dovecot - Dec 2016 - making a plugin encrypt index data

Hello,

I'm encrypting mail on disk using a plugin[0], but the index files are
not encrypted (specifically the dovecot.index.cache can be read).

I want to do is encrypt index on disk, so I'm looking for how a plugin
can achieve that by hooking into the right locations. Is that easily
possible in a plugin?

I can turn off those indexes by passing INDEX=MEMORY, but that isn't
possible if I use sdbox/mdbox.

thanks for any suggestions!
micah

0. https://0xacab.org/riseuplabs/tofu-scrambler

> On December 16, 2016 at 6:48 PM micah anderson <micah at riseup.net>
wrote:
> 
> 
> 
> Hello,
> 
> I'm encrypting mail on disk using a plugin[0], but the index files are
> not encrypted (specifically the dovecot.index.cache can be read).
> 
> I want to do is encrypt index on disk, so I'm looking for how a plugin
> can achieve that by hooking into the right locations. Is that easily
> possible in a plugin?
> 
> I can turn off those indexes by passing INDEX=MEMORY, but that isn't
> possible if I use sdbox/mdbox.
> 
> thanks for any suggestions!
> micah
> 
> 0. https://0xacab.org/riseuplabs/tofu-scrambler
Hi!

At the moment it's not possible without making new storage class. We are
planning to add support for fs drivers for indexes at some point.

Aki Tuomi
Dovecot Oy

> ---------- Original Message ----------
> From: Aki Tuomi <aki.tuomi at dovecot.fi>
> To: micah anderson <micah at riseup.net>
> Date: December 16, 2016 at 11:25 PM
> Subject: Re: making a plugin encrypt index data
> 
> When we released our encryption plugin, mail-crypt, it's capabilities
include fs-crypt. This can be used to encrypt things like FTS indexes and
attachments, and with suitable mail storage, such as obox, you can also encrypt
indexes.
> 
> To extend this support to dbox or maildir, does require rather involved
changes in dovecot core, which currently has no support for fs-api in index
handling. This might happen on v2.3 or v2.4, depending.
> 
> I somehow suspect that the work estimate would exceed your budget. But it
is going to happen, it's just matter of time. Can't give you any
timeline though, since we have not decided on one yet.
> 
> Aki
> 
> > On December 16, 2016 at 9:53 PM micah anderson <micah at
riseup.net> wrote:
> > 
> > 
> > 
> > Hi Aki,
> > 
> > Do you have any idea approximately when this would be planned for?
> > 
> > We are also interested potentially paying for the ability to encrypt
our
> > indexes, as this is a major concern for us. We don't have a lot of
money
> > as a non-profit, but if there is a possibility of contract work, we
> > would be interested to know what it would cost to do it.
> > 
> > thanks,
> > micah
> > 
> > Aki Tuomi <aki.tuomi at dovecot.fi> writes:
> > 
> > >> On December 16, 2016 at 6:48 PM micah anderson <micah at
riseup.net> wrote:
> > >> 
> > >> 
> > >> 
> > >> Hello,
> > >> 
> > >> I'm encrypting mail on disk using a plugin[0], but the
index files are
> > >> not encrypted (specifically the dovecot.index.cache can be
read).
> > >> 
> > >> I want to do is encrypt index on disk, so I'm looking for
how a plugin
> > >> can achieve that by hooking into the right locations. Is that
easily
> > >> possible in a plugin?
> > >> 
> > >> I can turn off those indexes by passing INDEX=MEMORY, but
that isn't
> > >> possible if I use sdbox/mdbox.
> > >> 
> > >> thanks for any suggestions!
> > >> micah
> > >> 
> > >> 0. https://0xacab.org/riseuplabs/tofu-scrambler
> > >
> > > Hi!
> > >
> > > At the moment it's not possible without making new storage
class. We are planning to add support for fs drivers for indexes at some point.
> > >
> > > Aki Tuomi
> > > Dovecot Oy