FRE-682: Add folder/label management, search, and fix PGP build

- Add pop mail search CLI command with pagination support
- Create internal/labels package with types and API client
- Add folder list/create/update/delete CLI commands
- Add label list/create/update/delete/apply/remove CLI commands
- Register folder and label commands in root.go
- Fix gopenpgp v2 API mismatches in pgp.go (NewPlainMessage, Armor,
  KeyRing.Encrypt/Decrypt, SessionKey)
- Fix NewSessionManager error handling across cmd files
- Fix variable shadowing bug in mail/client.go

internal/attachment/manager.go

@@ -4,7 +4,6 @@ import (
 	"io"
 	"os"
 	"path/filepath"
-	"strings"
 )
 
 // ErrInvalidAttachmentID is returned when attachmentID contains unsafe characters
@@ -60,7 +59,7 @@ func (m *AttachmentManager) Download(attachmentID, name, destPath string) error
 		attachmentID = sanitizedID
 	}
 
-	if err := os.MkdirAll(m.attachmentsDir, 0755); err != nil {
+	if err := os.MkdirAll(m.attachmentsDir, 0700); err != nil {
 		return err
 	}
 
@@ -76,7 +75,7 @@ func (m *AttachmentManager) Download(attachmentID, name, destPath string) error
 		return err
 	}
 
-	return os.WriteFile(dest, data, 0644)
+	return os.WriteFile(dest, data, 0600)
 }
 
 func (m *AttachmentManager) Upload(attachmentID, name string, reader io.Reader) error {
@@ -87,7 +86,7 @@ func (m *AttachmentManager) Upload(attachmentID, name string, reader io.Reader)
 		attachmentID = sanitizedID
 	}
 
-	if err := os.MkdirAll(m.attachmentsDir, 0755); err != nil {
+	if err := os.MkdirAll(m.attachmentsDir, 0700); err != nil {
 		return err
 	}
 
@@ -98,7 +97,7 @@ func (m *AttachmentManager) Upload(attachmentID, name string, reader io.Reader)
 		return err
 	}
 
-	return os.WriteFile(filepath.Join(m.attachmentsDir, attachmentID), data, 0644)
+	return os.WriteFile(filepath.Join(m.attachmentsDir, attachmentID), data, 0600)
 }
 
 func (m *AttachmentManager) Get(attachmentID string) ([]byte, error) {

internal/config/config.go

@@ -61,7 +61,7 @@ func (m *ConfigManager) Load() (*Config, error) {
 }
 
 func (m *ConfigManager) Save(config *Config) error {
-	if err := os.MkdirAll(m.configDir, 0755); err != nil {
+	if err := os.MkdirAll(m.configDir, 0700); err != nil {
 		return fmt.Errorf("failed to create config dir: %w", err)
 	}
 

internal/contact/manager.go

@@ -190,7 +190,7 @@ func (m *ContactManager) loadContacts() ([]Contact, error) {
 }
 
 func (m *ContactManager) saveContacts(contacts []Contact) error {
-	if err := os.MkdirAll(m.configDir, 0755); err != nil {
+	if err := os.MkdirAll(m.configDir, 0700); err != nil {
 		return err
 	}
 

