Long term encrypted email storage policy

EQ Admin

EQ Forum Admin
Staff member
What concerns should a user who expects long-term privacy have over the long-term privacy of their emails?

This question came to mind while reading the SCRYPTmail help text next to the PGP key strength options:

[Image: PGP Encrypted Email Storage Policy]

In general, should a user of encrypted email be deleting / destroying old copies of email after it reaches a certain age, such as 3-5 years old?

For encrypted email service providers, should they plan on "recrypting" (double encrypting?) old email within stronger encryption as time passes?

The logic there would be similar to that of a zip file containing zip files. The newest zip uses the best reasonable encryption possible and contains the older zips that had used older, probably "weaker" encryption from the perspective of users at some future point in time.

The goal would be to help prevent old email from being easier to decrypt if a server is compromised or an account is subpoenaed many years after the email was sent.

SCRYPTmail

Email Service Provider
Good catch. To better answer that, I probably should explain a little how it all works. There are 2 actions you can do with SCRYPTmail:
  1. Send Email
  2. Receive Email
When you send an email, you encrypt it with the public key of the recipient. (In reality it's a little different: you encrypt the email with symmetric encryption like AES, and the AES key gets encrypted with the PGP public key.) That generally applies to any PGP email provider.
When you receive an email, you use your private key to decrypt the email and can read it in plain text.

It's pretty simple to this point. What differs SCRYPTmail from other providers is that most of them store received emails in such PGP format permanently, which essentially will get old and be susceptible to an attack, like 512-bit PGP keys becoming insecure.
With SCRYPTmail, on the other hand, when you receive an email, the AES key gets copied into the user folder object and discarded from the email. Done this way, your emails are always stored encrypted with AES-256, and the PGP part of it is discarded at the very moment you receive a new email. To keep it this way, you just need to log in regularly to your mailbox to check for new emails.

So answering the question: no. With SCRYPTmail you don't have to re-encrypt email every 3-5 years, or until AES-256 shows a major flaw. What you need is to log in regularly to your account, or, if you decide not to use it anymore, delete the account from the settings panel.

However, with other encrypted email services, which use the same PGP encryption, they should be concerned that their emails get compromised in a few years.

Rockman

Valued Member
That's pretty slick and I have always had the concern about getting locked out of my own older email due to expired or revoked certificates or keys. I also would like to know how to download and archive email to secure, offline storage in plain text?

SCRYPTmail

Email Service Provider
> That's pretty slick and I have always had the concern about getting locked out of my own older email due to expired or revoked certificates or keys. I also would like to know how to download and archive email to secure, offline storage in plain text?

If you are asking about the option to download old emails from SCRYPTmail, it is in our features list.