Best mail encryption solution for per-user

tai74 at vfemail.net
Sun Feb 11 08:07:02 EET 2018


Aki, really thanks for the reply, I hope to continue the conversation,

>> Do you have advice about Dovecot plugins for mail encryption:
>>
>> https://wiki2.dovecot.org/Plugins/MailCrypt
>> https://0xacab.org/riseuplabs/trees
>>
>> I like NaCL based encryption but the MailCrypt plugin is better
>> because it's maintained by Dovecot developers (is this correct?)
>>
>> Hard to understand MailCrypt docs so may I ask, may I provide per-user
>> encryption? I don't like global because I want every user to have
>> different encryption based on their password. But I don't see the
>> usefulness of per-folder encryption. Docs for TREES are easier to
>> understand: it will work on a per-user encryption using the user
>> password to decrypt the needed keys.
>>
>> How about indexing? Must native fast Dovecot indexing be turned
>> off for one of these or both? Is this a big performance hit? And how
>> to turn off indexing on a per-user basis?
>>
> Mail crypt plugin in dovecot core is indeed developed and maintained
> by us. Turning on encryption is simple, but you'll have to consider
> key management closely.
>
> The simple instructions are
>
> mail_plugins = $mail_plugins mail_crypt
> mail_attribute_dict = file:%h/Maildir/dovecot-attributes
>
> plugin {
>   mail_crypt_curve = <some curve you like>
>   mail_crypt_save_version = 2
> }

With no other settings, I understand this to auto-generate keys.
It's putting them in mail_attribute_dict? How is that related to
mail_crypt_private_key, which is for what then?

> This will turn on automatic key creation for folders and users.

I guess it's saying "folders" mode because each folder has a keypair,
but I don't understand why a single keypair isn't enough? Because of
the possibility to have shared folders? Anyway, I'm confused how it relates
to global mode and where user mode fits (there is no user mode,
say the docs).

> NOTE that the keys won't be encrypted in this scenario.
>
> To encrypt keys you have few choices. You can use a static password,
> static ECC key, per-user password, per-user ECC key, per-user
> password protected ECC key.

Sorry, newb question, but how is this choice made (on different values
of mail_crypt_require_encrypted_user_key?)

> With the per-user model, the easiest, if you don't let users change
> password could be adding into userdb or passdb,
> mail_crypt_private_password = %{sha512:password}
>
> If you want users to be able to change passwords, you either need to
> manage the encryption passwords in user database, or call doveadm
> mailbox cryptokey password during password change.

I have a custom userdb lookup so I don't mind managing key encryption
passwords in the database, but how do I do it? Is it by including
mail_crypt_private_password in the userdb lookup?

Moreover, if I want the password to be the same as the regular IMAP password, is
there a security problem? I think it's possible to return the plaintext
password for the userdb lookup with %w, right?

Moreover, I don't see that working, because maybe the pwd changes in userdb
but the encryption keys (stored where?) are still encrypted with the old pwd,
no? In such a case, what is to be done? Your indication was that doveadm
can be used but that there is another solution which doesn't become
fully evident to me yet.

Is the solution now literally that I must also store keys in the database and make
a custom pwd change module decrypt and re-encrypt them with the new pwd?

> Also we do not currently support DR keys, so if the per-user key is
> lost, you will not be able to recover the mails.

Fair!

> Forgot to add that currently it's not possible to encrypt indexes due
> to how lib-index is designed.

To infer from your statement, this means indexing will work ok anyway even
with encryption turned on? With the caveat of having unencrypted metadata in
index files? So we must choose: unprotected metadata or remove
indexing? May indexing be removed per-user, maybe from the userdb lookup?
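To make the pieces of this thread concrete, here is an added configuration sketch (not configuration from the thread, nor from the Dovecot docs) that combines the quoted mail_crypt settings with Aki's per-user password approach. The curve name, the static passdb/userdb and the example user are placeholders chosen for illustration; the passdb only stands in for whatever custom lookup a real deployment uses.

```conf
# dovecot.conf (added example, not from the thread or the Dovecot docs)
mail_plugins = $mail_plugins mail_crypt

# Auto-generated user and folder keys are stored in the mail attribute dict,
# which is why the quoted setup needs one even with no key file configured.
mail_attribute_dict = file:%h/Maildir/dovecot-attributes

plugin {
  mail_crypt_curve = secp521r1          # any curve OpenSSL supports; a placeholder choice
  mail_crypt_save_version = 2
  # Refuse to work with a user key stored in the clear. Without this, a
  # userdb that forgets to return the password leaves the private key
  # unencrypted on disk, exactly the "keys won't be encrypted" case above.
  mail_crypt_require_encrypted_user_key = yes
}

# The key-encryption password is derived from the login password: the passdb
# returns it as a userdb extra field (fields prefixed userdb_ are passed on
# to userdb), so no second secret has to be stored anywhere.
# A static passdb is used only to keep the example self-contained.
passdb {
  driver = static
  args = password=changeme userdb_mail_crypt_private_password=%{sha512:password}
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%u
}

# Because the user key is sealed with a hash of the login password, every
# password change must re-seal the key, or the mailbox becomes unreadable.
# The old and new values are the same strings the userdb would hand in
# (the hash of the old and of the new login password):
#   doveadm mailbox cryptokey password -u user@example.com \
#       -o <hash-of-old-password> -n <hash-of-new-password>
# There is no recovery key, so if this step is skipped and the old hash is
# gone, the mail encrypted under that key is lost.
```

The same trade-off the thread raises remains: with this setup Dovecot's index files stay unencrypted, so message metadata is readable on disk even though message bodies are not.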
