Atrest encryption

The AtRest encryption feature allows individual users to encrypt their mail messages when they are stored 'at rest' on the mail system.  All messages in all folders are encrypted using a public encryption key, and decryption can only occur when the system has your actual password so it can use the private decryption key.  The password is never stored on disk so neither the administrator or Netwin or any external agency can decode the messages without having your password.

To enable AtRest encryption first the administrator must enable the feature

    g_atrest_enable "true"

BEFORE YOU DO THIS, BACKUP YOUR EXISTING MAIL!!! If something goes wrong with encryption it is irreversible.

Read the warning at the bottom of this page!

Then the user must login via http://your.server/cgi/user.cgi and click on 'At Rest' on the left hand panel and enable encryption, at this time the user must provide their current password to ensure they really do know it!

As of version 7.3p we have added a new feature whereby the administrator can SET a global decryption password. This allows your files to be restored if you forget your password. The administrator MUST NOT forget this password, it cannot be changed, or reset!

To configure the admin recovery password, this cannot be changed later, if it is changed, it will not work for any existing encrypted messages!
    tellmail atrest_admin YourSecretPassword   

After setting that password you can make users data automatically encrypt next time they login, this will impact performance initially.

    g_atrest_all "true"

Again, this feature is dangerous!

To decrypt a users mail folders (e.g. if they forget their own password)
    tellmail atrest_admin_decrypt YourSecretPassword
To change a users password use this command:
tellmail atrest_set_user_pass Mytes3 secret

NOTE: Upgrade to at least version 7.4 or later before turning on!

Advantages of At Rest encryption

  • If a hacker gains access to the mail file system they will not be able to see any of your email messages.
  • If an administrator wants to look at your email messages they will not be able to.
  • If an outside agency gains physical access by legal or illegal means to the mail server they will still not be able to decode and see your email messages.
  • Files are encrypted using industry standard AES 256bit CBC.

Disadvantages of at rest encryption.

  • If you forget your password, and you also loose the recovery code that you are given when you first encrypt your messages, then ALL your email messages will be lost forever, there is no other recovery mechanism, the administrator CANNOT reset your password and get you access to the files again. (See notes above regarding the new administrator decrypt command, which is now supported.  If you want a higher level of security then disable this feature with the setting: g_atrest_crazy "true")
  • There is a mild performance hit as the data must be decrypted and surgeweb has to do less 'caching'.
  • Saved login sessions on surgeweb will not persist as long as login credentials cannot be saved to disk.
  • If you change a users password in the backend user database manually, then they will be able to login, but all their email will be invisible as the decryption will not work!  To resolve first decrypt using the atrest_admin_decrypt command noted above.

Limitations, what it cannot protect you from

  • If your password can be guessed with a dictionary attack or brute force guessing millions of passwords, then your messages could be decoded, be sure to set a complex password that is not based on simple words etc...
  • In some situations the server will write temporary files containing unencrypted mail messages before displaying them via imap or surgeweb, in theory an administrator could at this time spy on those files.  But only the messages you were actively reading! And it would not be easy.
  • The administrator can enable features to keep copies of all email messages even when this feature is turned on, nothing can prevent this as the administrator controls the server.  The normal archiving feature is automatically disabled though so this will not occur by accident.
  • So it's critical to 'stop' accessing your mail server if the administrator is compromised legally or otherwise.
  • Your email client may have your password stored, anyone who gets access to your email client/stored password can then crack your account instantly, so if security is important to you don't allow your email client to remember your password.

Recovery Code

At the time the user enables encryption they are given a recovery code, this is also emailed to the user.  The user should print and save this code, if the users normal password is lost or forgotten then it's the only mechanism by which they can reset their password without loosing all their messages. This does not apply if g_atrest_all is enabled.  If g_atrest_crazy is not defined, then the admin recover password can be used


It cannot be emphasized enough, there are risks with this feature. Users WILL forget their passwords and loose their recovery codes. Even with the admin feature if you forget the admin password it cannot ever be reset or fixed!!!! Please don't enable this unless you truly understand how dangerous it is. There is almost no good reason for using this feature 🙂 Unless you are actually a professional spy! 🙂

Was this article helpful?

Related Articles