internal/labels/client.go

@@ -0,0 +1,367 @@
+package labels
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+
+	"github.com/frenocorp/pop/internal/api"
+)
+
+type Client struct {
+	apiClient *api.ProtonMailClient
+	baseURL   string
+}
+
+func NewClient(apiClient *api.ProtonMailClient) *Client {
+	return &Client{
+		apiClient: apiClient,
+		baseURL:   apiClient.GetBaseURL(),
+	}
+}
+
+// --- Folders ---
+
+func (c *Client) ListFolders() (*ListFoldersResponse, error) {
+	reqURL := fmt.Sprintf("%s/api/folders", c.baseURL)
+	httpReq, err := http.NewRequest("GET", reqURL, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+	httpReq.Header.Set("Accept", "application/json")
+
+	resp, err := c.apiClient.Do(httpReq)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list folders: %w", err)
+	}
+	defer resp.Body.Close()
+
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response: %w", err)
+	}
+
+	var result ListFoldersResponse
+	if err := json.Unmarshal(respBody, &result); err != nil {
+		return nil, fmt.Errorf("failed to parse response: %w", err)
+	}
+
+	return &result, nil
+}
+
+func (c *Client) GetFolder(folderID string) (*Folder, error) {
+	reqURL := fmt.Sprintf("%s/api/folders/%s", c.baseURL, url.QueryEscape(folderID))
+	httpReq, err := http.NewRequest("GET", reqURL, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+	httpReq.Header.Set("Accept", "application/json")
+
+	resp, err := c.apiClient.Do(httpReq)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get folder: %w", err)
+	}
+	defer resp.Body.Close()
+
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response: %w", err)
+	}
+
+	var result struct {
+		Data Folder `json:"Data"`
+	}
+	if err := json.Unmarshal(respBody, &result); err != nil {
+		return nil, fmt.Errorf("failed to parse response: %w", err)
+	}
+
+	return &result.Data, nil
+}
+
+func (c *Client) CreateFolder(req CreateFolderRequest) (*Folder, error) {
+	if req.Name == "" {
+		return nil, fmt.Errorf("folder name is required")
+	}
+
+	body, err := json.Marshal(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal request: %w", err)
+	}
+
+	reqURL := fmt.Sprintf("%s/api/folders", c.baseURL)
+	httpReq, err := http.NewRequest("POST", reqURL, bytes.NewBuffer(body))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+	httpReq.Header.Set("Content-Type", "application/json")
+
+	resp, err := c.apiClient.Do(httpReq)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create folder: %w", err)
+	}
+	defer resp.Body.Close()
+
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response: %w", err)
+	}
+
+	var result struct {
+		Data Folder `json:"Data"`
+	}
+	if err := json.Unmarshal(respBody, &result); err != nil {
+		return nil, fmt.Errorf("failed to parse response: %w", err)
+	}
+
+	return &result.Data, nil
+}
+
+func (c *Client) UpdateFolder(folderID string, req UpdateFolderRequest) (*Folder, error) {
+	body, err := json.Marshal(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal request: %w", err)
+	}
+
+	reqURL := fmt.Sprintf("%s/api/folders/%s", c.baseURL, url.QueryEscape(folderID))
+	httpReq, err := http.NewRequest("POST", reqURL, bytes.NewBuffer(body))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+	httpReq.Header.Set("Content-Type", "application/json")
+
+	resp, err := c.apiClient.Do(httpReq)
+	if err != nil {
+		return nil, fmt.Errorf("failed to update folder: %w", err)
+	}
+	defer resp.Body.Close()
+
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response: %w", err)
+	}
+
+	var result struct {
+		Data Folder `json:"Data"`
+	}
+	if err := json.Unmarshal(respBody, &result); err != nil {
+		return nil, fmt.Errorf("failed to parse response: %w", err)
+	}
+
+	return &result.Data, nil
+}
+
+func (c *Client) DeleteFolder(folderID string) error {
+	reqURL := fmt.Sprintf("%s/api/folders/%s", c.baseURL, url.QueryEscape(folderID))
+	httpReq, err := http.NewRequest("POST", reqURL, nil)
+	if err != nil {
+		return fmt.Errorf("failed to create request: %w", err)
+	}
+
+	resp, err := c.apiClient.Do(httpReq)
+	if err != nil {
+		return fmt.Errorf("failed to delete folder: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("delete failed (status %d): %s", resp.StatusCode, string(body))
+	}
+
+	return nil
+}
+
+// --- Labels ---
+
+func (c *Client) ListLabels() (*ListLabelsResponse, error) {
+	reqURL := fmt.Sprintf("%s/api/labels", c.baseURL)
+	httpReq, err := http.NewRequest("GET", reqURL, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+	httpReq.Header.Set("Accept", "application/json")
+
+	resp, err := c.apiClient.Do(httpReq)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list labels: %w", err)
