var_expand_crypt Plugin

This plugin provides a generic encrypt/decrypt facility for Config Variables.

It requires a functional lib-dcrypt backend.

For the dovecot-auth process, this plugin is automatically usable.

Settings

See var-expand-crypt plugin.

Syntax

args=encrypted_value=%{encrypt;key=value,iv=value,noiv=yes,algo=algorithm,format=base64|hex:field}
args=decrypted_value=%{decrypt;key=value,iv=value,noiv=yes,algo=algorithm,format=base64|hex:field}

Key       Value
algo      Algorithm name (defaults to aes-256-cbc)
format    Return format
iv        hex-encoded value
key       hex-encoded value
noiv      Whether iv is included in return value

decrypt expects input in base64 or hex format.

Note

It is usually best to leave iv management to Dovecot, and not use iv and noiv options at all.

Return Formats

Without noiv, encrypt returns iv$encrypted$.

With noiv, only the encrypted data is returned. Fields are encoded using format.

key and iv must be the length required by the given algo.

Example

%{encrypt;key=f1f2f3f4f5f6f7f8f1f2f3f4f5f6f7f8f1f2f3f4f5f6f7f8f1f2f3f4f5f6f7f8:password} = 93736a0f910df27f89210e096e1d639a$966c2b4f3e7487f6acdb836f8d1dc3e0$
%{decrypt;key=f1f2f3f4f5f6f7f8f1f2f3f4f5f6f7f8f1f2f3f4f5f6f7f8f1f2f3f4f5f6f7f8:encrypted} = pass
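
The following is an added example, not code from Dovecot: a checker that parses the iv$encrypted$ return format, validates key and iv lengths, and flags stored values that share an iv (which happens when a fixed iv= is configured instead of leaving iv management to Dovecot). The function names are hypothetical, the sizes assume the default aes-256-cbc, and hex is assumed as the default format because the page's example output is hex.

```python
import base64
from collections import Counter

# Assumption: sizes for the documented default algo, aes-256-cbc.
KEY_LEN, IV_LEN, BLOCK = 32, 16, 16

# Output of the encrypt example shown on this page.
PAGE_EXAMPLE = "93736a0f910df27f89210e096e1d639a$966c2b4f3e7487f6acdb836f8d1dc3e0$"


def _decode(field, fmt):
    """Decode one field per the 'format' option (hex or base64)."""
    if fmt == "hex":
        return bytes.fromhex(field)
    if fmt == "base64":
        return base64.b64decode(field, validate=True)
    raise ValueError(f"unknown format: {fmt}")


def check_key(hex_key):
    """key= is hex-encoded and must be the length the algo requires."""
    key = bytes.fromhex(hex_key)
    if len(key) != KEY_LEN:
        raise ValueError(f"key is {len(key)} bytes, aes-256-cbc needs {KEY_LEN}")
    return key


def parse_encrypted(value, fmt="hex"):
    """Split encrypt output (produced without noiv) into (iv, ciphertext) bytes."""
    parts = value.split("$")
    # iv$encrypted$ splits into three parts, the last one empty.
    if len(parts) != 3 or parts[2] != "":
        raise ValueError("expected iv$encrypted$")
    iv, ct = _decode(parts[0], fmt), _decode(parts[1], fmt)
    if len(iv) != IV_LEN:
        raise ValueError(f"iv is {len(iv)} bytes, expected {IV_LEN}")
    if not ct or len(ct) % BLOCK:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return iv, ct


def reused_ivs(values, fmt="hex"):
    """Return every iv that appears in more than one stored value."""
    counts = Counter(parse_encrypted(v, fmt)[0] for v in values)
    return [iv for iv, n in counts.items() if n > 1]
```

The checker only inspects structure and lengths; it performs no decryption and needs no access to the key material beyond the length check.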