mail_crypt_acl_require_secure_key_sharing
Default | no |
---|---|
Value | boolean |
If enabled, you cannot share a key to groups or someone without a public key.
Appearance
The mail crypt plugin is used to secure email messages stored in a Dovecot system. Messages are encrypted before written to storage and decrypted after reading. Both operations are transparent to the user.
In case of unauthorized access to the storage backend, the messages will, without access to the decryption keys, be unreadable to the offending party.
There can be a single encryption key for the whole system or each user can have a key of their own. The used cryptographical methods are widely used standards and keys are stored in portable formats, when possible.
The use of mail crypt plugin depends on a user having a keypair, a private and a public key, for asymmetric cryptography. These keys are provisioned in a variable via the user database or directly from Dovecot configuration files.
The public half of the provisioned keypairs are used to generate and encrypt keys for symmetric encryption. The symmetric keys are used to encrypt and decrypt individual files. Symmetric encryption is faster and more suitable for block mode storage encryption. The symmetric key used to encrypt a file is stored, after being encrypted with the public asymmetric key, together with the file.
The mail crypt plugin provides encryption at rest for emails.
Encryption of the messages is performed using the symmetric Advanced Encryption Standard (AES) algorithm in Galois/Counter Mode (GCM) with 256 bit keys. Integrity of the data is ensured using Authenticated Encryption with Associated Data (AEAD) with SHA256 hashing.
The encryption keys for the symmetric encryption are randomly generated. These keys in turn are encrypted using a key derived with from the provisioned private key.
Provisioned private keys can be Elliptic Curve (EC) keys or RSA Encryption is done using the Integrated Encryption Scheme (IES). This algorithm is usable both with EC and RSA keys.
Using per-folder keys is not considered production quality, but global keys are fine.
Note
Improper configuration or use can make your emails unrecoverable! Treat encryption with care and backup encryption keys!
This page assumes you are using configuring mail encryption from scratch with a recent version of Dovecot. If you are upgrading from an older version, see mail_crypt_save_version
for possible backwards compatibility issues.
mail_crypt_acl_require_secure_key_sharing
Default | no |
---|---|
Value | boolean |
If enabled, you cannot share a key to groups or someone without a public key.
mail_crypt_curve
Default | no |
---|---|
Value | string |
Defines the elliptic curve to use for key generation.
Any valid curve supported by the underlying cryptographic library is allowed.
Example:
plugin {
mail_crypt_curve = secp521r1
}
This must be set if you wish to use folder keys rather than global keys.
With global keys (either RSA or EC keys), all keying material is taken from the plugin environment and no key generation is performed.
In folder-keys mode, a key pair is generated for the user, and a folder-specific key pair is generated. The latter is encrypted by means of the user's key pair.
For EdDSA, you need to use X448 or X25519, case sensitive.
mail_crypt_global_private_key
Default | [None] |
---|---|
Value | string |
Private key(s) to decrypt files. Key(s) must be in PEM format, using pkey format.
You can define multiple keys by appending an increasing number to the
setting label, e.g.: mail_crypt_global_private_key2
.
mail_crypt_global_public_key
Default | [None] |
---|---|
Value | string |
Public key to encrypt files. Key must be in PEM format, using pkey format.
mail_crypt_private_key
Default | [None] |
---|---|
Value | string |
Private key to decrypt user's master key. Key must be in PEM format, using pkey format.
mail_crypt_private_password
Default | [None] |
---|---|
Value | string |
Password to decrypt user's master key or environment private key.
mail_crypt_require_encrypted_user_key
Default | [None] |
---|---|
Value | boolean |
If true, require user key encryption with password.
mail_crypt_save_version
Default | 2 |
---|---|
Value | unsigned integer |
Sets the version of the mail_crypt compatibility desired.
Version | Description |
---|---|
0 |
Decryption is active; no encryption occurs. |
1 |
Do not use (implemented for legacy reasons only). |
2 |
Encryption and decryption are active. |
While mail crypt plugin does not support setting encryption algorithm, it is possible to specify one with FS crypt.
Dovecot supports all algorithms in OpenSSL that have an OID assigned, and additionally few more (with official OIDs).
In particular, XTS, CCM and CTR modes are not supported, due to the way they would need to be handled. Some operating systems limit the available algorithms with policies.
It is recommended to use AES-GCM or ChaCha20-Poly1305 algorithm, with SHA256 or greater.
