Thunderbird/Encrypting your email

Overview
To encrypt the email we use the common add-on Enigmail which uses GnuPG, an implementation of OpenPGP. By using Enigmail/GnuPG you can also sign messages so the receiver can verify that you are the original sender and that it is not forged. First we need to install Thunderbird (if not installed already), Enigmail and GnuPG.

Gentoo Linux
Gentoo users just emerge the package mail-client/mozilla-thunderbird with the useflag crypt enabled, this will pull the package x11-plugins/enigmail and it's dependencies.

Debian/Ubuntu Linux
Debian-based distributions need to install IceDove (Thunderbird rebranded due to legal issues) and Enigmail. This will also pull all the dependencies.

Windows/Other
Windows users and distributions without package managers need to download and install Thunderbird manually. Enigmail must also be installed manually and can be downloaded from https://addons.mozilla.org, first select Thunderbird under 'Other applications', search for enigmail and download it. If you are using Firefox you need to make sure you download it and not try to install it directly. Also, Enigmail requires the application GnuPG to run which must also be installed manually. From site select download and find a binary version to download, current version is: gnupg-w32cli-1.4.9.exe. Don't be scared if this site looks confusing.

After installing GnuPG go back to Thunderbird, select 'Tools' -> 'Add-ons', click 'Install' and select Enigmail from where you previously downloaded it. After installing you need to restart Thunderbird.

Key pairs
GnuPG uses two pair of keys, a public and private. The public key is used by others to encrypting their messages to you and verify that the message was sent by you. The private key is needed to decrypt the messages. You need to distribute the public key to anyone who want to send messages to you, either by giving it to them manually or by uploading it to a keyserver. A keyserver is a database of public keys associated with an email adress. While the public and private key has a strong relation one cannot be used to generate the other. If you are interested in learning more about how this works read Public-key_cryptography on Wikipedia. EnigMail allows you to specify how much you trust a key. Keep your private key secure! If your private key is compromised others may decrypt your messages and sign messages under your identity.



To generate a key pair go to the key management under the new menu OpenPGP (this pops up the first time you start Thunderbird with Enigmail) and follow the instructions. Basically you have to enter a passphrase, most other settings is good enough already. I recommend that you use a strong passphrase for your keys even if this means that you have to enter it each time you send a message. This will make it more secure in case the private the is compromised.

It might also be a good idea to upload your public key to a keyserver by first selecting your key in the list then select 'keyserver' in key management and chose 'Upload public key'. You may also choose to create more than one key pair and use per-recipient rules on which key to use when sending. For instance you can use one pair normally and another pair when you want to be extra secure.

Sending messages
After writing you message as usual select 'Sign message' and 'Encrypt message' under the OpenPGP menu. Depending on you settings these might already be selected. When you hit send Enigmail checks if the you have the receivers public key and if not it will open the key management and ask you to import the key, either from a keyserver or from a file. After selecting the key you need to enter your passphrase and then the message is sent.