will be able to decrypt that stuff*).

Regards
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFKYEMnBcgs9XrR2kYRAilcAJ97p36ZpQzBJuDp6zwSwjoWLOgBlwCcCnAJ
bQH1pfumJel/WtEVDAFuGEo=
=1MRQ
-----END PGP SIGNATURE-----


More information about the dovecot mailing list