Image of the glider from the Game of Life by John Conway
Skip to content

Using GPG With Mozilla Thunderbird

It's a morning of security. What can I say? I just updated my GPG keypair, and after hitting "publish", I thought to myself "Why not write a quick tutorial on using GPG with Thunderbird?". So, here it is.

Before I get into it, however, I want to talk about my motivations for creating such a post. I firmly believe that enough people aren't aware of digital security, and the measure they can take to secure their personal data. This includes creating and using a PGP/OpenPGP/GPG keypair (herein referred to as GPG). The number one complaint that I hear about GPG is the time and effort it takes to use it. Well, hopefully, through this post, I can show you how easy it is to setup and maintain. I'll be using Ubuntu as the distribution for this howto.

First, we obviously need to generate a GPG keypair. I won't go into the steps of generating one, as suffice it to say, there are plenty of tutorials out there on setting up your GPG keys. It can be in a tutorial all by itself. Rather, I'm going to assume that you have already generated your keypair, and you would like to know how to better integrate it with your existing lifestyle. No problem.

Ok. So, we need Mozilla Thunderbird. Obtaining the latest copy is easy. You use the apt repositories to install it (recommended), or you can grab the latest copy at the Mozilla site. Alone, Thunderbird doesn't have the ability to handle GPG keyrings. As such, we'll need an extension for Thunderbird that does. Enigmail is the extension we want. Luckily, enigmail is in the Ubuntu repositories. So, using apt, pull up a terminal and type:

sudo aptitude install mozilla-thunderbird mozilla-thunderbird-enigmail

Once installed, pull up Thunderbird. At this point, the purpose of Thunderbird is to replace your already existing mail client. So, I probably should've mentioned that earlier. If you're not going to replace you current client with Thunderbird, then this tutorial won't be of much use to you. But, if you're looking to better integrate secure communication in your email, or you are curious on how to better streamline it, then keep reading.


Okay, now that we have Thunderbird pulled up, you'll notice the menu item "OpenPGP". Everything that you do with your GPG key will be done through this menu. So, the first thing to do, is to configure Thunderbird to know how and when to use your GPG key. So, let's go to "Preferences" in the "OpenPGP" menu. We first need to set the GnuPG executable path. This is /usr/bin/gpg. We can also set additional parameters, but we won't worry about that here. Suffice it to say, that any argument you pass on the command line with 'gpg' you can put here.


Notice the "PGP/MIME" tab in the preferences dialog. Here, you have the ability to select the hash that you would like to use when digitally signing your email text. If you have an RSA subkey, then you can take advantage of stronger hashing algorithms. I WOULD HIGHLY SUGGEST THAT YOU GENERATE AN RSA SUBKEY! Reason being, that if you only have a DSA subkey, as is the default with GnuPG, then you can only take advantage of 160-bit signing algorithms. This means that you are limited to SHA-1 and RIPEMD160. SHA-1 has now been officially broken, and several meaningful attacks have been successful. If you don't generate an RSA subkey, then PLEASE use the RIPEMD160 hashing algorithm. If you have an RSA subkey, then PLEASE use SHA-256 or stronger to sign your email. I use SHA-512 when signing mine. Follow this tutorial in generating an RSA subkey.


Ok. So, you have enigmail properly configured with Thunderbird. The only thing left to do, is to integrate your key in with your email address. This will automatically happen, if you try to send an emali. A dialog will pop up asking if you would like to configure Enigmail with your email address. At that point, or now, you can set it up. Go to 'Edit -> Account Settings...'. Crap! I should've mentioned at this point that you should have your email account settings setup at this point. Thunderbird works just fine with any POP or IMAP email account. Refer to your email providers documentation for setting up Thunderbird to work with your account.


Select the "OpenPGP Security" on the left. There is a little check box "Enable OpenPGP support (Enigmail) for this identity". Check it. From here, you can use the email address to identify your key, or you can select it manually. If your email address is not found in your key, then you will need to select it manually. I recommend manual over automatic anyway. Once selected, you have some message composition options. I would recommend signing non-encrypted and encrypted messages by default. Then you don't need to worry about it. Just write your email, and hit send. It will ask you for your passphrase, then automatically sign the email, and send it off. It's up to you if you want to encrypt messages by default. If this option is selected, then if you send an email to an email address that exists in your public keyring, then the message will automatically be encrypted using that person's public key.

So, that brings us to the end of the tutorial, but the beginning of a couple cool features of Enigmail that I have already mentioned. When sending email, you can have it automatically encrypt and decrypt based solely on the email address. This is a nice automation tool. Also, you can have Enigmail automatically digitally sign and verify your email. All you need to do is set these options up, and remember your passphrase.

Ultimately, I give Thunderbird and Enigmail 5 stars for the quality of the software, and the attention to detail. There is much more that you can do with these two pieces of software that is not covered in the scope of this tutorial. Feel free to poke around and see what it is capable of. But as you can see, using GPG with your email is easy, and takes little effort to get it working properly. GPG can be easy, if you do it right. Luckily, these two tools are the right tools.

{ 2 } Comments