On Sat, Apr 05 2014, David Bremner wrote:
> john.wyzer@gmx.de writes:
>
>> Would it be possible to add the configurable option to also decrypt
>> encrypted messages on the fly while indexing to make them searchable,
>> too?
>>
>> That would be really great for people that consider gnupg mainly an
>> encryption for transport or have their complete hard drive encrypted...
>
> As far as I understand an attacker could reconstruct the message from the
> index, so one question is whether the extra complexity in notmuch is
> worth the minimal extra security over decrypting on delivery and storing
> plaintext on the (presumably encrypted) disk. Of course decrypting on
> delivery may be inconvenient (or impossible). I have CCed the two people
> who have implemented most of the crypto related stuff in notmuch so they
> can comment.

Indexing encrypted email is a bit of a foot-gun, since, as David
mentions, it is apparently possible to reconstruct encrypted messages
from the index. It therefore needs to be approached with care.

I think decrypting on "delivery" (or mail fetch or whatever) sounds
difficult and unwieldy. In either event, it seems out of the scope of
notmuch. If a user figured out how to have that done, no changes to
notmuch would be needed afaict.

I don't think it would be difficult to modify notmuch new to decrypt at
indexing time. Given that gnupg agent would be used for accessing the
user's private key for decryption, the interface would be fairly
straightforward. A couple of decryption options could be added to
notmuch new:

* don't decrypt: don't attempt to decrypt and index any encrypted
  message (default)

* decrypt always: fail if any encrypted message could not be decrypted

* decrypt opportunistically: attempt to decrypt, but continue indexing
  if an encrypted message could not be decrypted

If something like this is enabled, we should make sure we make the
dangers clear to the users.

jamie.