Did anyone else get 13 identical copies of this response from Daniel???

On 2013-03-27 12:47 AM, Daniel Reinhardt <crypto...@gmail.com> wrote:
If you are concerned about data being left on a hard drive when it fails
and you are returning it to vendor, then I would consider hard drive
degaussers.  They are effective, but are very costly.


On Wed, Mar 27, 2013 at 12:36 AM, Xin Li <delp...@delphij.net> wrote:

On 3/25/13 6:24 AM, Simon Brereton wrote:
On 25 March 2013 12:30, Robert Schetterer <r...@sys4.de> wrote:
On 25.03.2013 11:03, Simon Brereton wrote:
Hi

As I understand it email headers need to be unencrypted
(otherwise DKIM doesn't work).  From the MUA to either Postfix,
or Dovecot the connection is (or can/should be) secured with
TLS/SSL.

What I would like to know is if it is possible to encrypt the
mailstore?  Postfix is using Dovecot for delivery so it's only
Dovecot that would need to encrypt/decrypt the mailstore.

Is this possible?  Is there a terrible reason to do it even if
it is possible?

I realise that from MTA to MTA there's no guarantee of
encryption (and in fact it's very unlikely unless keys have
been exchanged), but my primary goal is to supplement the physical
security of the mail store of mails we already have or have
sent.

Mostly just idle curiosity as to what has been done, or what
could be done.  What is worth doing is a separate thread
entirely.

Thanks.

Simon

my meaning

crypted mailstore makes sense in a mail archive, in germany you
have to have a mail archive for some kind of company emails all
these solutions have some crypted mailstore , and some more
features for data security, but that's a big theme, too big for
here

crypt storage isn't "the saveness" per default, someone hacking
the system and get root may hack your crypt storage too etc, also
too big theme for here

Robert, indeed, this is sort of my point.  If we encrypt laptop
harddrives to prevent unauthorised access, that doesn't prevent
the possibility of someone who already has admin access to the
device from decrypting/viewing/moving files.  What it does do is
prevent unauthorised access to the data if there is no admin
access.

Currently my mail store isn't encrypted and I would like to know if
it is possible to do that, and if so, maybe get some pointers.

Let's say you operate a mail server which uses a RAID array (or ZFS
pool) as backend storage and one day one disk goes bad and needs to
be replaced.  You don't want information being leaked from that bad disk
when returning to vendor for replacement.

There are a lot of solutions to this issue.  One possible way is to
use FreeBSD's full disk encryption, geli(4), to encrypt all hard
drives and have the email server hold the key on its boot partition,
but don't protect it with a password so that the mail server can boot
without any human intervention.

Encrypting individual user's mail store makes little sense as one can
still get your decryption key if they got root privilege, usually by
tracing the login process or just replace it with something that can
do the login but also save login credentials.  In short, if root has
been compromised, it's game over already.

Cheers,

--

Best regards,

Charles Marcus
I.T. Director
Media Brokers International, Inc.
678.514.6224 | 678.514.6299 fax