Ben Burk
2021-Jun-29 03:05 UTC
Doveadm encrypt/decrypt files manually with per-user folder keys
There is an example of manually encrypting/decrypting mail processed by the mail_crypt plugin here:
https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/

It outlines how one would manually encrypt/decrypt messages using global keys:

    doveadm fs get/put crypt private_key_path=foo:public_key_path=foo2:posix:prefix=/path/to/files/root path/to/file

Is there a way to accomplish this using per-user folder keys? Is there some way of making sense of the information in the dovecot-attributes file to accomplish this?

--
Ben Burk
BURK.TECH System Administrator
Aki Tuomi
2021-Jun-29 06:11 UTC
Doveadm encrypt/decrypt files manually with per-user folder keys
> On 29/06/2021 06:05 Ben Burk <ben at burk.tech> wrote:
>
> There is an example of manually encrypting/decrypting mail processed by the mail_crypt plugin here:
> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
>
> It outlines how one would manually encrypt/decrypt messages using global keys:
>
>     doveadm fs get/put crypt private_key_path=foo:public_key_path=foo2:posix:prefix=/path/to/files/root path/to/file
>
> Is there a way to accomplish this using per-user folder keys? Is there some way of making sense of the information in the dovecot-attributes file to accomplish this?
>
> --
> Ben Burk
> BURK.TECH System Administrator

You can use

    doveadm mailbox cryptokey export

to export folder keys.

Aki
Ben Burk
2021-Jul-01 02:19 UTC
Doveadm encrypt/decrypt files manually with per-user folder keys
I think I've been able to print/export what I think are user keys with the -U flag:

    user at testbox :~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user -U
    Folder: Public ID: 3498hg355a86c3c924a5841bb2e5c6e1b0c5496d5116c4fcb9askdjfalk34
    Error: -----BEGIN PRIVATE KEY-----
    ***REDACTED***
    -----END PRIVATE KEY-----

    user at testbox :~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey list -u user -U
    Folder Active Public ID
           yes    3498hg355a86c3c924a5841bb2e5c6e1b0c5496d5116c4fcb9askdjfalk34

However, I can't seem to get the tool to print/export folder keys:

    user at testbox :~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey list -u user test
    doveadm(user): Warning: mailbox cryptokey list: Nothing was matched. Use -U or specify mask?
    Folder Active Public ID

    user at testbox :~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey list -u user test/
    doveadm(user): Warning: mailbox cryptokey list: Nothing was matched. Use -U or specify mask?
    Folder Active Public ID

    user at testbox :~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user
    user at testbox :~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user test/
    user at testbox :~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user test
    user at testbox :~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user *
    user at testbox :~$

In the examples above, I was attempting to select keys for the 'test' IMAP mail folder. I may just be misunderstanding the encryption/decryption operations here, and possibly the mask parameter.

When I run the below command, it outputs the '.test.out' file but the file is not encrypted, presumably because the public key was not specified:

    sudo -u vmail doveadm fs put crypt private_key_path=/tmp/doveadm_TvZAjG16218-30778:posix:prefix=/var/mail/domain/user/Maildir/test/cur/ 1561754561.M105295P13988.smtp\,S\=3700\,W\=3780\:2\,RS .test.out

What is the correct syntax to export folder keys, assuming that what I have exported above are the user keys? Do you need to specify both private/public keys when encrypting/decrypting? I wouldn't think so. Typically all that is needed for encryption is the public key, and for decryption the private key.

My mail_crypt settings:

    mail_attribute_dict = file:%h/Maildir/dovecot-attributes
    mail_plugins = $mail_plugins mail_crypt
    plugin {
      mail_crypt_curve = secp521r1
      mail_crypt_save_version = 2
      mail_crypt_require_encrypted_user_key = yes
    }

On 6/29/21 1:11 AM, Aki Tuomi wrote:
> > On 29/06/2021 06:05 Ben Burk <ben at burk.tech> wrote:
> >
> > There is an example of manually encrypting/decrypting mail processed by the mail_crypt plugin here:
> > https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
> >
> > It outlines how one would manually encrypt/decrypt messages using global keys:
> >
> >     doveadm fs get/put crypt private_key_path=foo:public_key_path=foo2:posix:prefix=/path/to/files/root path/to/file
> >
> > Is there a way to accomplish this using per-user folder keys? Is there some way of making sense of the information in the dovecot-attributes file to accomplish this?
> >
> > --
> > Ben Burk
> > BURK.TECH System Administrator
>
> You can use
>
>     doveadm mailbox cryptokey export
>
> to export folder keys.
>
> Aki

--
Ben Burk
BURK.TECH System Administrator
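An added audit script, not from this thread or from the Dovecot project, for the situation Ben describes where `doveadm fs put crypt` without public_key_path leaves the output in clear text. It assumes that mail_crypt v2 files start with the 9-byte dcrypt stream magic "CRYPTED" 0x03 0x07 (an assumption about lib-dcrypt's on-disk format, not something stated in the thread); the sample Maildir it scans is constructed inline.

```shell
#!/bin/sh
# Added example (not from the thread or the Dovecot project).
# Assumption: mail_crypt v2 (mail_crypt_save_version = 2) stores each message
# as a dcrypt stream whose first 9 bytes are the magic "CRYPTED\003\007".
# A message without that prefix was written in clear text, which is what
# happens when `doveadm fs put crypt` runs without public_key_path.
MAIL_CRYPT_MAGIC_HEX=435259505445440307   # "CRYPTED" 0x03 0x07

# Exit 0 if FILE starts with the mail_crypt magic, 1 if not, 2 if unreadable.
is_mail_crypt_encrypted() {
    [ -r "$1" ] || return 2
    hdr=$(dd if="$1" bs=9 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$hdr" = "$MAIL_CRYPT_MAGIC_HEX" ]
}

# Walk MAILDIR/cur and MAILDIR/new, print each clear-text message and
# return 1 if any was found (0 when every message carries the magic).
audit_maildir_cleartext() {
    found=0
    for f in "$1"/cur/* "$1"/new/*; do
        [ -f "$f" ] || continue
        if ! is_mail_crypt_encrypted "$f"; then
            printf 'CLEARTEXT: %s\n' "$f"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample Maildir: one message with the magic, one plain RFC 822
# message. Prints the directory path so callers can inspect it.
make_sample_maildir() {
    d=$(mktemp -d) && mkdir -p "$d/cur" "$d/new" || return 1
    printf 'CRYPTED\003\007not-a-real-ciphertext' > "$d/cur/1.enc:2,S"
    printf 'From: a@example.test\n\nplain body\n' > "$d/cur/2.plain:2,S"
    printf '%s' "$d"
}

# Stand-alone run: audit the sample, then show the decrypt step from the thread.
if [ "${1:-}" = "--demo" ]; then
    dir=$(make_sample_maildir)
    audit_maildir_cleartext "$dir" || echo "clear-text mail found under $dir"
    # To read an encrypted file by hand, export the key first with
    #   doveadm mailbox cryptokey export
    # and then, with the exported private key on disk:
    #   doveadm fs get crypt private_key_path=KEY:posix:prefix=$dir/cur/ FILE
fi
```

Run it as `sh audit.sh --demo` to see the constructed clear-text message flagged; point `audit_maildir_cleartext` at a real Maildir folder to check what mail_crypt actually wrote.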