EmailDiscussions.com  

Go Back   EmailDiscussions.com > Discussions about Email Services > The Technical Zone...
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

The Technical Zone... The Geeky forum... Use this forum to discuss technical aspects of email, from authentication protocols to encryption.

Reply
 
Thread Tools
Old 3 Apr 2018, 10:10 AM   #1
William9
The "e" in e-mail
 
Join Date: Nov 2005
Location: San Francisco
Posts: 2,281
Encryption at rest on email servers - Important?

General questions for discussion:
  1. What security risks does email encryption at rest mitigate?
  2. How important is encryption at rest from the data security standpoint?
  3. Which email providers encrypt their customers data at rest?
I'm not referring to encryption in transit that occurs when both the sending and receiving email systems support SSL or TLS. Rather, the questions are regarding messages filed in a customers account.

I assumed that having email data encrypted at rest on my email service providers' machines would help to prevent someone from stealing my data by hacking. Of course, encryption would not prevent theft of data if the hacker were using my login credentials. Is the security benefit of encryption at rest limited to preventing someone from accessing data when a physical drive is stolen?

I'm pretty sure that Google encrypts Gmail data a rest. Microsoft encrypts its business accounts. I'm not sure about free Outlook.com. And of course the paid email services that advertise a high level of security such as LuxSci encrypt data at rest.
William9 is offline   Reply With Quote

Old 4 Apr 2018, 07:54 AM   #2
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,679
Not sure really, since I think the largest danger is giving up your login information via a phishing attack or other malware. Once they have your credentials and can unencrypt your emails anyway, what does it matter? I suppose there is some vulnerability at certain email providers that your emails can be read by staff or access given via some backdoor, and then if they are encrypted nobody should be able to read them. With smaller providers there is really nothing other than trust that they won't read your email.
TenFour is offline   Reply With Quote
Old 10 May 2018, 07:18 PM   #3
popowich
Essential Contributor
 
Join Date: May 2009
Posts: 263

Representative of:
EmailQuestions.com
> What security risks does email encryption at rest mitigate?

It prevents plain text emails from being readable if someone physically steals the hard drive from the email service providers server.

It also protects plain text from being readable if the service provider retires the drive without sanitizing it before dumping it in the trash, leaving it out on a desk, or sending it to a computer recycling company that doesn't properly destroy it.

Any example where an unauthorized person gets physical access to the drive fits here.

> Once they have your credentials and can unencrypt your emails anyway, what does it matter?

Different things, having your username and password doesn't mean a bad guy can decrypt an encrypted hard drive.
popowich is offline   Reply With Quote
Old 10 May 2018, 08:10 PM   #4
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,679
Quote:
Different things, having your username and password doesn't mean a bad guy can decrypt an encrypted hard drive.
Sure, but that is an unlikely scenario according to studies like the one Google released recently. On the other hand, the most likely scenario is that your credentials get stolen or hacked and then bad guys just log in and get your email that way. If you are really worried for some reason that data at rest is in danger go with a huge provider where the data is scattered around the world in multiple centers that have military-grade security. I doubt Google disposes of dead drives in the trash and even if they did what are the chances your information will be on the drive? Encryption at rest is mainly a worry for those who store data at small providers where you have no idea how protected it is, and if that is the case how do you know the provider doesn't have your encryption keys too?
TenFour is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 05:08 PM.

 

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy