How to Use Enigmail with Thunderbird

How to Use Enigmail with Thunderbird | Security in-a-Box
29/05/09 12:36 PM
Enigmail is a Thunderbird add-on that allows you to increase the privacy of your email communication
through the use of public key encryption. This method of encryption lets you send confidential emails to any
correspondent who has sent you their public key. Only the owner of the private key that corresponds to that
public key will be able to read the contents of your messages. Similarly, if you give a copy of your own
public key to your email contacts and keep the corresponding private key secret, only you will be able to
read encrypted messages from those contacts.
Enigmail also allows you to attach digital signatures to your messages. Digital signatures help to prevent
other people from sending emails that appear to have come from you. Public key encryption lets you use
your own private key to digitally sign messages to anyone who has a copy of your public key. Similarly, if
you have a correspondent's public key, you can verify the signatures that she has created using her private
key.
The following sections will explain how to:
Install Enigmail and GnuPG;
Create a key pair, which includes your public and private keys;
Exchange and validate public keys;
Send and receive encrypted email; and
Create and verify digital signatures.
4.1 How to Install Enigmail and GnuPG
In order to use Enigmail, you must install both the Thunderbird add-on itself and the GNU Privacy Guard
(GnuPG) encryption software.
4.1.1 How to Install Enigmail
To download and install the Enigmail add-on for Thunderbird, perform the following steps:
Step 1. Right-click this link to Enigmail and then choose the Save Link As... option to download the
Enigmail add-on to your computer Desktop.
Step 2. Open Thunderbird, then Select Tools > Add-ons as follows:
Figure 39: Activating the add-ons screen
This will activate the Add-ons screen as follows:
Figure 40: Thunderbird Add-ons screen
Step 3. Click:
to activate the Select an extension to install screen:
Figure 41: The Select an extension to install screen
Step 4. Select the 'enigmail-0.95.7-tb+sm.xpi' file on your Desktop and then click:
to activate the Software Installation screen as follows:
Figure 42: The Software Installation screen
Step 5. Click:
.
The add-on will be installed, after which you will be asked to restart Thunderbird in order for the changes
to take effect.
Figure 43. The Add-ons screen
Step 6. Click:
to restart Thunderbird and complete the Enigmail installation.
If the installation was successful, you will notice the OpenPGP menu item appear in Thunderbird after it
restarts, as follows:
Figure 44: The OpenPGP menu item
4.1.2 How to Install GnuPG
To install GnuPG, you should perform the following steps:
Step 1. Run the GNU Privacy Guard installer and follow the instructions.
Step 2. In the Choose Components screen, you may leave all items checked, as follows:
Figure 45: The Choose Components screen of the GNU Privacy Guard installer
Step 3. Continue following the instructions until the installation process is complete.
You have now successfully installed the GnuPG encryption software used by Enigmail.
4.1.3 How to Confirm that Enigmail and GnuPG are Working
Step 1. Select OpenPGP > Preferences to display the OpenPGP Preferences screen as follows:
Figure 46: The OpenPGP Preferences screen
You should notice the statement: GnuPG was found in... If the GnuPG program was not installed properly or
is located in a different directory from the one expected by Enigmail, the following error message will
appear:
Figure 47: OpenPGP Alert error message
Note: In this instance, you may need to check the Override with option and manually select the location of
the gpg.exe file on your computer.
Step 2. Click:
to return to the Thunderbird main console.
4.2 How to Configure Enigmail
Once you have confirmed that Enigmail and GnuPG are working properly, you can configure one or more of
your email accounts to use Enigmail and generate one or more key pairs.
4.2.1 How to Enable Enigmail for Your Email Account
To enable Enigmail for use with a specific email account, perform the following steps:
Step 1. Select Tools > Account Settings
Step 2. Select the OpenPGP Security menu item in the sidebar as follows:
Figure 48: The Account Settings - OpenPGP Security screen
Step 3. Check the Enable OpenPGP support option and select the Use email address of this identity to
identify OpenPGP key option as shown in Figure 48
Step 4. Click:
to return to the Thunderbird main console.
4.2.2 How to Create a Key Pair for Your Email Account
Step 1. Select OpenPGP > Key Management to open the Enigmail Key Management screen. If you are using
this tool for the first time, it will activate a wizard that can help you create your Enigmail key pair. If the
wizard does not automatically start, you can simply follow the instructions in section 4.2.3 How to Create
Additional Key Pairs below.
Step 2. Select the Yes, I would like the wizard to get me started option, and click Next as follows:
Figure 49: The OpenPGP Setup Wizard - Welcome screen
Step 3. Select the Yes, I want to sign all of my emails option and click Next on the Signing screen.
Step 4. Select the No, I will create per-recipient rules for those who send me their public key option and
click Next in the Encryption screen.
Step 5. Select Yes and click Next in the Preferences screen.
Step 6. Create a strong password, type it into the Passphrase boxes and click Next on the Create Key
screen. You can learn more about choosing a strong password from Chapter 3: How to Create and Maintain
Good Passwords in the How-to Booklet. You can learn how to store your password securely, as well as how
to generate a random password from the KeePass Guide.
Step 7. Click Next in the Summary section to confirm your settings.
Step 8. Wait until Enigmail has created your key pair as follows:
Figure 50: The OpenPGP Setup Wizard - Key Creation screen
Step 9. Click Yes to create the revocation certificate as follows:
Figure 51: The OpenPGP Revocation Certificate confirmation screen
Step 10. Choose a secure location for the certificate and provide a passphrase for your newly created key
pair as follows:
Figure 52: OpenPGP passphrase screen
Step 11. Click OK to finish creating the revocation certificate.
Note: You will only need to use your revocation certificate if you feel that someone has gained access to
your private key. If that happens, you simply send the certificate to anyone that has been given a copy of
your public key. Keep in mind that you might need to do this if your computer is lost, stolen or confiscated.
It's advisable to keep a copy of your revocation certificate in several places (for example, on a removable
media drive), as well as on the computer itself.
Step 12. Click Finish on the last Thank you screen of the wizard.
Now you should be able to view your newly created key displayed in the Key Management screen as follows:
Figure 53: Enigmail's OpenPGP Key Management screen
Important: It is very important that you make a secure backup of your key and revocation certificate. See
Chapter 5: How to Recover from Information Loss in the How-to Booklet for more details on how to make a
secure backup.
4.2.3 How to Create Additional Key Pairs
Follow the steps below if you want to create an additional key pair for one of your other email accounts. It
is good practice to have a separate key pair for each email account.
Step 1. Select OpenPGP > Key Management
Step 2. Select Generate > New Key Pair from the Key Management screen as follows:
Figure 54: Generating a new key pair using Enigmail
Step 3. Select the Account / User ID you want to use, create a strong password to protect your private key
and then type it into the Passphrase text fields in the Generate OpenPGP Key screen as follows:
Step 4. Click the Generate key button to activate the following screen:
Figure 55: The Generate OpenPGP Key screen
Step 5. Your key will be created, after which you will be prompted to generate a revocation certificate by
following the same procedure as before.
4.3 How to Exchange Public Keys
Before you can begin sending encrypted email messages to one another, you and your email contacts must
exchange public keys. You must also confirm the validity of any key you accept by confirming that it really
belongs to its purported sender.
4.3.1 How to Send a Public Key using Enigmail
To send a public key using Enigmail, perform the following steps:
Step 1. Open Thunderbird and click:
to compose a new message.
Step 2. Select OpenPGP > Attach My Public Key to attach your public key to the current email message as
follows:
Figure 56: Attaching your public key to a message
You will notice that a file called pgpkeys.asc appears in the Attachments: window
Step 3. Compose and then send your message.
You have now successfully sent your public key to your correspondent. To complete the exchange, she will
need to import it and reply with an email containing her own public key.
4.3.2 How to Receive a Public Key using Enigmail
You and your correspondent will perform the same steps when importing each other's public keys.
Step 1. Select and open the email containing your correspondent's public key.
Step 2. Click:
Enigmail will automatically scan the content of the received message for any encrypted data. When it
detects that the message contains a public key, it will notify you and ask if you wish to import the key as
follows:
Figure 57: Importing a public key from an email message
Step 3. Click:
to import the key.
If the public key importation is successful, you will be notified that the key has been added to your
collection as follows:
Figure 58: Public key successfully imported
To confirm that you have received your correspondent's public key, you can perform the following steps
at any time:
Step 1. Select OpenPGP > Key Management to display the OpenPGP Key Management screen as follows:
Figure 59: The OpenPGP Key Management screen
Step 2. Confirm that any recently-imported keys are present in this list.
4.3.3 How to Validate Imported Keys
Finally, you must verify that the imported key truly belongs to the person who purportedly sent it, then
confirm its 'validity.' This is an important step that both you and your email contacts should follow for each
public key that you receive.
Step 1. Contact your correspondent through some means of communication other than email. You can use a
telephone, text messages, Voice over Internet Protocol (VOIP) or any other method, but you must be
absolutely certain that you are really talking to the right person. As a result, telephone conversations and
face-to-face meetings work well if they are convenient and if they can be arranged safely.
Step 2. Both you and your correspondent should determine the 'fingerprints' of the public keys that you have
exchanged. A fingerprint is a unique series of numbers and letters that identifies each key. You can use
Enigmail's Key Management screen to view the fingerprint of key pairs you have created and public keys you
have imported. To do this, right-click on a particular key and select the Key Properties option as follows:
Figure 60: Viewing the public key properties, including its fingerprint.
Step 3. This will activate the Key Properties screen, which displays the public key fingerprint as follows:
Figure 61: Enigmail's Key Properties screen
Your correspondent should repeat these steps. Confirm with each other that the fingerprint of the key each
of you has received matches the sender's original. If they don't match, exchange your public keys again and
repeat the validation process. If they do match, use Enigmail to sign your correspondent's public key. This
will confirm that you have checked and consider the key 'valid'.
The fingerprint itself is not a secret and can be recorded for later verification at your convenience.
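The comparison described above, as an added Python example that is not part of the original guide or of Enigmail: it shows how a fingerprint is derived from the key material itself and how to compare a fingerprint read out by your correspondent with the one on your screen. It assumes the 40-hex-digit (version 4, SHA-1) fingerprints that GnuPG displays; the function names are hypothetical and the sample key is constructed.

```python
import hashlib
import re

def v4_fingerprint(public_key_packet_body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880, section 12.2): SHA-1 over the byte
    0x99, a two-byte big-endian length, and the public-key packet body."""
    header = b"\x99" + len(public_key_packet_body).to_bytes(2, "big")
    return hashlib.sha1(header + public_key_packet_body).hexdigest().upper()

def normalize(fingerprint: str) -> str:
    """Accept a fingerprint as typed or read aloud; return 40 uppercase hex digits."""
    cleaned = re.sub(r"[\s:]", "", fingerprint).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]+", cleaned):
        raise ValueError("fingerprint contains non-hexadecimal characters")
    if len(cleaned) in (8, 16):
        raise ValueError("this is a key ID, not a fingerprint; compare the full value")
    if len(cleaned) != 40:
        raise ValueError(f"expected 40 hex digits, got {len(cleaned)}")
    return cleaned

def groups(fingerprint: str) -> list:
    """Split into the ten 4-digit groups in which fingerprints are usually read out."""
    fp = normalize(fingerprint)
    return [fp[i:i + 4] for i in range(0, 40, 4)]

def mismatched_groups(mine: str, theirs: str) -> list:
    """1-based positions of the groups that differ; an empty list means a match."""
    pairs = zip(groups(mine), groups(theirs))
    return [n for n, (a, b) in enumerate(pairs, 1) if a != b]

def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multiprecision integer (bit count + bytes)."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")

def sample_key_body(modulus: int) -> bytes:
    """Constructed v4 RSA public-key body: version, creation time, algorithm, n, e.
    The numbers are made up for illustration and are not a usable key."""
    created = (1243600560).to_bytes(4, "big")  # constructed timestamp
    return bytes([4]) + created + bytes([1]) + _mpi(modulus) + _mpi(65537)

if __name__ == "__main__":
    imported = v4_fingerprint(sample_key_body((1 << 1023) + 12345))
    read_aloud = " ".join(groups(imported)).lower()  # what the key owner reads out
    print("match:", mismatched_groups(imported, read_aloud) == [])
    other = v4_fingerprint(sample_key_body((1 << 1023) + 12347))  # a different key
    print("differing groups:", mismatched_groups(imported, other))
```

Because the fingerprint is a hash of the key material, a substituted key produces a different fingerprint; the short key ID alone is rejected here because it covers only the last digits of that value.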
To sign a properly validated public key, you can perform the following steps:
Step 1. Click OK to return to the Key Management screen.
Step 2. Right-click your correspondent's public key and select Sign Key from the menu to activate the Sign
Key screen as follows:
Figure 62: The Sign Key screen
Step 3. Click OK and enter your encryption passphrase when prompted.
Step 4. Locate your correspondent's public key in the Key Management screen, to confirm that the Key
Validity column displays trusted as follows:
Figure 63: A validated public key marked as trusted
You have now successfully validated your correspondent's public key. He or she should follow the same steps
for your public key.
4.3.4 How to Manage Your Key Pairs
You can perform additional tasks by right-clicking your key pair in the Key Management screen as shown in
Figure 60 above. In addition to the Key Properties option, other important key-management tasks include:
Change Passphrase - allows you to change the passphrase protecting your key pair.
Manage User IDs - allows you to associate more than one email address with a single key pair.
Generate & Save Revocation Certificate - allows you to generate a new revocation certificate if you have
lost the one you created earlier.
4.4 How to Encrypt and Decrypt a Message
Once both you and your correspondent have successfully imported and validated one another's public keys,
you are ready to begin sending encrypted messages and decrypting received ones.
4.4.1 How to Encrypt a Message
To encrypt an email to your correspondent, perform the following steps:
Step 1. Open your Thunderbird e-mail account and click the Write button to write your message.
Step 2. Click:
to display the OpenPGP Encryption window as follows:
Figure 64: The OpenPGP Encryption Window
Step 3. Check the Sign Message and Encrypt Message options as shown in Figure 64: The OpenPGP
Encryption Window.
Step 4. Click:
You may receive a warning that Enigmail cannot encrypt or sign HTML messages. You can fix this by
configuring Thunderbird to create all new messages using only 'plain text' formatting. To do so, select Tools
> Account Settings from the Thunderbird menu and find the account for which you have enabled Enigmail.
Click on the Composition & Addressing option, deselect the Compose messages in HTML format checkbox
and click OK.
Step 5. Click:
If your message includes any attachments, Enigmail lets you select how those attachments should be
processed from the following settings screen:
Figure 65: The Enigmail attachment options screen
Step 6. Check: Encrypt each attachment separately and send the message using inline PGP as shown in
Figure 65.
Prior to sending your message, Enigmail will encrypt it. If you have chosen to sign the message as well, as
described above, Enigmail will ask you to enter your private key passphrase as follows:
Figure 66: The Enigmail private key passphrase screen
Step 7. Enter your passphrase and click OK.
Your message is now encrypted, signed and sent to the recipient. You may be prompted to enter your email
account password as well.
Important: Enigmail does not encrypt the message heading or subject title bar. Do not include sensitive
information in the subject line, as it will not be confidential.
4.4.2 How to Decrypt a Message
When you receive and open an encrypted message, Enigmail will automatically attempt to decrypt it. You
will be prompted to enter your passphrase as follows:
Figure 67: The GnuPG private key passphrase screen
After you have entered your private key passphrase, the message is decrypted and displayed as follows:
Figure 68: Viewing a decrypted message
You have now successfully decrypted this message. By repeating the steps described in section 4.4 How to
Encrypt and Decrypt a Message each time you and your correspondent exchange messages, you can
maintain a private, authenticated channel of communication, regardless of who might be attempting to
monitor your email exchanges.