Currently, notmuch has the levers needed to set coherent crypto policy
around how cleartext is indexed, which also has an impact on how
messages are rendered.  But we don't have a lot of documentation about
how to do sensible things.  This is an initial attempt to address

The first example shows a way to selectively index specific messages.

The next two examples are about aligning the existing database with
crypto indexing policy

The default crypto policy is to not index cleartext, and to only
decrypt messages on display when explicitly requested.

The other sensible crypto policy is to index cleartext while stashing
session keys. messages indexed in this way will be searchable, and
will be decrypted on display automatically unless the user explicitly
asks for it to *not* be decrypted.

The policy for indexing *new* messages is stored in the database as
the config variable index.decrypt.

But setting policy for new messages doesn't retroactively affect
already indexed messages.

This patch attempts to document ways that someone can efficiently
align their pre-existing database with their new policy.

I'm not sure this is the right place to document these examples, but i
do want them to be user-facing and relatively easy to find.  I'm happy
to entertain suggestions for where else we should put them.
 doc/man1/notmuch-reindex.rst | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/doc/man1/notmuch-reindex.rst b/doc/man1/notmuch-reindex.rst
index 54490f29..cd7c91a0 100644
--- a/doc/man1/notmuch-reindex.rst
+++ b/doc/man1/notmuch-reindex.rst
@@ -44,10 +44,48 @@ Supported options for **reindex** include
     See also ``index.decrypt`` in **notmuch-config(1)**.
+A user just received an encrypted message without indexing its
+cleartext.  After reading it (via ``notmuch show --decrypt=true``),
+they decide that they want to index its cleartext so that they can
+easily find it later and read it without having to have access to
+their secret keys:
+ notmuch reindex --decrypt=true
+A user wants to change their policy going forward to start indexing
+cleartext.  But they also want indexed access to the cleartext of all
+previously-received encrypted messages.  Some messages might have
+already been indexed in the clear (as in the example above). They can
+ask notmuch to just reindex the not-yet-indexed messages:
+  notmuch config set index.decrypt true
+  notmuch reindex tag:encrypted and not property:index.decryption=success
+Later, the user changes their mind, and wants to stop indexing
+cleartext (perhaps their threat model has changed, or their trust in
+their index store has been shaken).  They also want to clear all of
+their old cleartext from the index.  Note that they compact the
+database afterward as a workaround for
+  notmuch config set index.decrypt false
+  notmuch reindex property:index.decryption=success
+  notmuch compact

notmuch mailing list

Reply via email to