
I am planning to use a self hosted (Linux based) email server. However, the server will be on hosting providers machine. The hosting providers will have access to the physical machine. In that case, can they access the emails? If so, how can I protect my emails?

Ahmad Ismail
  • As an aside to your question: The days of slapping up your own email server are long gone. Standing up and **Securing and Maintaining** an email server is a significant undertaking. Securing a sole use internal server is reasonably done but requires care. Setting up and maintaining the Federated Controls necessary for other mail servers to trust and exchange mail with your server is not trivial. Think carefully about why you want to take this on. – user10216038 Jul 04 '21 at 18:04

1 Answer

They can, and you can't stop them

It's their server, you can't stop them from accessing the content of the emails. They can simply read the emails right off the disk.

If, however, the emails are encrypted (end to end, like PGP), and you only decrypt the emails on your own machine after pulling them from the server, then all they'll get access to is an encrypted blob. Except, good luck getting all your correspondents to use PGP.

nobody
  • I guess I also have to use FDE and encrypt the HDD in the server along with encrypting the emails. Is it? – Ahmad Ismail Jul 03 '21 at 08:39
  • 2
    @blueray Even with FDE, the hosting provider can still use a [cold boot attack](https://en.wikipedia.org/wiki/Cold_boot_attack) to get the FDE key. And in case the provider is giving you a VM instead of an entire physical server, they can just dump the VM's memory from the host. But, yes, it somewhat raises the bar for the attack. – nobody Jul 03 '21 at 08:44
  • I know that without physical security we are always at risk (and it always gets down to cold boot attack). For my use case I am willing to accept the best secured system possible. Other than cold boot attack, is there any other risks that can be mitigated to build a securest possible email server (on which I do not have physical access to). – Ahmad Ismail Jul 03 '21 at 09:03
  • 1
    @blueray I don't know if you're willing to switch your hosting provider, but if you are, you can look into [confidential computing](https://security.stackexchange.com/q/241542/235964). It's *probably* more secure than just FDE, but I can't say just how much more secure it is. – nobody Jul 03 '21 at 09:13
  • thank you very much. I will consider that. – Ahmad Ismail Jul 03 '21 at 09:15
  • 2
    Also FDE on a *Server* is problematic. Servers have to be able to restart. When restarted for whatever reason, how is the encryption key supplied and from where? If it's automatic, the provider has access. If not automatic, you need manual intervention at inopportune times. – user10216038 Jul 04 '21 at 17:54