Encrypt and Sign Thunderbird Email with Enigmail Add-on

Sometimes email contains sensitive data which must be encrypted. You can handle this in two ways: manually encrypt the data, or use a Thunderbird add-on called Enigmail. This extension uses GnuPG and makes encryption and decryption as user-friendly as it gets. With keys installed in Enigmail (either manually or from a keyserver), encrypted email is automatically decrypted and signatures are checked for validity.

Here are the steps to configure Enigmail in Thunderbird:

Install GnuPG.

For Windows users, we recommend using Gpg4win.

Install Enigmail Add-on in Thunderbird

Open Tools -> Add-ons, search for Enigmail in the top right search bar, then click the Install button.

Note: If you are using an older version of Thunderbird, you will need to manually download the Enigmail add-on from the Enigmail page, and then use the install add-ons from file function to install it.

Restart Thunderbird. You should now see a new menu entry called OpenPGP.

Generate your key pair

  • Go to menu OpenPGP >> Key Management to open the Key Management window
  • Click on the Generate menu and select New Key Pair to open the key generation window
  • From within this new window you have a number of options to consider (which are all fairly self-explanatory). For most instances the defaults will work. The only change you might make is if you do not want the key to expire: in that case, click the Key Does Not Expire checkbox.
  • If you already have a key on your computer, you can import that key from the same key manager tool shown above. Just click on the File menu and select Import Key from File.
  • Once your key has been imported into (or generated by) Enigmail you are ready to use Enigmail to encrypt your messages.

Encrypt and Sign a Message

Start composing a new email and you will notice the OpenPGP menu entry has been added. Once you have completed composing your email click on the OpenPGP menu and select Encrypt Message and/or Sign Message to encrypt and/or sign your outgoing messages with your key.

This brings up an issue. If you do not configure Enigmail to not encrypt/sign by default, all of your outgoing messages are going to be encrypted and signed. This is a problem when the recipient doesn't have your key. We highly recommend configuring Enigmail to not encrypt/sign by default. To set this, click on the OpenPGP menu entry in the MESSAGE COMPOSITION WINDOW (not the main Thunderbird window). From there click on the Default Composition Options sub menu and then select Signing/Encryption Options. A new window will appear. Make sure you de-select all of the options in the Message Composition section. From now on you have to manually choose to sign and encrypt each message.

If you don't see the Default Composition Options sub menu, go to the main Thunderbird window, click on OpenPGP >> Preferences, click on Display Expert Settings, and then click the OK button. You will then be able to see the Default Composition Options menu in the Message Composition window.

Decrypting

As with sending mail, you have two options for receiving mail. You can have encrypted mail automatically decrypted or you can do it manually. Of course, for either option you have to have the sender's key imported into the system.

If you click on the OpenPGP menu (in the main Thunderbird window) you will see an entry for Automatically Decrypt/Verify Messages. If this is checked, all incoming encrypted/signed mail will be decrypted/verified. If it is not checked you will have to do this manually by selecting the encrypted/signed email and then clicking the Decrypt/Verify entry in the OpenPGP menu.
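
The GnuPG operations behind the steps above (generate a key pair, sign and encrypt, then decrypt and verify), as an added command-line example that is not part of the original page. It assumes GnuPG 2.1 or later is on the PATH; the function names, the throwaway keyring directory and the address alice@example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): the GnuPG calls behind
# Enigmail's "New Key Pair", "Sign/Encrypt" and "Decrypt/Verify" actions.
# Assumes GnuPG 2.1+ on PATH. The keyring is a throwaway directory and the
# address is constructed, so your real ~/.gnupg is never touched.

# Run gpg non-interactively against the throwaway keyring only.
tb_gpg() {
    gpg --homedir "$TB_HOME" --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"
}

enigmail_roundtrip() {
    TB_HOME=$(mktemp -d) || return 1
    chmod 700 "$TB_HOME"
    tb_uid='alice@example.test'          # constructed identity
    tb_rc=0

    # Key Management > Generate > New Key Pair (signing key plus
    # encryption subkey, expiring in one year). The empty passphrase
    # is for this disposable demo key only.
    tb_gpg --quick-generate-key "$tb_uid" default default 1y 2>/dev/null || tb_rc=1

    # Compose window: Sign Message + Encrypt Message.
    printf 'Q3 payroll figures attached.\n' > "$TB_HOME/plain.txt"
    tb_gpg --armor --sign --encrypt --local-user "$tb_uid" \
        --recipient "$tb_uid" --output "$TB_HOME/mail.asc" \
        "$TB_HOME/plain.txt" 2>/dev/null || tb_rc=1

    # Decrypt/Verify: plaintext goes to a file, machine-readable status
    # lines go to stdout so both outcomes can be checked separately.
    tb_status=$(tb_gpg --status-fd 1 --output "$TB_HOME/out.txt" \
        --decrypt "$TB_HOME/mail.asc" 2>/dev/null) || tb_rc=1
    printf '%s\n' "$tb_status" | grep -q '^\[GNUPG:\] DECRYPTION_OKAY' || tb_rc=1
    printf '%s\n' "$tb_status" | grep -q '^\[GNUPG:\] GOODSIG ' || tb_rc=1
    cmp -s "$TB_HOME/plain.txt" "$TB_HOME/out.txt" || tb_rc=1

    # Stop the agent started for this keyring and delete the demo keys.
    gpgconf --homedir "$TB_HOME" --kill gpg-agent 2>/dev/null || true
    rm -rf "$TB_HOME"

    [ "$tb_rc" -eq 0 ] && echo "decrypted and signature good"
    return "$tb_rc"
}
```

After sourcing the file, call `enigmail_roundtrip`; it prints one line on success and returns non-zero if key generation, encryption, decryption or signature verification fails.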