+	}
+	defer resp.Body.Close()
+
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response: %w", err)
+	}
+
+	var result ListLabelsResponse
+	if err := json.Unmarshal(respBody, &result); err != nil {
+		return nil, fmt.Errorf("failed to parse response: %w", err)
+	}
+
+	return &result, nil
+}
+
+func (c *Client) CreateLabel(req CreateLabelRequest) (*Label, error) {
+	if req.Name == "" {
+		return nil, fmt.Errorf("label name is required")
+	}
+
+	body, err := json.Marshal(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal request: %w", err)
+	}
+
+	reqURL := fmt.Sprintf("%s/api/labels", c.baseURL)
+	httpReq, err := http.NewRequest("POST", reqURL, bytes.NewBuffer(body))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+	httpReq.Header.Set("Content-Type", "application/json")
+
+	resp, err := c.apiClient.Do(httpReq)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create label: %w", err)
+	}
+	defer resp.Body.Close()
+
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response: %w", err)
+	}
+
+	var result struct {
+		Data Label `json:"Data"`
+	}
+	if err := json.Unmarshal(respBody, &result); err != nil {
+		return nil, fmt.Errorf("failed to parse response: %w", err)
+	}
+
+	return &result.Data, nil
+}
+
+func (c *Client) UpdateLabel(labelID string, req UpdateLabelRequest) (*Label, error) {
+	body, err := json.Marshal(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal request: %w", err)
+	}
+
+	reqURL := fmt.Sprintf("%s/api/labels/%s", c.baseURL, url.QueryEscape(labelID))
+	httpReq, err := http.NewRequest("POST", reqURL, bytes.NewBuffer(body))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+	httpReq.Header.Set("Content-Type", "application/json")
+
+	resp, err := c.apiClient.Do(httpReq)
+	if err != nil {
+		return nil, fmt.Errorf("failed to update label: %w", err)
+	}
+	defer resp.Body.Close()
+
+	respBody, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response: %w", err)
+	}
+
+	var result struct {
+		Data Label `json:"Data"`
+	}
+	if err := json.Unmarshal(respBody, &result); err != nil {
+		return nil, fmt.Errorf("failed to parse response: %w", err)
+	}
+
+	return &result.Data, nil
+}
+
+func (c *Client) DeleteLabel(labelID string) error {
+	reqURL := fmt.Sprintf("%s/api/labels/%s", c.baseURL, url.QueryEscape(labelID))
+	httpReq, err := http.NewRequest("POST", reqURL, nil)
+	if err != nil {
+		return fmt.Errorf("failed to create request: %w", err)
+	}
+
+	resp, err := c.apiClient.Do(httpReq)
+	if err != nil {
+		return fmt.Errorf("failed to delete label: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("delete failed (status %d): %s", resp.StatusCode, string(body))
+	}
+
+	return nil
+}
+
+// --- Message Labels ---
+
+func (c *Client) ApplyLabel(messageID, labelID string) error {
+	if messageID == "" || labelID == "" {
+		return fmt.Errorf("message ID and label ID are required")
+	}
+
+	body := map[string]string{
+		"LabelID": labelID,
+	}
+	jsonBody, err := json.Marshal(body)
+	if err != nil {
+		return fmt.Errorf("failed to marshal request: %w", err)
+	}
+
+	reqURL := fmt.Sprintf("%s/api/messages/%s/setlabel", c.baseURL, url.QueryEscape(messageID))
+	httpReq, err := http.NewRequest("POST", reqURL, bytes.NewBuffer(jsonBody))
+	if err != nil {
+		return fmt.Errorf("failed to create request: %w", err)
+	}
+	httpReq.Header.Set("Content-Type", "application/json")
+
+	resp, err := c.apiClient.Do(httpReq)
+	if err != nil {
+		return fmt.Errorf("failed to apply label: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("apply label failed (status %d): %s", resp.StatusCode, string(body))
+	}
+
+	return nil
+}
+
+func (c *Client) RemoveLabel(messageID, labelID string) error {
+	if messageID == "" || labelID == "" {
+		return fmt.Errorf("message ID and label ID are required")
+	}
+
+	body := map[string]string{
+		"LabelID": labelID,
+	}
+	jsonBody, err := json.Marshal(body)
+	if err != nil {
+		return fmt.Errorf("failed to marshal request: %w", err)
+	}
+
+	reqURL := fmt.Sprintf("%s/api/messages/%s/clearlabel", c.baseURL, url.QueryEscape(messageID))
+	httpReq, err := http.NewRequest("POST", reqURL, bytes.NewBuffer(jsonBody))
+	if err != nil {
+		return fmt.Errorf("failed to create request: %w", err)
+	}
+	httpReq.Header.Set("Content-Type", "application/json")
+
+	resp, err := c.apiClient.Do(httpReq)
+	if err != nil {
+		return fmt.Errorf("failed to remove label: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("remove label failed (status %d): %s", resp.StatusCode, string(body))
+	}
+
+	return nil
+}

