Doveadm encrypt/decrypt files manually with per-user folder keys
There is an example of manually encrypting/decrypting mail processed by the mail_crypt plugin here:
https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
It outlines how one would manually encrypt/decrypt messages using global keys:
doveadm fs get/put crypt private_key_path=foo:public_key_path=foo2:posix:prefix=/path/to/files/root path/to/file
Is there a way to accomplish this using per-user folder keys? Is there some way of making sense of the information in the dovecot-attributes file to accomplish this?
-- Ben Burk BURK.TECH System Administrator
On 29/06/2021 06:05 Ben Burk <ben@burk.tech> wrote:
There is an example of manually encrypting/decrypting mail processed by the mail_crypt plugin here: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
It outlines how one would manually encrypt/decrypt messages using global keys: doveadm fs get/put crypt private_key_path=foo:public_key_path=foo2:posix:prefix=/path/to/files/root path/to/file
Is there a way to accomplish this using per-user folder keys? Is there some way of making sense of the information in the dovecot-attributes file to accomplish this?
-- Ben Burk BURK.TECH System Administrator
You can use
doveadm mailbox cryptokey export
to export folder keys.
Aki
I think I've been able to print/export what I think are user keys with the -U flag: user@testbox :~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user -U Folder: Public ID: 3498hg355a86c3c924a5841bb2e5c6e1b0c5496d5116c4fcb9askdjfalk34 Error: -----BEGIN PRIVATE KEY----- ***REDACTED*** -----END PRIVATE KEY----- user@testbox :~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey list -u user -U Folder Active Public ID yes 3498hg355a86c3c924a5841bb2e5c6e1b0c5496d5116c4fcb9askdjfalk34 However, I can't seem to get the tool to print/export folder keys: user@testbox :~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey list -u user test doveadm(user): Warning: mailbox cryptokey list: Nothing was matched. Use -U or specify mask? Folder Active Public ID user@testbox :~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey list -u user test/ doveadm(user): Warning: mailbox cryptokey list: Nothing was matched. Use -U or specify mask? Folder Active Public ID user@testbox :~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user user@testbox :~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user test/ user@testbox :~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user test user@testbox :~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user * user@testbox :~$ In the examples above, I was attempting to select keys for the 'test' IMAP mail folder. I may just be misunderstanding the encryption/decryption operations here, and possibly the mask parameter. When I run the below command, it outputs the '.test.out' file but the file is not encrypted, presumably because the public key was not specified: sudo -u vmail doveadm fs put crypt private_key_path=/tmp/doveadm_TvZAjG16218-30778:posix:prefix=/var/mail/domain/user/Maildir/test/cur/ 1561754561.M105295P13988.smtp\,S\=3700\,W\=3780\:2\,RS .test.out What is the correct syntax to export folder keys, assuming that what I have exported above are the user keys? Do you need to specify both private/public keys when encrypting/decrypting? I wouldn't think so. Typically all that is needed for encryption is the public key, and for decryption the private key. My mail_crypt settings: mail_attribute_dict = file:%h/Maildir/dovecot-attributes mail_plugins = $mail_plugins mail_crypt plugin { mail_crypt_curve = secp521r1 mail_crypt_save_version = 2 mail_crypt_require_encrypted_user_key = yes } On 6/29/21 1:11 AM, Aki Tuomi wrote:
On 29/06/2021 06:05 Ben Burk <ben@burk.tech> wrote:
There is an example of manually encrypting/decrypting mail processed by the mail_crypt plugin here: https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
It outlines how one would manually encrypt/decrypt messages using global keys: doveadm fs get/put crypt private_key_path=foo:public_key_path=foo2:posix:prefix=/path/to/files/root path/to/file
Is there a way to accomplish this using per-user folder keys? Is there some way of making sense of the information in the dovecot-attributes file to accomplish this?
-- Ben Burk BURK.TECH System Administrator You can use
doveadm mailbox cryptokey export
to export folder keys.
Aki
-- Ben Burk BURK.TECH System Administrator
One more question and I think I should be ok. I just need to encrypt unencrypted mails after having originally enabled mail_crypt.
