Enigmail adds OpenPGP message encryption and authentication to Thunderbird. These notes are my addenda to the Electronic Frontier Foundation (EFF)’s excellent tutorials on using Enigmail and Thunderbird on Linux, Mac, and Windows. Read them first.
I use Linux, so I obtained Enigmail from my distribution’s repository.
On first use, Thunderbird will prompt you for your private key’s passphrase. You will be given the option to have Thunderbird remember it forever.
Once set up per the EFF’s relevant tutorial, I like to enable the following nondefault setting: Thunderbird Menu – Preferences – Account Settings – $ACCOUNT_NAME – OpenPGP Security – Message Composition Default Options – Use PGP/MIME by default. This causes your digital signature to be sent as an attachment rather than in the body of each outgoing message, which my correspondents find less annoying.
In Key Management (Thunderbird Menu – Enigmail – Key Management), right click on your own key and choose Export Keys to File. You will be asked if you want to include the secret key. Do this twice, once including the secret key and once not including it. Again right click on your own key and choose Generate and Save Revocation Certificate. Once you’ve done these things you will have three files:
- *pub.asc is the public key. It can be freely and publicly shared.
- *pub-sec.asc contains both the public and the private keys, called your key pair. Share this with no one. If you want to set up another mail client, this is the file to import into it.
- *rev.asc is the revocation certificate. Share this with no one.
Save these files somewhere off your computer and secure, for example burnt to CD and stored with your other important documents.
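Before the three files go into storage it is worth confirming they are what their names say, in particular that the file you intend to share carries no secret material. The following POSIX shell script is an added check, not part of the original notes or of Enigmail; it assumes the three file names are passed as arguments and inspects only the ASCII-armor header and footer lines, without parsing the keys themselves.

```shell
#!/bin/sh
# Sanity-check the three files exported from Enigmail's Key Management before
# they go to offline storage: every file must be present with complete ASCII
# armor (one END line per BEGIN line), the shareable *pub.asc must carry no
# private key block, the *pub-sec.asc key pair must carry one, and *rev.asc
# must not be a key pair saved under the wrong name. Exit status 0 = all good.

# Count armored blocks of the given type ("PUBLIC KEY" or "PRIVATE KEY").
armor_block_count() {
    grep -c -- "^-----BEGIN PGP $2 BLOCK-----" "$1" 2>/dev/null || true
}

# True when the file is readable and every BEGIN line has a matching END line.
armor_complete() {
    [ -r "$1" ] || return 1
    begins=$(grep -c -- '^-----BEGIN PGP ' "$1" || true)
    ends=$(grep -c -- '^-----END PGP ' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Usage: check_key_backup PUB.asc PUB-SEC.asc REV.asc
check_key_backup() {
    status=0
    for f in "$1" "$2" "$3"; do
        if ! armor_complete "$f"; then
            echo "FAIL: $f is missing or its armor block is truncated"
            status=1
        fi
    done
    if [ "$(armor_block_count "$1" 'PRIVATE KEY')" -ne 0 ]; then
        echo "FAIL: $1 contains a private key block; never share or publish it"
        status=1
    fi
    if [ "$(armor_block_count "$2" 'PRIVATE KEY')" -eq 0 ]; then
        echo "FAIL: $2 has no private key block; export again with the secret key"
        status=1
    fi
    if [ "$(armor_block_count "$3" 'PRIVATE KEY')" -ne 0 ]; then
        echo "FAIL: $3 looks like a key pair, not a revocation certificate"
        status=1
    fi
    return "$status"
}

# Run directly with the three file names as arguments.
if [ "$#" -eq 3 ]; then
    check_key_backup "$1" "$2" "$3" && echo "OK: key backup files are consistent"
fi
```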
What if you already have a key pair and just want to import it? Enigmail’s setup wizard will prompt you for it, or you can import it manually in Thunderbird Menu – Enigmail – Key Management – File – Import Keys From File.
The EFF tutorial suggests that you consider making your public key available on your website. Fine idea, but the otherwise great people here at wordpress.com don’t allow .asc files. No, I don’t know why. As a kludgy workaround I changed the extension to .key and uploaded it here. Before you try to use it, change the file extension back to .asc.
Check your work by exchanging messages with someone else using encryption. Notice the different colors of the OpenPGP status bar; see the Verifying a signature section of the Enigmail Handbook for details.
TODO: Document elsewhere how to import my key pair into the other mail clients I use.
TIPS AND TRICKS
If you’re having problems, open Thunderbird Menu – Enigmail – Preferences – Basic, select “Display expert settings and menus”, then close and reopen Thunderbird. Open the debugging console at Thunderbird Menu – Enigmail – Debugging Options – View Console. The console output often provides clues to the problem.
On one installation on Linux, upon the first selection of an encrypted message, pinentry-curses would run and consume an entire CPU core. Killing the pinentry-curses process would make Thunderbird usable for unencrypted messages, but any subsequent selection of an encrypted message would repeat the problem. What’s interesting here is that Enigmail cannot use pinentry-curses; it uses any graphical version of pinentry. Per that discussion I added the line
pinentry-program /usr/bin/pinentry-gtk-2
to my ~/.gnupg/gpg-agent.conf. After a reboot (logout/login surely would have been preferable), all was well. Why this was needed on one of my computers but not on another apparently identical box I do not know.
These notes refer to Thunderbird 31.2 and Enigmail 1.7 on openSUSE 13.1 and were last updated 27 November 2014.