Encrypting mail in Thunderbird
Encrypting Mail
Enigmail has three basic modes: sign, encrypt, and sign and encrypt simultaneously. When you sign an email, the add-on will use your private key to sign the text.
If the recipient uses Enigmail or a similar solution, they will be able to detect manipulation easily. At the same time, the signature lets you verify that an email really is from the person who claims to have sent it. However, this mode does not encrypt messages; they are sent in the clear.
In encrypt mode, Enigmail will not sign the message, but it will encrypt the message with the recipient's public key to make sure that only the intended recipient can read the message. Of course, encryption does not let the recipient verify the identity of the sender.
For the best of both worlds, you would want to let Enigmail encrypt the message with the recipient's public key while signing it with your own private key. This mode is a must for confidential messages.
To test your setup, try sending a message to yourself. In Thunderbird, compose a new message: Enter your own email address as the recipient, add a subject line, and add body text. To encrypt and sign the message at the same time, which hopefully is the configuration you have chosen, select OpenPGP | Encrypt message and send the message. At this time, you will be prompted to enter your passphrase.
In a few seconds, you should receive a message. If your passphrase is still in memory (five-minute limit), Enigmail will decrypt the message automatically; if not, it will prompt you for your passphrase. Thunderbird will tell you that the message was correctly signed and decrypted and that the signer's key has been correctly identified. An email that is not correctly encrypted is useless to the recipient.
Key Management
To encrypt a message for another recipient, the procedure is basically the same as in the previous example: Compose an email in the normal way and select the corresponding menu item to tell Enigmail to encrypt, or sign, or both. A correspondent might send you an encrypted message, too. But where does the key enter into this?
To sign the message, you do not need the recipient's key. In the worst case, the recipient might not use GnuPG-compatible encryption and will wonder what the signature in the message means, but this will not prevent them from reading the message. However, this does not apply to encryption.
To read an encrypted message, the recipient needs GnuPG or a compatible solution, and you must know the recipient's public key.
To exchange encrypted messages with a contact, both of you need each other's public keys.
Previously, I looked at two critical identifying characteristics of a key: its ID (this is 90690901 for the 2,048-bit version in the example) and its fingerprint (AF84 9339 … in the example). Among the various approaches, you can exchange keys personally (i.e., by email or USB stick).
To send a public key by email, create a message and click Attach my public key in the OpenPGP menu, which tells Thunderbird to add an attachment with your key to the mail. Then send the email with a text explaining the attachment to the recipient.
Key Servers
In addition to this, there are key servers that do nothing but keep public keys that anybody can retrieve. Publishing your own public key on a key server makes sense.
To do so, open the OpenPGP menu in the Thunderbird mail view and select Key Management…. This takes you to the Key Manager dialog, which shows you a list of keys (your key ring) – your own key and keys belonging to people with whom you exchange messages. Right click your own key and select Upload public keys to key server….
In the dialog that appears, press OK to confirm the default key server – most key servers replicate their data anyway – then OK again to tell Enigmail to upload the key to the key server.
Downloading third-party keys is just as easy. If you receive a signed message but do not have a local copy of the matching key, Enigmail will tell you that the key is missing. To retrieve the key from a key server, you can click the letter icon on the right of the window. Also, you can search for a key manually via OpenPGP | Key Management… | Key server | Find key… and store the key locally. Search for the user's name, the key ID, or the email address.
If you receive a key as an email attachment – that is, if somebody you correspond with sends you a key – right click the attachment and select Import OpenPGP key. After both of you have done this, you can exchange encrypted messages. But how do you make sure that the key really belongs to the person the sender claims to be? The fingerprint I previously referred to gives you this ability. In the Key Manager (menu OpenPGP | Key Management…) you can double click a key to display its properties.
The fingerprint lets you verify a key's identity. If you want to be certain that the key really is from the person who claims to have sent it, you should use some other method to contact them. Phone the key owner, for example, and compare fingerprints on the phone. If the fingerprints match, you can safely assume that you have the right key and the right person. Now there really is nothing to stop you from exchanging encrypted messages.
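The same fingerprint check can be run against GnuPG's machine-readable key listing instead of the Key Manager dialog. The shell functions below are an added example, not part of the original article: the listing, both fingerprints, and the function names are constructed for illustration. It goes slightly beyond the text by showing that the 8-digit key ID is only the tail of the fingerprint, so a matching ID alone does not verify a key.

```sh
#!/bin/sh
# Constructed sample of `gpg --with-colons --fingerprint` output (abbreviated).
SAMPLE_LISTING='pub:u:2048:1:C3D2E1F0DEADBEEF:1262304000:::u:::scESC:
fpr:::::::::0F1E2D3C4B5A69788796A5B4C3D2E1F0DEADBEEF:
uid:u::::1262304000::::Alice Example <alice@example.org>:
sub:u:2048:1:1122334455667788:1262304000::::::e:
fpr:::::::::99AABBCCDDEEFF00112233441122334455667788:'

# Strip the spaces/colons a GUI or a person adds, and uppercase the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Read a colon listing on stdin; print the primary key's fingerprint
# (field 10 of the first "fpr" record after "pub"), ignoring subkeys.
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             want && $1 == "fpr" { print $10; exit }'
}

# Succeed only when both values are the same full 40-hex-digit fingerprint.
fpr_matches() {
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    case "$a" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# The 8-digit key ID is only the last 8 hex digits of the fingerprint.
short_id() {
    s=$(normalize_fpr "$1"); prefix=${s%????????}
    printf '%s\n' "${s#$prefix}"
}

# Real use: gpg --with-colons --fingerprint alice@example.org | primary_fpr
local_fpr=$(printf '%s\n' "$SAMPLE_LISTING" | primary_fpr)
spoken='0f1e 2d3c 4b5a 6978 8796  a5b4 c3d2 e1f0 dead beef'   # read over the phone
other='A0B1C2D3E4F5061728394A5B6C7D8E9FDEADBEEF'              # same ID, other key

if fpr_matches "$local_fpr" "$spoken"; then echo "fingerprint verified"; fi
if ! fpr_matches "$local_fpr" "$other"; then
    echo "ID $(short_id "$other") matches, fingerprint does not: reject"
fi
```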