Hello,
I am testing mail_crypt plugin with per account encryption and wanted to generate a new keypair for an account but noticed that I now end up with 2 keypairs where one is active and the other inactive as you can see below:
$ doveadm mailbox cryptokey list -u email@domain.tld -U
Folder Active Public ID yes 7b140b4f3d6d68eed2c59259ac5e6f6a280dc82990292dc415b4100d6c797f67 no 1c1dd1c955757da7c19f1eeb6d6c4d0d66e6355baa2d844bc2623052e1aa2f91
Does this mean now that all existing emails get encrypted with both keypairs? or does this mean only the active keypair is used to encrypt new emails?
Is it possible to delete the inactive keypair? if yes how?
Regards, Mabi
On 4 Jul 2019, at 03:17, @lbutlr via dovecot <dovecot@dovecot.org> wrote:
On 3 Jul 2019, at 06:38, mabi via dovecot <dovecot@dovecot.org> wrote:
Is it possible to delete the inactive keypair? if yes how?
Wouldn’t you then be unable to encrypt previous emails?
UNencrypt, of course.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Thursday, July 4, 2019 11:17 AM, @lbutlr via dovecot <dovecot@dovecot.org> wrote:
Is it possible to delete the inactive keypair? if yes how?
Wouldn’t you then be unable to *unencrypt* previous emails?
That's also what I thought but based on my understand and on the documentation of the "mailbox cryptokey generate" doveadm command (https://wiki2.dovecot.org/Plugins/MailCrypt#doveadm_mailbox_cryptokey_genera...) if you use the "-R" parameter you re-encrypt all the mails with the new key. See the description of that "-R" parameter:
-R - Re-encrypt all folder keys with current active user key
Someone please correct me here if I am wrong...
On 4.7.2019 15.35, mabi via dovecot wrote:
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Thursday, July 4, 2019 11:17 AM, @lbutlr via dovecot <dovecot@dovecot.org> wrote:
Is it possible to delete the inactive keypair? if yes how? Wouldn’t you then be unable to *unencrypt* previous emails? That's also what I thought but based on my understand and on the documentation of the "mailbox cryptokey generate" doveadm command (https://wiki2.dovecot.org/Plugins/MailCrypt#doveadm_mailbox_cryptokey_genera...) if you use the "-R" parameter you re-encrypt all the mails with the new key. See the description of that "-R" parameter:
-R - Re-encrypt all folder keys with current active user key
Someone please correct me here if I am wrong...
Actually -R will re-encrypt all folder keys with new user key. After this, old user key can be removed. Re-encrypting mails can only be done by moving them around. Never ever delete an old **folder** key unless you are really sure it's not used by anything anymore.
Aki
participants (3)
-
@lbutlr
-
Aki Tuomi
-
mabi