On 8/28/20 4:26 PM, Michael Orlitzky wrote:> The contents of the disk
are unencrypted while the server is powered
on, or at least while the server is receiving email (while it's reading
from and writing to that disk). In practice that will be all the time
-- you can't log in and type the disk-encryption password every time
an email arrives.
You don't need to enter a password every time that an email comes in.
I have a VPS with an encrypted file system. I enter the password at the
time that it boots.
The disk and file system(s) therein are encrypted all the time. So a
clone of the disk will require the passphrase to unlock the key.
The only way to get the key is to extract it out of the running VPS's
memory. Something that I think is beyond the capability of many, but
definitely not all, people.
A clone of the VPS will effectively present the same security posture as
the running system.
I've been running like this for five (or more) years without any
problems. I think it works great.
I shouldn't have used the word "secret." Pre-established or out-of-band
authentication would have been more accurate.
Okay. Poor choice of words happen. Unfortunately I mistook your
statement to be referencing symmetric encryption with a shared secret.
With GPG, the trust is between you and I, and the VPS provider acts
as the eavesdropper. All three parties are distinct, and the security
can work. With TLS between MTAs, the trust is established on-the-fly
between the other MTA and the VPS provider, but the VPS provider still
also plays the the role of the eavesdropper. When the eavesdropper
is trusted, you're in trouble.
As long as STARTTLS is used (and validated) between the MTAs and the VPS
provider doesn't have a way to get the keys (because they are on an
encrypted disk), then the contents of the transmission should be fairly
secure.
--
Grant. . . .
unix || die