On 06.11.2017 13:59, Zbyszek Żółkiewski wrote:
>> On 06.11.2017 13:20, Zbyszek Żółkiewski wrote:
>>>> Message written by Aki Tuomi <aki.tu...@dovecot.fi> on
>>>> 06.11.2017, at 08:44:
>>>>
>>>> On 04.11.2017 20:52, Zbyszek Żółkiewski wrote:
>>>>> Hi,
>>>>>
>>>>> I have a few questions regarding mail_crypt:
>>>>>
>>>>> 1) Is the mail_crypt_global_private_key file read upon dovecot start/restart
>>>>> only, or is it / can it be read at any other time? I have made a few tests by
>>>>> starting dovecot and removing the master key for decryption - therefore it is
>>>>> not available on the platform - it only resides in memory, removing one of
>>>>> the attack vectors
>>>> It can be given from config file, or from user database. It is read on
>>>> use. You can also encrypt the key using a password, but in the end, the
>>>> password or the key needs to be provided by something.
>>> yes, I am loading it in the conf file like:
>>>
>>> mail_crypt_global_private_key = </etc/dovecot/somefile.key
>>>
>>> but then I am removing that file - and it looks like dovecot is still able
>>> to decrypt mails encrypted with that file. So you are saying there might be a
>>> situation where this file needs to be “re-read” from disk?
>> Yeah, the file content is loaded into configuration. If you need to
>> re-read it you need to restart dovecot.
> ok thanks, so this is what I wanted to know: the content of the private
> key is read on startup and held in memory, and it is only refreshed when
> dovecot restarts. So in my use-case I can safely remove the private key once
> dovecot has started, right?
>
> thanks,
> _
> Zbyszek

Yeah, you can safely remove it.

Aki