Automatic encryption of stored messages

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello!

Is there a way to encrypt all of the Cyrus' user-specific files on the disk? So that somebody breaking in -- or stealing the server -- has no access to the messages (and other data) unless a user's password is also available?

This is how I'd envision it:
  • A somewhat secret "salt" and the location of a (memory-backed) cyrus-only directory, such as /tmp/cyruspw, are set in a config-file.
  • A user logs in using a pam-module, which creates a symlink such as /tmp/cyruspw/user -> somehash(salt+password+user).
  • Subsequent access to the user's files uses the above hash as the key for user's messages, attachments, etc.
  • New messages are stored unencrypted (or on a shared encrypted partition) until the next time this user logs in. When he does, his user-specific encryption begins in background.
  • When the user disconnects, and all unencrypted messages are encrypted, the user's entry is removed from /tmp/cyruspw until his next login.
  • A (rare) password-change will require all unencrypted messages to be re-encrypted with the new hash -- until the re-encryption is completed, the server will keep the old hash around (in a different location, that would survive a system restart, such as /var/cyrus/oldpw/user -> oldhash) to provide access to the not-yet-re-encrypted messages.
A fancier system could also provide for a "master password" to allow message-recovery in case of the user forgetting their password (or a law-enforcement subpoena). Some people may choose to not use this feature in their setup...

I think, this ensures reasonable protection for the stored messages without any cooperation from the MUA -- a stolen server (or a decommissioned hard-drive) will not reveal user's e-mails. Also, each user is assured, that their old emails are not accessible to anyone, when he isn't accessing them himself.

This may be possible to do right now -- without changing the Cyrus' code at all -- by using encrypted filesystems. Unfortunately, it means, each user's files would have to reside on their own filesystem... The proposed mechanism would provide a better way without too much trouble. What do you think?
-mi
[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux