I am wondering how I can back up keys for mail users in their password-protected form, without exporting them from `doveadm mailbox cryptokey export`, which requires a password. The goal here is to perform routine backups to keep keys current. Relevant config is as follows:

mail_attribute_dict = file:%h/Maildir/dovecot-attributes
mail_plugins = $mail_plugins mail_crypt

plugin {
  mail_crypt_curve = secp521r1
  mail_crypt_save_version = 2
  mail_crypt_require_encrypted_user_key = yes
}

Am I correct in assuming I should back up the dovecot-attributes file? Are there any ancillary files that need to be backed up as well, such as indexes, to properly read and handle this file?

I have viewed the file and it appears there are several keys at play for a single mail user. Do different folders in a user's IMAP space have different encryption keys? Are all of these keys populated in this dovecot-attributes file?

Is there any established procedure for restoring keys? Is it as simple as placing the dovecot-attributes file, if that is in fact what needs to be backed up beforehand to perform a restore?

--
Ben Burk
BURK.TECH System Administrator
> On 17/06/2021 19:59 Ben Burk <ben at burk.tech> wrote:
>
> I am wondering how I can back up keys for mail users in their
> password-protected form, without exporting them from `doveadm mailbox
> cryptokey export`, which requires a password. The goal here is to
> perform routine backups to keep keys current. Relevant config is as follows:
>
> mail_attribute_dict = file:%h/Maildir/dovecot-attributes
> mail_plugins = $mail_plugins mail_crypt
>
> plugin {
>   mail_crypt_curve = secp521r1
>   mail_crypt_save_version = 2
>   mail_crypt_require_encrypted_user_key = yes
> }
>
> Am I correct in assuming I should back up the dovecot-attributes file?
> Are there any ancillary files that need to be backed up as well, such as
> indexes, to properly read and handle this file?
>
> I have viewed the file and it appears there are several keys at play for
> a single mail user. Do different folders in a user's IMAP space have
> different encryption keys? Are all of these keys populated in this
> dovecot-attributes file?
>
> Is there any established procedure for restoring keys? Is it as simple
> as placing the dovecot-attributes file, if that is in fact what needs to
> be backed up beforehand to perform a restore?
>
> --
> Ben Burk
> BURK.TECH System Administrator

Hi!

You can just take a copy of the dovecot-attributes file as you suspected.

Aki
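
The file-level copy suggested in the reply, with an integrity manifest and a verified restore, as an added example that is not part of the original thread. The mail root layout (`<root>/<user>/Maildir/`), the backup directory and the function names are assumptions; only the `dovecot-attributes` file name and its place under `Maildir` come from the quoted config.

```shell
#!/bin/sh
# Paths below are assumptions for illustration: one home per user under a
# common root, i.e. <root>/<user>/Maildir/dovecot-attributes.

# backup_attrs MAIL_ROOT DEST_DIR
# Copies each user's dovecot-attributes byte for byte (keys stay in the form
# Dovecot stored them) and writes DEST_DIR/SHA256SUMS.
backup_attrs() (
    root=$1 dest=$2 rc=0
    umask 077                          # key material: owner-only backups
    mkdir -p "$dest" || exit 1
    : > "$dest/SHA256SUMS.tmp" || exit 1
    for src in "$root"/*/Maildir/dovecot-attributes; do
        [ -f "$src" ] || continue      # user without keys, or empty glob
        user=$(basename "${src%/Maildir/dovecot-attributes}")
        out="$dest/$user/dovecot-attributes"
        # Copy to a temporary name and rename, so an interrupted run never
        # replaces a good backup with a truncated one.
        if mkdir -p "$dest/$user" && cp -p "$src" "$out.tmp" && mv "$out.tmp" "$out"; then
            (cd "$dest" && sha256sum "$user/dovecot-attributes") >> "$dest/SHA256SUMS.tmp" || rc=1
        else
            rc=1
        fi
    done
    mv "$dest/SHA256SUMS.tmp" "$dest/SHA256SUMS" || rc=1
    exit "$rc"
)

# verify_attrs DEST_DIR: succeeds only if every backed-up file matches the manifest.
verify_attrs() (
    cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1
)

# restore_attrs DEST_DIR MAIL_ROOT USER
# Refuses to restore from a backup set that fails verification.
restore_attrs() (
    verify_attrs "$1" || exit 1
    cp -p "$1/$3/dovecot-attributes" "$2/$3/Maildir/dovecot-attributes"
)
```

Run it as root or as the mail user so that `cp -p` can keep the file's ownership and mode on both backup and restore.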