It looks like ProtonMail released new account management features just a few weeks ago, including the capability for "organization admins to access the emails of other organization users" while still preserving end-to-end encryption.
>while all organization accounts are end-to-end encrypted, it is still possible for organization admins to access the emails of other organization users. Thus, organizational oversight and management is still possible, even with end-to-end encryption. Furthermore, administrative read permissions are also granted or revoked automatically when admin users are created or demoted.
I wonder how they can provide this without either storing encryption keys on their servers or re-encrypting (client-side!) all email during such events.
Interesting! You could probably do it by using the key of an existing admin to decrypt the escrow key and then reencrypt it with the public key of the new admin, all client-side.
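The re-wrapping idea from the comment above, as an added example that is not part of the thread and is not ProtonMail's code or design. It assumes one symmetric escrow key per organization and RSA-OAEP key wrapping; `serverStore`, `promote`, `demote` and the other names are hypothetical.

```javascript
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Each admin holds an RSA key pair; the private half stays on that admin's client.
function newAdmin() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}
function wrap(publicKey, escrowKey) {
  return crypto.publicEncrypt({ key: publicKey, ...OAEP }, escrowKey);
}
function unwrap(privateKey, wrapped) {
  return crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
}

// Runs on an existing admin's client: unwrap the escrow key with that admin's
// private key and upload a copy wrapped to the new admin's public key.
// The server only ever stores wrapped copies, and no mail is re-encrypted.
function promote(serverStore, fromId, fromPrivateKey, toId, toPublicKey) {
  const escrowKey = unwrap(fromPrivateKey, serverStore[fromId]);
  serverStore[toId] = wrap(toPublicKey, escrowKey);
  escrowKey.fill(0); // drop the plaintext key from memory once re-wrapped
}

// Deleting the wrapped copy stops future fetches. An admin who kept the
// unwrapped key still has it, so hard revocation needs escrow key rotation.
function demote(serverStore, id) {
  delete serverStore[id];
}

// Stand-in for mail encryption: AES-256-GCM under the escrow key.
function seal(escrowKey, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', escrowKey, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(escrowKey, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', escrowKey, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

function demo() {
  const alice = newAdmin(), bob = newAdmin();
  const escrowKey = crypto.randomBytes(32);
  const mail = seal(escrowKey, 'constructed sample message'); // constructed input
  const serverStore = { alice: wrap(alice.publicKey, escrowKey) };
  promote(serverStore, 'alice', alice.privateKey, 'bob', bob.publicKey);
  const readByBob = open(unwrap(bob.privateKey, serverStore.bob), mail);
  demote(serverStore, 'bob');
  return { readByBob, bobStillListed: 'bob' in serverStore };
}
```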
Very interesting, I might give the solution another go in the future. Still, at this pace it will take them a long time until they are on par with a "normal" e-mail solution (it might be worth the trouble though).