Hello,

I am testing the mail_crypt plugin with per account encryption and wanted to generate a new keypair for an account, but noticed that I now end up with 2 keypairs where one is active and the other inactive, as you can see below:

$ doveadm mailbox cryptokey list -u email at domain.tld -U
Folder Active Public ID
       yes    7b140b4f3d6d68eed2c59259ac5e6f6a280dc82990292dc415b4100d6c797f67
       no     1c1dd1c955757da7c19f1eeb6d6c4d0d66e6355baa2d844bc2623052e1aa2f91

Does this mean now that all existing emails get encrypted with both keypairs? Or does this mean only the active keypair is used to encrypt new emails?

Is it possible to delete the inactive keypair? If yes, how?

Regards,
Mabi
On 3 Jul 2019, at 06:38, mabi via dovecot <dovecot at dovecot.org> wrote:
> Is it possible to delete the inactive keypair? If yes, how?

Wouldn't you then be unable to encrypt previous emails?
On 4 Jul 2019, at 03:17, @lbutlr via dovecot <dovecot at dovecot.org> wrote:
> On 3 Jul 2019, at 06:38, mabi via dovecot <dovecot at dovecot.org> wrote:
>> Is it possible to delete the inactive keypair? If yes, how?
>
> Wouldn't you then be unable to encrypt previous emails?

UNencrypt, of course.
------- Original Message -------
On Thursday, July 4, 2019 11:17 AM, @lbutlr via dovecot <dovecot at dovecot.org> wrote:

>> Is it possible to delete the inactive keypair? If yes, how?
>
> Wouldn't you then be unable to *unencrypt* previous emails?

That's also what I thought, but based on my understanding and on the documentation of the "mailbox cryptokey generate" doveadm command (https://wiki2.dovecot.org/Plugins/MailCrypt#doveadm_mailbox_cryptokey_generate), if you use the "-R" parameter you re-encrypt all the mails with the new key. See the description of that "-R" parameter:

-R - Re-encrypt all folder keys with current active user key

Someone please correct me here if I am wrong...
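As an added example (not part of the thread or of Dovecot itself), a small parser for the table that `doveadm mailbox cryptokey list` prints, so the active/inactive state of a user's keys can be checked from a script before and after running `cryptokey generate -R`. The sample output is constructed from the listing quoted above; the `CryptoKey` record and the `one_active` flag are this example's own names.

```python
"""Parse `doveadm mailbox cryptokey list` output and summarise which keys are active."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample, copied from the listing in the thread. With -U the
# command lists the user's own keys, so the Folder column is empty.
SAMPLE_OUTPUT = """\
Folder Active Public ID
       yes    7b140b4f3d6d68eed2c59259ac5e6f6a280dc82990292dc415b4100d6c797f67
       no     1c1dd1c955757da7c19f1eeb6d6c4d0d66e6355baa2d844bc2623052e1aa2f91
"""


@dataclass(frozen=True)
class CryptoKey:
    folder: str       # "" for user keys (-U); mailbox name for folder keys
    active: bool
    public_id: str    # hex value Dovecot prints in the "Public ID" column


def parse_cryptokey_list(text: str) -> list[CryptoKey]:
    """Turn the table printed by `doveadm mailbox cryptokey list` into records."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("Folder"):
        raise ValueError("missing 'Folder Active Public ID' header")
    keys = []
    for line in lines[1:]:
        # Split from the right so a folder name containing spaces stays intact;
        # a user-key row has only two fields (Active, Public ID).
        parts = line.rsplit(None, 2)
        if len(parts) == 2:
            folder, active, public_id = "", *parts
        elif len(parts) == 3:
            folder, active, public_id = parts
        else:
            raise ValueError(f"unexpected row: {line!r}")
        if active not in ("yes", "no"):
            raise ValueError(f"unexpected Active value in row: {line!r}")
        keys.append(CryptoKey(folder, active == "yes", public_id))
    return keys


def summarise(keys: list[CryptoKey]) -> dict:
    """List active and inactive public IDs; exactly one active user key is the normal state."""
    active = [k.public_id for k in keys if k.active]
    inactive = [k.public_id for k in keys if not k.active]
    return {"active": active, "inactive": inactive, "one_active": len(active) == 1}


if __name__ == "__main__":
    print(summarise(parse_cryptokey_list(SAMPLE_OUTPUT)))
```

Pipe the real command output into `parse_cryptokey_list` (for example via `subprocess.run(..., capture_output=True, text=True).stdout`) to audit an account's keys; a non-empty `inactive` list shows which old key IDs are still registered.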