DOVEADM-PW(1) Dovecot DOVEADM-PW(1)
NAME
doveadm-pw - Dovecot's password hash generator and validator
SYNOPSIS
doveadm [GLOBAL OPTIONS] pw -l
doveadm [GLOBAL OPTIONS] pw [-p password] [-r rounds] [-s scheme] [-u
user] [-V]
doveadm [GLOBAL OPTIONS] pw -t hash [-p password] [-u user]
DESCRIPTION
doveadm pw is used to generate password hashes for different password
schemes and optionally verify the generated hash.
All generated password hashes have a {scheme} prefix, for example
{SHA512-CRYPT.HEX}. All passdbs have a default scheme for passwords
stored without the {scheme} prefix. The default scheme can be overridden
by storing the password with the scheme prefix.
If you want to use this feature to verify or generate passwords without
configuring Dovecot first, you can use doveadm -O pw to do so.
GLOBAL OPTIONS
Global doveadm(1)
-D
Enables verbosity and debug messages.
-O
Do not read any config file, just use defaults. The
dovecot_storage_version setting defaults to the latest version, but can be
overridden with
-k
Preserve entire environment for doveadm, not just import_environment
setting.
-v
Enables verbosity, including progress counter.
-i instance-name
If using multiple Dovecot instances, choose the config file based
on this instance name.
See instance_name setting for more information.
-c config-file
Read configuration from the given config-file. By default it first
reads config socket, and then falls back to /etc/dovecot/dovecot.conf.
You can also point this to config socket of some instance
running compatible version.
-o setting=value
Overrides the configuration setting from /etc/dovecot/dovecot.conf
and from the userdb with the given value. In order to override
multiple settings, the -o option may be specified multiple times.
OPTIONS
-l
List all supported password schemes and exit successfully.
There are up to three optional password schemes: BLF-CRYPT
(Blowfish crypt), SHA256-CRYPT and SHA512-CRYPT. Their availability
depends on the system's currently used libc.
-p password
was given doveadm(1) will prompt interactively for one. (Beware
that using this option means the plain text password will be in
your shell history!)
-r rounds
The password schemes BLF-CRYPT, SHA256-CRYPT and SHA512-CRYPT support
a variable number of encryption rounds. The following table
shows the minimum/maximum number of encryption rounds per scheme.
When the -r option is omitted, the default number of encryption
rounds will be applied.

| Scheme | Minimum | Maximum | Default |
| ------ | ------- | ------- | ------- |
| BLF-CRYPT | 4 | 31 | 5 |
| SHA256-CRYPT | 1000 | 999999999 | 5000 |
| SHA512-CRYPT | 1000 | 999999999 | 5000 |
-s scheme
The password scheme which should be used to generate the hashed
password. By default the CRYPT scheme will be used (with the $2y$
bcrypt format). It is also possible to append an encoding suffix to
the scheme. Supported encoding suffixes are: .b64, .base64 and
.hex.
See also password_schemes for more details about password schemes.
-t hash
option. When no password was specified, doveadm(1) will prompt
interactively for one.
-u user
name must also be given, because the user name is a part of the
generated hash. For more information about Digest-MD5 please read
also auth_digest_md5. For other schemes, this is not required.
-V
When this option is given, the hashed password will be internally
verified. The result of the verification will be shown after the
hashed password, enclosed in parentheses.
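The {scheme} prefix, the encoding suffixes listed under -s and the limits in the -r table are enough to audit hashes already stored in a passdb. The following is an added example, not part of Dovecot or of the original page: the function names and the floors parameter are assumptions, and by default a hash is only flagged when its cost is below the table's default for that scheme.

```python
import re

# (minimum, maximum, default) cost per scheme, copied from the -r table on this page.
LIMITS = {
    "BLF-CRYPT": (4, 31, 5),
    "SHA256-CRYPT": (1000, 999999999, 5000),
    "SHA512-CRYPT": (1000, 999999999, 5000),
}
ENCODINGS = {"B64", "BASE64", "HEX"}  # encoding suffixes listed under -s

def parse_stored(value):
    """Split '{SCHEME[.ENC]}body' into (scheme, encoding, body); scheme is None if unprefixed."""
    m = re.match(r"^\{([^}]+)\}(.*)$", value, re.S)
    if not m:
        return None, None, value  # the passdb's default scheme applies
    scheme, _, enc = m.group(1).upper().partition(".")
    if enc and enc not in ENCODINGS:
        raise ValueError(f"unknown encoding suffix: {enc}")
    return scheme, enc or None, m.group(2)

def cost_of(scheme, body):
    """Return the work factor in an unencoded crypt-style body, or None if unparseable."""
    if scheme == "BLF-CRYPT":  # $2y$NN$...
        m = re.match(r"^\$2[abxy]\$(\d{2})\$", body)
        return int(m.group(1)) if m else None
    m = re.match(r"^\$[56]\$(?:rounds=(\d+)\$)?", body)  # $6$[rounds=N$]salt$hash
    return None if not m else int(m.group(1) or LIMITS[scheme][2])  # no field: default

def audit(value, floors=None):
    """Return findings for one stored value; floors maps scheme -> local minimum cost."""
    scheme, enc, body = parse_stored(value)
    if scheme is None:
        return ["no {scheme} prefix: the passdb default scheme is used"]
    if enc or scheme not in LIMITS:
        return []  # encoded bodies and schemes without -r limits (e.g. ARGON2ID) are skipped
    cost = cost_of(scheme, body)
    if cost is None:
        return [f"{scheme}: body is not a recognisable crypt string"]
    lo, hi, default = LIMITS[scheme]
    floor = (floors or {}).get(scheme, default)
    findings = []
    if not lo <= cost <= hi:
        findings.append(f"{scheme}: cost {cost} outside {lo}..{hi}")
    if cost < floor:
        findings.append(f"{scheme}: cost {cost} below floor {floor}")
    return findings

if __name__ == "__main__":  # constructed sample value, not a real hash
    print(audit("{SHA512-CRYPT}$6$rounds=1000$c2FsdHNhbHQ$" + "x" * 86))
```

Pass a stricter policy as, for example, `floors={"SHA512-CRYPT": 100000}` to flag hashes generated without -r.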
EXAMPLE
An ARGON2ID hash (best security at the time of this writing, though it can be
heavy on a busy server):
```sh
doveadm pw -s ARGON2ID
Enter new password:
Retype new password:
{ARGON2ID}$argon2id$v=19$m=65536,t=3,p=1$AOrrkaFmGxCFtX+NCSHFkg$N3rlzYFqyNkCwrOingnDJ/qDQ09yGHgQa8PQfbu7rIE
```
Alternatively, a SHA512-CRYPT hash:
```sh
doveadm pw -s SHA512-CRYPT
Enter new password:
Retype new password:
{SHA512-CRYPT}$6$qAvxfQ2UbA1QTXSg$SB2aMEK76DBObt.KqTjF5.yDMceaD3dkG2UvrKQD0rZ9PKii/VAn.VS0nBsDqJX18kXieMi8AWJr0f7Ae9dAp/
```
REPORTING BUGS
Report bugs, including doveconf -n output, to the Dovecot Mailing List
<dovecot AT dovecot.org>. Information about reporting bugs is available
at: https://dovecot.org/bugreport.html
SEE ALSO
doveadm(1)
78ffb79 March 2025 DOVEADM-PW(1)