wiki:PluginRepository/Encryption

Version 3 (modified by dan, 4 years ago) (diff)

+storage api, global options

Encryption

on this page thoughts about the development of an encryption plugin will be shared.

quick brainstorming (jonas): see RoundCube-Dev Thread for discussion on the mailinglist.

  • add some abstraction layer to support several implementations of gnupg key management
    • possible drivers:
      • server side key storage (either use gnupg binary or the php pecl gnupg library)
      • client side key storage
      • maybe even other encryption systems, i.e. s/mime
  • list of essential functions:
    • encrypt(text, keys): encrypt text for public keys
    • decrypt(text): decrypt text with appropriate private key
    • sign(text, privatekey): sign text with private key
    • verify(text): verify
    • import_key(text): import keys
  • list of additional useful functions:
    • export_key(key): export public key
    • export_priv_key(key): export private key
    • signandencrypt(text, keys, privatekey): sign with private key and encrypt for public keys
    • del_key(key): delete public key
    • del_priv_key(privatekey): delete private key
    • edit_priv_key(privatekey): edit private key
    • list_keys(): list all public keys
    • list_priv_keys(): list all private keys
    • gen_priv_key(): generate new private key
    • get_key(email/keyid): get a new public key
  • for mail layer:
    • decrypt inline encrypted mails
    • decrypt openpgp/mime encrypted mails
    • verify inline signed mails
    • verify opengpg/mime signed mails
    • encrypt and/or sign outgoing mails with opengpg/mime standard
    • encrypt and/or sign outgoing mails inline
  • storage interface(?): Interface to keys implemented by drivers
    • encrypt(text,keys)
    • decrypt(text, passphrase_callback)
    • sign(text,keys,passphrase_callback)
    • verify(text)
  • for server side storage:
    • create gnupg home directories with pubring.gpg and secring.gpg for every single user
    • pass $GNUGPGHOME to gnupg/gpgme library according to roundcube user
    • requirement to give read+write access to webserver user to all gnupg home directories
    • maybe maintain a mysql database with all keys, fingerprints etc to detect manipulated key data in the keyrings.
    • public keys retrieval - ldap, keyserver lookup, database
  • additional useful user settings/options:
    • default private key to sign mails
    • default public key to encrypt mails for in addition to recipient keys (i.e. own key)
    • default (sign y/n; encrypt y/n) for new mails
    • default for replies to signed and/or encrypted mails
    • default for replies to unsigned and unencrypted mails
  • additional useful global settings/options:
    • backend plugin(s)
    • ldap servers and query method
    • keyservers
    • default public key to encrypt mails for in addition to recipient keys (i.e. escrow)

please extend this design draft with your thoughts ...

Attachments (10)

Download all attachments as: .zip