<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html><body style='font-family: Verdana,Geneva,sans-serif'>
<p>On 2021-02-22 2:25 am, Aki Tuomi wrote:</p>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">On 22/02/2021 00:20 <a href="mailto:deano-dovecot@areyes.com">deano-dovecot@areyes.com</a>wrote: Some questions about mail_crypt setups I have global mail encryption working nicely, and replication works nicely between two systems. The main problem is that the private and public keys are *right there* on the server in /etc/dovecot/private ... Fine for a completely controlled system, but not so fine when on a rented VPS etc. When are the keys read in by dovecot ? Are they ever read in again while dovecot is running, or does it cache them in ram until dovecot is restarted ? Would it be possible for dovecot to read the keys as output from a script ? I'm thinking of a small script that would reach out to an authentication service like Authy or Okta or similar. Admin gets an alert on their phone, taps OK, UNLOCK and the two keys are returned to the script, which then hands them back to dovecot and away it goes. The mail_crypt config normally contains
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">mail_crypt_global_private_key = </etc/dovecot/private/dovecot_crypt_privkey mail_crypt_global_public_key = </etc/dovecot/private/dovecot_crypt_pubkey</blockquote>
Perhaps add another variable like
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">mail_crypt_global_script = </etc/dovecot/private/dovecot_crypt_script</blockquote>
That script would run and feed the two keys back into dovecot (no matter how it got to them). So I started looking into per-user/per-folder encryption to see how that would work, and I have that setup nicely too. The config looks like this</blockquote>
</blockquote>
<p><span style="font-family: 'Lucida Grande', Verdana, Arial, Helvetica, sans-serif; white-space: pre-wrap;">Any thoughts about something like this for providing the keys ? That is, from a script. If the format is kept simple (eg. script must provide two keys, private first, then newline, then public, then newline) admins can come up with many variations on getting the keys into dovecot. Especially if they're only read once per dovecot invocation.</span></p>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<pre>Recently one solution used was to provide per-user global keypair, which is used to encrypt everything for a user. This can be easier than using the managed keys and encrypting the user's key with password.</pre>
</blockquote>
<pre>Any examples around ?</pre>
<pre> </pre>
<pre>DC</pre>
</body></html>