@@ -135,78 +135,6 @@ List of known algorithms that Dovecot supports as of writing.
135135Mail crypt plugin can operate using ** either** global keys or folder keys.
136136Using both is not supported.
137137
138- ### Folder Keys Mode
139-
140- In this mode, for the user a key pair is generated. Then for each folder a key
141- pair is generated. This folder is encrypted using the user's key pair. A user
142- can have more than one key pair but only one can be active.
143-
144- * [[ setting,crypt_user_key_curve]] must be set.
145- * [[ setting,mail_attribute]] must be set, as is is used to store the keys.
146-
147- #### Unencrypted User Keys
148-
149- In this version of the folder keys mode, each user's private key is stored
150- unencrypted on the server.
151-
152- Example config for folder keys with Maildir:
153-
154- ``` [dovecot.conf]
155- mail_plugins {
156- mail_crypt = yes
157- }
158- mail_attribute {
159- dict file {
160- path = %{home}/Maildir/dovecot-attributes
161- }
162- }
163-
164- crypt_user_key_curve = secp521r1
165- ```
166-
167- #### Encrypted User Keys
168-
169- In this version of the folder keys mode, the users private key is stored
170- encrypted on the server.
171-
172- Example config for mandatory encrypted folder keys with Maildir:
173-
174- ``` [dovecot.conf]
175- mail_plugins {
176- mail_crypt = yes
177- }
178- mail_attribute {
179- dict file {
180- path = %{home}/Maildir/dovecot-attributes
181- }
182- }
183-
184- crypt_user_key_curve = secp521r1
185- crypt_user_key_require_encrypted = yes
186- ```
187-
188- The password that is used to decrypt the users master/private key, must be
189- provided via password query:
190-
191- ``` [dovecot.conf]
192- passdb sql {
193- query = SELECT email as user, password, '%{password | sha256}' AS userdb_crypt_user_key_password \
194- FROM virtual_users \
195- WHERE email='%{user}'
196- }
197- ```
198-
199- #### Choosing Encryption Password
200-
201- DO NOT use passwords directly. It can contain ` % ` which is interpreted as
202- variable expansion and can cause errors. Also, it might be visible in
203- debug logging. Suggested approaches are base64 encoding, hex encoding
204- or hashing the password. With hashing, you get the extra benefit that
205- password won't be directly visible in logs.
206-
207- Another issue that you must consider when using user's password is that
208- when the password changes, ** you must re-encrypt the user private key** .
209-
210138### Global keys
211139
212140In this mode, all keying material is taken from the settings:
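Review bot: the deletion leaves `### Global keys` as the first subsection directly under "Using both is not supported.", while the sibling heading being relocated below it is `### Folder Keys Mode`; the two headings now sit side by side with different capitalization, so consider retitling the context line to `### Global Keys` in this same change. The removed span is 72 lines (78 minus 6 context), which matches the 72 lines added by the second hunk, so the move itself looks complete.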
@@ -344,6 +272,78 @@ crypt_global_private_key main {
344272}
345273```
346274
275+ ### Folder Keys Mode
276+
277+ In this mode, for the user a key pair is generated. Then for each folder a key
278+ pair is generated. This folder is encrypted using the user's key pair. A user
279+ can have more than one key pair but only one can be active.
280+
281+ * [[ setting,crypt_user_key_curve]] must be set.
282+ * [[ setting,mail_attribute]] must be set, as is is used to store the keys.
283+
284+ #### Unencrypted User Keys
285+
286+ In this version of the folder keys mode, each user's private key is stored
287+ unencrypted on the server.
288+
289+ Example config for folder keys with Maildir:
290+
291+ ``` [dovecot.conf]
292+ mail_plugins {
293+ mail_crypt = yes
294+ }
295+ mail_attribute {
296+ dict file {
297+ path = %{home}/Maildir/dovecot-attributes
298+ }
299+ }
300+
301+ crypt_user_key_curve = secp521r1
302+ ```
303+
304+ #### Encrypted User Keys
305+
306+ In this version of the folder keys mode, the users private key is stored
307+ encrypted on the server.
308+
309+ Example config for mandatory encrypted folder keys with Maildir:
310+
311+ ``` [dovecot.conf]
312+ mail_plugins {
313+ mail_crypt = yes
314+ }
315+ mail_attribute {
316+ dict file {
317+ path = %{home}/Maildir/dovecot-attributes
318+ }
319+ }
320+
321+ crypt_user_key_curve = secp521r1
322+ crypt_user_key_require_encrypted = yes
323+ ```
324+
325+ The password that is used to decrypt the users master/private key, must be
326+ provided via password query:
327+
328+ ``` [dovecot.conf]
329+ passdb sql {
330+ query = SELECT email as user, password, '%{password | sha256}' AS userdb_crypt_user_key_password \
331+ FROM virtual_users \
332+ WHERE email='%{user}'
333+ }
334+ ```
335+
336+ #### Choosing Encryption Password
337+
338+ DO NOT use passwords directly. It can contain ` % ` which is interpreted as
339+ variable expansion and can cause errors. Also, it might be visible in
340+ debug logging. Suggested approaches are base64 encoding, hex encoding
341+ or hashing the password. With hashing, you get the extra benefit that
342+ password won't be directly visible in logs.
343+
344+ Another issue that you must consider when using user's password is that
345+ when the password changes, ** you must re-encrypt the user private key** .
346+
347347## Base64-encoded Keys
348348
349349Mail-crypt plugin can read keys that are base64 encoded. This is intended
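Review bot: the relocated block is copied verbatim and so re-introduces its existing typos at the new location; since these lines are already being touched, fix them here rather than in a follow-up: "as is is used to store the keys" should read "as it is used to store the keys", "the users private key" and "the users master/private key" should read "the user's ...", and the bold markers carry stray spaces (`** you must re-encrypt the user private key** .` should be `**you must re-encrypt the user private key**.`). The same stray spaces appear in the unchanged context line `using ** either** global keys` at the top of the first hunk.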