The AtRest encryption feature allows individual users to encrypt
their mail messages while they are stored 'at rest' on the mail
system. All messages in all folders are encrypted with a public
encryption key, and decryption can only occur when the system has
your actual password, which it needs in order to use the private
decryption key. The password is never stored on disk, so neither
the administrator, nor Netwin, nor any external agency can decode
the messages without having your password.
To enable AtRest encryption, the administrator must first enable
the feature:
g_atrest_enable "true"
Then the user must log in via http://your.server/cgi/user.cgi,
click on 'At Rest' in the left-hand panel and enable encryption.
At this point the user must provide their current password, to
ensure they really do know it!
Advantages of At Rest encryption
- If a hacker gains access to the mail file system, they will not
be able to see any of your email messages.
- If an administrator wants to look at your email messages, they
will not be able to.
- If an outside agency gains physical access to the mail server,
by legal or illegal means, they will still not be able to decode
and see your email messages.
Disadvantages of At Rest encryption
- If you forget your password and you also lose the recovery
code that you are given when you first encrypt your messages,
then ALL your email messages will be lost forever. There is no
other recovery mechanism: the administrator CANNOT reset your
password and give you access to the files again. If they could,
the security would be non-existent!
- There is a mild performance hit, as the data must be decrypted
and surgeweb has to do less 'caching'.
- Saved login sessions on surgeweb will not persist as long,
because login credentials cannot be saved to disk.
Limitations: what it cannot protect you from
- If your password can be guessed with a dictionary attack or by
brute-force guessing of millions of passwords, then your messages
could be decoded, so be sure to set a complex password that is
not based on simple words.
- In some situations the server will write temporary files
containing unencrypted mail messages before displaying them via
IMAP or surgeweb; in theory an administrator could spy on those
files at that time. But only the messages you were actively
reading! And it would not be easy.
- The administrator can enable features that keep copies of all
email messages even when this feature is turned on; nothing can
prevent this, as the administrator controls the server. The
normal archiving feature is automatically disabled, though, so
this will not occur by accident.
- So it is critical to stop accessing your mail server if the
administrator is compromised, legally or otherwise.
- Your email client may have your password stored; anyone who
gets access to your email client or its stored password can then
crack your account instantly, so if security is important to you,
don't allow your email client to remember your password.
Recovery Code
At the time the user enables encryption they are given a recovery
code, which is also emailed to the user. The user should print
and save this code: if the user's normal password is lost or
forgotten, it is the only mechanism by which they can reset their
password without losing all their messages.
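The key handling described in the introduction and in this Recovery Code section, as an added Python model (not SurgeMail code): a single symmetric mailbox key stands in for the page's public/private pair, and it is sealed once under the password and once under the recovery code, so either secret (and nothing else) releases it, and the recovery code can re-wrap it under a new password. The iteration count, salt size and the XOR-plus-HMAC wrapping are constructed stand-ins for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # KDF work factor: the only brake on guessing a weak password
KEY_LEN = 32          # mailbox key that decrypts stored mail (stands in for the page's private key)

def _derive(secret: str, salt: bytes) -> "tuple[bytes, bytes]":
    """Stretch a password or recovery code into a 32-byte pad and a 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]

def wrap(secret: str, key: bytes) -> bytes:
    """Seal the mailbox key under one secret as salt || key XOR pad || HMAC tag.
    Toy stand-in for an AEAD: a fresh salt means the pad is used once, and the HMAC
    makes a wrong guess fail cleanly rather than yield garbage that looks like a key."""
    salt = os.urandom(16)
    pad, mac_key = _derive(secret, salt)
    body = salt + bytes(k ^ p for k, p in zip(key, pad))
    return body + hmac.new(mac_key, body, "sha256").digest()

def unwrap(secret: str, blob: bytes) -> "bytes | None":
    """Return the mailbox key if `secret` opens `blob`, else None."""
    body, tag = blob[:16 + KEY_LEN], blob[16 + KEY_LEN:]
    pad, mac_key = _derive(secret, body[:16])
    if not hmac.compare_digest(hmac.new(mac_key, body, "sha256").digest(), tag):
        return None
    return bytes(c ^ p for c, p in zip(body[16:], pad))

class KeyStore:
    """All the server writes to disk for one user: the mailbox key sealed under the
    password (slot 0) and the recovery code (slot 1). Neither secret nor the bare key
    is stored, so there is nothing an administrator could 'reset' to get back in."""

    def __init__(self, password: str, recovery_code: str) -> None:
        key = os.urandom(KEY_LEN)
        self.slots = [wrap(password, key), wrap(recovery_code, key)]

    def unlock(self, secret: str) -> bytes:
        """Release the key with whichever slot the secret opens; anything else fails."""
        for blob in self.slots:
            key = unwrap(secret, blob)
            if key is not None:
                return key
        raise PermissionError("wrong password or recovery code: mail stays unreadable")

    def change_password(self, current_secret: str, new_password: str) -> None:
        """The only reset path: the current password or the recovery code releases the
        key, which is re-wrapped under the new password. Lose both and the mail is gone."""
        self.slots[0] = wrap(new_password, self.unlock(current_secret))
```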