I agree with Thomas on this. If someone is spying on the server, any past and future emails can be stolen. In case all incoming mails are PGP-encrypted on the server, future emails can still be stolen, but at least any past correspondence is secure.
Yannik

On 03.06.2015 at 03:50, Sebastian Nielsen wrote:
> That's why it's important to define which security goal your setup has.
>
> If you really want to PGP-encrypt your mails at receive, you can do it
> with Ciphermail:
> https://www.ciphermail.com/
> Ciphermail is implemented as an SMTP proxy, so you just feed postfix's
> smtp-client into ciphermail and then have a localhost-only listening
> smtpd which delivers to local storage.
>
> But to your points:
> 1: If your VM is remotely manageable via SSH, you will also have
> access to its "boot" over SSH/IPMI or whatever remote interface your
> hosting company uses.
> 2: Yes, agree. But one thing to consider is that if you have hosting
> with VMs or VPSes, it's common that they make a backup of your
> machine, e.g. they back up your machine as-is. This means that when your
> hosting company takes the backup, it will still be encrypted.
> E.g., even if they take the backup while the machine is in running
> state, it will still be a backup of the "offline image" of the machine,
> which will represent how the machine will look if it was turned off
> and then turned on right now, since LUKS never writes plaintext to the
> disk drive. RAM contents of the VM are usually not written to disk or
> backed up at all since they can contain sensitive data.
> 3: Yes, that's true. But that is true for any non-encrypted mail that is
> received on your server, since they could, if they were dishonest, tap
> the mail from the RAM of the server, like they could with the LUKS
> key. No on-server encryption is going to solve that if your hosting
> company is rogue.
> In your first mail, you described the hosting company as being
> untrusted because they were reckless and irresponsible with backups
> and copies of offline data that could linger around in the datacenter
> and fall into the wrong hands.
>
> If the hosting company is completely untrusted, with not just
> lazy/reckless employees but instead dishonest employees that could
> themselves be rogue, there are only 2 options:
> A: Encrypt the mail before it reaches the hosting company. For example
> receiving mails on another server, encrypting them with ciphermail
> and then forwarding the encrypted mails to the hosting company.
> B: Change hosting company to a more trusted one.
>
> -----Original message-----
> From: Thomas Keller
> Sent: Wednesday, June 03, 2015 1:32 AM
> To: postfix-users@postfix.org
> Subject: Re: encrypt incoming emails with my public gpg key
>
> On 2015-06-03 01:16, Sebastian Nielsen wrote:
>
>> If you only are worried by backups or other copies that might come into
>> the wrong hands, and not someone directly accessing the server, I would
>> suggest setting up an encrypted storage in the server. Since VPS/VM in
>> many times give you root access, you could easily set your virtual
>> machine to be encrypted with LUKS, and then you have to type a password
>> each time the VM boots.
>
> using LUKS has some disadvantages here:
> 1) somebody has to type remotely the password every time the machine
> boots. This is very impractical
>
> 2) LUKS is only effective when the machine is turned off. Once LUKS is
> mounted (decrypted) data can be read and encryption key recovered
>
> 3) if ever, somebody gains access to the decryption key (see 2) all
> emails ever received are accessible.
>
> Besides, for the sake of argument, we can assume that I already have
> LUKS, but want to have another layer. These two things are not mutually
> exclusive.
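The "encrypt at receive" setup the thread keeps coming back to, as an added example that is not part of the original thread and is neither Postfix's nor Ciphermail's code. The script is written to the Postfix FILTER_README pipe-filter contract (message on stdin, rewritten message on stdout, exit 75 to have Postfix retry later) and wraps each incoming message as PGP/MIME (RFC 3156) encrypted to one public key, so mail that is already in the mailbox stays unreadable to whoever gets into the server later. Assumptions: `gpg` is on the PATH with the owner's public key imported, `RECIPIENT_KEY` is that key's id, and the Postfix wiring described after the block is done separately. `fake_encrypt`/`fake_decrypt` and `SAMPLE` are a constructed stand-in for a dry run without a keyring, not encryption.

```python
#!/usr/bin/env python3
"""Encrypt each incoming message to a fixed OpenPGP public key at receipt.

Added example for this thread; not Postfix or Ciphermail code. Follows the
Postfix FILTER_README pipe-filter contract: message on stdin, PGP/MIME
(RFC 3156) result on stdout, exit 75 to make Postfix retry later. Only the
public key has to be on the server. RECIPIENT_KEY is an assumption.
"""
import base64
import subprocess
import sys
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

RECIPIENT_KEY = "admin@example.org"  # assumption: key id of the mailbox owner


def gpg_encrypt(plaintext: bytes, recipient: str = RECIPIENT_KEY) -> bytes:
    """Encrypt with the gpg binary; needs only the recipient's public key."""
    proc = subprocess.run(
        ["gpg", "--batch", "--yes", "--armor", "--trust-model", "always",
         "--encrypt", "--recipient", recipient],
        input=plaintext, capture_output=True, check=True)
    return proc.stdout


def is_already_encrypted(msg: EmailMessage) -> bool:
    """Leave PGP/MIME and inline-PGP mail alone; double wrapping helps nobody."""
    if msg.get_content_type() == "multipart/encrypted":
        return True
    if msg.get_content_type() == "text/plain":
        return b"-----BEGIN PGP MESSAGE-----" in (msg.get_payload(decode=True) or b"")
    return False


def encrypt_message(raw: bytes, encrypt=gpg_encrypt) -> bytes:
    """Rewrite a raw RFC 5322 message as multipart/encrypted.

    Transport headers (From, To, Subject, Received, ...) stay in clear so the
    mail remains deliverable; the MIME entity (Content-* headers plus body,
    attachments included) is what gets encrypted.
    """
    original = BytesParser(policy=policy.default).parsebytes(raw)
    if is_already_encrypted(original):
        return raw
    clear = [(n, v) for n, v in original.items()
             if not (n.lower().startswith("content-") or n.lower() == "mime-version")]
    for name, _ in clear:
        del original[name]                       # drops every occurrence
    ciphertext = encrypt(original.as_bytes())    # what is left is the MIME entity

    version = EmailMessage()
    version["Content-Type"] = "application/pgp-encrypted"
    version.set_payload("Version: 1\n")
    data = EmailMessage()
    data["Content-Type"] = 'application/octet-stream; name="encrypted.asc"'
    data["Content-Disposition"] = 'inline; filename="encrypted.asc"'
    data.set_payload(ciphertext.decode("ascii"))  # ASCII armor is 7-bit safe

    outer = EmailMessage()
    for name, value in clear:
        try:
            outer[name] = value
        except ValueError:
            pass  # second copy of a single-valued header; keep the first
    outer["MIME-Version"] = "1.0"
    outer["Content-Type"] = 'multipart/encrypted; protocol="application/pgp-encrypted"'
    outer.set_payload([version, data])           # generator adds the boundary
    return outer.as_bytes()


def encrypted_part(raw: bytes) -> bytes:
    """What the mailbox stores: the armored ciphertext part of a PGP/MIME mail."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return msg.get_payload(1).get_payload(decode=True)


# Stand-in for gpg so the flow can be exercised without a keyring. NOT
# encryption: base64 between PGP armor lines, for a dry run only.
def fake_encrypt(plaintext: bytes) -> bytes:
    return (b"-----BEGIN PGP MESSAGE-----\n\n" + base64.b64encode(plaintext)
            + b"\n-----END PGP MESSAGE-----\n")


def fake_decrypt(armored: bytes) -> bytes:
    body = [line for line in armored.splitlines()
            if line and not line.startswith(b"-----")]
    return base64.b64decode(b"".join(body))


# Constructed sample message for a dry run (not a captured one).
SAMPLE = (b"From: alice@example.org\nTo: admin@example.org\nSubject: hi\n"
          b"Content-Type: text/plain; charset=us-ascii\n\nsecret body\n")


def main() -> int:
    try:
        sys.stdout.buffer.write(encrypt_message(sys.stdin.buffer.read()))
    except subprocess.CalledProcessError as err:
        sys.stderr.write(err.stderr.decode(errors="replace"))
        return 75   # EX_TEMPFAIL: defer; never deliver in clear, never drop it
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Hook it in the way Postfix's FILTER_README describes for a simple content filter: a `pipe` transport in master.cf that runs a wrapper, the wrapper feeds this script's stdout back into `/usr/sbin/sendmail -G -i` with the original sender and recipient arguments, and `content_filter` in main.cf points at that transport. Two caveats that follow from the thread itself: the plaintext still passes through the server's RAM before the filter runs, so this protects mail at rest only, exactly the "past correspondence" case above, and the private key must never be on the server, otherwise the stored ciphertext is no better than the LUKS case Thomas describes.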