S/MIME: how private-keys are protected?

Dear all

I’ve just started evaluating Mail3.5.5 @NC26.0.11,PHP8.2.15,MariaDB10.6.16 in order to replace my non-Browser Clients in many cases.

Could somebody pls. share some insights how the imported S/MIME private-keys are protected within Db-Table “oc_mail_smime_certificates” ?

Thanks and regards

They are encrypted with the instance secret.

1 Like

Thank you, @ChristophWurst. Maybe it could be enriched by adding additional layers, from which the user could choose?
… which could be valid from 1st access to an encrypted eMail to the end-of-session, or so?

E.g. the user could decide if private-key passphrase shall be typed before 1st access - or to encrypt private-key involving something simple from YubiKey (HMAC?) or similar?

Since I’m new here … Is this the point that I might place an “featue request” to the related GitHub-Repo to share this idea?

I do not use S/MIME. However, I could imagine that the Nextcloud instance must be able to access the unencrypted data independently of the user, similar to server-side encryption. Perhaps @ChristophWurst can confirm or refute this.

Personally, i find that private S/MIME keys on servers contradict the principle of S/MIME. But apparently, unlike TLS, S/MIME is not end-to-end encryption.