On 22/10/14 03:32 PM, James B. Byrne wrote:
>
> I am now investigating encrypting our IMAP user spool files. Does anyone have
> experience with handling encrypted data stores using either or both of the
> subject methods and would care to share their observations? Which is the
> preferred method (I know: it depends, but on what?)? What administrative
> pain does each cause?
>
> Our IMAP host is a KVM guest so spinning up a duplicate and simply copying the
> data to an encrypted device or filesystem is not a very big deal. We can live
> with manually mounting the file system and providing a pass-phrase at boot.
> We are also looking into a semi-auto USB based solution to that issue.

Our mail server has used LUKS encryption for the <swap> and / partitions
for a while without issue. I use:

/dev/sda1 - /boot (normal ext4 partition)
/dev/sda2 - LVM PV - VG:
    lv_swap -> luks -> <swap>
    lv_root -> luks -> ext4 -> /

Running on CentOS 6.x, postfix/dovecot. Authentication DB is another
server with similar LUKS config. Both are KVM VMs.

As you mentioned, I do need to enter the passphrase on boot. I have an
alert system that warns me if a VM reboots unexpectedly.

-- 
Digimer
Papers and Projects: https://alteeve.ca/w/
What if the cure for cancer is trapped in the mind of a person without
access to education?
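
A check for the layout described in the reply above, as an added example that is not part of the original messages: it reads `lsblk -rno NAME,TYPE,MOUNTPOINT` output and fails if `/` or swap is not on a dm-crypt (`crypt`) device. The volume-group and mapping names in the sample are constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm that / and swap sit on LUKS (dm-crypt) mappings.
# On a live host:  lsblk -rno NAME,TYPE,MOUNTPOINT | check_encrypted_mounts

# Reads raw lsblk output (NAME TYPE MOUNTPOINT) on stdin.
# Prints one line per problem; exit status 0 only if every required
# mountpoint is backed by a device of TYPE "crypt".
check_encrypted_mounts() {
    awk -v required="/ [SWAP]" '
        BEGIN { n = split(required, req, " ") }
        # Remember the device and type behind each mountpoint.
        $3 != "" { type[$3] = $2; dev[$3] = $1 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                m = req[i]
                if (!(m in type)) {
                    printf "MISSING %s is not mounted or active\n", m
                    bad = 1
                } else if (type[m] != "crypt") {
                    printf "PLAINTEXT %s is on %s (type %s)\n", m, dev[m], type[m]
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample matching the layout in the reply:
# sda1 = /boot, sda2 = LVM PV, each LV wrapped in a LUKS mapping.
sample_layout() {
    printf '%s\n' \
        "sda disk" "sda1 part /boot" "sda2 part" \
        "vg_example-lv_swap lvm" "luks-swap crypt [SWAP]" \
        "vg_example-lv_root lvm" "luks-root crypt /"
}

# Constructed failure case: swap activated directly on the LV, no LUKS layer.
sample_plain_swap() {
    printf '%s\n' \
        "sda disk" "sda1 part /boot" "sda2 part" \
        "vg_example-lv_swap lvm [SWAP]" \
        "vg_example-lv_root lvm" "luks-root crypt /"
}

sample_layout | check_encrypted_mounts && echo "OK: / and swap are encrypted"
```

Unencrypted swap is the case worth alerting on, since mail data and key material paged out of memory would land on disk in the clear.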