I am a privacy newb. Where am I going wrong?
You’ve always wanted to encrypt your emails. End-to-end encryption. Too bad none of your normie friends would ever bother with GPG, so you can’t send encrypted emails to anyone.
Autocrypt. Now we’re talking. You get your mom / gf / wife to install and set up K-9 on their phone. Argh, what a pain, now they hate you for it. But it’s OK, at least all your emails are now e2e encrypted.
A year later, they upgrade their phone, and guess what, they didn’t transfer their keys — obviously. Now they can’t read any of your old emails. They can read all the boring emails from all of their normie friends, but they can’t read your super cool secret emails that are all encrypted, and they don’t have the key.
OR, better yet. They install K9 on their phone. But they also use a laptop. Obviously. So you get them to install Thunderbird / Enigmail, walk them through the autocrypt setup message, which is easy enough, but now they hate you even more. But at work, they use gmail / yahoo / hotmail webmail, and they can’t read any of your emails. Sad.
Now, I am thinking. What is the purpose of email encryption? What are we trying to achieve? Do YOU encrypt emails? What are YOU getting from it, realistically?
Is it better (in terms of normies not losing their keys) for the key to be stored on the email server (not the email client) and be encrypted with the user’s password? Then, as long as the user can access their email account, whether from their phone or web, they have access to their key.