If you do not have a key pair generated, Enigmail can even do this for you. So with this extension you can encrypt/decrypt email without having to touch the command line. Pretty sweet. Let’s take a walk through this system.

I am going to assume you know how to install an extension in Thunderbird (I am also going to assume gpg is installed). Knowing that, install the Enigmail extension. Once this extension is installed (and you have restarted Thunderbird), you will notice a new menu entry called OpenPGP. This is where you take care of the setup of Enigmail.

Generate your key pair

Keymanager

The first step is to generate your key pair. This can be done either from command line or from Enigmail itself. From within Thunderbird click the OpenPGP menu and click the Key Management entry to open the key manager window (shown in the image to the left.)

Click on the Generate menu and select New Key Pair to open the key generation window (shown below to the right.)

Keygen Window

From within this new window you have a number of options to consider (which are all fairly self explanatory.)For most instances the defaults will work. The only change you might make is if you do not want the key to expire click the Key Does Not Expire checkbox.

As the window says, during the generation process you will want to go about the business of using your PC in order to help randomize the process of key generation. This even holds true when you are generating keys via the command line in Linux.

If you already have a key on your machine (generated from the command line or some other tool) you can import that key from the same key manager tool shown above. Just click on the File menu and select Import Key from File.

Once your key has been imported into (or generated by) Enigmail you are ready to use Enigmail to encrypt your messages.

Encrypt and Sign a Message

Start composing a new email and you will notice the OpenPGP menu entry has been added. Once you have completed composing your email click on the OpenPGP menu and select Encrypt Message and/or Sign Message to encrypt and/or sign your outgoing messages with your key.

Default Encryption Options

This brings up an issue. If you do not configure Enigmail to not encrypt/sign by default all of your outgoing messages are going to be encrypted and signed. This is a problem when the recipient doesn’t have your key. I highly recommend configuring Enigmail to not encrypt/sign by default. To set this click on the OpenPGP menu entry in the MESSAGE COMPOSITION WINDOW (not the main Thunderbird window). From there click on the Default Composition Options sub menu and then select Signing/Encryption Options. A new window will appear (shown to the left.) Make sure you de-select all of the options in the Message Composition section. Now you have to manually choose to sign and encrypt each message. It’s one extra step but your non-geek friends and family will thank you for it.

Decrypting

Like send mail, you have two options for receiving mail. You can have encrypted mail automatically encrypted or you can do it manually. Of course for either options you have to have the senders’ key imported into the system.

If you click on the OpenPGP menu (in the main Thunderbird menu) you will see an entry for Automatically Decrypt/Verify Messages. If this is checked all incoming encrypted/signed mail will be decrypted/verified. If it is not checked you will have to do this manually by selecting the encrypted/signed email and then clicking the Decrypt/Verifyentry in the OpenPGP menu.

Final Thoughts

And that’s it! Simple email encryption in Linux with Thunderbird and Enigmail. You can, of course, do this manually from the command line, but why make things difficult? If you have needs to encrypt/sign outgoing or incoming email, Enigmail is the perfect solution for every Linux and Thunderbird user. And for those BSD, Solaris, OS/2, Mac, or Windows users there is an Enigmail for you as well.

GnuPG, in technical terms, utilises a mixture of symmetric-key cryptography and public-key cryptography. This basically means a person generates a pair of keys; one of which is publicly shared and one is not. The publicly shared key is used to people can encrypt data for a specific person whilst the private key is used to decrypt, encrypt and sign data.

If you encrypt data to only be decrypted only by your private key and you carry your private key on another medium of storage, the data you encrypted will be effectively impossible to decipher.

To get started with GnuPG, you must download GnuPG which is free and open-source.

GnuPG is available for effectively all operating systems. After you have downloaded and installed GnuPG, it might be wise to download a graphical interface because it is command line based.

Some GUIs focus on the management of keys, such as the generation of them and storing other people’s public keys, whilst others focus on the encrypting/decrypting.

WinPT is a popular Windows option. As for encrypting and decrypting, there are many choices including Enigmail for Thunderbird, FireGPG for Firefox and WinPT also provides facilities to do this.

With a GUI, it is fairly easy to get to grips with GnuPG. Most key managers provide wizards for the generation of keys.

To obtain someone’s public key, so you can send data to them securely, you could either ask them or go onto a keyserver such as pgp.mit.edu, copy their key into Notepad and then import it into your key manager.

It is essential to send your keys to keyservers, I would suggest pgp.mit.edu, and this can be done either through the GUI or through exporting your public key and uploading it to these sites. Once you have someone’s public key, and you are sure it belongs to them and is not a hoax, you can sign the key inside your key manager and then submit it, so people know that key is authentic.

Key software to get started with GPG

1. GnuPG is absolutely necessary. There is a Windows binary available.
   
2. A GUI is also necessary. For Windows users, WinPT is a safe bet.
3. If you use Thunderbird, install Enigmail. If you use Firefox, install FireGPG.

If you have installed GPG and would like to try it out, feel free to send me an encrypted email. My email is computerjoe (at) gmail.com and my key is on this page.