[Users] Commands to encrypt account password

lmfrm lmfrm at nanogroup.xyz
Thu Mar 10 01:53:32 CET 2022


For scripting purposes I need to know how to encrypt my account password
in two different ways. Don't worry, I will explain.

1) How do I derive the 35-digit hexadecimal code Claws
generates from my raw account password (as found in Configuration > Edit
accounts > [select account] & Edit > Account > Basic > Password)? Due
to CRAM-MD5 being enabled the password can't be entered raw, but this
leaves me without a way to generate the hex code myself.

2) How do I encrypt my raw account password from the command line
(exact command and syntax) to produce the send/recv blobs generated in
~/.claws-mail/passwordrc?

I lost the original link but here's what it said about how Claws
encrypts passwords in ~/.claws-mail/passwordrc:


"Unless --with-password-encryption=old is active, account passwords are
stored encrypted using AES-256-CBC, using following scheme:
----------------------------------------------------------------------

Encryption/decryption key is derived from either PASSCRYPT_KEY, or
user-selected master passphrase, using PBKDF2, using salt from
'master_passphrase_salt', and number of rounds (iterations) from
'master_passphrase_pbkdf2_rounds'.

IV (initialization vector) for the cipher is filled with random bytes.


Encryption
----------
We prepare a buffer long enough to fit the NULL-terminated password
string plus one cipher block in it, with one block of random data at
the beginning, followed by the password we want to encrypt (in UTF-8),
rest is padded with zero bytes.

The minimal buffer size is 128+blocksize, and if the password (including
the trailing NULL byte) is longer than 128 bytes, the size is increased
by another 128 bytes until it is long enough to fit the password plus
one cipher block. This is to make it harder to guess the password
length from length of the encrypted string. So for example, if the
password (again, including the trailing NULL byte) is 129 characters
long, our buffer will be 256+blocksize bytes long.

We encrypt the buffer using the encryption key and IV mentioned above,
resulting in ciphertext of the same length as the buffer.

We base64-encode the ciphertext, and store it as:
"{algorithm,rounds}encodedciphertext"

"rounds" is an integer value set to number of PBKDF2 rounds used to
generate the key derivation used as encryption key."


It seems like openssl would be the tool but I have no way of
knowing the syntax. Thank you very much and happy day!
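The quoted scheme can be followed step by step in code. The Go program below is an added example written for this post; it is not Claws Mail's code and is not claimed to reproduce the exact bytes Claws writes to passwordrc. The quoted text leaves several details open, and this example fills them with labelled assumptions: PBKDF2 uses HMAC-SHA-256 and produces a 32-byte AES-256 key, the salt is handled as raw bytes, and the algorithm tag written into the stored string is "AES-256-CBC". The passphrase, salt and password values are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Assumption for this example: tag stored in "{algorithm,rounds}...".
const algorithmTag = "AES-256-CBC"

// pbkdf2HMACSHA256 is PBKDF2 (RFC 8018) with HMAC-SHA-256 as the PRF.
// The quoted text does not name the PRF; SHA-256 is this example's assumption.
func pbkdf2HMACSHA256(pass, salt []byte, rounds, keyLen int) []byte {
	out := make([]byte, 0, keyLen)
	for blk := uint32(1); len(out) < keyLen; blk++ {
		mac := hmac.New(sha256.New, pass)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], blk)
		mac.Write(idx[:])
		u := mac.Sum(nil)                // U1 = PRF(P, S || INT(blk))
		t := append([]byte(nil), u...)   // T = U1
		for i := 1; i < rounds; i++ {    // U_i = PRF(P, U_{i-1}); T ^= U_i
			mac = hmac.New(sha256.New, pass)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// bufferLen is the sizing rule quoted above: 128*n + blockSize bytes, where n
// is the smallest number of 128-byte chunks holding the password plus its
// trailing NUL. A password of 129 bytes including the NUL gives 256+blockSize.
func bufferLen(passwordLen, blockSize int) int {
	n := (passwordLen + 1 + 127) / 128
	if n < 1 {
		n = 1
	}
	return 128*n + blockSize
}

// SealPassword derives the key, lays out [random block | password | NUL | zero
// padding], encrypts with AES-256-CBC under a random IV and returns
// "{algorithm,rounds}base64ciphertext".
func SealPassword(password string, passphrase, salt []byte, rounds int) (string, error) {
	block, err := aes.NewCipher(pbkdf2HMACSHA256(passphrase, salt, rounds, 32))
	if err != nil {
		return "", err
	}
	bs := block.BlockSize()
	buf := make([]byte, bufferLen(len(password), bs)) // zero-filled: NUL and padding come free
	random := make([]byte, 2*bs)                        // one block of filler plus the IV
	if _, err := rand.Read(random); err != nil {
		return "", err
	}
	copy(buf[:bs], random[:bs])
	copy(buf[bs:], password)
	ct := make([]byte, len(buf))
	cipher.NewCBCEncrypter(block, random[bs:]).CryptBlocks(ct, buf)
	return fmt.Sprintf("{%s,%d}%s", algorithmTag, rounds, base64.StdEncoding.EncodeToString(ct)), nil
}

// OpenPassword reverses SealPassword. The IV is not stored anywhere: in CBC
// only the first plaintext block depends on the IV, and that block is the
// random filler, so decrypting with an all-zero IV and dropping block one
// recovers the password (a property of CBC, not a claim about Claws).
func OpenPassword(stored string, passphrase, salt []byte) (string, error) {
	end := strings.IndexByte(stored, '}')
	if !strings.HasPrefix(stored, "{") || end < 0 {
		return "", errors.New("missing {algorithm,rounds} header")
	}
	header := strings.SplitN(stored[1:end], ",", 2)
	if len(header) != 2 || header[0] != algorithmTag {
		return "", errors.New("unsupported algorithm tag")
	}
	rounds, err := strconv.Atoi(header[1])
	if err != nil || rounds < 1 {
		return "", errors.New("bad round count")
	}
	ct, err := base64.StdEncoding.DecodeString(stored[end+1:])
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(pbkdf2HMACSHA256(passphrase, salt, rounds, 32))
	if err != nil {
		return "", err
	}
	bs := block.BlockSize()
	if len(ct) < 2*bs || len(ct)%bs != 0 {
		return "", errors.New("ciphertext is not a whole number of blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, bs)).CryptBlocks(pt, ct)
	body := pt[bs:]
	nul := bytes.IndexByte(body, 0)
	if nul < 0 {
		return "", errors.New("no NUL terminator: key or passphrase is probably wrong")
	}
	return string(body[:nul]), nil
}
```

Two points worth knowing before relying on this layout: the base64 length only reveals which 128-byte bucket the password falls into, which is the padding rule's purpose; and CBC carries no integrity check, so decrypting with the wrong passphrase yields random bytes rather than an error, and the NUL scan above will sometimes return garbage instead of failing. Any tool that verifies a master passphrase this way needs a separate known-good check.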

