[nzlug] encrypted IMAP storage?

Jim Cheetham jim at gonzul.net
Mon Dec 10 13:51:30 NZDT 2007


On Dec 10, 2007 11:37 AM, Guy K. Kloss <G.Kloss at massey.ac.nz> wrote:
> I was wondering with all those email providers around now (Gmail, etc.)
> whether it is possible to store the content on those in an encrypted way,
> rather than just using transport layer encryption (SSL, TLS).

The email provider will always have to have the ability to decrypt
your messages when interacting with your IMAP client, in which case
the presence of an encrypted filesystem becomes irrelevant. The only
way around this would be to try and make sure that all messages going
into Gmail were encrypted first, e.g. by PGP.

You couldn't enforce this at the Gmail end, because inherently all the
non-encrypted messages would have been received by them first and are
therefore compromised (and form a great corpus for a plaintext
attack); therefore you have to enforce this policy at the sending end.

Obviously you cannot expect your communicants to remember to always
encrypt, but if you allowed yourself the use of a server under your
control to pass email through, you could use an SMTP proxy like GNU
Anubis to receive all your email (i.e. be the MX target). Anubis would
then encrypt the contents with your public key, and forward them to
Gmail.

You could then collect the encrypted messages with POP or IMAP or over
the webmail client, and deal with local decryption -- however you must
be careful that you do not allow your client program to save the
decrypted message back into the Gmail filestore; perhaps you should be
copying the messages into a local PC filesystem (encrypted over
loopback or something) first, or simply never saving decrypts.

-jim
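
The encrypt-before-forwarding step described above, as an added example that is not part of the original post and is not GNU Anubis code: a filter that rewraps an incoming message as PGP/MIME (RFC 3156) before it reaches the provider. The names `wrap_for_storage`, `gpg_encrypt` and `RECIPIENT` are hypothetical, the key id is a placeholder, and a `gpg` binary with your public key imported is assumed.

```python
import subprocess
import sys
from email import message_from_bytes
from email.message import Message
from email.mime.multipart import MIMEMultipart

RECIPIENT = "me@example.org"  # assumption: placeholder for your own public key id
# Headers that describe the body; they travel inside the encrypted part.
CONTENT_HEADERS = {"content-type", "content-transfer-encoding",
                   "content-disposition", "mime-version"}
# Constructed sample message, used for illustration only.
SAMPLE = (b"From: alice@example.com\r\nTo: me@example.org\r\n"
          b"Subject: quarterly numbers\r\n"
          b"Content-Type: text/plain; charset=us-ascii\r\n\r\n"
          b"The figure is 42.\r\n")

def gpg_encrypt(plaintext: bytes) -> bytes:
    """Encrypt to RECIPIENT with the gpg CLI; only the public key is needed here."""
    cmd = ["gpg", "--batch", "--armor", "--trust-model", "always",
           "--encrypt", "--recipient", RECIPIENT]
    return subprocess.run(cmd, input=plaintext, capture_output=True, check=True).stdout

def _part(ctype: str, text: str) -> Message:
    part = Message()
    part["Content-Type"] = ctype
    part.set_payload(text)
    return part

def wrap_for_storage(raw: bytes, encrypt=gpg_encrypt) -> bytes:
    """Return raw as an RFC 3156 multipart/encrypted message."""
    msg = message_from_bytes(raw)
    if msg.get_content_type() == "multipart/encrypted":
        return raw  # sender already encrypted; do not double-wrap
    inner = Message()
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    for name, value in msg.items():
        # Routing headers (From, To, Subject, Received...) stay readable by the provider.
        (inner if name.lower() in CONTENT_HEADERS else outer)[name] = value
    inner.set_payload(msg.get_payload())
    outer.attach(_part("application/pgp-encrypted", "Version: 1\n"))
    outer.attach(_part("application/octet-stream", encrypt(inner.as_bytes()).decode("ascii")))
    return outer.as_bytes()

if __name__ == "__main__":  # pipe filter: message on stdin, wrapped message on stdout
    sys.stdout.buffer.write(wrap_for_storage(sys.stdin.buffer.read()))
```

Only the body and its content headers are encrypted; the outer headers, Subject included, are still stored in the clear at the provider.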


