Encrypt and sign email with Thunderbird using GPG


Learn how to digitally sign, verify, encrypt, and decrypt Gmail (or any other email) using the Enigmail add-on for Thunderbird Mail in Ubuntu.


Why would you want to use this functionality in Ubuntu?

Why would you bother using Thunderbird Mail to encrypt or digitally sign your messages sent from GMail or Yahoo! Mail, etc ...?

Good question. Not everyone will have this requirement.

It all boils down to how private you want to keep the information in your emails (bear in mind that the webmail interfaces to Gmail and other email providers can't be used to encrypt and sign your email).

For example, a business using Gmail may wish to encrypt any intellectual property contained in their emails. In the event that their Gmail account has been compromised, the intruder will not be able to read any of these emails because the intruder does not have the private key. If they manage to steal the private key, they still need to know its passphrase in order to use that private key!

Also, these days evil people will sometimes try to spoof email. So if you get an email from somebody that you think you know, how can you be sure that it was actually sent from them?

If someone digitally signs their outgoing email messages, then (as long as their private key remains private) there is no question about who sent the signed email. Digitally signing an email also allows the recipient to prove that the email has not been tampered with in any way.

If you're still not sure why somebody would want to sign their data (outgoing mail in this case), then you may want to read our gpg guide about digital signatures.

If you need help setting up Thunderbird, you may want to read our article about Thunderbird Mail (IMAP vs POP3).

The Enigmail Add-on

The Enigmail add-on uses the Gnu Privacy Guard (GPG) implementation of the OpenPGP standard to perform encryption and decryption of email, and also to digitally sign and verify email messages.

Enigmail uses public-key cryptography (also known as asymmetric encryption), so you'll need to have a key pair (that is, a public key and a private key).

You can generate a key pair through Enigmail (shown below), however if you want to get your hands dirty and learn a bit more about the gpg command line tool, you could read our GPG Encryption Guide - Part 1.

Just A Quick Warning!

Note that the first time you carry out the configuration of Enigmail and the key pair, it may take some time to set everything up.

You may decide that you only want to encrypt email when necessary (that is when it contains information that you would like to remain private in the event that your Gmail account or Yahoo mail account is compromised).

Also, you're about to set up the steps required to keep your information private. This privacy boils down to a private key located on your desktop or laptop (you may decide to import your private key onto all your desktops and laptops).

However, once you start using encrypted mail, you will not be able to read anything that has been encrypted without your private key. This means you may only be able to encrypt/decrypt email on specific devices (to put it another way, you may not be able to read all of your email on all of your devices).

It is your responsibility to keep your private key and its passphrase safe (we recommend that you keep an encrypted copy of your exported private key in a safe place in case your hard drive gets wiped and you lose your private key - steps for encrypting your private key in a safe manner are outlined in the "Backing Up Your Private Key" section of this GPG Guide).

OK, with all that out of the way, below you'll find step-by-step guides for each part of the set-up, along with guides for using the features for the first time.

  1. From "Tools" in the top menu bar, select "Add-ons" as shown below:

  2. Then search for "enigmail" in the search box.

    Once it's been found, click the "Install" button.

  3. Once Enigmail has been installed, you'll need to restart Thunderbird. Click on the "Restart now" link that is shown in the screenshot below (or just close & restart the application yourself).

  4. Close the Add-ons tab if it's still open.

    In the top menu bar, you'll now see that an extra menu item called OpenPGP has appeared.

Setting Up Your Key Pair

  1. To set up Enigmail, from the OpenPGP menu, click on "Setup Wizard".

    A window will open as shown below. Select "Yes, I would like the wizard to get me started" (this should be the default), then click "Next".

  2. Next, you'll need to configure whether or not you want to sign your outgoing emails. Some people find that signing all outgoing email is overkill (pick whatever suits your requirements). If you'd just like the option to sign them, select "No, I want to create per-recipient rules for emails that need to be signed" as shown below, then click "Next".

  3. Now, you'll need to configure whether or not you want all outgoing email to be encrypted by default. Most people will just want the option to be able to encrypt an outgoing email, so if this suits your requirements pick "No, I will create per-recipient rules for those that sent me their public key" as shown in the screenshot below (it should be selected by default), then click "Next".

  4. Next you'll be asked if you want Thunderbird/Enigmail to tweak your email settings so that signing and encrypting run more smoothly on your machine. Most people will want to select "Yes" then click "Next" as shown below. (Note that you can take a look at what is being tweaked with the "Details" button. If desired, you may choose to skip some of the tweaks ... or you can say no to the lot by selecting "No, thanks").

  5. Now you need to configure a key pair to use.

    If you do not have a key pair yet, please skip to the next step.

    If you already have verified or trusted key(s) on your gpg keyring, they will be found by Enigmail and you can select one of those. In the screenshot below, we already have a key pair for Tutonics, so we select that then click "Next".

    Note that if you have no keys on your gpg keyring, but do have a private key to import, you can select "I have existing public and private keys that I would like to import", browse to the key file location and import them.

    If you have been successful in setting up your existing keys, you'll be shown a summary of the actions; just click "Next". Finally, you've reached the last step, so just click "Finish". If you've reached this point, you can skip the rest of this section (steps 6, 7, and 8).

  6. Generating A New Key Pair

    You can generate a new key pair by selecting "I want to create a new key pair for signing and encrypting my email", as shown below, then click "Next".

  7. If you've chosen to create a new key pair, you'll see the window shown in the screenshot below, enter and confirm your passphrase. (Your passphrase is used to protect your private key. Later, when you use your private key you'll be prompted to enter the passphrase. Choose a strong passphrase and don't forget it). Then click "Next".

    You'll then be asked to confirm the details (as shown below) before key creation starts. Click "Next".

  8. You'll now see the window shown below. Key generation can take a few minutes, so just get on with other stuff (which helps to generate the random data required in key creation) like surfing the web ...

    When key generation has been completed, you'll see the popup window shown below. It asks you if you'd like to create a revocation certificate.

    If you forget your passphrase, or accidentally destroy your private key, or lose your private key, or if your private key is compromised/stolen, this revocation certificate may be published in order to notify others that your related public key should no longer be used. It's a good idea to create this revocation certificate now, so click "Generate Certificate", and save the ascii armored file to a very safe place. You'll be asked to enter your private key's passphrase to sign the revocation cert.

    Once the revocation cert has been created, you'll see the popup window shown in the screenshot below which has some advice about where to store the cert.

    That's it! You'll then see the window shown below; just click "Finish".

With your key pair now set up, if it's a new key pair, you'll need to let your friends know about your public key. You can do this as explained in our GPG Encryption Guide Part 1, or you can upload it to a keyserver if you'd like to make it available for anybody to use. To upload your public key to a keyserver you'll need to do the following:

From the OpenPGP menu at the top bar, select "Key Management", then search for the key you just set up (start typing the person's name into the search box and the key will appear, as shown in the image below for our example user "Vladimir").

Select that key, then go to the top menu again and select "Keyserver", then "Upload Public Keys" as per screenshot below.

Then click "OK" to carry out the upload.

Your friends will now be able to find your public key easily.

When you go to write an email, you'll see an "OpenPGP" button at the top. By clicking this you will open up a popup window where you can select "Sign Message" (this is shown below). Select that, then click OK. Now when you send your message, it will be digitally signed.

On the receiving side, an email's signature will be verified automatically as long as the sender's public key is known to the recipient.

If the sender's public key is not known, the following "Unverified" message will be visible in the recipient's Thunderbird window:

If you know their key is on a keyserver, in order to get that public key, click on "Details" at the end of the unverified message. Then click "Import Public Key". You'll then see the popup window shown below:

Click "Import", then you'll see:

Select (or type) the name of the keyserver, then Click "OK" (the default name should be fine). Note that keyservers will normally talk to each other, so you may be able to use any keyserver if they've had a chance to sync. Once that key is loaded, you'll see the "UNTRUSTED" message below:

You need to sign their public key by clicking on "Details" again (at the end of the blue message this time). Click "Sign Sender's Key", then you'll be presented with the popup window below. Call your friend and ask them for their key's fingerprint (or if they have a website showing their key's fingerprint, verify against that). If it matches what you have, select "I have done very careful checking". Then click OK, and enter your passphrase when prompted.

Note that you can see their key's fingerprint in the popup window and they can see their key's fingerprint by opening a terminal (Ctrl+Alt+t) and running the command (in this case for Vladimir):

gpg --fingerprint Vladimir

By leaving out the name Vladimir, fingerprints for all keys on their keyring will be displayed, from which they can select the appropriate one and confirm it with you. The verification is now complete. Any further email from that specific sender will be verified. You'll see a green message like the one below:
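The fingerprint you compare over the phone is not an arbitrary label: for a v4 key it is the SHA-1 hash of the public-key packet itself (RFC 4880, section 12.2), so anyone holding the same public key computes the same 40 hex digits. The following Python is an added example, not code from the article or from Enigmail: it builds a constructed toy RSA public-key packet (the numbers are far too small to be a real key), ASCII-armors it the way a key export looks, then reads the armor back, checks the armor's CRC-24 trailer, computes the fingerprint, prints it in the grouping `gpg --fingerprint` uses, and compares it with a fingerprint read out by the key's owner in any spacing or case.

```python
import base64
import hashlib
import hmac
import re

def _mpi(n):  # OpenPGP multi-precision integer: 2-byte bit count, then big-endian value
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def _crc24(data):  # checksum in the "=XXXX" armor trailer (RFC 4880 section 6.1)
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def make_armored_pubkey(n, e, created):
    """Build and armor a v4 RSA public-key packet; n, e are constructed toy values, not a real key."""
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + _mpi(n) + _mpi(e)  # v4, time, RSA, MPIs
    packet = b"\x99" + len(body).to_bytes(2, "big") + body  # old-format header: tag 6, 2-byte length
    crc = base64.b64encode(_crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(packet).decode()
            + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

def dearmor(armored):
    """Drop the BEGIN/END lines and any armor headers, base64-decode, check the CRC-24."""
    lines = armored.strip().splitlines()[1:-1]
    while lines and lines[0].strip():  # "Version:"-style headers end at the first blank line
        lines.pop(0)
    lines = [l for l in lines if l.strip()]
    crc = int.from_bytes(base64.b64decode(lines.pop()[1:]), "big")  # trailer "=XXXX"
    data = base64.b64decode("".join(lines))
    if crc != _crc24(data):
        raise ValueError("armor CRC mismatch: the key block is corrupt")
    return data

def fingerprint_v4(key_block):
    """v4 fingerprint = SHA-1 over 0x99, 2-byte length, packet body (RFC 4880 section 12.2)."""
    if key_block[0] != 0x99 or key_block[3] != 4:  # as exported by gpg: tag 6, 2-byte length, v4
        raise ValueError("expected an old-format v4 public-key packet")
    body_len = int.from_bytes(key_block[1:3], "big")
    return hashlib.sha1(key_block[:3 + body_len]).hexdigest().upper()

def format_like_gpg(fp):  # ten 4-digit groups with a wider gap after the fifth, as gpg prints
    groups = [fp[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])

def fingerprints_match(spoken, computed):  # tolerate any spacing/case in what the owner read out
    spoken = re.sub(r"[^0-9A-F]", "", spoken.upper())
    return len(spoken) == 40 and hmac.compare_digest(spoken, computed.upper())
```

A real export from gpg can be fed to `dearmor` and `fingerprint_v4` as-is, since gpg writes the primary key as an old-format packet with a 2-byte length; the result matches the first line of `gpg --fingerprint` for that key.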

To send a signed and encrypted email, when writing the email click on the "OpenPGP" button to open the popup shown below. Select both "Sign Message" and "Encrypt Message", then click "OK".

When you go to send an encrypted email for the first time, you'll get a popup like the one below asking whether the copy saved to the "Sent" folder should be encrypted as well.

Not everybody will have the same requirement here, but the most secure thing to do is to encrypt the message. Otherwise, if your webmail account (for example a Gmail account or Yahoo mail account) gets compromised, the intruder will be able to read the mail you sent. Note that you can also get Enigmail to remember your preference by clicking that checkbox.

We chose to encrypt ours by clicking "Encrypt Message". Now click on "Send". If the sender doesn't have the recipient's public key, you'll get the following:

Click on "Download missing keys", then you'll see the following box.

Click OK to import the recipient's public key. Then click OK again, to get the following popup:

Click OK.

You'll now see the following window where you can select the recipients:

Note that there is no trust for the newly downloaded public key.

You should verify the key's fingerprint as described earlier.

Once you've verified the key fingerprint is OK, you should sign that key which will change the trust to "Trusted". To sign it, open a terminal using Ctrl+Alt+t, then run the command (put the relevant name in place of Tutonics):

gpg --edit-key Tutonics

Then in gpg cli, run:

sign

You'll be asked to confirm, then to enter the passphrase for your private key (the passphrase may not be required if you entered it recently - depending on how gpg is configured). When you type "quit" to exit the cli, you'll be prompted about saving your changes, choose "y".

Now in the Thunderbird Enigmail window, if you press the "Refresh Key List" button, you'll see the trust of the above key is now marked as "trusted" as shown below:

Select the recipient's key, then click "OK". On the recipient's side, they will need to enter their private key passphrase to decrypt the message.

And that's it, a verified and decrypted email!

Thanks To Mozilla Foundation And The Enigmail Project
