Do you want to be on the safe side and encrypt your emails in Thunderbird? We’ll show you how to do this with the “Enigmail” add-on.
If you want to prevent third parties from viewing your emails, you can secure them using PGP encryption. To do this, you need two things: first, a free program that contains the GnuPG crypto component, which generates your key and encrypts and decrypts emails; and second, an add-on that enables the use of PGP encryption in Thunderbird.
Why encrypt at all?
Would you send your digital messages as postcards? Probably not. Non-encrypted emails behave similarly to postcards – third parties or any system that processes your emails can read their content. Suppose you want to protect yourself against this, for example, when sending sensitive data or discussing a critical topic. In that case, the PGP encryption of emails is the first choice to wrap your postcard in an envelope. To open this envelope and read the message, your counterpart now needs a key.
Encryption converts the plain text of the email into an illegible, cryptic form. It can only be made legible again with the appropriate key. You can learn more about encryption in our separate post on whether encrypting emails is worth it. The whole thing works with PGP encryption, which we briefly explain below:
PGP stands for Pretty Good Privacy and uses a so-called public-key procedure, in which there is an associated pair of keys.
This key pair consists of a public and a private key. Your counterpart downloads the public key from a so-called key server and can use it to send you encrypted emails. Only you have the private key, so you should never lose it or send it to anyone. Messages to your email address are thus encrypted with your public key and can then only be decrypted with your private key. This is also called an asymmetric procedure because the sender and receiver use two different keys.
An article by c’t explains exactly how email encryption works with PGP.
Setting up OpenPGP in Thunderbird 78.2.0 and later
- Step 1: Click on the three-line menu at the top and select the new menu item “OpenPGP Key Manager” via “Extras”.
- 2nd step: Continue via “Generate” and “New Key Pair”.
- 3rd step: Select the identity you want to create the key for. Under “Key expiry” and “Advanced settings”, you can set the expiry time as well as the key type and length. Then continue with “Generate key”.
- 4th step: Thunderbird will now automatically generate your private and public key. Confirm the process with “Confirm”. That was about it. Upload your public key, e.g. to keys.openpgp.org, or send it directly to your contacts.
- 5th step: You can now activate OpenPGP by default when composing your emails. To do this, go to “Send with encryption only” under Options in the menu.
Encryption in older Thunderbird versions
To encrypt your emails in older Thunderbird versions, you must first install Gpg4win and then add the Enigmail add-on to Thunderbird. To do this, follow our instructions:
Installation of Gpg4win
Gpg4win is the first of the two components needed for encryption in Thunderbird. The software contains the required GnuPG (GPG) crypto components. These generate and manage keys and encrypt and decrypt emails and files.
Download Gpg4win for Windows. Then follow our step-by-step instructions:
- Step 1: Run the downloaded .EXE file as usual. We recommend installing the file with administrator rights. Click on “Next” until you reach the window shown above. You can deselect GpgOL, as this is an extension for Outlook. Click on “Next”.
- 2nd step: Select your target directory via “Search” and then click on “Install”. The encryption program will now be installed. This gives you the essential tool for setting up PGP encryption in Thunderbird, and you can continue with the next section.
Installation and setup of Enigmail
The second component is the “Enigmail” add-on. Enigmail acts as the middleman, so to speak, that integrates the GnuPG crypto component into Thunderbird. In this section, we will show you how to install and set up Enigmail. OpenPGP has been an integral part of the email client since Thunderbird 78.2.0, and no additional add-on is required. If you still have an older version, follow our step-by-step instructions or take a look at the brief instructions for installing Enigmail. Otherwise, follow the instructions for setting up OpenPGP in Thunderbird 78.2.0 and later.
- Step 1: Start Thunderbird, open the three-line menu in the upper right corner and select “Add-ons” > “Add-ons”.
- 2nd step: Click on “Extensions” on the left, search for “Enigmail” in the bar at the top and press [Enter].
- 3rd step: Click “+ Add to Thunderbird” to install Enigmail as an add-on. When asked, click on “Add” again. Then restart Thunderbird.
- 4th step: The setup wizard will now automatically search for GnuPG, which we already installed in the previous section. Then click on “Done”.
- 5th step: Now you need to create your key. To do this, open the Thunderbird menu using the [Alt] key and select “Enigmail” > “Manage keys”.
- 6th step: Now navigate via “Generate” to “New key pair”.
- 7th step: Select the desired account under “Account / User ID” and enter a passphrase. Note that the passphrase should be as secure as possible. Tips + tricks for creating secure passwords and phrases can be found here. You can optionally set an expiry date. Otherwise, select “Key will never be invalid” and then click on “Generate key”.
- 8th step: Click on “Generate Key” again.
- 9th step: Enigmail then creates a revocation certificate. Click on “Generate certificate” and, if asked, save the revocation certificate at your desired location and confirm the creation again with your passphrase.
- 10th step: Finally, to finish setting up your new key pair, navigate back via the Thunderbird menu to “Enigmail” > “Setup Wizard” and click “Set Up”. The key is now activated, and you can use it to encrypt and sign your emails. In the following instructions, we will also show you how to upload your key to a public server so that you can also receive encrypted emails from people who do not yet have your key.
Upload your key
In the following, we will briefly explain how you can upload your public key to a server. This ensures that the person you are talking to can search for your key and send you an encrypted message. Otherwise, you also have the option of simply sending your public key to the person you are speaking to as an attachment.
- Step 1: Go to “Enigmail” in the Thunderbird menu at the top right and then to “Manage Keys”.
- 2nd step: Right-click the account for which you have created a key. Now select “Upload public key to key server”. This allows other people to download your key to send you an encrypted email. Only you can then open the email with your private key.
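The same workflow at the GnuPG command line, as an added example that is not part of the original guide: it generates a key pair with an expiry date, checks for the revocation certificate, exports the public key, and shows that a keyring holding only the public key can encrypt but not decrypt. The address, passphrase, message and the helper names g and pgp_roundtrip are constructed for the illustration; it assumes GnuPG 2.1 or later in a Unix-like shell.

```sh
#!/bin/sh
# Added example: the guide's key workflow run through gpg directly, using two
# throwaway keyrings. Address, passphrase and message are constructed values.
set -eu

EMAIL="alice@example.org"
PASS="constructed-demo-passphrase"
MESSAGE="Meet at noon."

# Run gpg against one keyring. Demo only: a real passphrase is typed into the
# pinentry prompt, never passed on the command line.
g() {
  home="$1"; shift
  GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback \
    --passphrase "$PASS" "$@"
}

pgp_roundtrip() {
  owner="$(mktemp -d)"; sender="$(mktemp -d)"
  chmod 700 "$owner" "$sender"

  # Owner: create a key pair that expires after two years.
  g "$owner" --quick-generate-key "Alice <$EMAIL>" default default 2y 2>/dev/null
  # GnuPG 2.1+ stores a revocation certificate next to the new key.
  if ls "$owner"/openpgp-revocs.d/*.rev >/dev/null 2>&1; then
    echo "revocation_cert=yes"; else echo "revocation_cert=no"; fi

  # Owner: export only the public key, the part that is uploaded or mailed.
  g "$owner" --armor --export "$EMAIL" > "$owner/public.asc"

  # Sender: import that public key and encrypt a message to it.
  g "$sender" --import "$owner/public.asc" 2>/dev/null
  printf '%s' "$MESSAGE" | g "$sender" --armor --trust-model always \
    --recipient "$EMAIL" --encrypt > "$sender/msg.asc"

  # The sender's keyring has no private key, so decryption fails there.
  if g "$sender" --decrypt "$sender/msg.asc" >/dev/null 2>&1; then
    echo "sender_can_decrypt=yes"; else echo "sender_can_decrypt=no"; fi

  # Owner: the passphrase-protected private key recovers the plain text.
  echo "plaintext=$(g "$owner" --decrypt "$sender/msg.asc" 2>/dev/null)"

  for home in "$owner" "$sender"; do
    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
  done
}

pgp_roundtrip
```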
Quick start guide
- Start Thunderbird, open the three-line menu in the upper right corner and select “Add-ons” > “Add-ons”.
- Click on “Extensions” and search for “Enigmail”.
- Select “+ Add to Thunderbird” and restart Thunderbird.
- In the setup wizard, click “Done”.
- Open the Thunderbird menu by pressing [Alt] and select “Enigmail” > “Manage Keys”.
- Now navigate via “Generate” to “New key pair”.
- Select the desired account under “Account / User ID” and enter a passphrase. Make a note of this. Select “Key will never be invalid” and then click on “Generate key”.
- Click on “Generate Key” again.
- Go to “Generate Certificate” and save the revocation certificate when asked. Confirm again with your passphrase.
- Finally, navigate back via the Thunderbird menu to “Enigmail” > “Setup Wizard” and click “Set Up”.