Algorithm setting format is <algorithm name>‐<mode>‐<hash algorithm;>. E.g. aes-256-gcm-sha256
or chacha20-poly1305-sha256
.
Note that hash algorithm is used for various hashing purposes, not just data integrity, so it is always required.
Files encrypted with one algorithm can be decrypted even if the configuration specifies different algorithm, as the parameters are stored in the file.
List of known algorithms that Dovecot supports as of writing.
Encryption algorithm | Supported size | Supported modes |
---|---|---|
chacha20 | - | poly13051,3 |
aes | 128, 192, 256 | gcm1, cbc2 |
camellia | 128, 192, 256 | cbc2 |
aria | 128, 192, 256 | cbc2 |
seed | - | cbc2 |
sm4 | - | cbc2 |
des-ede3 | - | cbc2 |
1 Uses AEAD integrity.
2 Uses HMAC integrity.
3 Requires recent enough OpenSSL.
Plugin settings may be dynamically set via userdb extra fields. To provide mail_crypt_global_private_key
and mail_crypt_global_public_key
as userdb attributes, you can base64 encode the original contents, such as PEM file. For example,
$ cat ecprivkey.pem | base64 -w0
All external keys must be in PEM format, using pkey format.
Mail crypt plugin can operate using either global keys or folder keys. Using both is not supported. To perform any encryption, mail_crypt_save_version
must be specified and non-zero.
In this mode, the user is generated a key pair, and each folder is generated a key pair, which is encrypted using the user's key pair. A user can have more than one key pair but only one can be active.
mail_crypt_save_version
must be 2
.
mail_crypt_curve
must be set.
mail_attribute_dict
must be set, as is is used to store the keys.
In this version of the folder keys mode, the users' private key is stored unencrypted on the server.
Example config for folder keys with Maildir:
mail_attribute_dict = file:%h/Maildir/dovecot-attributes
mail_plugins = $mail_plugins mail_crypt
plugin {
mail_crypt_curve = secp521r1
mail_crypt_save_version = 2
}
In this version of the folder keys mode, the users private key is stored encrypted on the server.
Example config for mandatory encrypted folder keys with Maildir:
mail_attribute_dict = file:%h/Maildir/dovecot-attributes
mail_plugins = $mail_plugins mail_crypt
plugin {
mail_crypt_curve = secp521r1
mail_crypt_save_version = 2
mail_crypt_require_encrypted_user_key = yes
}
The password that is used to decrypt the users master/private key, must be provided via password query:
# File: /etc/dovecot/dovecot-sql.conf.ext
password_query = SELECT \
email as user, password, \
'%w' AS userdb_mail_crypt_private_password \
FROM virtual_users WHERE email='%u';
DO NOT use password directly. It can contain %
which is interpreted as variable expansion and can cause errors. Also, it might be visible in debug logging. Suggested approaches are base64 encoding, hex encoding or hashing the password. With hashing, you get the extra benefit that password won't be directly visible in logs.
Another issue that you must consider when using user's password is that when the password changes, you must re-encrypt the user private key.
In this mode, all keying material is taken from plugin environment. You can use either Elliptic Curve (EC) keys (recommended) or RSA keys. No key generation is automatically performed.
A good solution for environments where no user folder sharing is needed is to generate per-user EC key pair and encrypt that with something derived from user's password. The benefit is that it can be easier to do key management when you can do the EC re-encryption steps in case of password change in your user database instead of dovecot's database.
You should not configure mail_crypt_curve
when using global keys.
In order to generate an EC key, you must first choose a curve from the output of this command:
$ openssl ecparam -list_curves
If you choose the curve prime256v1
, generate an EC key with the command:
$ openssl ecparam -name prime256v1 -genkey | openssl pkey -out ecprivkey.pem
Then generate a public key out of your private EC key
$ openssl pkey -in ecprivkey.pem -pubout -out ecpubkey.pem
These keys can now be used with this configuration:
mail_plugins = $mail_plugins mail_crypt
plugin {
mail_crypt_global_private_key = <ecprivkey.pem
mail_crypt_global_public_key = <ecpubkey.pem
mail_crypt_save_version = 2
}
If you have an EC private key which begins with something like:
-----BEGIN EC PRIVATE KEY-----
With possibly parameters like this before that:
-----BEGIN EC PARAMETERS-----
BgUrgQQACg==
-----END EC PARAMETERS-----
You must convert it to pkey format with:
$ openssl pkey -in oldkey.pem -out newkey.pem
Then newkey.pem
can be used with mail-crypt plugin.
