diff --git a/migrations/20260428124349-remove-salt-from-mail-address-keys.js b/migrations/20260428124349-remove-salt-from-mail-address-keys.js new file mode 100644 index 0000000..c24f142 --- /dev/null +++ b/migrations/20260428124349-remove-salt-from-mail-address-keys.js @@ -0,0 +1,18 @@ +'use strict'; + +const TABLE_NAME = 'mail_address_keys'; +const COLUMN_NAME = 'salt'; + +/** @type {import('sequelize-cli').Migration} */ +module.exports = { + async up(queryInterface) { + await queryInterface.removeColumn(TABLE_NAME, COLUMN_NAME); + }, + + async down(queryInterface, Sequelize) { + await queryInterface.addColumn(TABLE_NAME, COLUMN_NAME, { + type: Sequelize.STRING(64), + allowNull: false, + }); + }, +}; diff --git a/src/modules/account/account.service.spec.ts b/src/modules/account/account.service.spec.ts index 0e45a9e..0f9085f 100644 --- a/src/modules/account/account.service.spec.ts +++ b/src/modules/account/account.service.spec.ts @@ -111,7 +111,6 @@ describe('AccountService', () => { publicKey: keysAttrs.publicKey, encryptionPrivateKey: keysAttrs.encryptionPrivateKey, recoveryPrivateKey: keysAttrs.recoveryPrivateKey, - salt: keysAttrs.salt, }); }); diff --git a/src/modules/account/account.service.ts b/src/modules/account/account.service.ts index 019d3f8..b28a99b 100644 --- a/src/modules/account/account.service.ts +++ b/src/modules/account/account.service.ts @@ -19,7 +19,6 @@ export interface MailAddressKeyBundle { publicKey: string; encryptionPrivateKey: string; recoveryPrivateKey: string; - salt: string; } @Injectable() @@ -78,7 +77,6 @@ export class AccountService { publicKey: keys.publicKey, encryptionPrivateKey: keys.encryptionPrivateKey, recoveryPrivateKey: keys.recoveryPrivateKey, - salt: keys.salt, }; } diff --git a/src/modules/account/domain/mail-address-keys.domain.ts b/src/modules/account/domain/mail-address-keys.domain.ts index e72e45b..3916276 100644 --- a/src/modules/account/domain/mail-address-keys.domain.ts 
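Review bot: `down` in the new migration re-adds `salt` with `allowNull: false` and no `defaultValue`, so on a table that already holds rows the rollback will either fail or fill the column with a dummy value, depending on the dialect. The salts dropped by `up` are not restored in either case. The DTO field removed later in this diff described this value as the Argon2id salt used to derive the keystore key, so if nothing else stores it, existing `encryptionPrivateKey` and `recoveryPrivateKey` values may become undecryptable after `up`. The diff does not show where the salt now lives; a header comment should say so, and if it is not already stored elsewhere a backfill has to run before the column is dropped. I would make the rollback column nullable, `allowNull: true,`, and mark the data loss explicitly with `// Irreversible: salt values are not restored on rollback.`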
+++ b/src/modules/account/domain/mail-address-keys.domain.ts @@ -4,7 +4,6 @@ export interface MailAddressKeysAttributes { publicKey: string; encryptionPrivateKey: string; recoveryPrivateKey: string; - salt: string; createdAt: Date; updatedAt: Date; } @@ -15,7 +14,6 @@ export class MailAddressKeys { readonly publicKey!: string; readonly encryptionPrivateKey!: string; readonly recoveryPrivateKey!: string; - readonly salt!: string; readonly createdAt!: Date; readonly updatedAt!: Date; diff --git a/src/modules/account/dto/create-mail-account.dto.ts b/src/modules/account/dto/create-mail-account.dto.ts index dfb0efc..b4b3dfb 100644 --- a/src/modules/account/dto/create-mail-account.dto.ts +++ b/src/modules/account/dto/create-mail-account.dto.ts @@ -25,13 +25,6 @@ export class MailAddressKeyBundleDto { @IsString() @IsNotEmpty() recoveryPrivateKey!: string; - - @ApiProperty({ - description: 'Base64-encoded Argon2id salt used to derive the keystore key', - }) - @IsString() - @IsNotEmpty() - salt!: string; } export class CreateMailAccountDto { diff --git a/src/modules/account/models/mail-address-keys.model.ts b/src/modules/account/models/mail-address-keys.model.ts index 3810b30..6930778 100644 --- a/src/modules/account/models/mail-address-keys.model.ts +++ b/src/modules/account/models/mail-address-keys.model.ts @@ -41,10 +41,6 @@ export class MailAddressKeysModel extends Model { @Column(DataType.TEXT) declare recoveryPrivateKey: string; - @AllowNull(false) - @Column(DataType.STRING(64)) - declare salt: string; - @BelongsTo(() => MailAddressModel) declare address: MailAddressModel; } diff --git a/src/modules/account/repositories/mail-address-keys.repository.spec.ts b/src/modules/account/repositories/mail-address-keys.repository.spec.ts index f2f15ba..c82af00 100644 --- a/src/modules/account/repositories/mail-address-keys.repository.spec.ts +++ b/src/modules/account/repositories/mail-address-keys.repository.spec.ts 
@@ -34,7 +34,6 @@ describe('MailAddressKeysRepository', () => { publicKey: attrs.publicKey, encryptionPrivateKey: attrs.encryptionPrivateKey, recoveryPrivateKey: attrs.recoveryPrivateKey, - salt: attrs.salt, }; keysModel.create.mockResolvedValue( attrs as unknown as MailAddressKeysModel, @@ -46,7 +45,6 @@ describe('MailAddressKeysRepository', () => { expect(result.id).toBe(attrs.id); expect(result.mailAddressId).toBe(attrs.mailAddressId); expect(result.publicKey).toBe(attrs.publicKey); - expect(result.salt).toBe(attrs.salt); }); }); diff --git a/src/modules/account/repositories/mail-address-keys.repository.ts b/src/modules/account/repositories/mail-address-keys.repository.ts index 05c0831..3cf6003 100644 --- a/src/modules/account/repositories/mail-address-keys.repository.ts +++ b/src/modules/account/repositories/mail-address-keys.repository.ts @@ -11,7 +11,6 @@ export interface CreateMailAddressKeysParams { publicKey: string; encryptionPrivateKey: string; recoveryPrivateKey: string; - salt: string; } @Injectable() @@ -44,7 +43,6 @@ export class MailAddressKeysRepository { publicKey: model.publicKey, encryptionPrivateKey: model.encryptionPrivateKey, recoveryPrivateKey: model.recoveryPrivateKey, - salt: model.salt, createdAt: model.createdAt as Date, updatedAt: model.updatedAt as Date, }; diff --git a/src/modules/account/user.controller.ts b/src/modules/account/user.controller.ts index 0600397..b4065f6 100644 --- a/src/modules/account/user.controller.ts +++ b/src/modules/account/user.controller.ts @@ -53,7 +53,6 @@ export class UserController { publicKey: dto.keys.publicKey, encryptionPrivateKey: dto.keys.encryptionPrivateKey, recoveryPrivateKey: dto.keys.recoveryPrivateKey, - salt: dto.keys.salt, }, }); diff --git a/src/modules/provisioning/provisioning.guard.ts b/src/modules/provisioning/provisioning.guard.ts index b513aba..7102d87 100644 --- a/src/modules/provisioning/provisioning.guard.ts +++ b/src/modules/provisioning/provisioning.guard.ts 
@@ -2,6 +2,7 @@ import { type CanActivate, type ExecutionContext, Injectable, + ForbiddenException, } from '@nestjs/common'; import { AccountService } from '../account/account.service.js'; import type { UserPayload } from '../auth/jwt-payload.dto.js'; diff --git a/test/fixtures.ts b/test/fixtures.ts index 07f8330..059a2d3 100644 --- a/test/fixtures.ts +++ b/test/fixtures.ts @@ -193,7 +193,6 @@ export function newMailAddressKeyBundle( publicKey: random.hash({ length: 64 }), encryptionPrivateKey: random.hash({ length: 128 }), recoveryPrivateKey: random.hash({ length: 128 }), - salt: random.hash({ length: 24 }), ...attrs, }; }
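Review bot: `ForbiddenException` is added to the `@nestjs/common` import in `provisioning.guard.ts`, but this is the file's only hunk, so as far as the diff shows the name is either unused or belongs to a different change. The guard's body is outside the hunk, so I cannot confirm which. Every other hunk in this commit only drops `salt`, and a guard is authorization code where an unrelated edit deserves its own review. I would drop the line here or move it to the commit that introduces the `throw new ForbiddenException(...)`. If it stays, place `ForbiddenException,` before `Injectable,` to keep the list ordered.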