Also wanting to re-encrypt old mail to new key, ideally without export/import... Is this "complete" or not? There was a similar request many years ago... looks like it has now disappeared.

This was marked as completed a couple days ago. However, I cannot find a re-encryption option in the Proton Mail settings.
How exactly was this implemented? Or why was this marked as completed?

After some time I confirm this is already working, but it is the lack of documentation what it makes it hard to do.

Here is what I did to re-encrypt my entire mailbox, moving from an old key 2048 length to a new ECC key:
1.- Perform a backup of the entire mailbox using Proton tool for it.
2.- Create a new key for the account and for the mailbox, marking them as PRIMARY.
3.- Mark the old key as obsolete, so it is not used to encrypt anything.
4.- Restore the backup done at step 1 using Proton tool. All the mails are stored in the same folders they were before with a tag, but you can remove the tag and they are exactly as they were earlier.
5.- Remove the old key. I had to contact Proton support for this, as it was being blocked because of the Proton Drive, even if no files were there. Support needs to remove your entire Drive and all your data, so ensure you have a copy of the data there before asking for it.

This would be an excellent feature, I was looking for such an option today to upgrade my mail from older keys to newer, stronger keys. This became especially evident after importing a large portion of mail from a legacy provider account which was encrypted with one of those older keys and after removing one of these keys, made all of my older mail unreadable, forcing me to have to re-import the key.

I agree that the re-encryption could have some risks, but I had assumed that during the conversion we would be working in a copy and only once all steps are successfully done, the original data would be removed.

For me, these would be the key parts it should ensure:

- Integrity of the data: this means that we need to work in "a copy" to allow the rollback if something goes wrong without loosing data.
- Folder structure for messages and tags are kept as they are in the original encryption.

I truly hope this gets implemented soon, otherwise we are using a service with a expire date depending on when you first logged in; of course, nowadays you can assume you lose data and can create new keys and forget about previous data, but this is currently a no-sense to me.

I agree, the option of uniformity should be available. However, for implementation this imposes great risk. What if anything goes wrong during the decryption and reencryption? This could corrupt any number of emails. So my caveat is that this optionality be available to users via support ticket to protonmail engineers. I would expect a low volume of tickets.

However, I would like to point out an interesting thought. Automating it may not be so tough. Before Boxcryptor service was bought by Dropbox, they did have a feature to decrypt or encrypt entire folder contents. What they did was make a new folder, appended "_{decrypted/encrypted}" to it, and proceeded the conversion in linear fashion from the old folder to the new one.

Two cents to make this feature request more specific.

I contacted support and it seems this is not available, which is a security breach.

Old accounts have as per old standards GPG 2048 keys, which are not as secure as current ECC ones and also, the key can be compromised. We can create a new key but it only works for new emails, existing ones cannot be re-encrypted with the new key.

We have heard by Proton team multiple times, even in Andy Yen's interview that Proton products are designed to be covered even if a data breach happens, as all the data is encrypted. If old mails cannot be re-encrypted with newer and more secure keys, this is only partially true, as GPG keys 2048 long are not secure enough in long term and in the future, current ECC will be became outdated as well.

If this feature is implemented in a way that the existing emails are re-encrypted with new keys and all the folder estructure and details are kept, being transparent to the user, Proton mail will increase its security a lot in long term and ensures to all the Proton users that their data will be safe as per latest standards and if a private key is compromised, all the data can be still retained securely after re-encrypt everything with a new key.

As a long-time Proton-supporter (amongst the first users), my encryption keys for emails are rather old and somewhat not state of the art anymore (e.g. RSA 2048-bit).

The current feature to generate new keys requires me to keep the old keys for old emails intact - but I'm looking for a feature that would actually allow me to REPLACE my existing key with a more modern and secure key for ANY of my emails.

That would require all existing emails to be decrypted on the client with the existing key and encrypted with the new key/algorithm but would allow for an actual upgrade of security.

Drawbacks of the existing feature are: If, for whatever reason, an existing key has been compromised, old emails would remain "unprotected" even when a new key has been generated --> somewhat undermines the privacy/security vision of Proton.

PS.: This should also be possible for the account key =)