How to Use Enigmail with Thunderbird

Enigmail is a Thunderbird add-on that allows you to increase the privacy of your email communication through the use of public key encryption. This method of encryption lets you send confidential emails to any correspondent who has sent you their public key. Only the owner of the private key that corresponds to that public key will be able to read the contents of your messages. Similarly, if you give a copy of your own public key to your email contacts and keep the corresponding private key secret, only you will be able to read encrypted messages from those contacts.

Enigmail also allows you to attach digital signatures to your messages. A digital signature lets your correspondents detect forged messages that appear to come from you: you sign a message with your private key, and anyone who holds a copy of your public key can verify that the message was signed with the matching private key and has not been altered since. Similarly, if you have a correspondent's public key, you can verify the signatures that she has created using her private key. Note that a signature proves who wrote a message and that it is intact; it does not hide the contents, so sign and encrypt when you need both.

The following sections will explain how to:

  1. Install Enigmail and GnuPG;
  2. Create a key pair, which includes your public and private keys;
  3. Exchange and validate public keys;
  4. Send and receive encrypted email; and
  5. Create and verify digital signatures.

4.1 How to Install Enigmail and GnuPG

In order to use Enigmail, you must install both the Thunderbird add-on itself and the GNU Privacy Guard (GnuPG) encryption software.

4.1.1 How to Install Enigmail

To download and install the Enigmail add-on for Thunderbird, perform the following steps:

Step 1. Right-click this link to Enigmail and then choose the Save Link As... option to download the Enigmail add-on to your computer Desktop.

Step 2. Open Thunderbird, then Select Tools > Add-ons as follows:

source:Thunderbird/screenshots-en/52.PNG

Figure 39: Activating the add-ons screen

This will activate the Add-ons screen as follows:

source:Thunderbird/screenshots-en/33.PNG

Figure 40: Thunderbird Add-ons screen

Step 3. Click: source:Thunderbird/screenshots-en/34.PNG to activate the Select an extension to install screen:

source:Thunderbird/screenshots-en/35.PNG

Figure 41: The Select an extension to install screen

Step 4. Select the 'enigmail-0.95.7-tb+sm.xpi' file on your Desktop and then click: source:Thunderbird/screenshots-en/19.PNG to activate the Software Installation screen as follows:

source:Thunderbird/screenshots-en/36.PNG

Figure 42: The Software Installation screen

Step 5. Click: source:Thunderbird/screenshots-en/37.PNG.

The add-on will be installed, after which you will be asked to restart Thunderbird in order for the changes to take effect.

source:Thunderbird/screenshots-en/38.PNG

Figure 43: The Add-ons screen

Step 6. Click: source:Thunderbird/screenshots-en/39.PNG to restart Thunderbird and complete the Enigmail installation.

If the installation was successful, you will notice the OpenPGP menu item appear in Thunderbird after it restarts, as follows:

source:Thunderbird/screenshots-en/53.PNG

Figure 44: The OpenPGP menu item

4.1.2 How to Install GnuPG

To install GnuPG, you should perform the following steps:

Step 1. Run the GNU Privacy Guard installer and follow the instructions.

Step 2. In the Choose Components screen, you may leave all items checked, as follows:

source:Thunderbird/screenshots-en/124.PNG

Figure 45: The Choose Components screen of the GNU Privacy Guard installer

Step 3. Continue following the instructions until the installation process is complete.

You have now successfully installed the GnuPG encryption software used by Enigmail.

4.1.3 How to Confirm that Enigmail and GnuPG are Working

Step 1. Select OpenPGP > Preferences to display the OpenPGP Preferences screen as follows:

source:Thunderbird/screenshots-en/54.PNG

Figure 46: The OpenPGP Preferences screen

You should notice the statement: GnuPG was found in... If GnuPG was not installed properly or is located in a different directory from the one expected by Enigmail, the following error message will appear:

source:Thunderbird/screenshots-en/55.PNG

Figure 47: OpenPGP Alert error message

Note: In this instance, you may need to check the Override with option and manually select the location of the gpg.exe file on your computer.

Step 2. Click: source:Thunderbird/screenshots-en/19.PNG to return to the Thunderbird main console.

4.2 How to Configure Enigmail

Once you have confirmed that Enigmail and GnuPG are working properly, you can configure one or more of your email accounts to use Enigmail and generate one or more key pairs.

4.2.1 How to Enable Enigmail for Your Email account

To enable Enigmail for use with a specific email account, perform the following steps:

Step 1. Select Tools > Account Settings

Step 2. Select the OpenPGP Security menu item in the sidebar as follows:

source:Thunderbird/screenshots-en/20.PNG

Figure 48: The Account Settings - OpenPGP Security screen

Step 3. Check the Enable OpenPGP support option and select the Use email address of this identity to identify OpenPGP key option as shown in Figure 48

Step 4. Click: source:Thunderbird/screenshots-en/19.PNG to return to the Thunderbird main console.

4.2.2 How to Create a Key Pair for Your Email account

Step 1. Select OpenPGP > Key Management to open the Enigmail Key Management screen. If you are using this tool for the first time, it will activate a wizard that can help you create your Enigmail key pair. If the wizard does not automatically start, you can simply follow the instructions in section 4.2.3 How to Create Additional Key Pairs below.

Step 2. Select the Yes, I would like the wizard to get me started option, and click Next as follows:

source:Thunderbird/screenshots-en/104.PNG

Figure 49: The OpenPGP Setup Wizard - Welcome screen

Step 3. Select the Yes, I want to sign all of my emails option and click Next on the Signing screen.

Step 4. Select the No, I will create per-recipient rules for those who send me their public key option and click Next in the Encryption screen.

Step 5. Select Yes and click Next in the Preferences screen.

Step 6. Create a strong password, type it into the Passphrase boxes and click Next on the Create Key screen. This passphrase encrypts your private key on disk; it is the only protection the key has if your computer is lost, stolen or copied, so do not reuse a password from elsewhere. You can learn more about choosing a strong password from Chapter 3: How to Create and Maintain Good Passwords in the How-to Booklet. You can learn how to store your password securely, as well as how to generate a random password from the KeePass Guide.

Step 7. Click Next in the Summary section to confirm your settings.

Step 8. Wait until Enigmail has created your key pair as follows:

source:Thunderbird/screenshots-en/110.PNG

Figure 50: The OpenPGP Setup Wizard - Key Creation screen

Step 9. Click Yes to create the revocation certificate as follows:

source:Thunderbird/screenshots-en/111.PNG

Figure 51: The OpenPGP Revocation Certificate confirmation screen

Step 10. Choose a secure location for the certificate and, when prompted, enter the passphrase of your newly created key pair as follows:

source:Thunderbird/screenshots-en/113.PNG

Figure 52: OpenPGP passphrase screen

Step 11. Click OK to finish creating the revocation certificate.

Note: You will only need your revocation certificate if you believe that someone has gained access to your private key, or if you have lost the private key or forgotten its passphrase. Keep in mind that this might happen if your computer is lost, stolen or confiscated. To revoke the key, import the certificate into Enigmail's Key Management screen, which marks your key as revoked, and then send the updated public key to everyone who has a copy; until they import it, your correspondents will keep encrypting to the compromised key. Because anyone who holds the certificate can revoke your key, it's advisable to keep copies in several places that only you can reach (for example, on a removable media drive stored safely), not only on the computer itself.

Step 12. Click Finish on the last Thank you screen of the wizard.

Now you should be able to view your newly created key displayed in the Key Management screen as follows:

source:Thunderbird/screenshots-en/56.PNG

Figure 53: Enigmail's OpenPGP Key Management screen

Important: It is very important that you make a secure backup of your key and revocation certificate. See Chapter 5: How to Recover from Information Loss in the How-to Booklet for more details on how to make a secure backup.

4.2.3 How to Create Additional Key Pairs

Follow the steps below if you want to create an additional key pair for one of your other email accounts. It is good practice to have a separate key pair for each email account.

Step 1. Select OpenPGP > Key Management

Step 2. Select Generate > New Key Pair from the Key Management screen as follows:

source:Thunderbird/screenshots-en/118.PNG

Figure 54: Generating a new key pair using Enigmail

Step 3. Select the Account / User ID you want to use, create a strong password to protect your private key and then type it into the Passphrase text fields in the Generate OpenPGP Key screen as follows:

source:Thunderbird/screenshots-en/119.PNG

Figure 55: The Generate OpenPGP Key screen

Step 4. Click the Generate key button.

Step 5. Your key will be created, after which you will be prompted to generate a revocation certificate by following the same procedure as before.

4.3 How to Exchange Public Keys

Before you can begin sending encrypted email messages to one another, you and your email contacts must exchange public keys. You must also confirm the validity of any key you accept by confirming that it really belongs to its purported sender.

4.3.1 How to Send a Public Key using Enigmail

To send a public key using Enigmail, perform the following steps:

Step 1. Open Thunderbird and click: source:Thunderbird/screenshots-en/57.PNG to compose a new message.

Step 2. Select OpenPGP > Attach My Public Key to attach your public key to the current email message as follows:

source:Thunderbird/screenshots-en/46.PNG

Figure 56: Attaching your public key to a message

You will notice that a file called pgpkeys.asc appears in the Attachments: window

Step 3. Compose and then send your message.

You have now successfully sent your public key to your correspondent. To complete the exchange, she will need to import it and reply with an email containing her own public key.

4.3.2 How to Receive a Public Key using Enigmail

You and your correspondent will perform the same steps when importing each other's public keys.

Step 1. Select and open the email containing your correspondent's public key.

Step 2. Click: source:Thunderbird/screenshots-en/49.PNG

Enigmail will automatically scan the content of the received message for OpenPGP data (public keys, signatures and encrypted blocks). When it detects that the message contains a public key, it will notify you and ask if you wish to import the key as follows:

source:Thunderbird/screenshots-en/58.PNG

Figure 57: Importing a public key from an email message

Step 3. Click: source:Thunderbird/screenshots-en/45.PNG to import the key.

If the public key importation is successful, you will be notified that the key has been added to your collection as follows:

source:Thunderbird/screenshots-en/59.PNG

Figure 58: Public key successfully imported

To confirm that you have received your correspondent's public key, you can perform the following steps at any time:

Step 1. Select OpenPGP > Key Management to display the OpenPGP Key Management screen as follows:

source:Thunderbird/screenshots-en/60.PNG

Figure 59: The OpenPGP Key Management screen

Step 2. Confirm that any recently-imported keys are present in this list.

4.3.3 How to Validate Imported Keys

Finally, you must verify that the imported key truly belongs to the person who purportedly sent it, then confirm its 'validity.' This is an important step that both you and your email contacts should follow for each public key that you receive.

Step 1. Contact your correspondent through some means of communication other than email. You can use a telephone, text messages, Voice over Internet Protocol (VOIP) or any other method, but you must be absolutely certain that you are really talking to the right person. As a result, telephone conversations and face-to-face meetings work well if they are convenient and if they can be arranged safely.

Step 2. Both you and your correspondent should determine the 'fingerprints' of the public keys that you have exchanged. A fingerprint is a 40-character string of hexadecimal digits computed as a cryptographic hash of the public key itself, so a different key cannot in practice produce the same fingerprint. Always compare the full fingerprint: the short key ID that Enigmail lists beside each key is only the last few digits of the fingerprint, and a deliberately crafted key can be made to match it. You can use Enigmail's Key Management screen to view the fingerprint of key pairs you have created and public keys you have imported. To do this, right-click on a particular key and select the Key Properties option as follows:

source:Thunderbird/screenshots-en/116.PNG

Figure 60: Viewing the public key properties, including its fingerprint.

Step 3. This will activate the Key Properties screen, which displays the public key fingerprint as follows:

source:Thunderbird/screenshots-en/117.PNG

Figure 61: Enigmail's Key Properties screen

Your correspondent should repeat these steps. Confirm with each other that the fingerprint of the key each of you has received matches the sender's original. If they don't match, exchange your public keys again and repeat the validation process. If they do match, use Enigmail to sign your correspondent's public key. This will confirm that you have checked and consider the key 'valid'.

The fingerprint itself is not a secret: it can be written down, printed on a business card or read out over the phone, and recorded for later verification at your convenience.
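The checks behind sections 4.3.2 and 4.3.3 (what the pgpkeys.asc attachment contains, and how the fingerprint identifies a key) can be reproduced outside Enigmail. The following Python script is an added example and not Enigmail's or GnuPG's code: it strips the ASCII armor, verifies the armor checksum, lists the user IDs in the key block and computes the version 4 fingerprint from the public key packet the way RFC 4880 specifies, which is the same 40 hex digits Enigmail's Key Properties screen shows. The key it inspects is constructed inside the script with toy numbers (not a real RSA key) and the identity Alice Example <alice@example.org> is assumed.

```python
"""Added example, not Enigmail or GnuPG code: inspect an armored OpenPGP public key block
(the pgpkeys.asc attachment) and compute the v4 fingerprint per RFC 4880. Demo key is toy."""
import base64
import hashlib
import struct

def crc24(data: bytes) -> int:
    """Armor CRC-24 (RFC 4880 6.1): detects transport damage, not a swapped key."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str) -> bytes:
    """Strip BEGIN/END lines and armor headers, base64-decode, verify the trailing =CRC."""
    lines = [line.strip() for line in armored.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                                  # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        raise ValueError("armor checksum line missing")
    expected = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    data = base64.b64decode("".join(body[:-1]))
    if crc24(data) != expected:
        raise ValueError("armor CRC mismatch: key block damaged in transit")
    return data

def packets(data: bytes):
    """Yield (tag, body) per packet. Old-format headers only (tags 0-15, the form GnuPG uses
    for the packets of an exported key); anything else is rejected rather than misparsed."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0xC0 != 0x80 or ctb & 3 == 3:      # not old-format, or indeterminate length
            raise ValueError("unsupported packet header")
        tag, size = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 3]
        length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
        pos += 1 + size
        yield tag, data[pos:pos + length]
        pos += length

def v4_fingerprint(pubkey_body: bytes) -> str:
    """SHA-1 over 0x99, the two-octet body length and the public key packet body."""
    if pubkey_body[0] != 4:
        raise ValueError("only version 4 keys are supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body).hexdigest().upper()

def inspect_key_block(armored: str) -> dict:
    """Fingerprint, 16-hex-digit key ID and user IDs of the first public key in the block."""
    fingerprint, user_ids = None, []
    for tag, body in packets(dearmor(armored)):
        if tag == 6 and fingerprint is None:        # public key packet
            fingerprint = v4_fingerprint(body)
        elif tag == 13:                             # user ID packet, "Name <email>"
            user_ids.append(body.decode("utf-8"))
    if fingerprint is None:
        raise ValueError("no public key packet in block")
    return {"fingerprint": fingerprint, "key_id": fingerprint[-16:], "user_ids": user_ids}

def fingerprints_match(shown: str, read_out: str) -> bool:
    """Compare full fingerprints as displayed (grouped, any case); a bare key ID never matches."""
    a, b = ("".join(s.split()).upper() for s in (shown, read_out))
    return len(a) == 40 and a == b

def armor_intact(armored: str) -> bool:
    try:
        return bool(dearmor(armored))
    except ValueError:                              # includes base64 decoding errors
        return False

def _mpi(v: int) -> bytes:                          # OpenPGP multiprecision integer
    return struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")

def _old_packet(tag: int, body: bytes) -> bytes:    # old-format header, two-octet length
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def make_demo_public_key(created: int = 1230768000) -> bytes:
    """Constructed v4 RSA key packet body (toy modulus, NOT a real key): version, time, alg, n, e."""
    return (bytes([4]) + struct.pack(">I", created) + bytes([1])
            + _mpi(0xC0FFEE1234567890ABCDEF1122334455) + _mpi(65537))

def armor(data: bytes, block_type: str = "PUBLIC KEY BLOCK") -> str:
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {block_type}-----", "Version: added example", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, f"-----END PGP {block_type}-----"]) + "\n"

# Demo pgpkeys.asc: the toy key plus an assumed user ID, armored like a real export.
DEMO_PGPKEYS_ASC = armor(_old_packet(6, make_demo_public_key())
                         + _old_packet(13, b"Alice Example <alice@example.org>"))

if __name__ == "__main__":
    print(inspect_key_block(DEMO_PGPKEYS_ASC))
```

Point `inspect_key_block` at the text of a real pgpkeys.asc to get the fingerprint you read out to your correspondent. `fingerprints_match` deliberately refuses anything shorter than the full 40 digits, and the CRC check in `dearmor` only catches damage in transit: a key substituted by an attacker arrives with a perfectly valid checksum, which is exactly why the out-of-band fingerprint comparison cannot be skipped.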

To sign a properly validated public key, you can perform the following steps:

Step 1. Click OK to return to the Key Management screen.

Step 2. Right-click your correspondent's public key and select Sign Key from the menu to activate the Sign Key screen as follows:

source:Thunderbird/screenshots-en/132.PNG

Figure 62: The Sign Key screen

Step 3. Click OK and enter the passphrase of your own private key when prompted (the signature you place on your correspondent's key is made with your private key).

Step 4. Locate your correspondent's public key in the Key Management screen, to confirm that the Key Validity column displays trusted as follows:

source:Thunderbird/screenshots-en/131.PNG

Figure 63: A validated public key marked as trusted

You have now successfully validated your correspondent's public key. He or she should follow the same steps for your public key.

4.3.4 How to Manage Your Key Pairs

You can perform additional tasks by right-clicking your key pair in the Key Management screen as shown in Figure 60 above. In addition to the Key Properties option, other important key-management tasks include:

  • Change Passphrase - allows you to change the passphrase protecting your key pair.
  • Manage User IDs - allows you to associate more than one email address with a single key pair.
  • Generate & Save Revocation Certificate - allows you to generate a new revocation certificate if you have lost the one you created earlier.

4.4 How to Encrypt and Decrypt a Message

Once both you and your correspondent have successfully imported and validated one another's public keys, you are ready to begin sending encrypted messages and decrypting received ones.

4.4.1 How to Encrypt a Message

To encrypt an email to your correspondent, perform the following steps:

Step 1. Open your Thunderbird e-mail account and click the Write button to write your message.

Step 2. Click: source:Thunderbird/screenshots-en/61.PNG to display the OpenPGP Encryption window as follows:

source:Thunderbird/screenshots-en/62.PNG

Figure 64: The OpenPGP Encryption Window

Step 3. Check the Sign Message and Encrypt Message options as shown in Figure 64: The OpenPGP Encryption Window.

Step 4. Click: source:Thunderbird/screenshots-en/19.PNG

You may receive a warning that Enigmail can not encrypt or sign HTML messages. You can fix this by configuring Thunderbird to create all new messages using only 'plain text' formatting. To do so, select Tools > Account Settings from the Thunderbird menu and find the account for which you have enabled Enigmail. Click on the Composition & Addressing option, deselect the Compose messages in HTML format checkbox and click OK.

Step 5. Click: source:Thunderbird/screenshots-en/65.PNG

If your message includes any attachments, Enigmail lets you select how those attachments should be processed from the following settings screen:

source:Thunderbird/screenshots-en/66.PNG

Figure 65: The Enigmail attachment options screen

Step 6. Check: Encrypt each attachment separately and send the message using inline PGP as shown in Figure 65. Note that with this option each attachment is encrypted on its own and its file name travels unencrypted. If the file names themselves are sensitive, choose the option that encrypts the message as a whole and sends it using PGP/MIME instead, which encrypts the body and all attachments, names included, as a single unit; check first that your correspondent's email program can read PGP/MIME messages.

Prior to sending your message, Enigmail will encrypt it. If you have chosen to sign the message as well, as described above, Enigmail will ask you to enter your private key passphrase as follows:

source:Thunderbird/screenshots-en/68.PNG

Figure 66: The Enigmail private key passphrase screen

Step 7: Enter your passphrase and click OK.

Your message is now encrypted, signed and sent to the recipient. You may be prompted to enter your email account password as well.

Important: Enigmail encrypts only the body of the message and, if you chose to, its attachments. The message headers, including the sender, the recipients, the date and the Subject line, are always sent in the clear. Do not include sensitive information in the subject line, as it will not be confidential.
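To see which details the two attachment modes leave readable to anyone who captures the message in transit, the following Python script is an added example and not Enigmail's code. It constructs two messages by hand in the inline-PGP and PGP/MIME (RFC 3156) layouts described above, with placeholder PGP blocks standing in for real ciphertext and the assumed addresses alice@example.org and bob@example.org, and then reports what can be learned from the headers and MIME structure alone, without any private key.

```python
"""Added example, not Enigmail code: what a network observer can read from an encrypted
message in Enigmail's two attachment modes. Both messages are constructed by hand and the
PGP MESSAGE blocks are placeholders, not real OpenPGP ciphertext."""
from email import message_from_string
from email.message import Message

CIPHERTEXT = (  # stands in for real ciphertext; this is all an observer should learn
    "-----BEGIN PGP MESSAGE-----\n\nhQEMA2NvbnN0cnVjdGVkIHBsYWNlaG9sZGVyIG9ubHk=\n"
    "=0000\n-----END PGP MESSAGE-----\n"
)

# Inline PGP, "Encrypt each attachment separately": the body is armored text and each
# attachment is its own MIME part, still carrying its original file name plus ".pgp".
INLINE_PGP = f"""\
From: alice@example.org
To: bob@example.org
Subject: Q3 board minutes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

{CIPHERTEXT}
--b1
Content-Type: application/octet-stream; name="board-minutes-q3.docx.pgp"
Content-Disposition: attachment; filename="board-minutes-q3.docx.pgp"

{CIPHERTEXT}
--b1--
"""

# PGP/MIME (RFC 3156): the whole inner MIME tree (text plus attachments, names included) is
# encrypted as one unit and wrapped in a two-part multipart/encrypted container.
PGP_MIME = f"""\
From: alice@example.org
To: bob@example.org
Subject: Q3 board minutes
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b2"

--b2
Content-Type: application/pgp-encrypted

Version: 1

--b2
Content-Type: application/octet-stream; name="encrypted.asc"
Content-Disposition: inline; filename="encrypted.asc"

{CIPHERTEXT}
--b2--
"""


def is_pgp_mime(msg: Message) -> bool:
    """RFC 3156 container: multipart/encrypted with the OpenPGP protocol parameter."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")


def visible_to_eavesdropper(raw: str) -> dict:
    """Everything recoverable without the private key: headers and the MIME skeleton."""
    msg = message_from_string(raw)
    parts = [{"content_type": p.get_content_type(),
              "filename": p.get_filename(),
              "armored": "-----BEGIN PGP MESSAGE-----" in p.get_payload()}
             for p in msg.walk() if not p.is_multipart()]
    return {"from": msg["From"], "to": msg["To"], "subject": msg["Subject"],
            "pgp_mime": is_pgp_mime(msg), "parts": parts}


def leaked_attachment_names(raw: str) -> list:
    """File names an observer learns. Inline PGP exposes every original name; PGP/MIME
    exposes only the generic container name, the real names sit inside the ciphertext."""
    return [p["filename"] for p in visible_to_eavesdropper(raw)["parts"] if p["filename"]]


if __name__ == "__main__":
    for label, raw in (("inline PGP", INLINE_PGP), ("PGP/MIME", PGP_MIME)):
        seen = visible_to_eavesdropper(raw)
        print(f"{label}: subject={seen['subject']!r} names={leaked_attachment_names(raw)}")
```

Both messages expose the sender, the recipient and the subject line. The inline-PGP message additionally exposes board-minutes-q3.docx.pgp, while the PGP/MIME message shows only the meaningless container name encrypted.asc.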

4.4.2 How to Decrypt a Message

When you receive and open an encrypted message, Enigmail will automatically attempt to decrypt it. You will be prompted to enter your passphrase as follows:

source:Thunderbird/screenshots-en/69.PNG

Figure 67: The GnuPG private key passphrase screen

After you have entered your private key passphrase, the message is decrypted and displayed as follows:

source:Thunderbird/screenshots-en/70.PNG

Figure 68: Viewing a decrypted message

You have now successfully decrypted this message. By repeating the steps described in section 4.4 How to Encrypt and Decrypt a Message each time you and your correspondent exchange messages, you can maintain a private, authenticated channel of communication. Keep in mind what this does and does not protect: anyone monitoring your email exchanges can still see who is writing to whom, when, how often and under what subject line, but cannot read the encrypted contents or forge a signed message without the corresponding private key.