This article covers how to configure Enigmail for Thunderbird, and is part of a series in communications security.
This post requires GnuPG to be setup beforehand.
Installing and Basic Configuration of Enigmail
Start by installing Enigmail on Thunderbird. If you are using 32 bit Linux you can either search in the add ons dialog for Enigmail, or you can install it from http://enigmail.mozdev.org/download/download-static.php.html. If you are using 64 bit Linux, then you have to download from the site, and making sure that you get the 64 bit version.
Once you have installed Enigmail, and restarted Thunderbird, go to the OpenPGP menu and select the Setup Wizard.
Select the “Yes, I would like the wizard to get me started” option and click the next button.
Now you need to select the email addresses you are planning to use encryption with, or if you plan to use it with all your emails, simply select the option “Yes” and click on Next.
Now you have to decide if every outgoing message should be signed. Doing this means that so long as you keep your keys safe and get your key signed, any email that you send can be verified as coming from you.
The next page lets you choose to encrypt outgoing mail by default. This is only useful if most of the people you email also use encryption, so if you are a first adopter amongst your contacts, then you should probably deal with encryption on a person by person basis.
Next you can allow Enigmail to configure Thunderbird to use options that make dealing with the encryption easier. It is probably best to agree to this, although it turns off HTML mail, which means that you won’t be able to see things like embedded pictures or other special HTML formatting (many such emails provide a link that allows you to view the same content in a browser).
The next screen lets you select an OpenPGP key to use, or to create a new pair. It should have automatically detected the keys you created in the previous guide on Generating Keys.
The final page of the wizard gives you one last chance to change your mind before using the options you just configured. After this page, you will be able to send encrypted email, as well as signing emails and decrypting emails sent to you.
Sending Signed Emails
Any message that you send can be signed once you have set up OpenPGP. To sign a message, open the message “Write” window, and then go to the OpenPGP menu and select the “Sign Message” option. Now you can write whatever you choose, and when you select the send button it will sign the message before it sends it. The option can be used with encryption.
Sending Encrypted Emails
An encrypted message can be sent to anyone who’s public key you have access to.
To set up a message you are working on to be encrypted, go to the OpenPGP menu in the “Write” window, and select the “Encrypt Message” option.
When you click the “Send” button, a dialog box will open for you to choose which public keys to encrypt the message with.
Creating OpenPGP Rules for Contacts
If you selected the option to encrypt and sign emails on a per recipient basis, but have some contacts that you always want to send signed and/or encrypted email to, you can create an OpenPGP rule to do so.
To do this, you must first have the public key for the contact you are setting up a rule for.
In order to create a rule, you can either left click on a contact from an email they’ve sent you, or right click on their entry in the address book and select “Create OpenPGP Rule for Address…”
From within the dialog box that opens, click the “Select Key(s)…” button, and select the appropriate public key.
Then, below the listing of the keys you have selected, there are a number of options regarding when you want to have emails encrypted and signed. Select the options you desire, and then click the OK button.
Importing Public Keys Through Enigmail
There are a number of ways to import keys into GnuPG, and Enigmail has its own method for doing so. In order to import public keys through Enigmail, go to the OpenPGP menu on the main Thunderbird window, and select the “Key Management” option.
Importing Key Files
If you have a copy of the public key on your computer, you can go to the File menu, and select the “Import Keys from File” option to select the key to import.
Importing Key From Clipboard
Select this option by clicking on the Edit menu, and selecting “Import Keys from Clipboard”.
This option can be used if you have access to an ASCII-armored PGP file. Copy the text from it onto clipboard, and then use this to import it from the clipboard.
Downloading Public Key From Keyservers
Use this method by opening the Keyserver menu and selecting “Search for keys”.
From the dialog box that opens, you can search for the email address or name of the person, as well as set the key server to search and download from.
Once the search results have returned, you select the correct key from the keys returned. If the key is not found, try a different server or attempt to get the key through an alternate method.
Note on Imported Keys
All keys imported through OpenPG are stored in the GnuPG keyring. This means that if you transfer the Thunderbird profile to a new computer, the keys are not included. You will either have to re-import all of your keys, or alls transfer the GnuPG directory.
Decrypting email that is encrypted with your public key is simple. When you select the message in Thunderbird, it will attempt to decrypted the message. If you haven’t entered your passphrase for a set period of time (default is 5 minutes) then you will have to re-enter it. Once Enigmail has your password, it decrypts the email showing you only the plaintext version.
Verifying Signed Email
Verifying that a signed email is valid is even simpler than decrypting an email. All that is required is having the public key of the individual who sent the email. With that, Enigmail will show a message bar that informs you of the status of the message. A verified email will produce a message that says “Good signature from” followed by the name of the sender and a number of other details.
An email can be both signed and encrypted.