Added: 3.0.0
You can use EdSDA keys by using algorithm X25519
or X448
(case sensitive).
To generate a suitable keypair, use
$ openssl genpkey -algorithm X448 -out edprivkey.pem
$ openssl pkey -in private.pem -pubout -out edpubkey.pem
Note that ED25519 keys are not suitable for X25519.
WARNING
Use of RSA keys is discouraged, please use mail_crypt_curve
instead.
You can generate an unencrypted RSA private key in the pkey format with the command:
$ openssl genpkey -algorithm RSA -out rsaprivkey.pem
Alternatively, you can generate a password encrypted private key with:
$ openssl genpkey -algorithm RSA -out rsaprivkey.pem -aes-128-cbc -pass pass:qwerty
This does make the password show up in the process listing, so it can be visible for everyone on the system.
Regardless of whether you generated an unencrypted or password encrypted private key, you can generate a public key out of it with:
$ openssl pkey -in rsaprivkey.pem -pubout -out rsapubkey.pem
These keys can then be used with this configuration:
mail_plugins = $mail_plugins mail_crypt
plugin {
mail_crypt_global_private_key = <rsaprivkey.pem
mail_crypt_global_private_password = qwerty
mail_crypt_global_public_key = <rsapubkey.pem
mail_crypt_save_version = 2
}
Mail-crypt plugin can read keys that are base64 encoded. This is intended mostly for providing PEM keys via userdb.
Hence, this is possible:
$ openssl ecparam -name secp256k1 -genkey | openssl pkey | base64 -w0 > ecprivkey.pem
$ base64 -d ecprivkey.pem | openssl ec -pubout | base64 -w0 > ecpubkey.pem
passdb {
driver = static
args = password=pass mail_crypt_global_public_key=<content of ecpubkey.pem> mail_crypt_global_private_key=<content of ecprivkey.pem>
}
mail_plugins = $mail_plugins mail_crypt
plugin {
mail_crypt_save_version = 2
}
mail_crypt_save_version = 0
) If you have encrypted mailboxes that you need to read, but no longer want to encrypt new mail, use mail_crypt_save_version = 0
:
plugin {
mail_crypt_save_version = 0
mail_crypt_global_private_key = <server.key
}
If you are using global keys, mails can be shared within the key scope. The global key can be provided with several different scopes:
dovecot.conf
fileWith folder keys, key sharing can be done to single user, or to multiple users. When a key is shared to a single user, and the user has a public key available, the folder key is encrypted using recipient's public key. This requires the mail_crypt_acl
plugin, which will enable accessing the encrypted shared folders.
If you have mail_crypt_acl_require_secure_key_sharing
enabled, you can't share the key to groups or someone with no public key.
You can use decrypt.rb
to decrypt encrypted files.
fs-crypt is a lib-fs wrapper that can encrypt and decrypt files. It works similarly to the fs-compress wrapper. It can be used to encrypt, e.g.:
fs-crypt comes in two flavors, mail-crypt
and crypt
. (The differences between the two are technical and related to internal code contexts.)
Note that fs-[mail-]crypt and the fs-compress wrapper can be also combined. Please make sure that compression is always applied before encryption. See fs-compress plugin for an example and more details about compression.
Currently the fs-crypt plugin requires that all the files it reads are encrypted. If it sees an unencrypted file it'll fail to read it. The plan is to fix this later.
WARNING
Changed: 3.0.0 fs-crypt requires encryption keys by default.
FS driver syntax:
Note
All parameters to mail-crypt are optional.
crypt:[maybe:][algo=<s>:][set_prefix=<n>:][private_key_path=/path:][public_key_path=/path:][password=password:]<parent fs>
Parameters:
Key | Value |
---|---|
maybe | Allow missing encryption keys. Added: 3.0.0 |
algo | Encryption algorithm. Default is aes-256-gcm-sha256 . |
password | Password for decrypting public key. |
private_key_path | Path to private key. |
public_key_path | Path to public key. |
set_prefix | Read <set_prefix>_public_key and <set_prefix>_private_key . Default is mail_crypt_global . |
Example:
plugin {
fts_index_fs = crypt:set_prefix=fscrypt_index:posix:prefix=/tmp/fts
fscrypt_index_public_key = <server.pub
fscrypt_index_private_key = <server.key
}
To encrypt/decrypt files manually, you can use:
$ doveadm fs get/put crypt private_key_path=foo:public_key_path=foo2:posix:prefix=/path/to/files/root path/to/file
TIP
For doveadm commands that are working with password protected keys, the global -o
option should be used to provide the password. Example:
$ doveadm -o plugin/mail_crypt_private_password=some_password <...doveadm command...>
mailbox cryptokey export
Exports user or folder private keys.
