File: doveadm-pw.1

.TH "DOVEADM-PW" "1" "March 2025" "78ffb79" "Dovecot"
.SH "NAME"
\fBdoveadm-pw\fR - Dovecot's password hash generator and validator
.SH "SYNOPSIS"
.P
\fBdoveadm\fR \[lB]\fIGLOBAL OPTIONS\fR\[rB] \fBpw -l\fR
.P
\fBdoveadm\fR \[lB]\fIGLOBAL OPTIONS\fR\[rB] \fBpw\fR \[lB]\fB-p\fR \fIpassword\fR\[rB] \[lB]\fB-r\fR \fIrounds\fR\[rB] \[lB]\fB-s\fR \fIscheme\fR\[rB] \[lB]\fB-u\fR \fIuser\fR\[rB] \[lB]\fB-V\fR\[rB]
.P
\fBdoveadm\fR \[lB]\fIGLOBAL OPTIONS\fR\[rB] \fBpw\fR \fB-t\fR \fIhash\fR \[lB]\fB-p\fR \fIpassword\fR\[rB] \[lB]\fB-u\fR \fIuser\fR\[rB]
.SH "DESCRIPTION"
.P
\fBdoveadm pw\fR is used to generate password hashes for different password \fIscheme\fRs and optionally verify the generated hash.
.P
All generated password hashes have a {\fIscheme\fR} prefix, for example {\fBSHA512-CRYPT.HEX\fR}. All passdbs have a default scheme for passwords stored without the {\fIscheme\fR} prefix. The default scheme can be overridden by storing the password with the scheme prefix.
.P
If you want to use this feature to verify or generate passwords without configuring Dovecot first, you can use \fBdoveadm -O pw\fR to do so.
.SH "GLOBAL OPTIONS"
.P
Global doveadm(1) 
.P
\fB-D\fR
.RS 0
.RS 4
.P
Enables \fIverbosity\fR and debug messages.
.RE 0

.RE 0

.P
\fB-O\fR
.RS 0
.RS 4
.P
Do not read any config file, just use defaults. The \fBdovecot_storage_version\fR setting defaults to the latest version, but can be overridden with 
.RE 0

.RE 0

.P
\fB-k\fR
.RS 0
.RS 4
.P
Preserve the entire environment for doveadm, not just the \fBimport_environment\fR setting.
.RE 0

.RE 0

.P
\fB-v\fR
.RS 0
.RS 4
.P
Enables verbosity, including progress counter.
.RE 0

.RE 0

.P
\fB-i\fR \fIinstance-name\fR
.RS 0
.RS 4
.P
If using multiple Dovecot instances, choose the config file based on this instance name.
.P
See \fBinstance_name\fR setting for more information.
.RE 0

.RE 0

.P
\fB-c\fR \fIconfig-file\fR
.RS 0
.RS 4
.P
Read configuration from the given \fIconfig-file\fR. By default it first reads the config socket, and then falls back to \fI/etc/dovecot/dovecot.conf\fR. You can also point this to the config socket of some instance running a compatible version.
.RE 0

.RE 0

.P
\fB-o\fR \fIsetting\fR\fB=\fR\fIvalue\fR
.RS 0
.RS 4
.P
Overrides the configuration \fIsetting\fR from \fI/etc/dovecot/dovecot.conf\fR and from the userdb with the given \fIvalue\fR. In order to override multiple settings, the \fB-o\fR option may be specified multiple times.
.RE 0

.RE 0

.SH "OPTIONS"
.P
\fB-l\fR
.RS 0
.RS 4
.P
List all supported password \fIscheme\fRs and exit successfully.
.P
There are up to three optional password \fIscheme\fRs: \fBBLF-CRYPT\fR (Blowfish crypt), \fBSHA256-CRYPT\fR and \fBSHA512-CRYPT\fR. Their availability depends on the system's currently used libc.
.RE 0

.RE 0

.P
\fB-p\fR \fIpassword\fR
.RS 0
.RS 4
.P
 was given doveadm(1) will prompt interactively for one. (Beware that using this option means the plain text password will be in your shell history!)
.RE 0

.RE 0

.P
\fB-r\fR \fIrounds\fR
.RS 0
.RS 4
.P
The password \fIscheme\fRs \fBBLF-CRYPT\fR, \fBSHA256-CRYPT\fR and \fBSHA512-CRYPT\fR support a variable number of encryption \fIrounds\fR. The following table shows the minimum/maximum number of encryption \fIrounds\fR per scheme. When the \fB-r\fR option is omitted, the default number of encryption rounds is applied.
.P
.nf
Scheme         Minimum   Maximum     Default
BLF-CRYPT      4         31          5
SHA256-CRYPT   1000      999999999   5000
SHA512-CRYPT   1000      999999999   5000
.fi
.RE 0

.RE 0

.P
\fB-s\fR \fIscheme\fR
.RS 0
.RS 4
.P
The password \fIscheme\fR which should be used to generate the hashed password. By default the \fBCRYPT\fR \fIscheme\fR will be used (with the $2y$ bcrypt format). It is also possible to append an encoding suffix to the \fIscheme\fR. Supported encoding suffixes are: \fB.b64\fR, \fB.base64\fR and \fB.hex\fR.
.P
See also password_schemes for more details about password schemes.
.RE 0

.RE 0

.P
\fB-t\fR \fIhash\fR
.RS 0
.RS 4
.P
 option. When no password was specified, doveadm(1) will prompt interactively for one.
.RE 0

.RE 0

.P
\fB-u\fR \fIuser\fR
.RS 0
.RS 4
.P
 name must also be given, because the user name is a part of the generated hash. For more information about Digest-MD5 please read also auth_digest_md5. For other schemes, this is not required.
.RE 0

.RE 0

.P
\fB-V\fR
.RS 0
.RS 4
.P
When this option is given, the hashed password will be internally verified. The result of the verification will be shown after the hashed password, enclosed in parentheses.
.RE 0

.RE 0

.SH "EXAMPLE"
.P
An ARGON2ID hash (best security at the time of this writing, though it can be heavy on a busy server):
.P
.RS 2
.nf
doveadm pw -s ARGON2ID
.fi
.RE
.P
.RS 2
.nf
Enter new password:
Retype new password:
{ARGON2ID}$argon2id$v=19$m=65536,t=3,p=1$AOrrkaFmGxCFtX+NCSHFkg$N3rlzYFqyNkCwrOingnDJ/qDQ09yGHgQa8PQfbu7rIE
.fi
.RE
.P
Alternatively, a SHA512-CRYPT hash:
.P
.RS 2
.nf
doveadm pw -s SHA512-CRYPT
.fi
.RE
.P
.RS 2
.nf
Enter new password:
Retype new password:
{SHA512-CRYPT}$6$qAvxfQ2UbA1QTXSg$SB2aMEK76DBObt.KqTjF5.yDMceaD3dkG2UvrKQD0rZ9PKii/VAn.VS0nBsDqJX18kXieMi8AWJr0f7Ae9dAp/
.fi
.RE
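.P
Added example, not part of the Dovecot manual or Dovecot's own code: a Python audit helper that splits a stored value into its {scheme} prefix and optional encoding suffix, then checks the rounds embedded in crypt-style hashes against the table under the rounds option. The name parse_stored_hash, the SAMPLES values and the handling of encoded crypt strings are assumptions made for illustration.

```python
import base64
import re

# Minimum, maximum and default rounds per scheme, from the rounds table above.
ROUNDS = {
    "BLF-CRYPT": (4, 31, 5),
    "SHA256-CRYPT": (1000, 999999999, 5000),
    "SHA512-CRYPT": (1000, 999999999, 5000),
}
# Encoding suffixes listed under the scheme option (.b64, .base64, .hex).
DECODERS = {"HEX": bytes.fromhex, "B64": base64.b64decode, "BASE64": base64.b64decode}
# Constructed sample values, not real credentials.
SAMPLES = [
    "{SHA512-CRYPT}$6$rounds=500$c2FsdA$aGFzaA",
    "{BLF-CRYPT.HEX}" + "$2y$12$c2FsdHNhbHQ".encode().hex(),
]

def parse_stored_hash(stored):
    """Split '{SCHEME[.ENCODING]}data' and report the rounds it uses."""
    m = re.fullmatch(r"\{([A-Za-z0-9-]+)(?:\.([A-Za-z0-9]+))?\}(.+)", stored)
    if m is None:
        # No prefix: the passdb's default scheme applies; it is unknown here.
        return {"scheme": None, "encoding": None, "rounds": None, "in_range": None}
    scheme, encoding, data = m.group(1).upper(), m.group(2), m.group(3)
    if encoding is not None:
        encoding = encoding.upper()
        if encoding not in DECODERS:
            raise ValueError("unsupported encoding suffix: " + encoding)
        # Assumption: for crypt-style schemes the suffix encodes the whole
        # crypt(3) string, so decoding yields the '$id$...' form again.
        data = DECODERS[encoding](data).decode("ascii")
    rounds = None
    if scheme in ("SHA256-CRYPT", "SHA512-CRYPT"):
        r = re.match(r"\$[56]\$rounds=(\d+)\$", data)
        # crypt(3) leaves out 'rounds=' when the default is in effect.
        rounds = int(r.group(1)) if r else ROUNDS[scheme][2]
    elif scheme == "BLF-CRYPT":
        r = re.match(r"\$2[abxy]\$(\d{2})\$", data)
        rounds = int(r.group(1)) if r else None
    in_range = None
    if rounds is not None:
        lo, hi, _default = ROUNDS[scheme]
        in_range = lo <= rounds <= hi
    return {"scheme": scheme, "encoding": encoding, "rounds": rounds, "in_range": in_range}

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_stored_hash(sample))
```

Schemes without a rounds entry in the table, such as ARGON2ID, are reported with rounds and in_range set to None.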
.SH "REPORTING BUGS"
.P
Report bugs, including \fIdoveconf -n\fR output, to the Dovecot Mailing List \fI\(ladovecot@dovecot.org\(ra\fR. Information about reporting bugs is available at: https://dovecot.org/bugreport.html
.SH "SEE ALSO"
.P
doveadm(1)