Thunderbird, Enigmail and OpenPGP for Windows - Secure Email

Posted 10 August 2016


    Mozilla Thunderbird is free and open source software that allows you to exchange and store email for multiple accounts with multiple service providers. Enigmail and GnuPG improve the security and privacy of your email correspondence by adding support for OpenPGP end-to-end encryption to Thunderbird. They also allow you to sign your messages digitally and verify the digital signatures of others.


    What you will get from this guide

    • The ability to manage multiple email accounts using a single tool
    • The ability to read and compose messages while disconnected from the Internet
    • The ability to send and receive encrypted emails
    • The ability to digitally sign your emails and authenticate signed email from others

    1. Introduction to Thunderbird

    Thunderbird is a free and open source, cross-platform email client for sending, receiving and storing email. An email client is an application that lets you download and manage your messages — from multiple accounts with multiple providers — without a browser.

    GNU Privacy Guard (GnuPG, or GPG) is free and open source software capable of encrypting, decrypting and digitally signing messages and files. It also generates and manages the public and private keys needed to do so.

    Enigmail is a Thunderbird add-on that allows you to access the encryption and authentication features provided by GnuPG, which must be installed for Enigmail to work.

    1.0 Things you should know about Thunderbird before you start

    You will need at least one email account to use Thunderbird. If you want to create a new account to use with Thunderbird, refer to the RiseUp guide.

    Like all email clients, Thunderbird keeps a copy of your messages on your computer. This includes the emails you send as well as those you receive, and, once you follow Section 4, it includes your GnuPG private key as well. As a result, it is particularly important that you use full-disk encryption (such as BitLocker) on any device on which you run Thunderbird; without it, anyone with physical access to the device, or to a backup of it, can read your stored mail.

    Thunderbird cannot protect your device if you open malicious attachments or click on malicious links. Do not open unsolicited attachments, and exercise caution when clicking on links that were sent to you by email. See the Protect your device from Malware and Hackers guide.

    1.1 Other tools like Thunderbird

    Thunderbird is available for Microsoft Windows, Mac OS X and GNU/Linux. Securely managing multiple email accounts is a complex task, and we strongly recommend Thunderbird for this purpose. However, if you prefer to use an alternative we recommend the following free and open source tools:

    • Claws Mail is available for GNU/Linux and Microsoft Windows
    • Sylpheed is available for Mac OS X, GNU/Linux and Microsoft Windows
    • K9 Mail and OpenKeychain are available for Android
    • Mailpile has a beta available for GNU/Linux and Microsoft Windows (and should be available for Mac OS X in the future)

    Thunderbird also has security advantages over closed-source alternatives such as Microsoft Outlook: its source code is open to public review, and OpenPGP end-to-end encryption is available through Enigmail and GnuPG, which are themselves free and open source.

    2. Install and configure Thunderbird

    2.1 Install Thunderbird

    To install Thunderbird, follow the steps below:

    Step 1. Browse to the Thunderbird download page at https://www.mozilla.org/en-US/thunderbird

    Figure 1: The Thunderbird download page

    Step 2. Click [Free Download].

    Figure 2: Downloading Thunderbird

    Step 3. Click [Save File] to start downloading Thunderbird.

    Step 4. Right-click on the downloaded Thunderbird file and select [Open] to extract the file. (Before doing so, you can confirm that the installer is genuine: right-click it, select [Properties > Digital Signatures] and check that it is signed by Mozilla Corporation.)

    Figure 3: Opening the downloaded Thunderbird file

    Figure 4: Extracting Thunderbird

    Step 5. Click [Next] to begin the set-up process of Thunderbird.

    Figure 5: Mozilla Thunderbird Setup window

    Step 6. Select [Standard] in the Mozilla Thunderbird Setup window.

    Figure 6: Setup options in the Mozilla Thunderbird Setup window

    Step 7. Check [Use Thunderbird as my default mail application], if you would prefer to have Thunderbird as your default mail application.

    Step 8. Click [Next] to continue.

    Step 9. Click [Install] to start installing Thunderbird.

    Figure 7: Starting to install Thunderbird

    Figure 8: Installing Thunderbird

    Step 10. Click [Finish] to complete the installation process of Thunderbird.

    Figure 9: Completing the installation process of Thunderbird

    2.2 Add an email account to Thunderbird

    To add an email account to Thunderbird, follow the steps below.

    Step 1. Launch Thunderbird. Once you have answered the prompt asking whether to make Thunderbird your default [e-mail] client, the following window will appear:

    Figure 1: First launch of Thunderbird

    Step 2. Click [Skip this and use my existing email] to open the Mail Account Setup screen.

    Figure 2: The Mail Account Setup screen

    Step 3. Type the name, email address and password that correspond to the account you wish to access using Thunderbird.

    Step 4. Uncheck the box next to [Remember my password].

    Step 5. Click [Continue]. Thunderbird will check the configuration of the email service you have entered.

    Figure 3: Thunderbird after verifying the configuration of an email service

    You probably want to leave "IMAP (remote folders)" selected. IMAP keeps the master copy of your email folders (including Inbox, Drafts, Templates, Sent and Trash) on the server and synchronises a local copy to your device, so you can work with the same messages from several devices and keep your folders in sync. POP, on the other hand, downloads new messages to the first device that retrieves them and, depending on that client's settings, may then delete them from the server. Either way, POP makes it much harder to use your email from more than one device. (One consequence of IMAP is that your provider holds a copy of everything, including your Sent folder; this is one more reason to use the end-to-end encryption described in Section 4.)

    Important: Make sure that both the Incoming and Outgoing settings shown on the screen above say SSL/TLS or STARTTLS, never None. SSL/TLS means Thunderbird opens an encrypted connection immediately (typically port 993 for IMAP and 465 for SMTP); STARTTLS means it connects in the clear and upgrades to encryption before sending your password (typically ports 143 and 587). Either one protects your password and messages from eavesdroppers on the network between you and your provider. It does not hide anything from the provider itself, and it does nothing once a message has left the provider's server; that is what the OpenPGP encryption in Section 4 is for.

    Step 6. Click [Done] to create your account and enter the main Thunderbird interface.

    Figure 4: The main Thunderbird interface

    Note: To add another email account, click File in the menu bar and select [New > Existing Mail Account]. Then, simply repeat the steps above.

    Each time you launch Thunderbird, you will be asked to enter the password for each account you have added, because you chose not to let Thunderbird remember it in Step 4.

    Figure 5: The Mail Server Password Required screen

    Step 7. Type your account password.

    Figure 6: Entering a password into the Mail Server Password Required screen

    Step 8. Click [OK] to sign in to your account(s) using Thunderbird.

    3. Improve Thunderbird's security and usability

    This section explains how to configure Thunderbird's preferences to help defend your system against attacks that originate in emails. For more information, see Protect yourself from Malware & Hackers.

    3.1 Disable HTML email

    Thunderbird allows you to include colours, fonts, images and other formatting in the emails you write. It does this by sending messages that include HTML — the same technology used in webpages — rather than just basic text. It also has the ability to display HTML messages sent to you by others. Unfortunately, viewing HTML email exposes you to some of the attacks used against web browsers, and to remote content that can report when and where you opened a message. Composing HTML email also gets in the way of encryption: Inline PGP, in particular, only works with plain-text messages, so Enigmail may refuse to encrypt or silently strip formatting.

    To display HTML emails as plain text, follow the steps below:

    Step 1. Click the menu button (≡, the three horizontal lines in the upper right-hand corner of the Thunderbird window) to display the Thunderbird menu.

    Step 2. Select [View > Message Body As > Plain Text].

    Figure 1: Disabling the display of HTML email

    To write email in plain text, follow the steps below:

    Step 1. Click the menu button (≡) to display the Thunderbird menu.

    Step 2. Select [Options > Account Settings].

    Figure 2: Selecting Account Settings on Thunderbird

    Step 3. Select [Composition & Addressing] under your email address.

    Figure 3: The Composition & Addressing screen with Compose messages in HTML format unchecked

    Step 4. Uncheck the [Compose messages in HTML] box.

    Step 5. Click [OK].

    3.2 Configuring Thunderbird's security preferences

    To modify Thunderbird's security preferences, follow the steps below:

    Step 1. Click the menu button (≡) to display the Thunderbird menu.

    Step 2. Select [Options > Options].

    Figure 1: Selecting Options through the Thunderbird menu bar

    Step 3. Click the Security tab.

    Figure 2: Thunderbird's security preferences screen

    Step 4. Click the Passwords sub-tab.

    Figure 3: The Passwords tab

    To view or remove email account passwords stored on your computer, click [Saved Passwords].

    Figure 4: The Saved Passwords window

    To remove all of the passwords saved by Thunderbird, click [Remove All]. You can also remove individual passwords.

    Important: We recommend that you protect your passwords using a tool designed specifically for that purpose, such as KeePassX. If you do decide to let Thunderbird remember them, it is essential that you set a master password: without one, saved passwords are stored in your profile folder in a form that anyone with access to your files, or to a backup of them, can recover in seconds. Even if you do not intend to let Thunderbird store any account passwords, setting a master password is a good idea, because it ensures that any password you accidentally allow Thunderbird to save is encrypted. Remember your master password or record it somewhere safe (such as a KeePassX database), and be aware that Thunderbird will ask for it every time you restart the application.

    Step 5. Check the [Use a master password] box to activate the following screen:

    Figure 5: Change Master Password window

    Step 6. Type a strong passphrase into both fields and click [OK].

    3.3 Configuring Thunderbird's privacy preferences

    Cookies contain information that is sent to your browser by the websites you visit. When you return to those sites, you send the corresponding cookies back to them, along with your request for content. Cookies are used for a number of reasons. For example, websites that require you to sign in often use them to remember whether or not you have done so. But cookies can also be used to track your online activities.

    Thunderbird accepts cookies primarily to support RSS feeds and newsgroups, not for email. We recommend that you disable support for cookies in Thunderbird. If this prevents you from using a feature of Thunderbird that you need, you can always go back and enable it.

    You can tell Thunderbird not to accept cookies by following the steps below:

    Step 1. Click the menu button (≡) to display the Thunderbird menu.

    Step 2. Select [Options > Options].

    Step 3. Click the Privacy tab.

    Figure 1: The Privacy tab

    Step 4. Uncheck the following boxes:

    • Allow remote content in messages. (Remote images are fetched from a server chosen by the sender when you open a message, which tells the sender that you opened it, when, and from which IP address. You can still enable remote content for an individual message you trust.)
    • Remember web sites and links I've visited.
    • Accept cookies from sites
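The preferences changed in Sections 3.1 to 3.3 can also be applied from a user.js file in the Thunderbird profile folder, which is useful when you set up more than one machine. The following is an added example in Python, not part of the original guide or of Thunderbird: it renders those settings as user.js and finds profile folders through profiles.ini. The preference names are the ones Thunderbird's Config Editor (about:config) shows for these options in the releases this guide describes; confirm them against your own version before deploying. The master password from Section 3.2 has no preference and must still be set in the GUI.

```python
"""Render the hardening choices from Section 3 as a Thunderbird user.js.

Added example, not part of the original guide or of Thunderbird. Thunderbird
reads user.js from the profile folder at start-up and copies its values into
prefs.js, so one file reproduces the GUI steps above on every machine.
Preference names are as shown in the Config Editor (about:config) for the
Thunderbird releases this guide describes; re-check them on your version.
"""
import configparser
from pathlib import Path

# preference name -> (value, the Section 3 step it mirrors)
HARDENED_PREFS = {
    # 3.1  View > Message Body As > Plain Text
    "mailnews.display.html_as": (1, "display HTML messages as plain text"),
    "mailnews.display.disallow_mime_handlers": (3, "do not hand HTML parts to rich renderers"),
    # 3.1  Composition & Addressing > Compose messages in HTML (default for identities)
    "mail.identity.default.compose_html": (False, "compose new messages in plain text"),
    # 3.2  never offer to save mail server passwords (the master password has no
    #      preference and must still be set in the GUI)
    "signon.rememberSignons": (False, "do not store account passwords"),
    # 3.3  Privacy tab
    "mailnews.message_display.disable_remote_image": (True, "block remote content"),
    "places.history.enabled": (False, "do not remember visited sites and links"),
    "network.cookie.cookieBehavior": (2, "reject all cookies"),
}


def js_literal(value):
    """Format a Python value the way user.js expects (bool, int or quoted string)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_user_js(prefs=HARDENED_PREFS):
    """Return the text of a user.js file, one commented user_pref() line per setting."""
    lines = ["// Generated hardening prefs; Thunderbird re-applies these on every start."]
    for name, (value, why) in prefs.items():
        lines.append(f"// {why}")
        lines.append(f'user_pref("{name}", {js_literal(value)});')
    return "\n".join(lines) + "\n"


def profile_dirs(profiles_ini_text, base_dir):
    """Parse Thunderbird's profiles.ini and return the profile folders it lists.

    profiles.ini sits next to the Profiles folder (on Windows under
    %APPDATA%\\Thunderbird). Each [ProfileN] section carries Path= and IsRelative=.
    """
    ini = configparser.ConfigParser()
    ini.read_string(profiles_ini_text)
    base = Path(base_dir)
    found = []
    for section in ini.sections():
        if not section.startswith("Profile"):
            continue
        path = ini[section]["Path"]
        relative = ini[section].get("IsRelative", "1") == "1"
        found.append(base / path if relative else Path(path))
    return found


def write_user_js(profile_dir):
    """Write user.js into one profile folder; refuse to overwrite an existing file."""
    target = Path(profile_dir) / "user.js"
    if target.exists():
        raise FileExistsError(f"{target} already exists; merge by hand")
    target.write_text(render_user_js(), encoding="utf-8")
    return target


if __name__ == "__main__":
    import os
    appdata = Path(os.environ.get("APPDATA", "")) / "Thunderbird"
    ini_file = appdata / "profiles.ini"
    if ini_file.exists():
        for folder in profile_dirs(ini_file.read_text(encoding="utf-8"), appdata):
            print("wrote", write_user_js(folder))
    else:
        print(render_user_js())
```

Run it on the machine being set up: with Thunderbird closed, it writes user.js into every profile listed in profiles.ini (or prints the file if no profile is found). Because user.js is re-applied at every start, a setting changed by mistake in the GUI reverts the next time Thunderbird launches.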

    4. Sending and receiving encrypted messages

    GNU Privacy Guard (GnuPG or GPG) is free and open source encryption software developed by the GNU Project. It is compliant with the OpenPGP standard and was designed to inter-operate with Pretty Good Privacy (PGP), a commercial equivalent developed by Phil Zimmermann and maintained by Symantec.

    Enigmail is a Thunderbird add-on that allows you to access GnuPG's encryption features from within Thunderbird.

    GnuPG relies on a form of public-key cryptography that requires each user to generate his or her own pair of keys. This key pair can be used to encrypt, decrypt and sign digital content such as email messages. It includes a private key and a public key:

    • Your private key is extremely sensitive. Anyone who managed to obtain a copy of this key would be able to read encrypted content that was meant only for you. They could also sign messages so they appeared to have come from you. Your private key is, itself, encrypted with a passphrase that you will choose when generating your key pair. You should choose a strong passphrase and take care not to let anyone gain access to your private key. It is stored on disk (on Windows, in the GnuPG folder under %APPDATA%), which is one more reason to use full-disk encryption as recommended in Section 1.0. You will use your private key to decrypt messages sent to you by those who have a copy of your public key.

    • Your public key is meant to be shared with others and can not be used to read an encrypted message or fake a signed one. Once you have a correspondent’s public key, you can begin sending her encrypted messages. Only she will be able to decrypt and read these messages because only she has access to the private key that matches the public key you are using to encrypt them. Similarly, in order for someone to send you encrypted email, they must obtain a copy of your public key. It is important to verify that the public key you are using to encrypt email actually does belong to the person with whom you are trying to communicate. If you or your correspondent are tricked into encrypting email with the wrong public key, your conversation will not be secure.

    GnuPG and Enigmail also let you attach digital signatures to your messages. If you sign a message using your private key, any recipient with a copy of your public key can verify that it was sent by you and that its content was not tampered with. Similarly, if you have a correspondent's public key, you can verify his digital signatures.

    4.1 Install GnuPG and Enigmail

    This section walks you through the installation of GnuPG and Enigmail.

    4.1.1 Install GnuPG

    To install GnuPG, follow the steps below:

    Step 1. Browse to the Gpg4win download page at https://www.gpg4win.org/.

    Figure 1: The Gpg4win website

    Step 2. Click [Download Gpg4win].

    Figure 2: Ggp4win download page

    Step 3. Click the latest release (at the time of writing, [Gpg4win 2.3.1]).

    Figure 3: Downloading Gpg4win

    Step 4. Click [Save File] to download Gpg4win. The Gpg4win website also publishes the SHA-256 checksum and an OpenPGP signature for every installer. Before running the file, compare at least the checksum (for example with Get-FileHash in PowerShell); if you already have a trusted GnuPG installation, verify the signature instead.

    Step 5. Right-click on the downloaded gpg4win file and select [Open].

    Figure 4: Opening gpg4win file

    Step 6. Select a language for the set-up of Gpg4win.

    Figure 5: Installer Language

    Step 7. Click [Next] to begin the installation process of Gpg4win.

    Figure 6: Gpg4win Setup window

    Step 8. Read the License Agreement and click [Next].

    Figure 7: Gpg4win License Agreement

    Step 9. Select which features of Gpg4win you want to install. The defaults are fine.

    Figure 8: Gpg4win features

    Step 10. Choose the location where you would like to install Gpg4win and select [Next].

    Figure 9: Gpg4win installation location

    Step 11. Select [Next].

    Figure 10: Gpg4win install options

    Step 12. Choose a Start Menu folder for the Gpg4win shortcuts.

    Figure 11: Selecting Gpg4win shortcuts

    Step 13. Click [Next] to start installing Gpg4win.

    Figure 12: Installing Gpg4win

    Step 14. Click [Next].

    Figure 13: Proceeding with the installation process of Gpg4win

    Step 15. Click [Finish] to complete the installation process of Gpg4win.

    Figure 14: Completing the installation process of Gpg4win

    4.1.2 Install Enigmail

    To install Enigmail, follow the steps below.

    Step 1. Launch Thunderbird and sign in to your account.

    Figure 1: Thunderbird

    Step 2. Click the menu button (≡) in the upper right-hand corner of the Thunderbird window.

    Figure 2: Opening the Add-ons Manager

    Step 3. Select [Add-ons] to open the Add-ons Manager.

    Figure 2: Opening the Add-ons Manager

    Step 4. Type [Enigmail] into the search field in the upper, right-hand corner of the Add-ons Manager and press Enter.

    Figure 3: Finding the Enigmail add-on

    Step 5. Click [Install] next to the entry for Enigmail to begin installing the add-on.

    Figure 4: Installing Enigmail

    When Thunderbird is done installing the add-on, it will let you know.

    Figure 5: Enigmail installed

    Step 6. Click [Restart now] to restart Thunderbird and to complete the installation of Enigmail.

    When Thunderbird restarts, it will automatically launch the Enigmail Setup wizard, through which you can generate encryption keys.

    4.2 Generate encryption keys and configure Enigmail

    This section covers the generation of a GnuPG key pair and the configuration of Enigmail.

    4.2.1 Generate encryption keys

    To generate a GnuPG key pair, follow the steps below.

    Step 1. Click the menu button (≡) and select [Enigmail > Setup Wizard]. This will open the Enigmail Setup Wizard.

    Figure 1: The Enigmail Setup Wizard

    Step 2. Select [Start setup now] and click [Next].

    Step 3. Select [I prefer a standard configuration (recommended for beginners)] and click [Next].

    Figure 2: Configuring Enigmail

    Step 4. Choose a strong passphrase and type it into the two fields shown in the following screen:

    Figure 3: Choosing a passphrase for your GnuPG key pair

    Note: This passphrase will be used to encrypt your private key, which is what allows you to sign emails you send and decrypt emails you receive. It should not be shared with anyone. As such, it is important that you choose a strong passphrase and that you do not forget it. You can learn more from the Create and maintain strong passphrases guide.

    Figure 4: Entering a passphrase for your GnuPG key pair

    Step 5. Click [Next] to generate a pair of encryption keys.

    Wait until the key generation is completed.

    Figure 5: Key creation

    When Enigmail has finished generating your GnuPG key pair, it will let you know, and a Generate Revocation Certificate button will appear.

    Figure 6: Enigmail ready to generate a revocation certificate

    You should generate a revocation certificate so you can let others know when a particular key is no longer valid. This may happen if you:

    • Stop using a keypair
    • Lose a private key
    • Forget the passphrase for a private key
    • Believe a private key has been compromised or shared with others

    It is particularly important that you generate a revocation certificate if you plan to upload your public key to a keyserver. There is no other way to "delete" a key once you have uploaded it, and you do not want old or compromised keys sitting around on a keyserver confusing people.

    Step 6. Click [Create Revocation Certificate].

    Figure 7: Enigmail asking for your login passphrase

    Step 7. Type the passphrase you chose when creating your GnuPG key pair.

    Step 8. Choose a file name and location for your revocation certificate.

    Figure 8: Choosing a name and location for your revocation certificate

    In this example, we will put the revocation certificate in the Documents folder, but you should store it somewhere that others cannot read, such as an encrypted USB stick kept offline. Anyone who obtains this file can publish it and permanently invalidate your key; they cannot read your mail with it, but they can cut you off from your correspondents. Keep it separate from any backup of your private key, so that one stolen copy does not yield both.

    Step 9. Click [Save] to display Enigmail's warning about the importance of keeping your revocation certificate safe.

    Figure 9: Revocation certificate warning

    Step 10. Click [OK] to return to the Setup Wizard.

    Figure 10: The Enigmail Setup Wizard

    Step 11. Click [Next] to complete the key generation process.

    Figure 11: The Enigmail Thank you screen

    Step 12. Click [Finish] to exit the Setup Wizard and return to Thunderbird.

    4.2.2 Configure Enigmail to work with your email account

    You must enable Enigmail for each email account in Thunderbird through which you want to send and receive GnuPG encrypted email. To do so, follow the steps below.

    Step 1. Click the menu button (≡) and select [Options > Account Settings].

    Figure 1: Opening Thunderbird's Account Settings

    This will open the Account Settings screen.

    Figure 2: Thunderbird's Account Settings screen

    Step 2. Click [OpenPGP Security] under the account with which you want to send and receive encrypted email.

    Figure 3: Enigmail's OpenPGP settings for an email account in Thunderbird

    This screen allows you to set various Enigmail preferences related to email encryption. If you generated your GnuPG key pair by following the instructions in the previous section – after adding a single account to Thunderbird – that account should already be configured to work with Enigmail. It should also be linked to the key pair you generated. If it is not, continue with Step 3, below. If it is, you can skip to Step 7, below Figure 6.

    Step 3. Check the box next to [Enable OpenPGP support (Enigmail) for this identity].

    Step 4. Click [Select Key...] to open the Select OpenPGP Key for Encryption window.

    Figure 4: Enigmail's Select OpenPGP Key for Encryption screen

    Step 5. Select the key pair you want to use for this email account.

    Figure 5: Selecting a key pair for a particular email account in Thunderbird

    Step 6. Click [Select Key...] to link this key pair with this email account and return to the OpenPGP Security settings screen.

    Below, we recommend two optional, non-default settings.

    Figure 6: Configuring Enigmail for this email account

    Step 7. Check the [Use PGP/MIME by default] box.

    With this box checked, Enigmail encrypts the message body and all attachments as a single unit, so attachment file names, and the fact that there are attachments at all, are hidden along with the content. Nearly all current OpenPGP-capable mail clients understand PGP/MIME; the older Inline PGP format is worth using only for correspondents whose software cannot.

    Step 8. Check the [sign encrypted messages] box.

    With this box checked, Enigmail will digitally sign all encrypted email sent through this account unless you specifically tell it not to. Unencrypted messages will remain unsigned by default.

    Step 9. Click [OK] to return to Thunderbird.

    4.2.3 Viewing and managing your key properties

    Once you have generated your GnuPG key pair and configured your email account to work with Enigmail, you can view and manage the properties of your key pair by following the steps below.

    Step 1. Click the menu button (≡) and select [Enigmail > Key Management].

    Figure 1: Opening Enigmail's Key Management screen

    This will activate your Enigmail Key Management screen.

    Figure 2: Enigmail's Key Management screen

    Step 2. Double-click the name of your key pair to view or edit its properties.

    Figure 3: Key pair properties

    The Key Properties window displays important information about your GnuPG key pair:

    • Key ID: The key ID shown above for ekaterina@riseup.net is 0x89CD0FFB. This short key ID is simply the last eight hexadecimal digits of the full fingerprint below. Because anyone can generate a key whose short ID matches someone else's, a key ID is only a convenient label and never a substitute for checking the full fingerprint.
    • Key fingerprint: The key fingerprint for the same key pair is 8614 C809 3DDF F5D3 756A 8308 F391 86F1 89CD 0FFB. The fingerprint is a 40-digit hexadecimal hash of the public key and is the only reliable way to identify it. It is not something you need to keep secret; in fact, it is meant to be shared.
    • Expiration date: This key pair will no longer work after 30 May 2021 unless you extend it (see below).

    Before others can send you encrypted email, they must have a copy of your public key. You can learn more about sharing keys in Section 4.3. Your key fingerprint is an important part of how others can make sure that the key they have for you is actually yours. We discuss key verification in Section 4.4.

    (Optional) Changing the expiration date of a key pair

    If you need to change the expiration date of your GnuPG key pair, follow the steps below. This is most useful as a way to extend the expiration date, as it approaches, if you need more time to generate a new key pair and inform those with whom you communicate using encrypted email.

    Step 1. Click [Change] next to the expiry date of your key pair.

    Figure 1: Changing the expiration date of a key pair

    This will activate the change expiration date screen shown below.

    Figure 2: Enigmail Change Expiration Date screen

    Note: The number of years shown at the bottom of the screen does not necessarily match the current expiration date. If you click [OK] without changing anything, you may temporarily reduce the life-span of your key pair.

    Step 2. Type the number of years, starting from today, that you would like this key pair to function.

    Figure 3: Changing the expiration date of a GnuPG key pair

    Step 3. Click [OK] to enter the passphrase for your private key.

    Figure 4: Entering a private key passphrase

    Step 4. Type your passphrase.

    Step 5. Click [OK] to change the expiration date of your GnuPG key pair.

    (Optional) Changing the passphrase for a private key

    Changing your passphrase helps if someone may have learned the passphrase alone, for example by watching you type it, but not yet obtained a copy of your private key file. If you believe someone has both the file and the passphrase, a new passphrase does not help, because they already hold a usable copy of the key; in that case revoke the key (Section 4.2.1) and generate a new one. If you would like to change the passphrase that protects your private key, follow the steps below.

    Step 1. Click [Select action...] and select [Change passphrase].

    Figure 1: Changing a passphrase

    Step 2. Type your current passphrase for your private key.

    Figure 2: Entering a private key passphrase

    Step 3. Click [OK].

    Step 4. Type your new passphrase and click [OK].

    Figure 3: Entering a new private key passphrase

    Step 5. Re-enter your new passphrase and click [OK].

    Figure 4: Re-entering a new private key passphrase

    You have now changed your private key passphrase.

    4.3 Exchanging public keys

    Before you can start sending encrypted email messages to one another, you and your correspondents need to exchange public keys. You also need to confirm the validity of any key you receive by confirming that it really belongs to the person you believe sent it.

    4.3.1 Sending your public key as an email attachment

    To send a public key using Enigmail both you and your correspondent will need to perform the following steps:

    Step 1. Open Thunderbird and click [Write] to write an email.

    Step 2. Select [Enigmail > Attach Public Key...]. (Alternatively, click the [Attach My Public Key] button right on top of your email address, skip the following steps, and go directly to step 4.)

    Figure 1: Attaching a public key

    Step 3. Select the key you would like to send (typically the one associated with the email account you are currently using).

    Figure 2: Selecting which public key to attach

    Step 4. Click [Send]. Your key will not appear as an attachment until just before the email is sent.

    Figure 3: An attached public key about to be sent

    Step 5. Type your GnuPG passphrase and press Enter if prompted.

    4.3.2 Importing a public key attached to an email

    Both you and your correspondent must follow the steps below to import each other's public keys.

    An attached public key should be visible in the lower, left-hand corner of the email in which it was sent:

    Figure 1: A public key attached to an email

    Step 1. Right-click on the attachment and select [Import OpenPGP Key] to import your correspondent's public key.

    Figure 2: Importing an OpenPGP Key

    Step 2. Click [Yes] to import your correspondent's public key.

    Figure 3: Enigmail Confirm window

    Step 3. Click [OK] to close the window telling you that the key(s) were successfully imported.

    Figure 4: Public Key successfully imported

    Step 4. Click the menu button (≡) and select [Enigmail > Key Management].

    Figure 5: Opening Enigmail's Key Management window

    You should now be able to see your correspondent's public key:

    Figure 6: A new public key displayed in Enigmail's Key Management screen

    4.4 Validating and signing public keys

    You should now verify that the key you have imported actually belongs to the person you believe sent it to you. This is a process that you (and your email correspondents) should go through for each public key you receive. Once you verify the key, you will sign it so that GnuPG knows that it is valid.

    4.4.1 Validating someone else's public key

    To validate your correspondent's public key, contact him using a means of communication that allows you to be absolutely certain that you are talking to the right person. In-person meetings are best, but voice and video conversations are acceptable if you are confident you can recognise his voice or appearance. This conversation does not have to be confidential, as long as you refrain from discussing sensitive topics. You will be exchanging public key fingerprints, which do not need to be kept secret.

    Both you and your correspondent should verify the fingerprints of the public keys you have exchanged. A fingerprint is a 40-digit hexadecimal string, a cryptographic hash of the public key, that uniquely identifies a GnuPG key pair; unlike the short key ID, it cannot be faked by generating another key. You can use the Enigmail Key Management screen to view the fingerprint of the key pairs you have generated and of the public keys you have imported.

    To view the fingerprint of a particular key pair, follow the steps below.

    Step 1. Click the menu button (≡) and select [Enigmail > Key Management].

    Figure 1: Opening Enigmail's Key Management window

    Step 2. Double-click a key pair to open the Enigmail Key Properties window.

    Figure 2: Enigmail's Key Properties screen

    In the Key Properties window, you will be able to see the fingerprint of the selected key pair. For example, the fingerprint of ekaterina@riseup.net is 8614 C809 3DDF F5D3 756A 8308 F391 86F1 89CD 0FFB.

    Your correspondent should carry out these steps as well. So, to verify fingerprints:

    1. Read the fingerprint of your keypair to your correspondent
    2. Have him verify that the fingerprint he has for your public key matches what you just told him
    3. Have your correspondent read you the fingerprint for his keypair
    4. Verify that the fingerprint you have for his public key matches what he just told you

    If the fingerprints don't match, exchange public keys again and repeat the process.

    Note: Because key fingerprints are not themselves sensitive, you can easily write down the fingerprint that your correspondent reads off to you. Then, when you have more time, you can verify that it matches the fingerprint you have for his public key using Enigmail's Key Management screen. (This is also why some people print their GnuPG fingerprints on their business cards.)
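Sections 4.2.3 and 4.4.1 rest on two facts: a Key ID is just the tail of the fingerprint, and the fingerprint is a hash of the public key. The following added Python example (not part of the original guide or of GnuPG) derives a version 4 fingerprint from a constructed public-key packet as RFC 4880 specifies, shows that the short Key ID is its last eight hex digits, and compares a fingerprint as read aloud (with spaces, lower case or a 0x prefix) against the one Enigmail displays, refusing anything shorter than the full 40 digits. The sample packet uses a made-up modulus and is not a usable key.

```python
"""Derive an OpenPGP v4 fingerprint and Key IDs, then compare a fingerprint
read aloud against the one Enigmail shows.

Added example for Sections 4.2.3 and 4.4.1; not part of the original guide or
of GnuPG. The public-key packet below is constructed with a made-up modulus
purely to exercise the hashing; it is not a usable key.
"""
import hashlib
import hmac


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return n.bit_length().to_bytes(2, "big") + body


def v4_public_key_body(created: int, modulus: int, exponent: int = 65537) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    return bytes([4]) + created.to_bytes(4, "big") + bytes([1]) + mpi(modulus) + mpi(exponent)


def v4_fingerprint(packet_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, a 2-byte body length, and the body."""
    prefix = bytes([0x99]) + len(packet_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + packet_body).hexdigest().upper()


def key_id(fingerprint: str, long: bool = False) -> str:
    """The Key ID Enigmail displays is the tail of the fingerprint: the last
    16 hex digits (long ID) or the last 8 (short ID, e.g. 0x89CD0FFB)."""
    return "0x" + fingerprint[-16:] if long else "0x" + fingerprint[-8:]


def normalise(fp: str) -> str:
    """Accept a fingerprint as read over the phone or copied from a business
    card: drop spaces, an optional 0x prefix, and case differences."""
    compact = "".join(fp.split()).upper()
    if compact.startswith("0X"):
        compact = compact[2:]
    return compact


def fingerprints_match(spoken: str, shown: str) -> bool:
    """True only if all 40 hex digits agree. Short forms are refused outright:
    a matching 8-digit Key ID proves nothing, because anyone can generate a
    key whose short ID collides with a chosen target."""
    a, b = normalise(spoken), normalise(shown)
    if len(a) != 40 or len(b) != 40:
        return False
    return hmac.compare_digest(a, b)


def grouped(fingerprint: str) -> str:
    """Format as ten groups of four, the way Enigmail's Key Properties shows it."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, 40, 4))


# Constructed sample key: a fixed creation time and an arbitrary odd 2048-bit number.
SAMPLE_BODY = v4_public_key_body(created=1464566400, modulus=(1 << 2047) + 12345)
SAMPLE_FP = v4_fingerprint(SAMPLE_BODY)

if __name__ == "__main__":
    print("fingerprint:", grouped(SAMPLE_FP))
    print("long id:    ", key_id(SAMPLE_FP, long=True))
    print("short id:   ", key_id(SAMPLE_FP))
    print("spoken ok:  ", fingerprints_match(grouped(SAMPLE_FP).lower(), SAMPLE_FP))
```

The comparison deliberately fails when a single group differs, which is exactly the kind of slip (one digit misheard over a phone line) that reading the whole fingerprint aloud is meant to catch; it also fails when someone offers only a Key ID, however confidently.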

    4.4.2 Signing someone else's valid public key

    Once you have verified a correspondent's key, you should sign it. This will tell Enigmail to remember that you consider this key valid.

    Important: If you sign someone else's public key and make your signed copy of their key publicly available, it can easily expose the fact that you exchange sensitive information with that person. To prevent this from happening by accident, always check the Local signature box when signing a correspondent's public key.

    You can sign a validated public key by following the steps below.

    Step 1. Click the menu button (≡) and select [Enigmail > Key Management].

    Step 2. Right-click the public key you want to sign and select [Sign Key].

    Figure 1: Signing someone else's public key

    Step 3. Make sure your key pair is selected next to Key for signing.

    Figure 2: Enigmail Key Sign screen

    Step 4. Click [I have done very careful checking].

    Note: Other options (such as I have not checked at all) may not allow you to send encrypted messages to the owner of this key. And, due to a bug in Enigmail, it may be difficult to change this setting later. We therefore recommend that you always select I have done very careful checking when signing a correspondent's public key.

    Step 5. Check the [Local signature (cannot be exported)] box.

    Important: Unless you are very confident with GnuPG – and know for a fact that the owner of this public key wants your signature of his key to be public – you should check this box.

    Step 6. Click [OK].

    Figure 3: Entering the passphrase for your private key to sign someone else's public key

    Step 7. Type the passphrase for your private key.

    Step 8. Click [OK] to sign this public key. This will tell Enigmail that you have verified the identity of its owner, which will allow you to send her encrypted email.

    4.5 Encrypting and decrypting email messages

    GnuPG only protects the content of email and attachments you encrypt. The following information is never encrypted:

    • The Subject line
    • The sender's email address
    • The recipients' email addresses
    • Any real names that might be associated with senders and recipients (Elena S. Katerina <ekaterina@riseup.net>, for example)

    Furthermore, if you configure Enigmail to use Inline PGP instead of PGP/MIME, the file names of attachments you send will remain unencrypted.

    Therefore it is important to choose your subject lines carefully, to consider creating a GnuPG key for at least one email account that does not include your real name, and to always use PGP/MIME.

    Finally, when you send encrypted email, a copy — encrypted to your public key — will be placed in your Sent mail folder.
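    The difference between Inline PGP and PGP/MIME described above, as an added example that is not part of this guide: it builds two constructed messages (the ciphertext is a labelled placeholder, not real OpenPGP output) and reports what a mail server or network observer can still read without any key.

```python
# Added example (not from the guide): Inline PGP versus PGP/MIME (RFC 3156),
# checking which metadata stays readable without the recipient's private key.
from email import encoders, message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

CIPHERTEXT = ("-----BEGIN PGP MESSAGE-----\n"          # constructed placeholder
              "(constructed placeholder, not real ciphertext)\n"
              "-----END PGP MESSAGE-----\n")

def _headers(msg, subject, sender, to):
    # These headers are never encrypted by OpenPGP, whichever format is used.
    msg["Subject"], msg["From"], msg["To"] = subject, sender, to
    return msg

def build_inline_pgp(subject, sender, to, attachment_name):
    """Inline PGP: the body is armored text and each attachment is encrypted
    separately, so the attachment keeps its original file name plus '.pgp'."""
    outer = _headers(MIMEMultipart("mixed"), subject, sender, to)
    outer.attach(MIMEText(CIPHERTEXT, "plain"))
    att = MIMEApplication(CIPHERTEXT.encode(), "octet-stream",
                          encoders.encode_7or8bit)
    att.add_header("Content-Disposition", "attachment",
                   filename=attachment_name + ".pgp")
    outer.attach(att)
    return outer.as_string()

def build_pgp_mime(subject, sender, to):
    """PGP/MIME: body and attachments are encrypted together into one
    multipart/encrypted container whose only visible name is encrypted.asc."""
    outer = _headers(MIMEMultipart("encrypted",
                                   protocol="application/pgp-encrypted"),
                     subject, sender, to)
    outer.attach(MIMEApplication("Version: 1\n", "pgp-encrypted",
                                 encoders.encode_7or8bit))
    body = MIMEApplication(CIPHERTEXT.encode(), "octet-stream",
                           encoders.encode_7or8bit)
    body.add_header("Content-Disposition", "inline", filename="encrypted.asc")
    outer.attach(body)
    return outer.as_string()

def exposed_metadata(raw):
    """What is readable without any key: the headers the guide lists plus
    any attachment file names found while walking the MIME tree."""
    msg = message_from_string(raw)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return {"subject": msg["Subject"], "from": msg["From"],
            "to": msg["To"], "filenames": names}
```

Running exposed_metadata on both messages shows the subject and addresses in the clear either way, but only the Inline PGP message reveals the real attachment name.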

    4.5.1 Sending encrypted email

    Once you and your correspondent have successfully imported, validated and signed each other's public keys, you can begin exchanging encrypted messages.

    You can encrypt the content of your email messages by following the steps below:

    Step 1. In Thunderbird, click [Write] and compose an email to a recipient for whom you have a signed public key.

    Figure 1: Thunderbird's Compose Window

    Important: Both the padlock button (which indicates that your message will be encrypted) and the pencil button (which indicates that your message will be signed) should light up as soon as you enter an email address for which you have a valid, signed public key. You should also see "This message will be signed and encrypted" toward the upper, right-hand corner of the window. This is because:

    • By default, Enigmail automatically encrypts email to correspondents for whom you have a valid public key

    • We enabled the Sign encrypted messages option, under [Account Settings > OpenPGP Security], in a previous section.

    You can choose not to encrypt or sign a message by disabling the padlock or pencil buttons before clicking [Send]. (You can also configure Thunderbird to send unencrypted email by default. This option is under Manual encryption settings in the Sending tab of Enigmail's Preferences menu.)

    Step 2. Click Enigmail in the compose window menu bar.

    Figure 2: Enabling encryption and signing

    Step 3. Check the Encrypt Message box.

    Step 4. Check the Sign Message box.

    Once you have entered a To: address for which you have a verified public key, the following message should appear in the upper, right-hand corner of the window:

    Figure 3: Enigmail letting you know that it is ready to encrypt and sign a message

    Step 5. Click [Send].

    Step 6. Type the passphrase for your private key.

    Step 7. Click [OK] to send your (encrypted and signed) message.

    4.5.2 Decrypting an email from someone else

    When you click on an encrypted message, Enigmail will prompt you for the passphrase to your private key so it can decrypt the message. Type your passphrase and click [Unlock].

    Figure 1: A decrypted message with a verified signature

    Enigmail will display some information at the top of the message. In the figure above, for example, "Decrypted message; Good signature from Mansour" tells you that:

    • The message was encrypted using your public key (which can be done by anyone)
    • You successfully decrypted it
    • It was signed by someone with the private key that corresponds to the mansour@riseup.net public key that you have imported
    • You have signed that mansour@riseup.net public key, hopefully after verifying that it belongs to the real Mansour.

    FAQ

    Q: What happens if I just install Enigmail and not GnuPG?

    A: That's simple, really. Enigmail just won't work. After all, it's the GnuPG software that provides the encryption engine that Enigmail uses.

    Q: How many email accounts can I set up in Thunderbird?

    A: As many as you like! Thunderbird is an email manager and can easily handle 20 or more email accounts!

    Q: My friend has a Gmail account. Should I convince him to install Thunderbird, Enigmail and GnuPG?

    A: That would be ideal. Just make sure he configures all of his security settings in exactly the same way as you did. Then the two of you will have an extremely effective way of communicating in privacy and safety!

    Q: Remind me one more time, which parts of an email message does Enigmail encrypt?

    A: Enigmail only encrypts the content of messages. Subject lines will not be encrypted, nor will sender and recipient email addresses (or the names associated with those addresses). So, choose your subject lines carefully and consider creating a GnuPG key for at least one email account that does not include your real name.

    Q: I still don't understand the purpose of digitally signing my messages.

    A: A digital signature proves that you're the real sender of a particular message and that the message hasn't been tampered with on its way to your intended recipient. Think of it as the electronic equivalent of the wax seal on an envelope, which contains a very important letter.