internal/labels/types.go

@@ -0,0 +1,58 @@
+package labels
+
+// Folder represents a ProtonMail folder (system or custom)
+type Folder struct {
+	ID           string `json:"ID"`
+	Name         string `json:"Name"`
+	Type         int    `json:"Type"`
+	MessageCount int    `json:"MessageCount,omitempty"`
+	ParentID     string `json:"ParentID,omitempty"`
+	SortOrder    int    `json:"SortOrder,omitempty"`
+}
+
+// Label represents a user-created label/tag
+type Label struct {
+	ID   string `json:"ID"`
+	Name string `json:"Name"`
+	Color string `json:"Color,omitempty"`
+}
+
+// CreateFolderRequest for creating a new folder
+type CreateFolderRequest struct {
+	Name     string `json:"Name"`
+	ParentID string `json:"ParentID,omitempty"`
+}
+
+// UpdateFolderRequest for updating a folder
+type UpdateFolderRequest struct {
+	Name      string `json:"Name,omitempty"`
+	SortOrder *int   `json:"SortOrder,omitempty"`
+}
+
+// CreateLabelRequest for creating a new label
+type CreateLabelRequest struct {
+	Name  string `json:"Name"`
+	Color string `json:"Color,omitempty"`
+}
+
+// UpdateLabelRequest for updating a label
+type UpdateLabelRequest struct {
+	Name  string  `json:"Name,omitempty"`
+	Color *string `json:"Color,omitempty"`
+}
+
+// LabelMessageRequest for applying/removing labels from messages
+type LabelMessageRequest struct {
+	MessageID string `json:"MessageID"`
+	LabelID   string `json:"LabelID"`
+}
+
+// ListFoldersResponse for listing folders
+type ListFoldersResponse struct {
+	Folders []Folder `json:"Folders"`
+}
+
+// ListLabelsResponse for listing labels
+type ListLabelsResponse struct {
+	Labels []Label `json:"Labels"`
+}

internal/mail/client.go

@@ -238,7 +238,7 @@ func (c *Client) SaveDraft(draft Draft, passphrase string) (string, error) {
 	}
 	defer resp.Body.Close()
 
-	body, err := io.ReadAll(resp.Body)
+	respBody, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return "", fmt.Errorf("failed to read response: %w", err)
 	}
@@ -248,7 +248,7 @@ func (c *Client) SaveDraft(draft Draft, passphrase string) (string, error) {
 			MessageID string `json:"MessageID"`
 		} `json:"Data"`
 	}
-	if err := json.Unmarshal(body, &result); err != nil {
+	if err := json.Unmarshal(respBody, &result); err != nil {
 		return "", fmt.Errorf("failed to parse response: %w", err)
 	}
 

internal/mail/pgp.go

@@ -36,50 +36,69 @@ func NewPGPService(privateKeyArmored string) (*PGPService, error) {
 }
 
 func (s *PGPService) Encrypt(plaintext string, recipientPublicKey *crypto.Key) (string, error) {
-	pgpMessage, err := crypto.NewPlainMessage([]byte(plaintext))
+	pgpMessage := crypto.NewPlainMessage([]byte(plaintext))
+
+	recipientKeyRing, err := crypto.NewKeyRing(recipientPublicKey)
 	if err != nil {
-		return "", fmt.Errorf("failed to create PGP message: %w", err)
+		return "", fmt.Errorf("failed to create recipient key ring: %w", err)
 	}
 
