Store data encrypted in maildir

Bron Gondwana brong at fastmail.fm
Tue Aug 25 09:53:03 EDT 2015


We do that at FastMail.

The problem is that the filesystem needs to be mounted for Cyrus to access it, and then root can access all the files.

If you want to have a system where root can't access files... you're basically looking for non-unix or you're doing horrible hacks on top of unix which are fragile and nasty.  You'll want to talk to one of the mail services that specialises in this stuff about what they've done with encrypted containers and loopback filesystems and all that magic.  You COULD do this for Cyrus as well with a combination of carefully automounted LUKS or similar filesystems for various parts of the spool, and a custom authentication daemon which integrated with your filesystem mounter to only decrypt and mount partitions on login.  One partition per user, it would work.  Painfully complex to deal with though.

So we just say "trust root on your mail server" - and only give that to a small handful of key staff.  We tend to need it when debugging real problems too.  It's surprising how many people want you to be able to fix things, ok - maybe it's not.

Bron.

On Tue, Aug 25, 2015, at 23:24, Ken Murchison wrote:
> Try putting your Cyrus partition(s) on an encrypted filesystem.  I've 
> never tried it but I'm pretty sure it's possible.
> 
> 
> On 08/25/2015 02:25 AM, Ram wrote:
> > Is there a way I can store Cyrus IMAP mails encrypted?  This may not be
> > a fully secure system
> > but I just need something so that a root logged in user can't trivially
> > read the files
> >
> >
> >
> > ----
> > Cyrus Home Page: http://www.cyrusimap.org/
> > List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> > To Unsubscribe:
> > https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
> 
> 
> -- 
> Kenneth Murchison
> Principal Systems Software Engineer
> Carnegie Mellon University
> 


-- 
  Bron Gondwana
  brong at fastmail.fm

