diff --git a/src/Command/UsersCheckPasswordCommand.php b/src/Command/UsersCheckPasswordCommand.php
index 2adf3c36..3f2589d9 100644
--- a/src/Command/UsersCheckPasswordCommand.php
+++ b/src/Command/UsersCheckPasswordCommand.php
@@ -148,7 +148,7 @@ protected function execute(InputInterface $input, OutputInterface $output): ?int
 false === $userDbLookup && false === $user->hasMailCrypt() && null === $user->getMailCryptPublicKey()) {
- $this->mailCryptKeyHandler->create($user, $password);
+ $this->mailCryptKeyHandler->create($user, $password, true);
 }
 // Optionally set mail_crypt environment variables for checkpassword-reply command
diff --git a/src/Handler/MailCryptKeyHandler.php b/src/Handler/MailCryptKeyHandler.php
index 423437d9..8f6a285d 100644
--- a/src/Handler/MailCryptKeyHandler.php
+++ b/src/Handler/MailCryptKeyHandler.php
@@ -60,8 +60,9 @@ public function toPkcs8(string $privateKey): string
 /**
 * @throws Exception
+ *
 */
- public function create(User $user, string $password): void
+ public function create(User $user, string $password, ?bool $mailCryptEnable = false): void
 {
 $pKey = openssl_pkey_new([
 'private_key_type' => self::MAIL_CRYPT_PRIVATE_KEY_TYPE,
@@ -80,6 +81,10 @@ public function create(User $user, string $password): void
 // Clear variables with confidential content from memory
 $keyPair->erase();
+ if (true === $mailCryptEnable) {
+ $user->setMailCrypt(true);
+ }
+
 $this->manager->flush();
 }
diff --git a/src/Handler/RegistrationHandler.php b/src/Handler/RegistrationHandler.php
index af4eab7d..5832c49f 100644
--- a/src/Handler/RegistrationHandler.php
+++ b/src/Handler/RegistrationHandler.php
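Review bot: The command now passes a hard-coded `true` as the new third argument, so this checkpassword path enables mailbox encryption unconditionally, whereas RegistrationHandler in the same commit derives the flag from `$this->mailCrypt >= 2`. Unless the enclosing `if` (which starts outside the hunk) already checks the MAIL_CRYPT setting, a deployment that only generates key material without enforcing encryption would have it switched on for a user by the first successful login through this command; passing the same setting-derived value at both call sites, with the setting injected into the command if it is not already available there, keeps the two code paths consistent. A named argument, `mailCryptEnable: true`, would at least make the bare boolean readable at the call site. execute() continues outside the hunk.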
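Review bot: The docblock of `create()` gains an empty ` *` line instead of documenting the new parameter; replace it with ` * @param bool $mailCryptEnable also mark the user as MailCrypt-enabled before the flush`. The parameter is declared `?bool` although the body only ever compares it against `true` (second hunk of this file), so `null` silently behaves like `false`; a plain `bool $mailCryptEnable = false` with `if ($mailCryptEnable) {` states the intent and matches what both call sites pass. The body of create() continues between the two hunks and the second hunk's `}` closes it.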
@@ -46,15 +46,12 @@ public function handle(Registration $registration): void
 $user = $this->buildUser($registration);
 // Update password, generate MailCrypt keys, generate recovery token
+ // key material for mailCrypt is always generated, but only enabled if MAIL_CRYPT >= 2
+ $mailCryptEnable = $this->mailCrypt >= 2;
 $this->passwordUpdater->updatePassword($user, $registration->getPlainPassword());
- $this->mailCryptKeyHandler->create($user, $registration->getPlainPassword());
+ $this->mailCryptKeyHandler->create($user, $registration->getPlainPassword(), $mailCryptEnable);
 $this->recoveryTokenHandler->create($user);
- // Enable mailbox encryption
- if ($this->mailCrypt >= 2) {
- $user->setMailCrypt(true);
- }
-
 // We used to erase sensitive data here, but it's now done in RegistrationController
 // as we need to print the plainRecoveryToken beforehand
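Review bot: Moving the enable into `MailCryptKeyHandler::create()` changes the ordering: the user is now flagged as MailCrypt-enabled and flushed (create() ends with `$this->manager->flush()`) before `$this->recoveryTokenHandler->create($user);` runs, whereas the removed block set the flag only after recovery-token creation. If the recovery token is what lets a user regain access to an encrypted mailbox after a password reset, a failure in that step would now leave a persisted, encryption-enabled user with no recovery token; consider wrapping the three handler calls in one transaction, or keeping the enable step after the recovery token is created, and state the chosen ordering in the new comment. handle() continues outside the hunk.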