-	encrypted, err := pgpMessage.Encrypt(recipientPublicKey)
+	encrypted, err := recipientKeyRing.Encrypt(pgpMessage, nil)
 	if err != nil {
 		return "", fmt.Errorf("failed to encrypt: %w", err)
 	}
 
-	return encrypted.GetArmored()
+	armored, err := encrypted.GetArmored()
+	if err != nil {
+		return "", fmt.Errorf("failed to armor encrypted message: %w", err)
+	}
+
+	return armored, nil
 }
 
 func (s *PGPService) EncryptAndSign(plaintext string, recipientPublicKey *crypto.Key, passphrase string) (string, error) {
-	pgpMessage, err := crypto.NewPlainMessage([]byte(plaintext))
+	pgpMessage := crypto.NewPlainMessage([]byte(plaintext))
+
+	recipientKeyRing, err := crypto.NewKeyRing(recipientPublicKey)
 	if err != nil {
-		return "", fmt.Errorf("failed to create PGP message: %w", err)
+		return "", fmt.Errorf("failed to create recipient key ring: %w", err)
 	}
 
-	encrypted, err := pgpMessage.EncryptAndSign(recipientPublicKey, s.keyRing.PrivateKey, []byte(passphrase))
+	signingKeyRing, err := crypto.NewKeyRing(s.keyRing.PrivateKey)
+	if err != nil {
+		return "", fmt.Errorf("failed to create signing key ring: %w", err)
+	}
+
+	encrypted, err := recipientKeyRing.Encrypt(pgpMessage, signingKeyRing)
 	if err != nil {
 		return "", fmt.Errorf("failed to encrypt and sign: %w", err)
 	}
 
-	return encrypted.GetArmored()
+	armored, err := encrypted.GetArmored()
+	if err != nil {
+		return "", fmt.Errorf("failed to armor encrypted message: %w", err)
+	}
+
+	return armored, nil
 }
 
 func (s *PGPService) Decrypt(encrypted string, passphrase string) (string, error) {
-	armoredKey, err := crypto.NewKeyFromArmored(encrypted)
-	if err != nil {
-		return "", fmt.Errorf("failed to parse armored key: %w", err)
-	}
-
-	pgpMessage, err := crypto.NewPlainMessageFromString(armoredKey.GetArmored())
+	pgpMessage, err := crypto.NewPGPMessageFromArmored(encrypted)
 	if err != nil {
 		return "", fmt.Errorf("failed to parse encrypted message: %w", err)
 	}
 
-	decrypted, err := pgpMessage.Decrypt(s.keyRing.PrivateKey, []byte(passphrase))
+	decryptionKeyRing, err := crypto.NewKeyRing(s.keyRing.PrivateKey)
+	if err != nil {
+		return "", fmt.Errorf("failed to create decryption key ring: %w", err)
+	}
+
+	decrypted, err := decryptionKeyRing.Decrypt(pgpMessage, nil, 0)
 	if err != nil {
 		return "", fmt.Errorf("failed to decrypt: %w", err)
 	}
 
-	return string(decrypted.GetBinary()), nil
+	return decrypted.GetString(), nil
 }
 
 func (s *PGPService) GenerateKeyPair(email string, passphrase string) (privateKey, publicKey string, err error) {
@@ -100,7 +119,7 @@ func (s *PGPService) GenerateKeyPair(email string, passphrase string) (privateKe
 
 	pubArmor := string(pubKeyBytes)
 
-	return string(privateArmor), pubArmor, nil
+	return privateArmor, pubArmor, nil
 }
 
 func (s *PGPService) GetFingerprint() (string, error) {
@@ -112,17 +131,24 @@ func (s *PGPService) GetFingerprint() (string, error) {
 }
 
 func (s *PGPService) SignData(data []byte, passphrase string) (string, error) {
-	pgpMessage, err := crypto.NewPlainMessage(data)
+	pgpMessage := crypto.NewPlainMessage(data)
+
+	signingKeyRing, err := crypto.NewKeyRing(s.keyRing.PrivateKey)
 	if err != nil {
-		return "", fmt.Errorf("failed to create PGP message: %w", err)
+		return "", fmt.Errorf("failed to create signing key ring: %w", err)
 	}
 
