Kate's Comment

Thoughts on British ICT, energy & environment, cloud computing and security from Memset's MD

How to send and receive secure, encrypted emails in Thunderbird with PGP

Pretty Good Privacy (PGP) is a great way to send encrypted or verified emails to people whom you know and trust. It is a bit fiddly to set up, so I’ve written this guide for using PGP with Thunderbird. This will work for sending documents securely too.

Note that some of the menu items might be named slightly differently depending on which version of Thunderbird you are using but rummage around and you should find them. Also, make sure you’re on Thunderbird’s main “Mail & Newsgroups” window when following these instructions, not on a message window.

Step 1: Set up your own PGP keys with GPG

  1. Download and install GNU Privacy Guard (GPG). Instructions for Win/Lin/Mac are here. Mac users, use GPGtools.
  2. You will be prompted to create a new key pair if you don’t already have one. Do this using your real name and your main email address (you can add other identities later). If you like, open the advanced options. 2048 bit should be enough, but if you’re a tinfoil hat wearing conspiracy theorist, go for 4096. 😉
  3. Choose a password for your new key, and make sure it is a good one! I recommend using our secure password generator and saving it in something like KeePassX. Don’t worry, you won’t have to use it often.
  4. Swap to another app, waggle your mouse around and generally do stuff to help with the randomness generation. Swap back to GPG Keychain Access.
  5. Tada! You now have your own unique PGP key pair. You can give the public portion to anyone, even publish it on the Interwebs (mine is here). DO NOT give anyone your private key though, and keep it secured (i.e. don’t back it up to an unencrypted device).
  6. Next, you’ll want your key to be listed on a public key server. Just right-click on your new key and select “Upload to public key server”.

It is also advisable to generate a revocation certificate!

The revocation certificate goes in your backup and is as important as the private key because it is the only way to invalidate a key that was submitted to a key server.

Reasons to revoke a key? Because you lost your pass-phrase, you want to upgrade your encryption, you believe your private key has been compromised, etc.

For example, see Juan’s keys here; note some have been revoked.

– thanks to Juan Martinez for this infonugget!
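
The steps above do not show where a revocation certificate comes from or what importing one does. As an added example (not part of the original post), this script assumes GnuPG 2.1 or later, which stores a certificate under `openpgp-revocs.d` when the key is generated, and uses a throwaway keyring with a constructed identity to show the key changing to revoked:

```bash
#!/usr/bin/env bash
# Added example: runs in a throwaway keyring, never against your real ~/.gnupg.
set -euo pipefail

# Validity flag of a key (field 2 of the "pub" record): "u" = own key, "r" = revoked.
key_validity() {  # $1 = keyring directory, $2 = fingerprint
  gpg --homedir "$1" --batch --with-colons --list-keys "$2" |
    awk -F: '$1 == "pub" { print $2 }'
}

revocation_demo() {
  local home fpr rev before after
  home=$(mktemp -d)
  # Constructed identity; the empty passphrase is acceptable only because the
  # keyring is deleted at the end of the demo.
  gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Test User <test@example.invalid>' rsa2048 default 1y >/dev/null
  fpr=$(gpg --homedir "$home" --batch --with-colons --list-keys |
        awk -F: '$1 == "fpr" && !seen { print $10; seen = 1 }')
  before=$(key_validity "$home" "$fpr")

  # GnuPG 2.1+ stores a revocation certificate when the key is generated.
  rev="$home/openpgp-revocs.d/$fpr.rev"
  [ -s "$rev" ] || { echo "no revocation certificate at $rev" >&2; return 1; }

  # The stored file is disarmed with a leading colon so it cannot be imported by
  # accident; remove the colon and import it to revoke the key.
  sed 's/^:-----BEGIN/-----BEGIN/' "$rev" |
    gpg --homedir "$home" --batch --quiet --import
  after=$(key_validity "$home" "$fpr")

  gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
  rm -rf "$home"
  echo "before=$before after=$after"
}

revocation_demo
```

On a real keyring, copy the `.rev` file to your offline backup and leave the colon in place until you actually need to revoke. After importing it, upload the key to the key server again so that others see the revocation.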

Step 2: Getting PGP working with Thunderbird

  1. Download and install the Enigmail addon for Thunderbird. There are instructions on the page, but in short:
    1. Download the .xpi addon file
    2. In Thunderbird go to “Tools”->“Addons”
    3. Click the cog wheel symbol (top left) and select “Install Add-On From File”
    4. Browse to the .xpi file’s folder, select it and click “Open”
  2. Restart Thunderbird
  3. Enigmail is now installed! 🙂

You now need to enable PGP for each of your identities (you may have one or many; I have about 10 email addresses which all come to the same account), as follows:

  1. Go to “Tools”->“Account settings”->“Manage identities”->“Select identity”->“Edit…”->“OpenPGP Security”
  2. On this tab you need to:
    1. Tick the “Enable OpenPGP support (Enigmail) for this identity” checkbox
    2. Select “Use specific OpenPGP key”
    3. Click “Select Key…” and select your key (should be obvious which).
      1. Note: If you don’t specify it and instead use the “Use email address of this identity to identify OpenPGP key” option, then the “Attach My Public Key” option (see below) will be greyed out (known bug).
    4. Click Okay
    5. Rinse and repeat for any other identities.
  3. Once complete leave the identities / accounts pages and we’re ready to test it:
    1. Open a new message (<CTRL>+n or <CMD>+n on MacOS). Note you now have a little pencil and key symbol bottom left.
    2. You can press <CTRL>/<CMD>+<SHIFT>+s to sign a message and/or <CTRL>/<CMD>+<SHIFT>+e to encrypt it. Generally if you encrypt you should sign too!
      • “Signing” enables the recipient to verify that you really sent them the email. Emails are very easy to spoof so this is valuable!
      • “Encrypting” messages does what it says on the tin; it will mean that only the recipient can decrypt your message (OpenPGP encrypts it with their public key, so they need their private key to decrypt it).

Step 3: Exchange keys with people you trust

You can sign messages right away – this will confirm your identity, however it is only really of value if you have someone sign your key (stating that they trust you to some degree). So:

  1. Find someone you know who has PGP. If you know me then I’ll be happy to sign your key.
  2. Write them an email and from the menu select “Tools”->“Attach My Public Key” (from the main menubar, not the message one).
  3. For good measure also sign the message (<CTRL>/<CMD>+<SHIFT>+s).
  4. Make sure that you use plaintext only:
    1. Select “Options”->“Format”->“Plain Text Only”
    2. Delete your pretty HTML sig if you have one (this can mess up signing)
  5. Hit send (<CTRL>+<ENTER> or <CMD>+<ENTER>)
    • You’ll be asked what to do with the attachment (your public key). I normally use “Encrypt/sign each attachment separately and send the message using inline PGP”; it seems to be the most compatible with other email clients.
    • You’ll be warned about HTML messages too, even if you have followed the above steps. Ignore it.
    • Finally, the first time you’ll be asked for your password. I save mine in my keychain for convenience (I have a 16 character crypto-strong user password and on-disk encryption so I feel confident

You should also get your friend(s) to send you their public key(s), and this is what they should do when receiving yours as well:

  1. Be absolutely certain that it is them that sent you the key! For example, be speaking to them on the phone while doing so, or get them to text you with a code which is included in the email. Only do the following if you are sure it is them.
  2. You should see a cyan bar at the top which says “Untrusted signature”. This is fine; you’ve not yet set the trust by signing it (we will do that shortly)
    • You might get a pink warning about signature verification failing; this probably means they sent you some HTML. It can be safely ignored with the above checks – take the opportunity to educate them by pointing them to this blog post though! 😉
  3. Once you have the email, right-click on the attachment and click “Import PGP key”.
  4. Now to sign/trust their key. Right clicking on “Details” top right of the message to sign and set trust on keys doesn’t always seem to work, so instead:
    1. Go to “OpenPGP”->“Key Management”
    2. Right-click on your friend’s key and select “Sign Key”. Answer the question about checking honestly (this is important for maintaining the PGP web’s integrity)
    3. Right-click on your friend’s key and select “Set Owner Trust”. This is just for you; how much do you trust this person? In general, reserve ultimate trust only for yourself!
    4. Upload the details: “Keyserver”->“Upload Public Keys”->Select any Keyserver->Click OK.

You’re now basically done! Time to test it properly. I recommend the following steps:

  1. Send your friend a signed (not encrypted) message asking them to reply in kind.
    • You should both get a green bar and “Good trusted signature” or words to that effect.
    • Note that there seems to be a bug with some versions of Thunderbird and the handling of HTML signatures. If you have HTML in your signature I recommend you delete it whenever using PGP, or make an identity with a plain text sig.
  2. Send your friend an encrypted and signed message, asking them to respond in kind.
    • Since encrypting with PGP means that only the person with the private key matching the public key you used to encrypt the message can decrypt it, signing it as well might be viewed as overkill. However, there are possible attack modes where someone might pretend to be you, and signing it proves that it is really from you. In general do not trust encrypted but not signed messages (it is trivial to spoof email addresses).
    • If all goes well you’ll momentarily see a big block of text (ASCII armoured PGP encoding) and then Thunderbird will automatically decrypt it and show you the message.

Further information: