Remove secret-service requirement from Proton Mail Bridge (Linux)
Proton Mail Bridge for Linux's requirement for a secret service adds complexity to the installation process. Even when using the pass utility as suggested, GPG also needs to be installed and a GPG key generated to initialize the password store. Removing the secret-service requirement would simplify the installation, reduce the 'weight' of the installation (number of steps and installed packages), and simplify what needs to be backed up. Storing the vault key is also a security hazard, as it makes the data (credentials, email messages, etc.) recoverable by anyone with access to the home directory or a backup of it.
Using a KDF (e.g. Argon2, PBKDF2, etc.) would simplify the setup and improve security, since the key would never be in the server's persistent storage. There may be other cryptographic constructs with similar or additional properties.
- Use the IMAP/SMTP password as input to the KDF.
- The derived key(s) are used to encrypt messages and other private data directly, or used to wrap a data encryption key (that, in turn, encrypts the messages).
- With this change, a sync would only occur after the first IMAP or SMTP connection is established from the mail app, but most clients should either stay connected or connect relatively often. Syncs with the Proton servers could continue as long as the service is running. Or, for even greater security, syncing could stop (and the password/keys be wiped from memory) when the client disconnects.
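A sketch of the key-wrapping variant proposed above, as an added example that is not Proton Mail Bridge code: the IMAP/SMTP password is stretched with PBKDF2, and the derived keys wrap a random data-encryption key (DEK) so that only the salt, nonce, wrapped key and tag are written to disk. The function names, the iteration count and the HMAC-based wrap (a standard-library stand-in for a real AEAD or AES key wrap) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor, not a Bridge setting


def _keys(password: str, salt: bytes):
    """Stretch the IMAP/SMTP password, then split into encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def _pad(enc_key: bytes, nonce: bytes) -> bytes:
    # One 32-byte keystream block: stdlib stand-in for a real AEAD or AES key wrap.
    return hmac.new(enc_key, nonce, hashlib.sha256).digest()


def wrap_dek(dek: bytes, password: str) -> dict:
    """Return the record that is safe to persist: no password, no plaintext key."""
    if len(dek) != 32:
        raise ValueError("this sketch wraps exactly one 32-byte key")
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, _pad(enc_key, nonce)))
    tag = hmac.new(mac_key, salt + nonce + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "wrapped": wrapped, "tag": tag}


def unwrap_dek(rec: dict, password: str) -> Optional[bytes]:
    """On client login: recover the DEK, or None if the password/record is wrong."""
    enc_key, mac_key = _keys(password, rec["salt"])
    body = rec["salt"] + rec["nonce"] + rec["wrapped"]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        return None  # reject before any decryption is attempted
    return bytes(a ^ b for a, b in zip(rec["wrapped"], _pad(enc_key, rec["nonce"])))


def change_password(rec: dict, old: str, new: str) -> Optional[dict]:
    """Re-wrap the same DEK under a new password; stored mail is not re-encrypted."""
    dek = unwrap_dek(rec, old)
    return None if dek is None else wrap_dek(dek, new)


if __name__ == "__main__":
    dek = os.urandom(32)                          # random data-encryption key
    rec = wrap_dek(dek, "constructed-bridge-pw")  # constructed sample password
    print(unwrap_dek(rec, "constructed-bridge-pw") == dek, unwrap_dek(rec, "guess"))
```

The persisted record still lets anyone who copies it test password guesses offline, so the protection is bounded by the KDF work factor and the entropy of the IMAP/SMTP password.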