power-mailinabox
adding encryption at rest for /home/user-data
This fork https://github.com/downtownallday/mailinabox-ldap has successfully implemented encryption at rest with LUKS for the user-data folder.
You can make it optional; it just needs the folder ehdd added at root and the install started with the script start-encrypted.sh, and then after a reboot the script startup.sh started to launch the server.
It could be a great new feature to add to your great, powerful fork!!
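The procedure described in the post (a LUKS container for user-data, unlocked by hand after every boot) as an added example that is not code from power-mailinabox or from the mailinabox-ldap fork. The container path under /ehdd, the /dev/mapper name, the initial size and the three actions are assumptions; the fork's own start-encrypted.sh and startup.sh are not reproduced here.

```shell
#!/bin/sh
# Added example (not from power-mailinabox or mailinabox-ldap): manage a LUKS2
# file container that is mounted on /home/user-data. Paths, mapper name and
# container size are assumptions and can be overridden via the environment.
set -eu

CONTAINER="${EHDD_CONTAINER:-/ehdd/user-data.img}"   # assumed backing file
MAPPER="${EHDD_MAPPER:-ehdd-user-data}"              # assumed /dev/mapper name
MOUNTPOINT="${EHDD_MOUNTPOINT:-/home/user-data}"
SIZE_MB="${EHDD_SIZE_MB:-4096}"                      # assumed initial size

# True when the LUKS mapping named $1 is currently open (no root needed).
ehdd_is_open() {
    [ -e "/dev/mapper/$1" ]
}

ehdd_require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
}

# One-time setup: allocate the backing file, format it as LUKS2 and create an
# ext4 filesystem inside. cryptsetup prompts for the passphrase on the terminal;
# it is never placed on the command line or in a file by this script.
ehdd_create() {
    ehdd_require_root
    if [ -e "$CONTAINER" ]; then
        echo "$CONTAINER already exists; refusing to overwrite" >&2
        return 1
    fi
    install -d -m 700 "$(dirname "$CONTAINER")"
    # Sparse allocation is fine: cryptsetup attaches a loop device to the file.
    fallocate -l "${SIZE_MB}M" "$CONTAINER" 2>/dev/null ||
        dd if=/dev/zero of="$CONTAINER" bs=1M count="$SIZE_MB" status=none
    chmod 600 "$CONTAINER"
    cryptsetup luksFormat --type luks2 --batch-mode "$CONTAINER"
    cryptsetup open "$CONTAINER" "$MAPPER"
    mkfs.ext4 -q -L user-data "/dev/mapper/$MAPPER"
    cryptsetup close "$MAPPER"
    echo "created $CONTAINER; run '$0 open' after every boot"
}

# After every reboot: unlock (passphrase prompt) and mount, then start services.
ehdd_open_mount() {
    ehdd_require_root
    if mountpoint -q "$MOUNTPOINT"; then
        echo "$MOUNTPOINT is already mounted" >&2
        return 0
    fi
    ehdd_is_open "$MAPPER" || cryptsetup open "$CONTAINER" "$MAPPER"
    install -d -m 755 "$MOUNTPOINT"
    mount -o nodev,nosuid "/dev/mapper/$MAPPER" "$MOUNTPOINT"
    echo "$MOUNTPOINT mounted; the mail services can be started now"
}

# Before shutdown or maintenance: stop the services first, then unmount and lock.
ehdd_unmount_close() {
    ehdd_require_root
    if mountpoint -q "$MOUNTPOINT"; then
        umount "$MOUNTPOINT"
    fi
    if ehdd_is_open "$MAPPER"; then
        cryptsetup close "$MAPPER"
    fi
}

case "${1:-}" in
    create) ehdd_create ;;
    open)   ehdd_open_mount ;;
    close)  ehdd_unmount_close ;;
    "")     ;;   # no action given: only define the functions
    *)      echo "usage: $0 create|open|close" >&2; exit 1 ;;
esac
```

Two practical points the script makes visible. First, nothing in it can run unattended: `cryptsetup open` needs the passphrase typed at the console, so a reboot leaves the mail services down until an admin logs in, which is the maintenance cost raised in the reply below. Second, if /home/user-data already holds data, open the container on a temporary mount point, copy the tree across with `rsync -aHAX`, and only then switch the mount; do not format a container over a directory that is in use. Growing the container later is an offline operation (enlarge the file, then `cryptsetup resize` and `resize2fs` on the opened mapping), so size it with some headroom.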
Hi, and thanks!
I could look into this, but given that there are passphrases involved, I'm not sure how this would affect the user experience as far as maintenance is concerned.
I admit I'm not familiar with disk encryption, but a concern I have is that resizing the LUKS file can be either a PITA, a very time-consuming process, or both.
What would be the difference between mounting a dedicated partition on your disk just for /home/user-data and the solution you're proposing?
Hi ddavness,
Thanks again for your great job on this fork!!
- yes, about the reboot: the admin needs to manually input the passphrase
- no, resizing is not such a big deal
- the dedicated partition won't be encrypted, so if someone physically accesses your server's disk all data is in the clear. You could use encrypted LVM for the whole system as well, but it will be even more complicated at boot, depending on whether you host your server yourself, totally or partially, or with access to the hypervisor
- alternatively, there is a plugin for dovecot that does a similar job for the mails only: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/ . I haven't had time to try it yet, but it could do the job for encryption at rest
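For the dovecot mail_crypt alternative mentioned above, here is an added example (not from the thread, from power-mailinabox, or from the Dovecot project) of the simplest deployment: one server-wide EC key pair and a config snippet that encrypts every user's stored mail with it. The key directory and the conf.d file name are assumptions; the key-generation commands and the plugin settings are the ones documented for mail_crypt.

```shell
#!/bin/sh
# Added example (not from the thread or from power-mailinabox): generate a
# global EC key pair for Dovecot's mail_crypt plugin and write the matching
# configuration snippet. Key directory and conf.d file name are assumptions.
set -eu

# Generate ecprivkey.pem / ecpubkey.pem in $1 with restrictive permissions.
mailcrypt_keygen() {
    dir="$1"
    install -d -m 700 "$dir"
    (
        umask 077
        openssl ecparam -name secp521r1 -genkey | openssl pkey -out "$dir/ecprivkey.pem"
        openssl pkey -in "$dir/ecprivkey.pem" -pubout -out "$dir/ecpubkey.pem"
    )
}

# Write the Dovecot snippet to $2, pointing at the keys in $1. The leading "<"
# makes Dovecot read the value from the named file rather than treating the
# path string itself as the key.
mailcrypt_write_conf() {
    keydir="$1"
    conf="$2"
    cat > "$conf" <<EOF
# Encrypt stored mail with a single server-wide key pair (mail_crypt plugin).
mail_plugins = \$mail_plugins mail_crypt
plugin {
  mail_crypt_global_private_key = <$keydir/ecprivkey.pem
  mail_crypt_global_public_key = <$keydir/ecpubkey.pem
  mail_crypt_save_version = 2
}
EOF
    chmod 600 "$conf"
}

# Consistency check before restarting Dovecot: the public key derived from the
# private key must equal the one on disk. Returns non-zero on mismatch.
mailcrypt_verify_pair() {
    keydir="$1"
    derived=$(openssl pkey -in "$keydir/ecprivkey.pem" -pubout 2>/dev/null)
    stored=$(cat "$keydir/ecpubkey.pem")
    [ "$derived" = "$stored" ]
}

case "${1:-}" in
    setup)
        # Assumed locations; adjust to where this installation keeps Dovecot config.
        mailcrypt_keygen /etc/dovecot/mail_crypt
        mailcrypt_write_conf /etc/dovecot/mail_crypt /etc/dovecot/conf.d/99-mail-crypt.conf
        mailcrypt_verify_pair /etc/dovecot/mail_crypt && echo "keys and config written; restart dovecot"
        ;;
    "") ;;   # no action given: only define the functions
    *)  echo "usage: $0 setup" >&2; exit 1 ;;
esac
```

Scope matters here: mail_crypt encrypts message files as Dovecot writes them, so mail delivered before the plugin was enabled stays in the clear, and the rest of /home/user-data (the user database, TLS and DKIM keys, backups) is untouched, which is why it is only a partial substitute for the LUKS approach. The private key also sits on the same disk as the mail it protects; keeping it on an encrypted volume, or protecting it with a password via the plugin's private-key password setting, is what stops a stolen disk from carrying its own decryption key.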