Best mail encryption solution for per-user

Aki Tuomi aki.tuomi at dovecot.fi
Fri Feb 9 08:31:26 EET 2018


> On February 9, 2018 at 3:20 AM tai74 at vfemail.net wrote:
> 
> Hai,
> 
> Do you have advice about Dovecot plugins for mail encryption:
> 
> https://wiki2.dovecot.org/Plugins/MailCrypt
> 
> https://0xacab.org/riseuplabs/trees
> 
> I like NaCL based encryption but the MailCrypt plugin is better  
> because it's maintained by Dovecot developers (is this correct?)
> 
> Hard to understand MailCrypt docs so may I ask, may I provide per-user  
> encryption? I don't like global because I want every user to have  
> different encryption based on their password. But I don't see the  
> usefulness of per-folder encryption. Docs for TREES are easier to  
> understand: it will work on a per-user encryption using the user  
> password to decrypt the needed keys.
> 
> How about indexing? Must native fast Dovecot indexing be turned  
> off for one of these or both? Is this a big performance hit? And how  
> to turn off indexing on a per-user basis?
> 
> Thank you so very much
> 

Hi!

Mail crypt plugin in dovecot core is indeed developed and maintained by us. Turning on encryption is simple, but you'll have to consider key management closely.

The simple instructions are

mail_plugins = $mail_plugins mail_crypt
mail_attribute_dict = file:%h/Maildir/dovecot-attributes

plugin {
  mail_crypt_curve = <some curve you like>
  mail_crypt_save_version = 2
}

This will turn on automatic key creation for folders and users.

NOTE that the keys won't be encrypted in this scenario.

To encrypt keys you have a few choices. You can use a static password, static ECC key, per-user password, per-user ECC key, or per-user password-protected ECC key.

With the per-user model, the easiest, if you don't let users change passwords, could be adding into userdb or passdb: mail_crypt_private_password = %{sha512:password}

If you want users to be able to change passwords, you either need to manage the encryption passwords in user database, or call doveadm mailbox cryptokey password during password change.

Also we do not currently support DR keys, so if the per-user key is lost, you will not be able to recover the mails.

Aki
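A worked configuration for the per-user password-protected key model described in the reply, added here as an illustration and not taken from the thread or from the Dovecot documentation; the weak variant is the reply's own "simple instructions", the passwd-file line layout, the `userdb_` field prefix and the `mail_crypt_require_encrypted_user_key` setting are assumptions to verify against your Dovecot version's docs.

```conf
# --- Weak: keys are created automatically but stored unencrypted ---
# (the "simple instructions" from the reply; anyone who can read the
#  mail store or the attribute dict can decrypt every user's mail)
mail_plugins = $mail_plugins mail_crypt
mail_attribute_dict = file:%h/Maildir/dovecot-attributes

plugin {
  mail_crypt_curve = secp521r1
  mail_crypt_save_version = 2
}

# --- Hardened: per-user password-protected ECC key ---
# The user's private key is wrapped with a password derived from the
# login password, so the server holds no plaintext private key at rest.
plugin {
  mail_crypt_curve = secp521r1
  mail_crypt_save_version = 2
  # Assumed setting name: refuse to create or load a user key that is
  # not password-protected, so a misconfigured account cannot silently
  # fall back to the weak model above.
  mail_crypt_require_encrypted_user_key = yes
}

# Supply the key password from the passdb. Assumed passwd-file layout:
#   user:password:uid:gid:gecos:home:shell:extra_fields
# The assumed userdb_ prefix forwards the extra field to the mail
# process as mail_crypt_private_password = %{sha512:password},
# the variable the reply recommends.
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
}
# /etc/dovecot/users, constructed sample entry with a placeholder hash:
#   alice:{SHA512-CRYPT}$6$PLACEHOLDER::::::userdb_mail_crypt_private_password=%{sha512:password}

# Operational consequences that follow from the reply:
# - if users may change their login password, the wrapped key must be
#   re-keyed in the same step (doveadm mailbox cryptokey password),
#   otherwise the new login password no longer unlocks the old key;
# - there is no disaster-recovery key: losing a per-user key makes that
#   user's mail unrecoverable, so the attribute dict holding the keys
#   must be part of your backups.
```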
