Closed ghost closed 10 years ago
Thanks for your feedback.
It depends on the threat model the user is interested in. Some users would like to protect their data at rest on their device, while others just want to make dragnet surveillance harder and are therefore mainly interested in the end-to-end encryption properties in transit.
It's true that users should set a passphrase to secure the key on disk. This requires them to enter the passphrase each time the app is opened, which can be annoying for "in transit threat model" users and lead them to use a different mail client without the PGP hassle. This is why we let users decide for themselves.
We'll try to work on making the warning/information in the UI better, though, to make this more clear.
Technically not forbidden by PGP specs, but should be highly discouraged with a warning.