Home
Products
Download
Buy Now
Support
Company

Also see the dedicated surgemail.com website with knowledge base and ticketing system

Help Index

 

SurgeMail At Rest encryption feature

The AtRest encryption feature allows individual users to encrypt their mail messages when they are stored 'at rest' on the mail system.  All messages in all folders are encrypted using a public encryption key, and decryption can only occur when the system has your actual password so it can use the private decryption key.  The password is never stored on disk so neither the administrator or Netwin or any external agency can decode the messages without having your password.

To enable AtRest encryption first the administrator must enable the feature
    g_atrest_enable "true"

Then the user must login via http://your.server/cgi/user.cgi and click on 'At Rest' on the left hand panel and enable encryption, at this time the user must provide their current password to ensure they really do know it!

As of version 7.3p we have added a new feature whereby the administrator can SET a global decryption password. This allows your files to be restored if you forget your password. The administrator MUST NOT forget this password, it cannot be changed, or reset!


To configure the admin recovery password:
    tellmail atrest_admin YourSecretPassword   

After setting that password you can make users data automatically encrypt next time they login, this will impact performance initially.
    g_atrest_all "true"

To decrypt a users mail folders (e.g. if they forget their own password)
    tellmail atrest_admin_decrypt user@xyz.com YourSecretPassword


NOTE: Upgrade to at least version 7.3p-7 or later before turning on!

Advantages of At Rest encryption

  • If a hacker gains access to the mail file system they will not be able to see any of your email messages.
  • If an administrator wants to look at your email messages they will not be able to.
  • If an outside agency gains physical access by legal or illegal means to the mail server they will still not be able to decode and see your email messages.

Disadvantages of at rest encryption.

  • If you forget your password, and you also loose the recovery code that you are given when you first encrypt your messages, then ALL your email messages will be lost forever, there is no other recovery mechanism, the administrator CANNOT reset your password and get you access to the files again. (See notes above regarding the new administrator decrypt command, which is now supported.  If you want a higher level of security then disable this feature with the setting: g_atrest_crazy "true")
  • There is a mild performance hit as the data must be decrypted and surgeweb has to do less 'caching'.
  • Saved login sessions on surgeweb will not persist as long as login credentials cannot be saved to disk.
  • If you change a users password in the backend user database manually, then they will be able to login, but all their email will be invisible as the decryption will not work!  To resolve first decrypt using the atrest_admin_decrypt command noted above.

Limitations, what it cannot protect you from

  • If your password can be guessed with a dictionary attack or brute force guessing millions of passwords, then your messages could be decoded, be sure to set a complex password that is not based on simple words etc...
  • In some situations the server will write temporary files containing unencrypted mail messages before displaying them via imap or surgeweb, in theory an administrator could at this time spy on those files.  But only the messages you were actively reading! And it would not be easy.
  • The administrator can enable features to keep copies of all email messages even when this feature is turned on, nothing can prevent this as the administrator controls the server.  The normal archiving feature is automatically disabled though so this will not occur by accident.
  • So it's critical to 'stop' accessing your mail server if the administrator is compromised legally or otherwise.
  • Your email client may have your password stored, anyone who gets access to your email client/stored password can then crack your account instantly, so if security is important to you don't allow your email client to remember your password.

Recovery Code

At the time the user enables encryption they are given a recovery code, this is also emailed to the user.  The user should print and save this code, if the users normal password is lost or forgotten then it's the only mechanism by which they can reset their password without loosing all their messages. This does not apply if g_atrest_all is enabled.  If g_atrest_crazy is not defined, then the admin recover password can be used