According to /etc/kopano/webapp/config-files.php we should change the standard password key for account data encryption. The file only documents how many characters and bits should be used (bits and characters…). It would be better if that file also documented how this should be changed. Now it just says:

  • Standard password key for account data encryption. We recommend to change the default value for security reasons
  • and a length of 16 characters. Data is only encrypted when the openssl module is installed
  • IV vector should be 8 bits long

I used this:
$ head -c 8 /dev/urandom | xxd -ps
$ head -c 4 /dev/urandom | xxd -ps

Thinking about it, I should also have been able to use “pwgen -s -y 16 1” and “pwgen -s -y 8 1”, probably better.

On another note, the file /etc/kopano/webapp/config-files.php is readable by all; wouldn’t it be better if the owner of that file was www-data and it was not readable by all? This is on Debian 8.10 with kopano-webapp-plugin-files.
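As an added example (not from the original post and not Kopano's own code), a small POSIX shell script that does the same key and IV generation as the head/xxd commands above but with od (so it also works where xxd is absent), checks the resulting lengths and hex alphabet, and checks whether a file such as config-files.php is readable by "other". The assumptions are: a Linux /dev/urandom, and GNU stat with `-c %a` as on Debian.

```shell
#!/bin/sh
# Added example: generate PASSWORD_KEY / PASSWORD_IV style values of the
# documented lengths and verify them; then test a file's "other" read bit.

# N random bytes from /dev/urandom as lowercase hex (2*N characters).
# Equivalent to "head -c N /dev/urandom | xxd -ps" but uses od, which is POSIX.
rand_hex() {
    head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Key documented as 16 characters -> 8 random bytes, hex encoded.
gen_password_key() { rand_hex 8; }

# IV as in the post's second command -> 4 random bytes, hex encoded (8 characters).
gen_password_iv() { rand_hex 4; }

# Return 0 if $1 is exactly $2 characters long and lowercase hex, else 1.
check_hex_len() {
    value=$1
    want=$2
    [ "${#value}" -eq "$want" ] || return 1
    case "$value" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# Return 0 if the file is NOT readable by "other", 1 if it is (or cannot be stat'ed).
# Assumes GNU stat (Debian coreutils): "%a" prints the octal mode, e.g. 644.
not_world_readable() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    other=${mode#"${mode%?}"}          # last octal digit = permissions for "other"
    [ $(( other & 4 )) -eq 0 ]          # 4 = read bit
}

# Stand-alone run: print fresh values and report on the config file if present.
if [ "${0##*/}" != "sh" ]; then
    echo "PASSWORD_KEY candidate: $(gen_password_key)"
    echo "PASSWORD_IV candidate:  $(gen_password_iv)"
    cfg=/etc/kopano/webapp/config-files.php
    if [ -f "$cfg" ]; then
        not_world_readable "$cfg" && echo "$cfg: not world-readable" \
                                  || echo "$cfg: WORLD-READABLE, consider chmod 640 + owner www-data"
    fi
fi
```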