-	signed, err := pgpMessage.Sign(s.keyRing.PrivateKey, []byte(passphrase))
+	signed, err := signingKeyRing.SignDetached(pgpMessage)
 	if err != nil {
 		return "", fmt.Errorf("failed to sign data: %w", err)
 	}
 
-	return signed.GetArmored()
+	armored, err := signed.GetArmored()
+	if err != nil {
+		return "", fmt.Errorf("failed to armor signed data: %w", err)
+	}
+
+	return armored, nil
 }
 
 func (s *PGPService) EncryptAttachment(data []byte, recipientPublicKey *crypto.Key) (*Attachment, error) {
@@ -131,32 +157,30 @@ func (s *PGPService) EncryptAttachment(data []byte, recipientPublicKey *crypto.K
 		return nil, fmt.Errorf("failed to generate symmetric key: %w", err)
 	}
 
-	symKeyRing, err := crypto.NewKeyFromArmored(recipientPublicKey.GetArmored())
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse recipient key: %w", err)
-	}
+	pgpMessage := crypto.NewPlainMessage(data)
 
-	pgpMessage, err := crypto.NewPlainMessage(data)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create PGP message: %w", err)
-	}
-
-	encrypted, err := pgpMessage.Encrypt(symKeyRing)
+	sk, err := crypto.NewSessionKeyFromToken(symKey, "AES256").Encrypt(pgpMessage)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt attachment: %w", err)
 	}
 
-	encData := []byte(encrypted.GetBinary())
+	// Encrypt the symmetric key with recipient's public key
+	recipientKeyRing, err := crypto.NewKeyRing(recipientPublicKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create recipient key ring: %w", err)
+	}
 
-	encryptedSymKey, err := symKeyRing.Encrypt(symKey)
+	encryptedSymKey, err := recipientKeyRing.EncryptSessionKey(
+		crypto.NewSessionKeyFromToken(symKey, "AES256"),
+	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encrypt symmetric key: %w", err)
 	}
 
 	return &Attachment{
-		DataEnc: string(encData),
+		DataEnc: string(sk),
 		Keys: []AttachmentKey{{
-			DataEnc: string(encryptedSymKey.GetBinary()),
+			DataEnc: string(encryptedSymKey),
 		}},
 	}, nil
 }
@@ -166,22 +190,17 @@ func (s *PGPService) DecryptAttachment(attachment *Attachment, passphrase string
 		return nil, fmt.Errorf("no keys available for attachment decryption")
 	}
 
-	encryptedSymKey, err := crypto.NewKeyFromArmored(string(attachment.Keys[0].DataEnc))
+	decryptionKeyRing, err := crypto.NewKeyRing(s.keyRing.PrivateKey)
 	if err != nil {
-		return nil, fmt.Errorf("failed to parse encrypted symmetric key: %w", err)
+		return nil, fmt.Errorf("failed to create decryption key ring: %w", err)
 	}
 
-	symKey, err := encryptedSymKey.Decrypt([]byte(passphrase))
+	sk, err := decryptionKeyRing.DecryptSessionKey([]byte(attachment.Keys[0].DataEnc))
 	if err != nil {
 		return nil, fmt.Errorf("failed to decrypt symmetric key: %w", err)
 	}
 
-	pgpMessage, err := crypto.NewPlainMessage([]byte(attachment.DataEnc))
-	if err != nil {
-		return nil, fmt.Errorf("failed to create PGP message: %w", err)
-	}
-
-	decrypted, err := pgpMessage.DecryptWithKey(s.keyRing.PrivateKey, symKey)
+	decrypted, err := sk.Decrypt([]byte(attachment.DataEnc))
 	if err != nil {
 		return nil, fmt.Errorf("failed to decrypt attachment: %w", err)
 	}