Configure PGP for Email

From Organic Design
Jump to: navigation, search
Procedure.svg Configure PGP for Email
Organic Design procedure

For email privacy we use PGP with the Enigmail add-on. On recent versions of Ubuntu this can all be installed easily with no fuss from the Software Center.

To initially configure PGP on Thunderbird, start with the Setup Wizard from the "OpenPGP" menu which appears after Enigmail has been successfully installed. We use the following options:

  • sign all outgoing mail (you can turn off signing before sending an email if you wish)
  • use per-recipient rules for whether to encrypt outgoing mail
  • Allow it to apply the optimal settings for you when it asks
  • Use your email account password for your private key's access pass-phrase
  • Allow it to create a revocation certificate so you can cancel your key-pair if you need to

At the end of the wizard it spends a few minutes generating a 2048 private/public key pair. To send a signed or encrypted message, the recipient must have your public key installed. You can save keys to file or send them over email to selected recipients from the "Key Management" option in the "OpenPGP" menu. You can also import a key from the clipboard.

Common actions for sending messages

Here's some screenshots of the main operations you'll use when sending a message...

Check/set the signing and encryption status when composing a message      Attach your public key when composing a message to a new recipient

Common actions for incoming messages

Here's some screenshots of the main operations you'll use when receiving an encrypted message...

ThunderbirdImportPGPKey.jpg      ThunderbirdPGPSignAndTrustKey.jpg
Import a public key attached to an incoming message by right-clicking on it      Click on "details" of an incoming encrypted message to sign or set trust for senders key

Per-recipient rules

Our best practice for privacy is to encrypt all email by default when sending to recipients that you have a public key for. To apply the defaults for a recipient, right-click on them from the address book and select "Create OpenPGP rule", then select the key to use and select "Always" for signing and encryption.

ThunderbirdPGPRecipientRule.jpg      ThunderbirdPGPRecipientRuleDialog.jpg

Setting up after an OS reinstall

The easiest way to reimport everything after reinstallation of the OS is to install Thunderbird and then Enigmail as usual (if there's no published plugin compatible with your version of Thunderbird, then go direct to, download the .xpi and drop it into the addons window in Thundirbird.

Next go through the initial setup wizard for Enigmail and generate a key if you need to (use the same passphrase as your old private key had), then import your keys from your safely backed up export. If you didn't have such an export it is possible to use the ~/.gnupg directory from your old OS if you have access to it. To do that, shutdown Thunderbird after going through the setup wizard, then replace the gnupg directory with your backed up one (ensure that you're the owner of the directory), then reboot the system so that all the GPG components are reset with the new directory.

After importing you may encounter an error when trying to send encrypted mails, this is likely due to the account using the newly created key instead of the one associated with your email address in the imported keys. Set the following setting in accounts.

Enigmail send key setting.jpg

Thunderbird on Windows

You will need to download GPG4Win and install it before setting up PGP:

See also