CLI
doveadm mailbox cryptokey export [-U] <mailbox> [-A] [-S socket-path] [-u user]
Argument(s) | Type | Description |
---|---|---|
-U | boolean | Operate on user keypair only. |
mailbox | string | Mailbox mask. |
-A | boolean | Apply operation to all users. |
-S | string | Path to doveadm socket. |
-u | string | UID of user to apply operation to. |
Parameter | Type | Description |
---|---|---|
userKey | boolean | Operate on user keypair only. |
mailbox | string | Mailbox mask. |
allUsers | boolean | Apply operation to all users. |
socketPath | string | Path to doveadm socket. |
user | string | UID of user to apply operation to. |
mailbox cryptokey generate
Generate new keypair for user or folder.
To generate new active user key and re-encrypt all your keys with it can be done with
doveadm mailbox cryptokey generate -u username -UR
This can be used to generate new user keypair and re-encrypt and create folder keys.
Note
You must provide a password if you want to generate password-protected
keypair right away. You can also use doveadm mailbox cryptokey password
to secure it.
CLI
doveadm mailbox cryptokey generate [-U] [-R] [-f] <mailbox> [-A] [-S socket-path] [-u user]
Argument(s) | Type | Description |
---|---|---|
-U | boolean | Operate on user keypair only. |
-R | boolean | Re-encrypt all folder keys with current active user key |
-f | boolean | Force keypair creation, normally keypair is only created if none found. |
mailbox | string | Mailbox mask. |
-A | boolean | Apply operation to all users. |
-S | string | Path to doveadm socket. |
-u | string | UID of user to apply operation to. |
Parameter | Type | Description |
---|---|---|
userKeyOnly | boolean | Operate on user keypair only. |
reEncryptBoxKeys | boolean | Re-encrypt all folder keys with current active user key |
force | boolean | Force keypair creation, normally keypair is only created if none found. |
mailbox | string | Mailbox mask. |
allUsers | boolean | Apply operation to all users. |
socketPath | string | Path to doveadm socket. |
user | string | UID of user to apply operation to. |
mailbox cryptokey list
List all keys for user or mailbox.
CLI
doveadm mailbox cryptokey list [-U] <mailbox> [-A] [-S socket-path] [-u user]
Argument(s) | Type | Description |
---|---|---|
-U | boolean | Operate on user keypair only. |
mailbox | string | Mailbox mask. |
-A | boolean | Apply operation to all users. |
-S | string | Path to doveadm socket. |
-u | string | UID of user to apply operation to. |
Parameter | Type | Description |
---|---|---|
userKey | boolean | Operate on user keypair only. |
mailbox | string | Mailbox mask. |
allUsers | boolean | Apply operation to all users. |
socketPath | string | Path to doveadm socket. |
user | string | UID of user to apply operation to. |
mailbox cryptokey password
Sets, changes or clears password for user's private key.
CLI
doveadm mailbox cryptokey password [-C] [-N] [-n new-password] [-O] [-o old-password] [-A] [-S socket-path] [-u user]
Argument(s) | Type | Description |
---|---|---|
-C | boolean | Clear password. |
-N | boolean | Ask new password. |
-n | string | New password. |
-O | boolean | Ask old password. |
-o | string | Old password. |
-A | boolean | Apply operation to all users. |
-S | string | Path to doveadm socket. |
-u | string | UID of user to apply operation to. |
Parameter | Type | Description |
---|---|---|
clearPassword | boolean | Clear password. |
askNewPassword | boolean | Ask new password. |
newPassword | string | New password. |
askOldPassword | boolean | Ask old password. |
oldPassword | string | Old password. |
allUsers | boolean | Apply operation to all users. |
socketPath | string | Path to doveadm socket. |
user | string | UID of user to apply operation to. |