Encrypt emails with Thunderbird and GPG
Introduction
Following my previous email about my new GPG key, I decided to give thunderbird a chance since I’ve been using (neo)mutt for a long time. I love neomutt; it’s very efficient and powerful. I don’t know if I’ll stick with thunderbird, but I thought it would be good to give it a fair shot.
I’m not going to talk about how to install or configure thunderbird; I’m just going to highlight here what I had to do to manage my gpg key for email encryption with thunderbird. This page also assumes that you have already created your gpg keys.
Important thing to note: thunderbird can either use its internal GPG key support or it can be configured to use an external gnupg installation. I chose the latter and not the built-in support. If you want to use thunderbird’s included gpg support, this page is not for you :).
Configuration
To enable external GnuPG support in Thunderbird, go to the config editor (at the bottom of the thunderbird settings page), search for mail.openpgp.allow_external_gnupg and set its value to true.
Then, go to the account settings you want to configure and click on the End-To-End Encryption entry in the left sidebar. Click on the Add Key button and select the Use your external key through GnuPG option. You’re being asked for the Secret Key ID, which are the last 16 characters of your primary key fingerprint.
Your key should now be added on your account.
But it is not enough to actually send encrypted email yet! If you try, you’ll most probably see something like ‘Unable to send the message, because there is a problem with your personal key. The configured key ID ‘XXXXXXXXXXXXXXXX’ cannot be found on your keyring.’
Turns out, you also need to import the public key in thunderbird. For this, run:
gpg --export --armor --output pubkey.asc email@example.com
And then, in thunderbird, open the OpenPGP Key Manager, and on the new popup go to File → Import Public Key from file and select the pubkey.asc created above. On the next popup, click on Accepted (unverified) then Import. On the next screen, click on View Details and manage key acceptance to change the verification to Yes, I've verified in person this key has the correct fingerprint (duh, I created it myself, so yes, it’s verified!) and validate.
The new key should appear in the openpgp key manager now. And sending an encrypted email should work without error message.
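The two places where this setup silently goes wrong are the Secret Key ID (the last 16 hex digits of the primary key fingerprint) and the public key export, which must carry exactly that key ID or thunderbird reports the keyring error above. The script below is an added example, not part of the original post: it derives the key ID from a fingerprint and, when gpg is available and an email address is passed as the first argument, exports the public key and checks that the exported file really matches. The fingerprint used for the demonstration is a constructed placeholder, not a real key, and the check_exported_key helper is my own naming.

```shell
#!/bin/sh
# Added example (not from the original post): derive the Secret Key ID
# thunderbird asks for from a full OpenPGP v4 fingerprint, and verify that
# the exported public key carries the same ID.

# key_id_from_fingerprint FPR
#   Strips spaces, upper-cases, requires 40 hex digits (an OpenPGP v4
#   fingerprint) and prints the last 16 hex digits: the long key ID that
#   thunderbird expects in the "Secret Key ID" field.
key_id_from_fingerprint() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$fpr" in
        ""|*[!0-9A-F]*)
            echo "not a hex fingerprint: '$1'" >&2
            return 1 ;;
    esac
    if [ "${#fpr}" -ne 40 ]; then
        echo "expected 40 hex digits, got ${#fpr}" >&2
        return 1
    fi
    printf '%s\n' "$fpr" | cut -c 25-40
}

# check_exported_key FILE KEYID
#   Reads the fingerprint of the first key in an armored export using gpg's
#   machine-readable colon output (the "fpr" record, field 10) and compares
#   its long key ID with KEYID. Needs gpg with --show-keys (2.1.23 or later).
check_exported_key() {
    file_fpr=$(gpg --batch --with-colons --show-keys "$1" 2>/dev/null \
               | awk -F: '$1 == "fpr" { print $10; exit }')
    file_id=$(key_id_from_fingerprint "$file_fpr") || return 1
    [ "$file_id" = "$2" ]
}

# Constructed placeholder fingerprint for the demonstration (not a real key).
FPR_EXAMPLE='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'
echo "Secret Key ID to enter in thunderbird: $(key_id_from_fingerprint "$FPR_EXAMPLE")"

# With an email address as argument and gpg installed, export the public key
# (the command from the post) and confirm the file matches the real key ID.
if [ $# -ge 1 ] && command -v gpg >/dev/null 2>&1; then
    email=$1
    real_fpr=$(gpg --batch --with-colons --fingerprint "$email" 2>/dev/null \
               | awk -F: '$1 == "fpr" { print $10; exit }')
    real_id=$(key_id_from_fingerprint "$real_fpr") || exit 1
    gpg --export --armor --output pubkey.asc "$email"
    if check_exported_key pubkey.asc "$real_id"; then
        echo "pubkey.asc matches key ID $real_id; import it in thunderbird"
    else
        echo "pubkey.asc does not carry key ID $real_id" >&2
        exit 1
    fi
fi
```

Run it as sh keyid.sh email@example.com on the machine that holds the secret key. If the check fails, the value typed into thunderbird’s Secret Key ID field does not correspond to the key that was exported, which is exactly the mismatch behind the error message above.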
Testing
To test that everything is working correctly, one can use the friendly bot Edward, a service from the FSF (rightly) called Email Self Defense. I suggest you read their documentation for a longer and better explanation of how to configure and use their service, but in a nutshell:
- Send an unencrypted email to edward-en@fsf.org with your public key attached. To do so, in the window where you write your mail, click on the arrow of the Attach button (top right) and then click on My OpenPGP Public Key. Then add at least one word as subject and in the body and send the message.
- A few minutes later, you should receive an encrypted (with your public key) email back from Edward. You should be asked to enter your private key password to decrypt the email. The content of the email should show a message indicating that your public key was received.
- Then, to send an encrypted email to Edward, you need to import its public key. It is attached to the received email. Either import it directly in thunderbird, or import it with gnupg. Normally, I would import it with gnupg using gpg --import key.asc, but because it is a test and I won’t need this key globally in my system, for this specific use case I just imported it with thunderbird using the top right OpenPGP button to accept it (as non verified, which is enough).
- Write another email to Edward, but this time you can encrypt it. Either via the message at the bottom where thunderbird tells you that OpenPGP end-to-end encryption is possible (and clicking on the Encrypt button), or by using the OpenPGP button at the top and selecting the Encrypt option.
- A few minutes later, you should receive an encrypted email back with a message indicating that ‘I received your message and decrypted it. Your signature was verified.’ as well as a copy of what you sent.
And that’s it, you can now sign or encrypt emails :).
Conclusion
There were many steps to configure and test this, and I found it harder than with neomutt, but at least it is configured properly and working now, and thus I can secure my emails again. At an age where end-to-end encryption in real time messaging is at risk (in the EU at least), it’s good to know the good old tech is still there to protect us…
I’m not sure how long I’ll stick with thunderbird, but at least I know how to configure it now.