Storage encryption

[foxcpp]

I guess it might make sense to implement server-side encryption for mail storage to protect past messages in case of database compromise. PGP is a ready-to-use public key[1] infrastructure[2], though we might want to use keys generated by the server for each user to avoid all trust issues.

The symmetric key used to protect private key can be derived from user password using the computation-intensive hash algorithm such as bcrypt.

[1] Public key encryption is necessary to ensure that we can deliver new messages without knowledge of the decryption key.
[2] Tho I think we might want to pick something simpler for this purpose, ideas?

There are also some problems that need to be solved:

• Can it be implemented as a storage-agnostic overlay? We need to design something to store and retrieve generated keys. Users of go-imap-sql may expect everything to be in a single database.
• We should not try to decrypt messages that are already PGP-encrypted by. Underlying storage may provide some indication of whether the message is encrypted so it boils down to the first problem.
• We should try to encrypt the meta-data too, this includes envelope and body structure.

Originally posted by @foxcpp in #10 (comment)

[foxcpp]

Throwing ideas into air

Module interface:

type Keyring interface {
  UnlockPrivateKey(username string, secretKey []byte) PrivateKey
  GetPublicKey(username string) PublicKey
}

May be implemented by the underlying mail storage or external storage (simple keyring file?).

We can store the "encrypted" flag using IMAP keywords (custom flags). Like $Maddy_Encrypted (prefixed with maddy to avoid possible clashes with other keywords that may be in use).

Regarding [2] - https://github.com/danielhavir/go-hpke

Originally posted by @foxcpp in #10 (comment)

[foxcpp]

Explaining reasoning even further:
It is intended to limit the impact of a security breach when access to the database is gained. For example, the database can be located on a different server or only limited file system access was gained.

The symmetric key used to protect private key can be derived from user password using the computation-intensive hash algorithm such as bcrypt.

It can derive symmetric key using algorithm different from the one used for authentication. And this key is never stored anywhere.

[MFAshby]

This is the kind of problem that cryptdb was designed to solve. Unfortunately not sure if there's a working implementation for sqlite but it seems like the right idea.

[foxcpp]

Closed in favor of #10. Implementing a standard data encryption protocol that would allow user clients to decrypt messages is a way better approach in my opinion. It is possible to add an optional feature of server storing the private key and doing so on user behalf, creating a flexible server-side message encryption solution.