Backing up per user keys for mailcrypt
I am wondering how I can back up keys for mail users in their password-protected form, without exporting them from doveadm mailbox cryptokey export, which requires a password. The goal here is to perform routine backups to keep keys current. Relevant config is as follows:

mail_attribute_dict = file:%h/Maildir/dovecot-attributes
mail_plugins = $mail_plugins mail_crypt
plugin {
  mail_crypt_curve = secp521r1
  mail_crypt_save_version = 2
  mail_crypt_require_encrypted_user_key = yes
}

Am I correct in assuming I should back up the dovecot-attributes file? Are there any ancillary files that need to be backed up as well, such as indexes, to properly read and handle this file?
I have viewed the file and it appears there are several keys at play for a single mail user. Do different folders in a user's IMAP space have different encryption keys? Are all of these keys populated in this dovecot-attributes file?
Is there any established procedure for restoring keys? Is it as simple as placing the dovecot-attributes file, if that is in fact what needs to be backed up beforehand, to perform a restore?
-- Ben Burk BURK.TECH System Administrator
On 17/06/2021 19:59 Ben Burk <ben@burk.tech> wrote:
> I am wondering how I can back up keys for mail users in their password-protected form, without exporting them from doveadm mailbox cryptokey export, which requires a password. The goal here is to perform routine backups to keep keys current. Relevant config is as follows:
>
> mail_attribute_dict = file:%h/Maildir/dovecot-attributes
> mail_plugins = $mail_plugins mail_crypt
> plugin {
>   mail_crypt_curve = secp521r1
>   mail_crypt_save_version = 2
>   mail_crypt_require_encrypted_user_key = yes
> }
>
> Am I correct in assuming I should back up the dovecot-attributes file? Are there any ancillary files that need to be backed up as well, such as indexes, to properly read and handle this file?
> I have viewed the file and it appears there are several keys at play for a single mail user. Do different folders in a user's IMAP space have different encryption keys? Are all of these keys populated in this dovecot-attributes file?
> Is there any established procedure for restoring keys? Is it as simple as placing the dovecot-attributes file, if that is in fact what needs to be backed up beforehand, to perform a restore?
> -- Ben Burk BURK.TECH System Administrator

Hi!
You can just take a copy of the dovecot-attributes file as you suspected.
Aki
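
The copy-based backup described in the reply above, as an added example that is not from the thread or from the Dovecot project: it snapshots each user's dovecot-attributes file only when it has changed, verifies the copy, and keeps it owner-only. It assumes every mail home (%h) is a direct child of one root directory, and that a restore means putting the file back in place, which the thread asks about but does not confirm; the function names and backup layout are hypothetical.

```shell
#!/bin/sh
# Added example: snapshot and restore per-user dovecot-attributes files.
# Assumption: each mail home (%h) is MAIL_ROOT/<user>, so the file from the
# posted config lives at MAIL_ROOT/<user>/Maildir/dovecot-attributes.
umask 077   # snapshots hold password-protected private keys: owner-only

# backup_attrs MAIL_ROOT BACKUP_ROOT  -> prints number of new snapshots
backup_attrs() {
    mail_root=$1 backup_root=$2 written=0
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    for src in "$mail_root"/*/Maildir/dovecot-attributes; do
        [ -f "$src" ] || continue               # no match or not a file
        user=${src#"$mail_root"/}; user=${user%%/*}
        dest_dir=$backup_root/$user
        mkdir -p "$dest_dir"
        latest=$dest_dir/latest
        # Unchanged since the last snapshot: nothing to do.
        if [ -f "$latest" ] && cmp -s "$src" "$latest"; then continue; fi
        tmp=$dest_dir/.tmp.$$
        cp -p "$src" "$tmp" || { rm -f "$tmp"; return 1; }
        # Reject the copy if the source changed while it was being read.
        cmp -s "$src" "$tmp" || { rm -f "$tmp"; return 1; }
        mv "$tmp" "$dest_dir/dovecot-attributes.$stamp"
        ln -sf "dovecot-attributes.$stamp" "$latest"
        written=$((written + 1))
    done
    echo "$written"
}

# restore_attrs BACKUP_ROOT USER MAIL_ROOT
# Assumption: restoring is putting the file back; the thread does not confirm it.
restore_attrs() {
    snap=$1/$2/latest target=$3/$2/Maildir/dovecot-attributes
    [ -f "$snap" ] || return 1                  # no snapshot for this user
    # Keep whatever is being replaced so the restore can be undone.
    [ -f "$target" ] && cp -p "$target" "$target.pre-restore"
    # Write beside the target, then rename, so readers never see half a file.
    cp -p "$snap" "$target.new" && mv "$target.new" "$target"
}

# Usage (paths are placeholders):
#   backup_attrs /path/to/mailhomes /path/to/backups
#   restore_attrs /path/to/backups someuser /path/to/mailhomes
```

Run it as a user that can read every mail home; `cp -p` keeps the file mode and, when run as root, the owner.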