Thunderbird and OpenPGP
Version 78.2.1 of the Thunderbird email client has support for end-to-end encryption (e2ee) built right in. This integration means you no longer need add-ons like Enigmail.
Thunderbird uses OpenPGP for encryption, which is a free, nonproprietary protocol. Based on the freeware versions of Phil Zimmerman’s Pretty Good Privacy (PGP), it’s now very much its own thing.
Thunderbird’s OpenPGP integration allows you to encrypt a message. Then, only the people you want to read your message will be able to do so. It also lets you digitally sign a message so your recipient can be confident the message hasn’t been altered in transit.
OpenPGP uses the principle of pairs of public and private (or “secret”) encryption keys. To use OpenPGP, you must have a public and private key pair. Public keys are shared with anyone to whom you want to send encrypted messages, whereas private keys are never shared with anyone else. Private keys can also be used to decrypt messages encoded with the matching public key.
The sender’s email client generates a random key which is used to encrypt the message. The random key is then encrypted with the recipient’s public key, and the encrypted message and key are then sent to the recipient. The recipient’s email program uses the recipient’s private key to decrypt the random key. The random key can then be used to decrypt the encoded message.
Why not just use the recipient’s public key to encrypt the message? This would work for messages sent to a single recipient, but it would be too cumbersome for those sent to multiple people.
The most efficient way to distribute a message to several people is to encrypt the message using the random key. This is because no public or private keys have been involved at that point, making the encryption on the message person-agnostic.
For each recipient, the random key is encrypted using that person’s public key. All of the encrypted keys are then sent with the message. Each recipient can decrypt the copy of the random key that was encrypted using their public key, and then use the random key to decrypt the message.
Thankfully, once OpenPGP is set up, all of this happens automatically.
We tested Thunderbird’s OpenPGP integration on an Ubuntu 20.10 computer. On a Windows 10 PC, all the Thunderbird menu items, settings, and dialogs were named the same and in the same locations. So, if you’re running Windows, you should be able to follow the instructions below, as well!
Checking the Thunderbird Version
OpenPGP integration arrived in Thunderbird 78.2.1, so you’ll want to make sure you’re running that version or higher. You can use your package manager to upgrade if necessary.
If you use Enigmail, refer to the upgrade instructions on the Mozilla support pages. They include advice about backing up your old Thunderbird profile before you upgrade. This way, if something goes wrong, you can go back to the previous version.
By default, Thunderbird 78.x retains the classic three-pane email interface: the accounts and folders in the sidebar, the list of received emails at the top, and the content of the highlighted email at the bottom.
If you can’t see the Thunderbird menu bar, right-click the space to the right of the last tab, and then select “Menu Bar” from the context menu. To see which version of Thunderbird you have, click Help > About Thunderbird.
We’re running version 78.5.0, so the OpenPGP integration will definitely be present.
If this is the first time you’ve used Thunderbird, configure your email address and account details, and then verify that email is functioning normally. You have to have a working email account inside Thunderbird before you can set up OpenPGP.
Generating a Key Pair
To generate a key pair, click “Tools,” and then select “OpenPGP Key Manager.”
Click Generate > New Key Pair.
A screen full of options will appear. Click the “Identity” drop-down menu and select the email address for which you want to generate keys. If you have multiple identities configured in your Thunderbird client, make sure you select the appropriate email address.
Under “Key Expiry,” select the lifespan of your keys or select “Key Does Not Expire.”
In “Advanced Settings,” you can select the type of encryption and key size (the defaults are fine in most cases).
When you’re happy with your selections, click “Generate Key.”
You’ll be asked to confirm that you want to generate the keys for that email address; click “Confirm.”
After your keys have been generated, an entry will appear in the “OpenPGP Key Manager” dialog.
If you generate keys for any other email addresses, those details will be listed here, as well. To view the configuration of any of the listed keys, just highlight the entry in the list, and then click View > Key Properties.
Select the radio button next to “Yes, Treat This Key as a Personal Key,” and then click “OK” when you’re ready to proceed.
Exchanging Public Keys
You have to have the public key for each person to whom you’re going to send encrypted messages. They’ll also need yours to send encrypted messages back. There are a few ways you can get someone’s public key. They might send it to you unannounced or you can ask them for it. You can even try to find it online.
Whenever you receive an email with an attached public key, Thunderbird includes an “OpenPGP” button to the right of the email header; click it to import the public key.
You might receive some warnings. For example, if the message wasn’t encrypted or digitally signed, you’ll be told so.
If you’ve just asked this person to send you their public key, you can be pretty sure this is from them. If there’s any doubt, just double-check with them via text, phone, or any other non-email method.
If you’re satisfied the public key definitely belongs to the person sending the message, click “Import.”
The name of the sender and their email address will appear as confirmation. Click “OK” to import the key.
Some information about the imported public key will then appear. You’ll see who owns the key, the email address associated with it, the number of bits the encryption is using, and when the public key was created.
Click “View Details and Manage Key Acceptance.”
If you’re positive the key came from its owner, select the radio button next to “Yes, I’ve Verified in Person This Key Has the Correct Fingerprint,” and then click “OK.”
That’s half the battle! We now have Alwa’s public key, so let’s send him ours. To do so, just start a new email to the person to whom you want to send your key or reply to one of their emails. In the email menu bar, click Options > Attach My Public Key.
Then, you just type the body of your email and send it as usual. Again, Thunderbird includes an “OpenPGP” indicator at the bottom right of the status bar to let you know the message uses OpenPGP. If the email is encrypted, you’ll also see a padlock icon, and if it’s digitally signed, you’ll see a cogwheel icon.
The options for encryption and digitally signing emails are available in the “Security” section of the email menu bar. You can also attach your public key from this menu.
When you’re ready, just send your email.
Reading Encrypted Emails
Alwa can now reply to you and use encryption. When you receive an encrypted, email you don’t have to do anything special to read it—just open it as usual. “OpenPGP” in the email header will include green checkmarks to verify that OpenPGP has decrypted the email and that the digital signature has also been verified.
The subject line of an encrypted email will be displayed as an ellipsis (…) until you open it. This prevents anyone from seeing the subject of any encrypted emails you receive.
Some people do make their public keys available online. To upload yours, you first have to export it.
To do so, click “Tools,” and then select “OpenPGP Key Manager.” Highlight the key you want to export in the “OpenPGP Key Manager” dialog, and then click File > Export Public Key(s) to File.
Save the exported file to your computer (be sure to note where you save it). Next, open your web browser and navigate to the OpenPGP Key Repository. Here, you can search for existing keys using the email address, key ID, or fingerprint.
You can also upload your own key. To do so, just click “Upload,” and then browse to the location of your exported file.
Once your key is uploaded, people can search for, find, and download or import it into their own email clients.
You can also search for online keys in Thunderbird. Just click “Tools,” and then select “OpenPGP Key Manager.” Then, click Keyserver > Discover Keys Online.
When the “OpenPGP Prompt” dialog appears, type the email address of the person you’re looking for, and then click “OK.”
If a match is found, Thunderbird will offer to import the key for you; click “OK” to do so.
Keep Your Secrets, Well, Secret
Admittedly, not every email needs to be locked down with encryption and verified by a digital signature. However, for some people—like dissidents in oppressive regimes, whistleblowers, or journalists’ sources—privacy can be a matter of life or death.
Whenever you need more privacy, Thunderbird makes it easy!