A lot of new rules are going to take effect in the EU and especially here in Denmark, May next year and one of the things, we as an ISP, has been advised to do, is to encrypt peoples e-mail, that we store on our server. So here is my question: Has anyone any idea how to do this in an elegant way and is this even something that ispconfig will support? Another question is the database that ISPConfig uses to store information about customers. Is there a way to encrypt this data, so we comply with the new regulative for personal data protection? Mike
Do you need to encrypt the email for each user with a different password or is one password for all users ok? In that case, yu can probably use an encrypted file system for /var/vmail There is no easy way to do that as ispconfig must be able to read the data, but it should be possible to encrypt and decrypt all data in the database on the fly in ISPConfig.
Or use full disk encryption. Then all is encrypted... but not really sure what you mean witch encrypting... so you need to be more specific
Sorry for the late reply. #1 This is new information for all of us here in DK, but I was at a conference on the subject, last thursday and the advice we got from the ministry of internal affairs and justice department, was to encrypt as much userinformation as we could. I still have nothing on print and it could be until August before we get something. A link to information on this subject directly from the EU, can be found here http://ec.europa.eu/justice/data-protection/ but it is subject to interpretation from country to country. #2 What I would like is to encode each e-mail stored on the server, using a AES/RAS keypair, that can then be decoded by dovecot and postfix. That way, if we have a breach of security and our e-mails are downloaded somehow, they at least will need the keypair to decode them. Fair enough they can obtain that too, but it's another level of security. Till It is the same senario as with the e-mail. Data should be stored encrypted with AES/RSA encryption in the database and Apache/MySQL should then be able to decode it when needed. If someone gets hold of the DB, the data will be useless without the keys. I hope that explains things
Interesting, thanks for the reference. However, I don't personally believe EU states will rush to enforce such a thing *for email data*, on the contrary, they generally tend to discourage use of communication encryption because that just make legal investigations harder. As for personal data permanently stored, which if I understand correctly is the primary goal of this bill, this is more sensible, as ISPC might store this kind of information (emails, bank account!). I personally don't store any bank information there but this is a legit concern.
With the regard to e-mail and encryption, the problem here is that you as a host, are liable for information kept on your systems, when this is effectuated. That means if someone got e-mail with 'sensitive' information in their e-mails and you have a leak, you are liable for the data that is misused/stolen, as well as the owner of the e-mails. So that's why I personally prefer to simply avoid this kind of problem by having this encrypted. I am already looking in to the possibility to do the same with the CMS's we support, as well.
I would not crypt the mailbase on the server. This will be a nightmare if you loose the key. Let your clients use PGP or S/MIME. There is also a crypt-plugin for Dovecot: https://wiki2.dovecot.org/Plugins/MailCrypt
If you use something that needs secure storage of the decryption keys you can store those keys on filesystem over the network, so they keys aren't sitting on the disk beside the data they decrypt. I've used both an iscsi device with luks encryption as well as encfs over an sshfs mount for similar things; also I've been pretty happy with using mandos to store decryption keys and make them available only on the local network. I believe I posted example scripts for doing ISPConfig backups that way, if useful (specifically, sshfs mounted a remote directory via rsa keys, then mandos requests a key which is used with encfs to encrypt/decrypt the backup files). In your case you would probably want to unmount the remote storage once your dovecot/email keys have been loaded, so they keys are not available via the filesystem (just like after backups run in those sample scripts, the encfs and sshfs are unmounted).
Jesse: That is not a bad idea, thanks. I will take it in to account when I start testing in a months time, on one of our test servers. WHen I'm done, I will make sure to post my findings and maybe a howto on how I ended up setting this up, since others might be required/want to use this functionality.
This encryption does not work if someone gets access to your server. This may work, if some takes your HDDs away.
Florian: Well it will help if they get access to the filesystem, but you are correct that it won't help if someone gets in through dovecot or postfix.
FYI: "4. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to this Chapter, by 25 May 2018 and, without delay, any subsequent amendment affecting them."
