Re: Why Cached mail is not encrypted on the N900 device???
 

And then what? Should it prompt for the decryption key every time you access a stored message? Anything else would mean the key is stored somewhere (even if it's just in RAM) which defeats the purpose.

You could use claws-mail and PGP for sensitive messages.

Re: Why Cached mail is not encrypted on the N900 device???
 

what is the point complying to industry standards when you can bypass everything with one single
?

Re: Why Cached mail is not encrypted on the N900 device???
 

What key should it use to encrypt messages?

Could you provide a reference to these "security standards"? Most PC-based mail clients don't encrypt cached mail by default, in the absence of FDE, laptops are usually by default as vulnerable.

So, maybe the problem isn't just the email client.

First, one should come up with a standard the device should adhere to, or reference one.

Second, we could probably run through some concepts of how this could be implemented to support a standard while not making the device almost impossible to use or losing existing features (such as ability to access "MyDocs" from PCs without requiring software that might not be present on most PCs)

Re: Why Cached mail is not encrypted on the N900 device???
 

If you think root privileges can bypass everything, then

Re: Why Cached mail is not encrypted on the N900 device???
 

That would be the only proper solution, however the "every time" part can be relaxed a bit. The password could be asked every time the app is started for example (and that would mean no automatic mail fetching in background).

Easiest thing for an user to do is to set up home dir (or full disk) encryption. Both should be within reach, however will require some hacking. Strict device lock policy is also necessary, so that an average attacker is forced to clear the RAM (and the enc. key) as his first move.

For OP, if you want security standards compliance, go with a security standards certified device. N900 is not one, and won't become one with a software update. I'm quite sure e-mail local storage isn't the only area where security fails.

Re: Why Cached mail is not encrypted on the N900 device???
 

That would mean storing the key in RAM, from where it's trivial to retrieve it. Besides, the email app is autostarted at boot time, even if you don't want it and don't even have any accounts configured :-(

But the encrypted block device/filesystem would be mounted (and thus accessible as plaintext) while the device is on. The only protection it would add would be in case the thief rebooted the device before trying to read the messages.

Re: Why Cached mail is not encrypted on the N900 device???
 

I challenge you to retrieve something from my device's RAM, right now!

No, really, how do you do it without access to the device?

(Edit: OK, we're probably talking about different things, I meant the naive way where the GUI == app)

And how do you do it with access to a LOCKED device?

It's not about if it's running or not, it's about if it's keeping key material in RAM. Two different things.

You only quoted half of that block, and it also seems that you only read half of it. Here's the second half again:

Edit:
Trying to make it more clear, that my assumption was that either:
(a) The attacker has access to device that has no key material in RAM (i.e. the e-mail app was closed before he got access).
(b) The attacker has access to device that has key material in RAM, but that is locked (the HDE/FDE case WITH automatic locking).

Re: Why Cached mail is not encrypted on the N900 device???
 

you completely missed my point. doesn't root have access to stuff millisecond before you start generating the encrypted data?

e: I mainly referred to the fact that giving physical access to someone might end things up in a way that there is a script running as root, grabbing data and uploading it to server x. even when you have million industry standards, things doesn't change a bit.

Re: Why Cached mail is not encrypted on the N900 device???
 

The same way you would retrieve plain-text emails without physical access or from a locked device (which may include "no way"). My point is that encrypting the stored messages doesn't really add any extra security unless it's implemented in a way that's too inconvenient for most people to use.

That was in response to the password being "asked every time the app is started".

I'm not sure what that means exactly - clearing the entire RAM would be equivalent to a reboot, no? Clearing just the keys is possible, but that would mean either asking for a passphrase after every unlock or using the (really weak) device lock code to protect that at which point you might just as well not bother. Having a "real" login that allows strong alpha/numeric/symbolic passwords instead would help of course.

In Harmattan, with access to the hardware TPM (but only in "closed" mode), the situation will be different but for Maemo as it stands I don't see any good solutions.

Re: Why Cached mail is not encrypted on the N900 device???
 

If you are worried about security - symlink your mail store to a truecrypt partition that you manually mount any time you want to interact with Modest or whatever your mail user agent happens to be.

This isn't the huge security flaw that you feel it is. Really, it's not.

There comes a point where you need to decrypt your email to read it obviously, and to do this you need a key that has to be difficult to brute force - so ask yourself, are you really going to type in 64+ characters or whatever your pass phrase happens to be, every time you want email? It's the only way - otherwise you leave yourself open to key recovery via RAM, swap, or storage.

It's much easier to beef up your physical security than worry so much about email.

Alternatively you could just go web based and keep your mail server locked in a concrete box in your basement...