I've determined how to decrypt encrypted mails from command line using the private key for the mail folder, like so:
sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user test | awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/' | sudo -u vmail tee /tmp/doveadm_HfztmQ-6192-3032
/dev/null 2>&1
sudo -u vmail doveadm fs get crypt private_key_path=/tmp/doveadm_HfztmQ-6192-3032:posix:prefix=/var/mail/domain/user/Maildir/test/cur/ 1626274985.M269696P3026.smtp\,S\=11765\,W\=12153\:2\,S
However, I'm still not sure how I'm supposed to export the public key to do the encryption operation on unencrypted mail. The only keys that I've been able to export for this folder-key system are the private keys per folder and the private keys for the user:
sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user test
sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user -U
I've tried with
On 7/12/21 1:25 AM, Aki Tuomi wrote:
Try
sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user '*'
(note the '*')
Aki
-- Ben Burk BURK.TECH System Administrator
-- Ben Burk BURK.TECH System Administrator
On 14/07/2021 18:31 Ben Burk <ben@burk.tech> wrote:
One more question and I think I should be ok. I just need to encrypt unencrypted mails after having originally enabled mail_crypt.
I've determined how to decrypt encrypted mails from command line using the private key for the mail folder, like so:
sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user test | awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/' | sudo -u vmail tee /tmp/doveadm_HfztmQ-6192-3032
/dev/null 2>&1
sudo -u vmail doveadm fs get crypt private_key_path=/tmp/doveadm_HfztmQ-6192-3032:posix:prefix=/var/mail/domain/user/Maildir/test/cur/ 1626274985.M269696P3026.smtp\,S\=11765\,W\=12153\:2\,S
However, I'm still not sure how I'm supposed to export the public key to do the encryption operation on unencrypted mail. The only keys that I've been able to export for this folder-key system are the private keys per folder and the private keys for the user:
sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user test
sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user -U
I've tried with
On 7/12/21 1:25 AM, Aki Tuomi wrote:
Try
sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user '*'
(note the '*')
Aki
-- Ben Burk BURK.TECH System Administrator
-- Ben Burk BURK.TECH System Administrator
I don't think you can realistically encrypt those emails by hand. I mean with maildir it's "doable", but will require doing it with some external script. Maybe use doveadm import
to import them from somewhere?
Aki
To anyone sifting through this mailing list in the future, I was able to accomplish manual encryption by moving mail or folders. This can be done in the client or through doveadm move.
On 7/14/21 11:00 AM, Aki Tuomi wrote:
On 14/07/2021 18:31 Ben Burk <ben@burk.tech> wrote:
One more question and I think I should be ok. I just need to encrypt unencrypted mails after having originally enabled mail_crypt.
I've determined how to decrypt encrypted mails from command line using the private key for the mail folder, like so:
sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user test | awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/' | sudo -u vmail tee /tmp/doveadm_HfztmQ-6192-3032
/dev/null 2>&1
sudo -u vmail doveadm fs get crypt private_key_path=/tmp/doveadm_HfztmQ-6192-3032:posix:prefix=/var/mail/domain/user/Maildir/test/cur/ 1626274985.M269696P3026.smtp\,S\=11765\,W\=12153\:2\,S
However, I'm still not sure how I'm supposed to export the public key to do the encryption operation on unencrypted mail. The only keys that I've been able to export for this folder-key system are the private keys per folder and the private keys for the user:
sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user test
sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user -U
I've tried with
On 7/12/21 1:25 AM, Aki Tuomi wrote:
Try
sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user '*'
(note the '*')
Aki
-- Ben Burk BURK.TECH System Administrator
Ben Burk BURK.TECH System Administrator I don't think you can realistically encrypt those emails by hand. I mean with maildir it's "doable", but will require doing it with some external script. Maybe use
doveadm import
to import them from somewhere?Aki
-- Ben Burk BURK.TECH System Administrator
participants (2)
-
Aki Tuomi
-
Ben Burk