rstml edited this page Dec 27, 2012 · 6 revisions

Storing email messages on the public cloud such as AWS S3 can be insecure and unacceptable. ElasticInbox supports encryption of the email blobs using AES encryption (AES-CBC with PKCS5 padding is the only supported cipher mode at the moment).

In order to enable encryption, first you need to create Java JCE Keystore and add at least one symmetric key into it. Following command generates new AES-128 key with alias mykey1 and adds it to the keystore:

keytool -genseckey -alias mykey1 -keyalg AES -keysize 128 -storetype jceks -keystore config/elasticinbox.ks

NOTE: Same password for keystore and key should be used.

Next, you need to enable encryption in ElasticInbox config file and add key alias:

# encrypt objects written to the blob store
blobstore_enable_encryption: true
blobstore_default_encryption_key: mykey1

# encryption settings
  keystore: "elasticinbox.ks"
  keystore_password: mysecret

All new messages will be encrypted using mykey1 key before they are stored in the cloud. ElasticInbox stores encryption key alias in the message metadata and uses it to decrypt message when it's read from the cloud blob storage. This mechanism allows key rotation. However, it's important to make sure that key stores are identical across all of your ElasticInbox nodes.

NOTE: When using AES-256 bit key you may get "Illegal key size" error. This is due to missing Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6