Sign & Encrypt your Emails with Thunderbird/Enigmail
Thunderbird is a great and well-known open source email client brought to you by the same group that puts out Firefox. But like Firefox, there are extensions we can add to it to make an already secure application more secure. Welcome to the world of signing and encrypting your emails. This tutorial assumes you already have Thunderbird installed, be it your distro’s package or the Mozilla builds. We will also assume you have installed the Enigmail extension; luckily for me, openSUSE provides this with the default Thunderbird install from its repos. Others may have to download and install it from here. And for the last of our assumptions, we will assume you have GnuPG installed as well. Most Linux distributions today include GnuPG by default. To find out if this is the case, get to a command prompt and type gpg --version. If it tells you that you’ve got GnuPG 1.4.9 (or some later version), then you don’t need to do anything: it’s already there. To familiarize yourself with the basics of GPG, look at its man page, and also check out a previous entry Tuxtraining has written on the subject.
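As an added example (not part of the original tutorial), here is a small POSIX sh check that parses the first line of gpg --version and tests it against the 1.4.9 minimum mentioned above. The function name gpg_version_ok and the sample version lines are my own; only the 1.4.9 threshold comes from the text.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# gpg_version_ok LINE -> returns 0 if LINE (the first line of `gpg --version`,
# e.g. "gpg (GnuPG) 2.2.27") reports GnuPG 1.4.9 or later, 1 otherwise.
gpg_version_ok() {
    # The version is the last whitespace-separated field of the line.
    ver=${1##* }
    case $ver in
        *[!0-9.]*|'') return 1 ;;   # not a dotted number at all
    esac
    # Split major.minor.patch on "."; missing components count as 0.
    oldifs=$IFS
    IFS=.
    set -- $ver
    IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    # Compare as one integer so 1.10.0 sorts after 1.4.9.
    n=$(( maj * 1000000 + min * 1000 + pat ))
    [ "$n" -ge 1004009 ]
}

# Real-world use: feed in the first line from the installed gpg.
check_installed_gpg() {
    gpg_version_ok "$(gpg --version 2>/dev/null | head -n 1)"
}

# Constructed sample lines, as a demonstration when run directly.
for line in "gpg (GnuPG) 1.4.9" "gpg (GnuPG) 2.2.27" "gpg (GnuPG) 1.4.8"; do
    if gpg_version_ok "$line"; then
        echo "OK:       $line"
    else
        echo "too old:  $line"
    fi
done
```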
Public Key Cryptography
Enigmail uses public key cryptography to ensure privacy between you and your correspondents. In public key cryptography we use two different kinds of keys to give us confidentiality and assurance.
By “confidentiality” we mean that only the people you want to read a message will be able to read a message. By “assurance” we mean that people who read messages from you can be sure that it really came from you.
We’re not going to explain all the mathematics that’s involved. You don’t need to have a Ph.D. in computer science to use Enigmail. All you need to understand is that you will be creating a public key and a private key. The public key can be shared with the whole world: friends, neighbors, relatives, enemies, even intelligence agencies. But you need to guard the private key very, very carefully.
Using the Enigmail Key Wizard
By this time, you should have Thunderbird, Enigmail and GnuPG all installed. If you don’t, go back and do those sections now.
You will need a piece of paper and something to write with.
- Start Thunderbird. Due to the incredible number of different operating systems Thunderbird runs on, we’re not going to try to tell you how to do this. If you need help finding Thunderbird, the Thunderbird site has excellent documentation.
- Check your accounts. If you don’t have any email accounts set up yet, do that now. Again, see the Thunderbird site if you need help.
- Start the Enigmail Key Manager. Click on “OpenPGP” in the menu bar of the Thunderbird main window. Select “Key Management”.
- Start the New Key Wizard. When the Enigmail Key Manager opens, click on “Generate” in the menu bar and select “New key pair”. A new window will pop up. Take a deep breath: you are not expected to understand everything here. In fact, there are only a couple of things you need to worry about!
- Tell Enigmail which account to use. At the very top of the window you will see a combobox showing all of your email addresses. GnuPG will associate your new key with an email address. Enigmail is just asking you which address you want to use for this key. Select whichever account will be receiving encrypted mail. (If you decide later that you want to use the same key for multiple accounts, that can be done, too, but it’s beyond the scope of this Quick Start Document.)
- Choose a passphrase. Private keys are so important that GnuPG will not use them unless you know the secret phrase. You’re being asked here what the secret phrase should be for your new keypair. If at all possible, choose something that is easy to remember but very hard for someone to guess. Enter your passphrase in the “Passphrase” box. Then repeat it again in the “Passphrase (repeat)” box. By entering it twice, Enigmail is protecting you from accidentally mis-entering your passphrase. As a security feature, Enigmail will not display your passphrase as you type it.
If you forget your passphrase, there is absolutely nothing anyone can do to help you. This is a security feature of GnuPG. There is no way around the passphrase.
- Click “Generate Key”. That’s it! That’s all you have to do. Everything else is handled for you automatically.
- Generate a revocation certificate. Hard drive failures happen to us all. So do house fires and theft and other things that might separate us from our keys. When this happens, it’s a good idea to send out a revocation notice. You can think of this as a message from your key saying “please don’t use me any more”. Using the magic of assurance, people who see your revocation certificate can be confident that your key really is no more. Having a revocation certificate tucked away in a safe place is a very good idea. When you finish creating your new key, Enigmail will give you the chance to create a revocation certificate. If you want one, click “Yes”. You will be asked to enter your passphrase. Enter it, and you’ll be finished.
Next Steps
Your key ID
Now that you have your key, you should find your key ID. This is a sequence of eight letters and numbers which is used to unambiguously identify your key.
Go back to the Enigmail Key Manager and enter your email address in the search box. The key you just created should appear, and over at the right you’ll see your key ID. Write this down; you’ll need it.
Publishing your key
By far, the easiest way to share your key with the world is to publish it on the keyserver network, a global database of keys. Click on your key in the Key Manager. Then click “Keyserver” and select “Upload public keys”.
Enigmail will ask where it should send your key. Generally speaking, pool.sks-keyservers.net is your best bet. That’s the one Enigmail uses by default, so just click “OK”.
Your key is now published on the internet for anyone to find!
Spam
Some people will tell you never to use a keyserver at all, because spammers search them for email addresses. While this is true, this kind of misses the point.
There is nothing you can do to prevent spam from littering your inbox. Trying to stop it is like King Canute marching into the sea, commanding the rising tide to turn back. It didn’t work for King Canute and it won’t work for you.
There are excellent ways to stop spam. Blacklists, whitelists, Bayesian filtering, ISP-level solutions and more. Some of those options work better than others. All of them work better than the naive “if I don’t publish my key on the keyservers, then I won’t get spammed” strategy.
Your first signature
Now that you have your key created, let’s try writing a signed piece of email.
- Find a friendly face. Not all people have Enigmail installed. In fact, very few people use email cryptography at all. It’s probably a good idea to send your first test email to a mailing list that has a lot of GnuPG folk around, and that offers support to newcomers who are just starting out. Two of the best options are PGP-Basics and Enigmail Users. Both places are friendly and welcoming. If you make a mistake, no one will scream at you or call you names.
- Write a plain-text email. Enigmail does not work very well with HTML email. While it can be made to work, it’s pretty far beyond the scope of this guide. If you normally compose your email in plain text, then you’re just fine. If you normally use HTML, then hold down the shift key as you click on “Write” in the Thunderbird window. While your email can say anything you like, really, it is probably a good idea to give a little bit of an introduction. Tell us about yourself, and ask for people who are willing to help you test Enigmail’s encryption features.
- Tell Enigmail to sign it. At the top of your Compose window you will see a button reading “OpenPGP”. Click on this. Make sure that the “Sign” option, and only that, is checked.
- Hit “Send”. You will be asked for your passphrase. Once you enter it, Enigmail will sign your email and send it off to the list.
Your first encrypted email
Before encrypting email to someone, please make sure that you can sign messages. The old adage of learning to crawl before learning to walk applies here.
You will need someone to help you with this. Learning how to get people’s keys from a keyserver is an important skill to develop, and you won’t do yourself any favors by just encrypting messages to yourself. You already have your public key, so you’ll miss out on the entire process of finding keys.
Finding keys
Once you’ve found someone to help you, ask them for their key ID. This will be an eight-character sequence of letters and numbers. Write it down, and then open up the Enigmail Key Manager (“OpenPGP -> Key Management” from the main window).
From the Key Manager, click on “Keyserver -> Search for keys”. Enter the person’s key ID in the search box, prefixing it with “0x”, if necessary. For instance, if someone were to tell you their key ID was “DECAFBAD”, you’d enter it as “0xDECAFBAD”. But if someone were to tell you their key ID was “0xDEADBEEF”, you’d enter it exactly as-is, “0xDEADBEEF”.
Make sure your internet connection is active and click “OK”. Enigmail will begin searching through the keyserver looking for the key you want. If Enigmail finds it there, it will be added to your own local copy of keys.
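The “0x” rule above, as an added example that is not part of the original tutorial: a POSIX sh function that normalizes whatever a correspondent hands you into the form the search box expects, and a helper that fetches it from the same keyserver the tutorial names using gpg’s own --keyserver / --recv-keys options. It goes a little beyond the text by also accepting 16-digit long IDs and 40-digit fingerprints, which identify a key less ambiguously than an 8-character short ID; the function names and sample IDs are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# normalize_keyid ID -> prints the ID as "0x" + upper-case hex on stdout and
# returns 0; prints nothing and returns 1 if ID is not a plausible key ID.
normalize_keyid() {
    id=$1
    # Fingerprints are often quoted with spaces between groups; drop them.
    id=$(printf '%s' "$id" | tr -d ' ')
    # Strip an existing 0x/0X prefix so we never end up with "0x0x...".
    case $id in
        0x*|0X*) id=${id#??} ;;
    esac
    # A key ID is hex digits only.
    case $id in
        *[!0-9A-Fa-f]*|'') return 1 ;;
    esac
    # 8 = short key ID (what the tutorial describes), 16 = long key ID,
    # 40 = full fingerprint. Anything else is a typo or a truncated paste.
    case ${#id} in
        8|16|40) ;;
        *) return 1 ;;
    esac
    printf '0x%s\n' "$id" | tr 'a-f' 'A-F'
}

# fetch_key ID -> command-line equivalent of "Keyserver -> Search for keys":
# pull the key into the local keyring from the server the tutorial uses.
# (Network access required; not exercised by the demo below.)
fetch_key() {
    id=$(normalize_keyid "$1") || { echo "bad key ID: $1" >&2; return 1; }
    gpg --keyserver pool.sks-keyservers.net --recv-keys "$id"
}

# Demo with the tutorial's constructed sample IDs plus one bad one.
for sample in DECAFBAD 0xDEADBEEF 'decaf bad' 0xGHIJKLMN; do
    if out=$(normalize_keyid "$sample"); then
        echo "$sample -> $out"
    else
        echo "$sample -> rejected"
    fi
done
```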
Encrypting email
Once you’ve obtained a copy of your correspondent’s key, you’re set to send encrypted email. Write an email to them just as you normally would, but before sending, click on the OpenPGP button and select “Encrypt”. Once that’s done, click “Send”.
There are two options here. If the email address of your message matches an address on your keyring, there’s nothing more to do; your message will be encrypted and sent on to your correspondent. If there’s a problem with the matching, you will be asked to manually select a key from your keyring. If you see this menu, then simply select the proper keys and you’re done.