Re: [PATCH v4 16/16] add "notmuch reindex" subcommand

Subject: Re: [PATCH v4 16/16] add "notmuch reindex" subcommand

Date: Mon, 15 Aug 2016 00:41:29 +0100

To: David Bremner

Cc: Daniel Kahn Gillmor, Notmuch Mail

From: Olly Betts


On Mon, Aug 15, 2016 at 07:42:39AM +0900, David Bremner wrote:
> Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
> > +Supported options for **reindex** include
> > +
> > +    ``--try-decrypt``
> > +
> > +        For each message, if it is encrypted, try to decrypt it while
> > +        indexing.  If decryption is successful, index the cleartext
> > +        itself.  Be aware that the index is likely sufficient to
> > +        reconstruct the cleartext of the message itself, so please
> > +        ensure that the notmuch message index is adequately
> > +        protected. DO NOT USE THIS FLAG without considering the
> > +        security of your index.
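Review bot: the warning under ``--try-decrypt`` ("Be aware that the index is likely sufficient to reconstruct the cleartext ...") only covers the decision to index cleartext; it says nothing about what a later **reindex** without the flag does to cleartext that is already in the index, so a reader will reasonably assume the terms are gone. Suggest adding a sentence after "DO NOT USE THIS FLAG without considering the security of your index." stating that reindexing without ``--try-decrypt`` removes the cleartext terms from the live index but does not securely erase them from the underlying database files.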
> 
> What can we say about re-indexing without the flag, when the user has
> previously indexed cleartext? I guess this is at least partly a question
> for Olly: if we delete terms from a xapian document, how recoverable are
> those terms and positions? I suppose it might depend on backend, but
> does deleting terms provide at least the same level of security as deleting
> files in modern file systems?

That seems a fair assessment.  Probably the main extra security you'd
get is that there are less likely to be existing tools to get at the
data, and that it's spread over more places so it's harder to locate it
all so you can reconstruct the plain text (whereas if a deleted file
contained the plain text, it would be fairly easy to locate if you can
guess part of it, or at least write a bit of code to recognise likely
candidates).

> (i.e. not much against determined state level actors, but good enough
> to defeat most older brothers)

"Good enough against big brother, but not Big Brother"

Cheers,
    Olly
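An added audit script, not part of this thread or of notmuch itself, that puts Olly's point to the test: it scans every file of a Xapian database directory for a few words known to be in a previously indexed cleartext and reports how many times, and in how many distinct files, each one still occurs. It assumes the index lives in a directory such as `.notmuch/xapian` under the maildir, and that Xapian stores terms lowercased (so the scan is case-insensitive); the words you pass in are your own choice.

```python
import os
import sys
from collections import defaultdict


def scan_index_for_residue(db_dir, known_words, min_len=4):
    """Return {relative file path: {word: occurrence count}} for every file
    under db_dir that still contains one of the known cleartext words.
    Matching is byte-level and case-insensitive, because Xapian lowercases
    the terms it stores.  Words shorter than min_len are skipped: they hit
    random binary data too often to mean anything."""
    needles = [w.lower().encode() for w in known_words if len(w) >= min_len]
    hits = defaultdict(dict)
    for root, _dirs, files in os.walk(db_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read().lower()
            for needle in needles:
                count = data.count(needle)
                if count:
                    hits[os.path.relpath(path, db_dir)][needle.decode()] = count
    return dict(hits)


def residue_summary(hits):
    """Collapse per-file hits into {word: (total occurrences, distinct files)}.
    A word that survives in several files is exactly the "spread over more
    places" case described above: present, but harder to reassemble."""
    summary = {}
    for words in hits.values():
        for word, count in words.items():
            total, nfiles = summary.get(word, (0, 0))
            summary[word] = (total + count, nfiles + 1)
    return summary


if __name__ == "__main__":
    # Usage: python residue_scan.py /path/to/.notmuch/xapian word1 word2 ...
    if len(sys.argv) < 3:
        sys.exit("usage: residue_scan.py DB_DIR WORD [WORD ...]")
    found = scan_index_for_residue(sys.argv[1], sys.argv[2:])
    for word, (total, nfiles) in sorted(residue_summary(found).items()):
        print(f"{word}: {total} occurrence(s) across {nfiles} file(s)")
    if not found:
        print("no residue of the given words found")
```

Run it once after indexing with ``--try-decrypt`` (to confirm the words are detectable) and again after reindexing without the flag; any remaining hits are what a byte-level search of the database files can still recover.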
