mail_crypt: multiple keypairs

Aki Tuomi aki.tuomi at
Thu Jul 4 16:04:16 EEST 2019

On 4.7.2019 15.35, mabi via dovecot wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Thursday, July 4, 2019 11:17 AM, @lbutlr via dovecot <dovecot at> wrote:
>>> Is it possible to delete the inactive keypair? if yes how?
>> Wouldn’t you then be unable to *unencrypt* previous emails?
> That's also what I thought but based on my understanding and on the documentation of the "mailbox cryptokey generate" doveadm command ( if you use the "-R" parameter you re-encrypt all the mails with the new key. See the description of that "-R" parameter:
> -R - Re-encrypt all folder keys with current active user key
> Someone please correct me here if I am wrong...

Actually -R will re-encrypt all folder keys with the new user key. After
this, the old user key can be removed. Re-encrypting mails can only be done
by moving them around. Never ever delete an old **folder** key unless
you are really sure it's not used by anything anymore.

