As I understand the BoxCryptor system the user's password is used to encrypt the user's RSA public and private keys, and the user's RSA public key is used to encrypt the individual file AES keys.
As changing the user's password only re-encrypts the user's RSA keys it seems possible that a previously compromised RSA private key could allow an attacker permanent access to the user's encrypted files - even newly created files with new AES file keys, and even if they change their password.
Of course, I take steps to prevent my password and RSA private key from being compromised. But, I was wondering if there was a way to force BoxCryptor to:
1. Generate a new RSA key pair
2. Re-encrypt all AES file keys with the new RSA public key
3. Encrypt the new RSA key pair file with a new password
This would re-secure all of the files in BoxCryptor even if the user's password and/or RSA private key were compromised.
At the moment, the only way I can think of doing this is to
1: Decrypt everything
2. Set up a completely new BoxCryptor account
3: Encrypt everything again
Of course, this is not ideal as it will take time and will require a re-upload of all of my cloud data (since the every file will have been newly encrypted).
Forcing the generation of a new RSA key pair would be much simpler, as it wouldn't require the decryption of all of my files (just the AES file key), nor the setting up of a new account, and the only part of the file that would be changed would be the file key header, meaning only minimal data need be uploaded.
Thanks for any information on this!