mail_crypt plugin, few questions

mail_crypt plugin, few questions

Zbyszek Żółkiewski
Hi,

I have a few questions regarding mail_crypt:

1) Is the mail_crypt_global_private_key file read upon dovecot start/restart only, or is it/can it be read at any other time? I have made a few tests by starting dovecot and removing the master key for decryption - therefore it is not available on the platform - it only resides in memory, removing one of the attack vectors

2) Is there any “rollout” planned for key rotation in the feature?

3) Is there any better way to encrypt mails that were sent before enabling mail_crypt? I have made a simple script to automate in-place encryption: https://gist.github.com/kolargol/d551d132949068ce6efce7bc85a317cb but maybe there is a better way? If someone wants to use it, please read the code first, as it requires updating the local magic(5) database

thanks!

_
Zbyszek Żółkiewski

Re: mail_crypt plugin, few questions

Aki Tuomi-2


On 04.11.2017 20:52, Zbyszek Żółkiewski wrote:
> Hi,
>
> I have a few questions regarding mail_crypt:
>
> 1) Is the mail_crypt_global_private_key file read upon dovecot start/restart only, or is it/can it be read at any other time? I have made a few tests by starting dovecot and removing the master key for decryption - therefore it is not available on the platform - it only resides in memory, removing one of the attack vectors
It can be given from config file, or from user database. It is read on
use. You can also encrypt the key using a password, but in the end, the
password or the key needs to be provided by something.
> 2) Is there any “rollout” planned for key rotation in the feature?
There is already *some* key rotation availability. Mail re-encryption is
not supported, but you can roll the user key, and you can take new
folder keys into use. The old ones need to be retained unless you move
emails out and back to the folder.
>
> 3) Is there any better way to encrypt mails that were sent before enabling mail_crypt? I have made a simple script to automate in-place encryption: https://gist.github.com/kolargol/d551d132949068ce6efce7bc85a317cb but maybe there is a better way? If someone wants to use it, please read the code first, as it requires updating the local magic(5) database
>
> thanks!
>
> _
> Zbyszek Żółkiewski

The Best Practice, supported way, is to move the emails around, so you
move all your mails from INBOX to FooBox, and then back. This can have
some side-effects, and you might want to test this. Most notably it will
consume UIDs, unless you reset the folder by removing indexes.

Aki
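
The move-out-and-back procedure described in the reply above, sketched with doveadm as an added example (not part of the original thread and not Dovecot's own tooling). The folder name FooBox comes from the post; the function names and the DOVEADM override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: re-save existing mail by moving it out of a folder and back,
# so that it is written again with mail_crypt enabled.
# DOVEADM can be overridden to dry-run the procedure against a stub.
DOVEADM="${DOVEADM:-doveadm}"

# Print the message count of a mailbox ("messages=N" -> N).
msg_count() {
    $DOVEADM mailbox status -u "$1" messages "$2" |
        sed -n 's/.*messages=\([0-9][0-9]*\).*/\1/p'
}

# reencrypt_by_move USER [FOLDER] [TMPFOLDER]
# Returns 0 if FOLDER holds the same number of messages afterwards,
# 2 on a count mismatch (the temporary folder is then kept for inspection).
reencrypt_by_move() {
    user=$1; folder=${2:-INBOX}; tmp=${3:-FooBox}
    before=$(msg_count "$user" "$folder") || return 1
    [ -n "$before" ] || return 1
    $DOVEADM mailbox create -u "$user" "$tmp" || return 1
    # Out: every message is saved into the temporary folder.
    $DOVEADM move -u "$user" "$tmp" mailbox "$folder" all || return 1
    # Back: messages are saved again into the original folder (new UIDs).
    $DOVEADM move -u "$user" "$folder" mailbox "$tmp" all || return 1
    after=$(msg_count "$user" "$folder")
    if [ "$before" != "$after" ]; then
        echo "count mismatch for $user/$folder: $before -> $after; keeping $tmp" >&2
        return 2
    fi
    $DOVEADM mailbox delete -u "$user" "$tmp"
}
```

A count mismatch (for example, mail delivered mid-run) returns 2 and leaves the temporary folder in place for inspection. As the post notes, the round trip consumes UIDs, so test on a single account first.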

Re: mail_crypt plugin, few questions

Zbyszek Żółkiewski


> Message written by Aki Tuomi <[hidden email]> on 06.11.2017, at 08:44:
>
> On 04.11.2017 20:52, Zbyszek Żółkiewski wrote:
>> Hi,
>>
>> I have a few questions regarding mail_crypt:
>>
>> 1) Is the mail_crypt_global_private_key file read upon dovecot start/restart only, or is it/can it be read at any other time? I have made a few tests by starting dovecot and removing the master key for decryption - therefore it is not available on the platform - it only resides in memory, removing one of the attack vectors
> It can be given from config file, or from user database. It is read on
> use. You can also encrypt the key using a password, but in the end, the
> password or the key needs to be provided by something.


Yes, I am loading it in the conf file like:

mail_crypt_global_private_key = </etc/dovecot/somefile.key

but then I am removing that file - and it looks like dovecot is still able to decrypt mails encrypted with that file. So you are saying there might be a situation where this file needs to be “re-read” from disk?

>> 3) Is there any better way to encrypt mails that were sent before enabling mail_crypt? I have made a simple script to automate in-place encryption: https://gist.github.com/kolargol/d551d132949068ce6efce7bc85a317cb but maybe there is a better way? If someone wants to use it, please read the code first, as it requires updating the local magic(5) database
>>
>> thanks!
>
> The Best Practice, supported way, is to move the emails around, so you
> move all your mails from INBOX to FooBox, and then back. This can have
> some side-effects, and you might want to test this. Most notably it will
> consume UIDs, unless you reset the folder by removing indexes.

OK, I was using the above script to encrypt hundreds of thousands of email files and I did not find any issues; it is also quite fast. Do you see any problems with that?

thanks!

_
Zbyszek

Re: mail_crypt plugin, few questions

Aki Tuomi-2


On 06.11.2017 13:20, Zbyszek Żółkiewski wrote:

>
>> Message written by Aki Tuomi <[hidden email]> on 06.11.2017, at 08:44:
>>
>> On 04.11.2017 20:52, Zbyszek Żółkiewski wrote:
>>> Hi,
>>>
>>> I have a few questions regarding mail_crypt:
>>>
>>> 1) Is the mail_crypt_global_private_key file read upon dovecot start/restart only, or is it/can it be read at any other time? I have made a few tests by starting dovecot and removing the master key for decryption - therefore it is not available on the platform - it only resides in memory, removing one of the attack vectors
>> It can be given from config file, or from user database. It is read on
>> use. You can also encrypt the key using a password, but in the end, the
>> password or the key needs to be provided by something.
>
> Yes, I am loading it in the conf file like:
>
> mail_crypt_global_private_key = </etc/dovecot/somefile.key
>
> but then I am removing that file - and it looks like dovecot is still able to decrypt mails encrypted with that file. So you are saying there might be a situation where this file needs to be “re-read” from disk?
Yeah, the file content is loaded into configuration. If you need to
re-read it you need to restart dovecot.

>
>>> 3) Is there any better way to encrypt mails that were sent before enabling mail_crypt? I have made a simple script to automate in-place encryption: https://gist.github.com/kolargol/d551d132949068ce6efce7bc85a317cb but maybe there is a better way? If someone wants to use it, please read the code first, as it requires updating the local magic(5) database
>>>
>>> thanks!
>> The Best Practice, supported way, is to move the emails around, so you
>> move all your mails from INBOX to FooBox, and then back. This can have
>> some side-effects, and you might want to test this. Most notably it will
>> consume UIDs, unless you reset the folder by removing indexes.
> OK, I was using the above script to encrypt hundreds of thousands of email files and I did not find any issues; it is also quite fast. Do you see any problems with that?
>
> thanks!
>
> _
> Zbyszek

That script looks fine.

Aki

Re: mail_crypt plugin, few questions

Zbyszek Żółkiewski
>
> On 06.11.2017 13:20, Zbyszek Żółkiewski wrote:
>>
>>> Message written by Aki Tuomi <[hidden email]> on 06.11.2017, at 08:44:
>>>
>>> On 04.11.2017 20:52, Zbyszek Żółkiewski wrote:
>>>> Hi,
>>>>
>>>> I have a few questions regarding mail_crypt:
>>>>
>>>> 1) Is the mail_crypt_global_private_key file read upon dovecot start/restart only, or is it/can it be read at any other time? I have made a few tests by starting dovecot and removing the master key for decryption - therefore it is not available on the platform - it only resides in memory, removing one of the attack vectors
>>> It can be given from config file, or from user database. It is read on
>>> use. You can also encrypt the key using a password, but in the end, the
>>> password or the key needs to be provided by something.
>>
>> Yes, I am loading it in the conf file like:
>>
>> mail_crypt_global_private_key = </etc/dovecot/somefile.key
>>
>> but then I am removing that file - and it looks like dovecot is still able to decrypt mails encrypted with that file. So you are saying there might be a situation where this file needs to be “re-read” from disk?
> Yeah, the file content is loaded into configuration. If you need to
> re-read it you need to restart dovecot.

OK thanks, so this is what I wanted to know: the contents of the private key are read on startup and held in memory, and they are only refreshed when dovecot restarts. So in my use case I can safely remove the private key once dovecot has started, right?

thanks,
_
Zbyszek

Re: mail_crypt plugin, few questions

Aki Tuomi-2


On 06.11.2017 13:59, Zbyszek Żółkiewski wrote:

>> On 06.11.2017 13:20, Zbyszek Żółkiewski wrote:
>>>> Message written by Aki Tuomi <[hidden email]> on 06.11.2017, at 08:44:
>>>>
>>>> On 04.11.2017 20:52, Zbyszek Żółkiewski wrote:
>>>>> Hi,
>>>>>
>>>>> I have a few questions regarding mail_crypt:
>>>>>
>>>>> 1) Is the mail_crypt_global_private_key file read upon dovecot start/restart only, or is it/can it be read at any other time? I have made a few tests by starting dovecot and removing the master key for decryption - therefore it is not available on the platform - it only resides in memory, removing one of the attack vectors
>>>> It can be given from config file, or from user database. It is read on
>>>> use. You can also encrypt the key using a password, but in the end, the
>>>> password or the key needs to be provided by something.
>>> Yes, I am loading it in the conf file like:
>>>
>>> mail_crypt_global_private_key = </etc/dovecot/somefile.key
>>>
>>> but then I am removing that file - and it looks like dovecot is still able to decrypt mails encrypted with that file. So you are saying there might be a situation where this file needs to be “re-read” from disk?
>> Yeah, the file content is loaded into configuration. If you need to
>> re-read it you need to restart dovecot.
> OK thanks, so this is what I wanted to know: the contents of the private key are read on startup and held in memory, and they are only refreshed when dovecot restarts. So in my use case I can safely remove the private key once dovecot has started, right?
>
> thanks,
> _
> Zbyszek

Yeah, you can safely remove it.

Aki