Mozilla Thunderbird recently integrated OpenPGP directly into the main application. No add-ons are needed for email privacy.
Thunderbird and OpenPGP
Version 78.2.1 of the Thunderbird email client has built-in support for end-to-end encryption (e2ee). This integration means that you no longer need add-ons like Enigmail.
Thunderbird uses OpenPGP for encryption, a free, non-proprietary protocol. It grew out of the freeware versions of Phil Zimmermann’s Pretty Good Privacy (PGP), but today it is very much a standard in its own right.
Thunderbird’s OpenPGP integration lets you encrypt a message so that only the people you intend to read it can do so. It also lets you digitally sign a message, so your recipient can be confident that it was not changed in transit.
OpenPGP is built on pairs of public and private (or “secret”) encryption keys. To use OpenPGP, you must have a key pair of your own. Public keys are meant to be shared: you give yours to the people you exchange encrypted mail with, and they give you theirs. Private keys are never shared with anyone else. A private key decrypts messages that were encrypted with its corresponding public key.
The sender’s email client generates a random key that is used to encrypt the message. The random key is then encrypted with the recipient’s public key and the encrypted message and key are then sent to the recipient. The recipient’s email program uses the recipient’s private key to decrypt the random key. The random key can then be used to decrypt the encrypted message.
Why not just use the recipient’s public key to encrypt the message? This would work for messages sent to a single recipient, but it would be too cumbersome for messages sent to multiple people.
The most efficient way to send one message to several people is to encrypt the message body just once, with the random key. No public or private keys are involved in that step, so the encrypted message itself is not tied to any particular recipient.
For each recipient, the random key is encrypted with that person’s public key. All encrypted keys are then sent along with the message. Any recipient can decrypt the copy of the random key encrypted with their public key, and then use the random key to decrypt the message.
Fortunately, this all happens automatically once OpenPGP is set up.
We tested Thunderbird’s OpenPGP integration on an Ubuntu 20.10 computer. On a Windows 10 PC, all Thunderbird menu items, settings, and dialog boxes had the same names and were in the same places. So if you’re on Windows you should be able to follow the instructions below too!
Check the Thunderbird version
OpenPGP integration has arrived in Thunderbird 78.2.1, so you should make sure you’re using that version or higher. You can use your package manager to upgrade if necessary.
If you are using Enigmail, please refer to the upgrade instructions on the Mozilla support pages. They provide advice on how to back up your old Thunderbird profile before upgrading. This way you can roll back to the previous version if something goes wrong.
Thunderbird 78.x keeps the classic three-panel email interface by default: the accounts and folders in the sidebar, the message list at the top, and the content of the selected email at the bottom.
If you cannot see the Thunderbird menu bar, right-click the space to the right of the last tab and select “Menu Bar” from the context menu. To see what version of Thunderbird you have, click Help > About Thunderbird.
We are running version 78.5.0, so the OpenPGP integration will definitely be there.
If this is your first time using Thunderbird, configure your email address and account information, then check if the email is functioning normally. You must have a working email account in Thunderbird before you can set up OpenPGP.
Generate a key pair
To generate a key pair, click on ‘Tools’ and then select ‘OpenPGP Key Manager’.
Click Generate > New Key Pair.
A screen full of options will appear. Click the “Identity” drop-down menu and select the email address for which you want to generate keys. If you have multiple identities configured in your Thunderbird client, make sure you select the correct email address.
Under ‘Key expires’, select the lifetime of your keys or select ‘Key does not expire’.
In “Advanced Settings” you can select the encryption type and key size (the default settings are fine in most cases).
When you are satisfied with your selections, click on ‘Generate key’.
You will be asked to confirm that you want to generate the keys for that email address; click on ‘Confirm’.
After your keys have been generated, an entry will appear in the “OpenPGP Key Manager” dialog box.
If you generate keys for other email addresses, those details will also be listed here. To view the configuration of one of the listed keys, highlight the item in the list and click View > Key Properties.
Select the radio button next to “Yes, treat this key as a private key” and then click “OK” when you are ready to proceed.
Exchange of public keys
You must have the public key for each person you are going to send encrypted messages to. They also need yours to return encrypted messages. There are a few ways you can get someone’s public key. They may send it to you unannounced or you can ask for it. You can even try to find it online.
Whenever you receive an email with an attached public key, Thunderbird will include an “OpenPGP” button to the right of the email header; click on it to import the public key.
You may receive some warnings. For example, if the message is not encrypted or digitally signed, you will be told.
If you have just asked this person to send you their public key, the key that arrives is most likely theirs. Still, an email and its sender address can be forged, so if there is any doubt, compare the key’s fingerprint with them via text, phone, or some other non-email channel.
When you are sure the public key belongs to the person who sent the message, click “Import”.
The sender’s name and email address appear for confirmation. Click “OK” to import the key.
Some information about the imported public key will then appear. You can see who the key belongs to, the email address associated with it, the number of bits the key uses, and when the public key was created.
Click on ‘View details and manage key acceptance’.
If you are sure that the key comes from the owner, select the radio button next to “Yes, I personally verified that this key has the correct fingerprint” and click “OK”.
That’s half the battle! We now have Alwa’s public key, so let’s send him ours. To do this, simply start a new email to the person you want to send your key to or reply to one of their emails. In the email menu bar, click Options > Attach My Public Key.
Then just type the body of your email and send it as usual. Again, Thunderbird includes an “OpenPGP” indicator at the bottom right of the status bar to let you know that the message is using OpenPGP. If the email is encrypted you will also see a padlock icon and if it is digitally signed you will see a gear icon.
The options for encrypting and digitally signing emails are available in the “Security” section of the email menu bar. You can also add your public key from this menu.
When you’re done, just send your email.
Read encrypted emails
Alwa can now reply using encryption. When you receive an encrypted email, you don’t need to do anything special to read it – just open it as usual. The “OpenPGP” button in the email header will show green check marks confirming that OpenPGP has decrypted the email and that its digital signature has been verified.
The subject line of an encrypted email appears as an ellipsis (…) until you open it, so nobody glancing at your message list can read the subjects of the encrypted emails you receive.
Some people make their public keys available online. To upload yours, you need to export it first.
To do this, click on “Tools” and then select “OpenPGP Key Manager”. Highlight the key you want to export in the “OpenPGP Key Manager” dialog box, then click File > Export Public Key(s) to File.
Save the exported file to your computer (note where you save it). Then open your web browser and navigate to the OpenPGP Key Repository. Here you can search for existing keys using the email address, key ID or fingerprint.
You can also upload your own key. To do this, just click on ‘Upload’ and browse to the location of your exported file.
After your key is uploaded, people can search, find and download it or import it into their own email clients.
You can also search for keys online from within Thunderbird. Just click on ‘Tools’ and then select ‘OpenPGP Key Manager’. Then click on Keyserver > Discover Keys Online.
When the “OpenPGP Prompt” dialog box appears, enter the email address of the person you are looking for, then click “OK”.
If it finds a match, Thunderbird offers to import the key for you; click “OK” to do this.
Keep your secrets, well, secret
Granted, not every email needs to be locked with encryption and verified by a digital signature. However, for some people – such as dissidents in oppressive regimes, whistleblowers, or journalist sources – privacy can be a matter of life or death.
When you need more privacy, Thunderbird makes it easy for you!