Doveadm encrypt/decrypt files manually with per-user folder keys

Ben Burk ben at burk.tech
Thu Jul 1 05:19:20 EEST 2021


I think I've been able to print/export what I think are user keys with 
the -U flag:


user@testbox:~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user -U
Folder:
Public ID: 3498hg355a86c3c924a5841bb2e5c6e1b0c5496d5116c4fcb9askdjfalk34
Error:
-----BEGIN PRIVATE KEY-----
***REDACTED***
-----END PRIVATE KEY-----


user@testbox:~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey list -u user -U
Folder Active Public ID
        yes 3498hg355a86c3c924a5841bb2e5c6e1b0c5496d5116c4fcb9askdjfalk34



However, I can't seem to get the tool to print/export folder keys:


user@testbox:~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey list -u user test
doveadm(user): Warning: mailbox cryptokey list: Nothing was matched. Use -U or specify mask?
Folder Active Public ID
user@testbox:~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey list -u user test/
doveadm(user): Warning: mailbox cryptokey list: Nothing was matched. Use -U or specify mask?
Folder Active Public ID


user@testbox:~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user
user@testbox:~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user test/
user@testbox:~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user test
user@testbox:~$ sudo -u vmail doveadm -o plugin/mail_crypt_private_password="${pass}" mailbox cryptokey export -u user *
user@testbox:~$



In the examples above, I was attempting to select keys for the 'test' 
IMAP mail folder. I may just be misunderstanding the 
encryption/decryption operations here, and possibly the mask parameter. 
When I run the below command, it outputs the '.test.out' file but the 
file is not encrypted, presumably because the public key was not specified:


sudo -u vmail doveadm fs put crypt private_key_path=/tmp/doveadm_TvZAjG16218-30778:posix:prefix=/var/mail/domain/user/Maildir/test/cur/ 1561754561.M105295P13988.smtp\,S\=3700\,W\=3780\:2\,RS .test.out



What is the correct syntax to export folder keys, assuming that what I 
have exported above are the user keys? Do you need to specify both 
private/public keys when encrypting/decrypting? I wouldn't think so. 
Typically all that is needed for encryption is the public key, and for 
decryption the private key.



My mail_crypt settings:


mail_attribute_dict = file:%h/Maildir/dovecot-attributes
mail_plugins = $mail_plugins mail_crypt

plugin {
   mail_crypt_curve = secp521r1
   mail_crypt_save_version = 2
   mail_crypt_require_encrypted_user_key = yes
}


On 6/29/21 1:11 AM, Aki Tuomi wrote:
>> On 29/06/2021 06:05 Ben Burk <ben at burk.tech> wrote:
>>
>>
>> There is an example of manually encrypting/decrypting mail processed by the mail_crypt plugin here:
>> https://doc.dovecot.org/configuration_manual/mail_crypt_plugin/
>>
>>
>> It outlines how one would manually encrypt/decrypt messages using global keys:
>> doveadm fs get/put crypt private_key_path=foo:public_key_path=foo2:posix:prefix=/path/to/files/root path/to/file
>>
>>
>>
>> Is there a way to accomplish this using per-user folder keys? Is there some way of making sense of the information in the dovecot-attributes file to accomplish this?
>>
>> -- 
>> Ben Burk
>> BURK.TECH System Administrator
> You can use
>
> doveadm mailbox cryptokey export
>
> to export folder keys.
>
> Aki
>
-- 
Ben Burk
BURK.TECH System Administrator
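The message above asks whether both the private and the public key must be supplied when encrypting or decrypting. The script below is an added illustration of the general answer; it is not from this thread and is not Dovecot's mail_crypt code or its on-disk container format. It builds a hybrid scheme of the kind such per-user EC keys are used for: an EC key pair on secp521r1 (the curve from the configuration above), ECDH with a fresh ephemeral key per file, and AES for the payload. Encrypting uses only the recipient's public key; decrypting uses only the recipient's private key. The function names, the toy `-----CIPHERTEXT-----` separator, the SHA-256 key derivation and the sample message are this example's own assumptions, and it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added illustration, not Dovecot's mail_crypt code or its on-disk format:
# hybrid encryption with an EC "user key" on secp521r1. Encrypting needs only
# the recipient's PUBLIC key; decrypting needs only the recipient's PRIVATE
# key. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)                 # scratch directory for keys and files
trap 'rm -rf "$WORK"' EXIT

# gen_keypair NAME: writes NAME.priv.pem and NAME.pub.pem into $WORK.
gen_keypair() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp521r1 \
    -out "$WORK/$1.priv.pem" 2>/dev/null
  openssl pkey -in "$WORK/$1.priv.pem" -pubout -out "$WORK/$1.pub.pem" 2>/dev/null
}

# derive_key OWN_PRIV PEER_PUB: ECDH shared secret, hashed to a 256-bit hex key
# (this example's own, simple key derivation).
derive_key() {
  openssl pkeyutl -derive -inkey "$1" -peerkey "$2" | openssl dgst -sha256 | awk '{print $NF}'
}

# encrypt_file RECIPIENT_PUB SRC DST: only the recipient's public key is used.
# A fresh ephemeral key pair is generated per file; its public half is stored
# in the output so the recipient can repeat the ECDH derivation later.
encrypt_file() {
  pub=$1; src=$2; dst=$3
  eph=$(mktemp "$WORK/eph.XXXXXX")
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp521r1 -out "$eph" 2>/dev/null
  openssl pkey -in "$eph" -pubout -out "$eph.pub" 2>/dev/null
  key=$(derive_key "$eph" "$pub")
  {
    cat "$eph.pub"                              # ephemeral public key (PEM)
    printf '%s\n' '-----CIPHERTEXT-----'        # toy separator, this example's own
    openssl enc -aes-256-cbc -pbkdf2 -pass "pass:$key" -a -in "$src"
  } > "$dst"
  rm -f "$eph" "$eph.pub"                       # ephemeral private key is never kept
}

# decrypt_file RECIPIENT_PRIV SRC DST: only the recipient's private key is used.
decrypt_file() {
  priv=$1; src=$2; dst=$3
  ephpub=$(mktemp "$WORK/ephpub.XXXXXX")
  sed '/^-----CIPHERTEXT-----$/,$d' "$src" > "$ephpub"   # recover ephemeral pubkey
  key=$(derive_key "$priv" "$ephpub")
  sed '1,/^-----CIPHERTEXT-----$/d' "$src" \
    | openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$key" -a -out "$dst"
  rm -f "$ephpub"
}

# demo_roundtrip: a constructed sample message survives encrypt -> decrypt,
# and the ciphertext file does not contain the plaintext.
demo_roundtrip() {
  gen_keypair user
  printf 'Subject: test\n\nhello folder keys\n' > "$WORK/msg.eml"   # constructed sample
  encrypt_file "$WORK/user.pub.pem"  "$WORK/msg.eml" "$WORK/msg.enc"
  decrypt_file "$WORK/user.priv.pem" "$WORK/msg.enc" "$WORK/msg.dec"
  cmp -s "$WORK/msg.eml" "$WORK/msg.dec" && ! grep -q 'hello folder keys' "$WORK/msg.enc"
}

# demo_wrong_key_fails: another user's private key cannot recover the message.
demo_wrong_key_fails() {
  gen_keypair other
  rm -f "$WORK/msg.bad"
  decrypt_file "$WORK/other.priv.pem" "$WORK/msg.enc" "$WORK/msg.bad" 2>/dev/null || true
  ! cmp -s "$WORK/msg.eml" "$WORK/msg.bad"
}

demo_roundtrip && echo "round trip OK: public key to encrypt, private key to decrypt"
demo_wrong_key_fails && echo "wrong private key: plaintext not recovered"
```

Run it with `sh`; the point to take from it is the asymmetry: the encrypting side holds no private key of the recipient at all, and the decrypting side needs the recipient's private key plus the ephemeral public key that travels with the ciphertext, which is why a private key alone is enough for `get` and a public key alone is enough for `put`.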


