
DOVEADM-MAILBOX-CRYPTOKEY(1)        Dovecot        DOVEADM-MAILBOX-CRYPTOKEY(1)

NAME
       doveadm-mailbox-cryptokey - Mail crypt plugin management

SYNOPSIS
       doveadm  [-o  crypt_user_key_password=password] [GLOBAL OPTIONS] mailbox
       cryptokey export|generate|list|password [options] [arguments]

DESCRIPTION
       Generate new keypair for user or folder. The new keypair  is  marked  as
       active.

OPTIONS
       doveadm mailbox cryptokey can be used to manage a user's cryptographic
       keys.

GLOBAL OPTIONS
       Global doveadm(1) options:

       -D

           Enables verbosity and debug messages.

       -O

           Do not read any config file, just use defaults. The
           dovecot_storage_version setting defaults to the latest version,
           but can be overridden with

       -k

           Preserve entire environment for doveadm, not just import_environment
           setting.

       -v

           Enables verbosity, including progress counter.

       -i instance-name

           If using multiple Dovecot instances, choose the config file based on
           this instance name.

           See instance_name setting for more information.

       -c config-file

           Read configuration from the given config-file. By default it first
           reads config socket, and then falls back to
           /etc/dovecot/dovecot.conf. You can also point this to config socket
           of some instance running compatible version.

       -o setting=value

           Overrides the configuration setting  from  /etc/dovecot/dovecot.conf
           and  from the userdb with the given value. In order to override mul-
           tiple settings, the -o option may be specified multiple times.

       -f formatter

           Specifies the formatter for formatting the output. Supported format-
           ters are:

           flow

               prints each line with key=value pairs.

           pager

               prints each key: value pair on its own line and separates
               records with form feed character (^L).

           tab

               prints a table header followed by tab separated value lines.

           table

               prints a table header followed by adjusted value lines.

       -o crypt_user_key_password=password

           Dovecot option, needed if you use password protected keys

OPTIONS
       -A

           If the -A option is present, the command will be performed for all
           users. Using this option in combination with system users from
           userdb { driver = passwd } is not recommended, because it also
           contains users with a lower UID than the one configured with the
           first_valid_uid setting.

           When the SQL userdb module is used, make sure that the
           userdb_sql_iterate_query setting matches your database layout.

           When using the LDAP userdb module, make sure that the userdb_fields
           and userdb_ldap_iterate_fields settings match your LDAP schema.
           Otherwise doveadm(1) will be unable to iterate over all users.

       -F file

           Execute  the  command for all the users in the file. This is similar
           to the -A option, but instead of getting the list of users from  the
           userdb,  they  are  read  from the given file. The file contains one
           username per line.

       --no-userdb-lookup

           Do not perform userdb lookup. Use the USER environment  variable  to
           specify the username.

       -S socket_path

           The option's argument is either an absolute path to a local UNIX
           domain socket, or a hostname and port (hostname:port), in order to
           connect to a remote host via a TCP socket.

           This allows an administrator to  execute  doveadm(1)  mail  commands
           through the given socket.

       -u user/mask

           Run  the  command only for the given user. It's also possible to use
           '*' and '?' wildcards (e.g. -u *@example.org).

SUBCOMMANDS
       export [-U] | mailbox-mask

       -U

           Operate on user keypair only

       Exports the user's or folder's keypair(s) in PEM format. If the keys
       are password protected, -o crypt_user_key_password=password is needed.

       generate [-Rf [-U] | mailbox-mask]

       -U

           Operate on user keypair only

       -R

           Re-encrypt all folder keys with current active user key

       -f

           Force keypair creation. Normally a keypair is created only if none
           is found.

       Generates a new keypair for the user or folder. If you want to generate
       a new user key and use it to secure your folder keys, use generate -u
       username -UR.

       If you want to password-protect your key here, use
       -o crypt_user_key_password=password.
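
       Added example, not part of the original manual page or of Dovecot's
       own code: a POSIX shell wrapper for the user-key rotation described
       above. The function names, the DOVEADM and DRY_RUN variables and the
       sample address are assumptions; it also assumes the user key is not
       password protected.

```shell
#!/bin/sh
# Added example: user-key rotation with doveadm mailbox cryptokey.
# DOVEADM, DRY_RUN and the function names are assumptions of this sketch.
DOVEADM="${DOVEADM:-doveadm}"

# Run a command, or only print it when DRY_RUN=1 (review before touching keys).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# rotate_user_key USER [force]
rotate_user_key() {
    user=$1
    # -u also accepts '*' and '?' masks; refuse them so exactly one
    # account is rotated per call.
    case $user in
        ''|*[*?]*)
            echo "refusing empty or wildcard user: '$user'" >&2
            return 2 ;;
    esac
    # -U: user keypair; -R: re-encrypt folder keys with the active user key.
    flags=-UR
    # -f forces creation; without it a keypair is created only if none is found.
    if [ "${2:-}" = force ]; then
        flags=-URf
    fi
    # List before and after so the newly generated key shows up in the output.
    run "$DOVEADM" mailbox cryptokey list -u "$user" -U || return 1
    run "$DOVEADM" mailbox cryptokey generate -u "$user" "$flags" || return 1
    run "$DOVEADM" mailbox cryptokey list -u "$user" -U || return 1
}

# Example (constructed address):
#   DRY_RUN=1 rotate_user_key alice@example.org force
```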

       list [-U] | mailbox-mask

       -U

           Operate on user keypair only

       List all keys for user or folder. No password is required.

       password [-N | -n password] [-O|-o password] [-C]

       -O

           Ask for old password

       -o old-password

           Provide old password

       -N

           Ask for new password

       -n new-password

           Provide new password

       -C

           Clear (unset/remove) the password. Your key will not be protected
           by a password.

       Set, change or clear the password on your user key.

SEE ALSO
       doveadm(1), doveadm-mailbox(1)

78ffb79                            March 2025      DOVEADM-MAILBOX-CRYPTOKEY(1)
