How to encrypt your emails in Thunderbird

Emails are by default just like postcards. That's good on the one hand, as it ensures that sender and recipient can read the email messages without issues.
It also means, however, that anyone or anything in the delivery chain may read those emails.
Some email providers do this, for instance, to serve targeted advertisements to their users. Email encryption is not a new concept, but it never really made the jump to the mass market. Users who wanted to could encrypt email messages ten years ago and even earlier than that.
The majority of users, on the other hand, don't. One reason is that encryption is not super easy to use: first because the majority of email providers do not really support it out of the box, and second because it requires recipients to do something to read these emails and to reply with encrypted messages of their own.
The following guide is a basic tutorial that explains in simple terms how to set up email encryption in Thunderbird.
Here is what you need:
- A copy of the Thunderbird email client.
- The Thunderbird add-on Enigmail.
- A copy of Gpg4win if you are using Windows.
Setting up email encryption in Thunderbird
The first thing you need to do is download the programs listed above. Install Thunderbird, if you have not done so already, and Gpg4win. You need to have at least one account in Thunderbird to complete the configuration. If you have none, start by adding an email account or creating a new one.
The Gpg4win installer displays installation modules when you run it. I suggest you keep the defaults, but remove the Outlook plugin component as you may not require it.
Once you are done with that, fire up Thunderbird and go to Tools > Addons. Switch to Extensions if another menu is selected by default, and click on the cogwheel icon next to search.
Select install add-on from file, and pick the Enigmail add-on that you downloaded previously. Follow the installation dialog to complete the installation.
You should see Enigmail listed as a new extension afterwards. First, click on the options link that is displayed next to the extension, and make sure the GnuPG installation was found. Enigmail should pick up the installation courtesy of Gpg4win. Close the window again afterwards.
Select Enigmail > Setup Wizard afterwards. Keep the default choice "I prefer a standard configuration (recommended for beginners)" and click on next. If you already know your way around, select the advanced or manual configuration options instead.
These list additional options and use fewer screens to create key pairs. Additional options include setting a key expiration date, as well as the key size and type.
You may import existing settings as well if you have access to a previous installation already.
Enigmail displays all available accounts on the next page. If you have not used Gpg4win before, you should only see a test account listed there.
Since you have not created a key pair yet, select "I want to create a new key pair for signing and encrypting my email".
A key pair consists of a public and a private key. The public key needs to be sent or made available to others so that they may use it to encrypt emails. The private key is personal, and should not be shared or made available. It is used to decrypt any email that was encrypted using the linked public key.
Enigmail explains the key concept of key pairs on the next page. You are asked to pick a user account from the available Thunderbird accounts.
Select one of the accounts, and pick a -- very -- secure passphrase. The passphrase protects the private key and it is essential that it is secure as someone might be able to brute force or guess it otherwise.
Select next once you have added the passphrase and selected one of the available accounts.
Enigmail generates the key on the next page. The extension states that this may take a couple of minutes, and that "actively browsing or performing disk-intensive operations" will speed up the key generation process.
You cannot proceed right after the key generation, as you are required to create a revocation certificate as well. This is used in cases where you need to revoke the public key, for instance after you have lost it, cannot remember the passphrase of the private key, or if a system has been compromised.
Select "create revocation certificate" to start the process. You are asked to enter the passphrase at this point and cannot proceed without it.
Thunderbird opens a save file dialog afterwards. Save the revocation certificate to a secure location, for instance encrypted storage on a connected drive, or even better, a Flash drive or CD that you put elsewhere so that it is not physically near the device you are using.
Select the next button afterwards, and then finish to complete the process.
Verification
To verify that everything has been set up correctly, select Tools > Account Settings. Locate the account you created a key pair for, and open "OpenPGP Security" that is listed as an option underneath it.
The option "Enable OpenPGP support (Enigmail) for this identity" should be checked, and you should see that a specific OpenPGP key is selected as well.
Spreading your public key
Other users need to use the public key to send encrypted emails to you that you can decrypt using your private key. Similarly, these other users need to create a key pair of their own, and inform you about their public key so that you can send them encrypted emails using their public key as well.
You have a couple of options when it comes to sending others your public key.
The main options that you have are the following ones:
- Use the "Attach my Public Key" option when you are writing emails. Enigmail adds a button to the compose window that you can click on so that the public key is attached automatically to emails that you compose.
- Utilize a public key server. You may upload your public key to a public keyserver for easier distribution. These key repositories can be accessed by anyone. To do so, select Enigmail > Key Management. Select the key you want to upload to a keyserver, and select Keyserver > Upload Public Keys afterwards.
Importing public keys
You need to import public keys before you can use them. If you use Enigmail, this can be done in several ways:
- Double-clicking on the .asc key file to import the key.
- Searching for keys using Enigmail > Key Management > Keyserver > Search for keys.
Validate keys
Signing keys is a form of verification. Since you don't really know if a key has been tampered with, you may validate it through other forms of communication, for instance over a (secure) phone call or in person.
To validate a key, select Enigmail > Key Management. Double-click on the key name that you want to validate to open the key properties.
You find a "certify" button next to validity on the page that opens. Click on it, select "I have done very careful checking", and type the passphrase afterwards.
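Validation over the phone or in person normally means comparing the key's fingerprint with the one its owner reads out. The following Python code is an added example, not part of the original article or of Enigmail: it computes the OpenPGP version 4 fingerprint of an imported .asc file and compares it with a spoken value. The function names and the sample key block are constructed for illustration.

```python
import base64, hashlib

def crc24(data: bytes) -> int:
    """CRC-24 of ASCII armor (RFC 4880, 6.1); catches damage, not forgery."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Binary key from an .asc block; raises if the optional checksum is wrong."""
    lines = [l.strip() for l in text.strip().splitlines()]
    rows = lines[lines.index("") + 1:-1]          # drop BEGIN, headers, END
    data = base64.b64decode("".join(r for r in rows if not r.startswith("=")))
    sums = [base64.b64decode(r[1:]) for r in rows if r.startswith("=")]
    if sums and sums[0] != crc24(data).to_bytes(3, "big"):
        raise ValueError("armor checksum mismatch: file damaged in transit")
    return data

def key_packet_body(data: bytes) -> bytes:
    """Body of the first packet, which must be a public-key packet (tag 6)."""
    hdr, first = data[0], data[1]
    if hdr & 0xC0 == 0x80 and hdr & 3 != 3:       # old format, 1/2/4-byte length
        tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
        n, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    elif hdr & 0xC0 == 0xC0 and first < 224:      # new format, 1- or 2-byte length
        tag, two = hdr & 0x3F, first >= 192
        n, off = (((first - 192) << 8) + data[2] + 192, 3) if two else (first, 2)
    else:
        raise ValueError("unsupported packet header")
    if tag != 6:
        raise ValueError("first packet is not a public key")
    return data[off:off + n]

def fingerprint(asc: str) -> str:
    """v4 fingerprint: SHA-1 over 0x99, two-byte body length, packet body."""
    body = key_packet_body(dearmor(asc))
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def same_key(asc: str, spoken: str) -> bool:      # spoken: read out by the key owner
    return fingerprint(asc) == "".join(spoken.split()).upper()

# Constructed sample (v4 header plus tiny fake RSA numbers), not a usable key.
SAMPLE_ASC = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
              "mQAPBF4AAAABABDDUQARAQAB\n-----END PGP PUBLIC KEY BLOCK-----")
```

The armor checksum only detects transfer damage; a substituted key arrives with a valid checksum, so the fingerprint comparison is the check that matters before you certify a key.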
Encrypting and decrypting emails
Now that you are done setting up Enigmail, it is time to encrypt emails, and decrypt them. To encrypt a message, simply click on the encrypt button in the compose window to do so. You may sign the message as well, and attach the public key to it.
You need the recipient's public key to encrypt email messages. If you don't have it, you cannot use the encrypt option to protect the message from prying eyes.
If you add attachments to encrypted emails, you are asked how you want to handle them. You can send attachments unencrypted as part of the message, or encrypted in multiple ways (inline PGP, PGP/MIME separately or as a whole).
Thunderbird will ask for your passphrase to decrypt messages that are encrypted. These are then displayed just like any other email.
Closing Words
Setup is not difficult and it takes a couple of minutes to create your first key pair and configure the extension and Thunderbird accordingly.
The biggest issue is to get others to use PGP. If you are the tech savvy one in your family, at work or your circle of friends, you may need to assist others in setting this up.
Now You: Do you encrypt your email messages?


You said that Outlook isn’t your main email client, so which is your main one?
I think it's Thunderbird
It is Mozilla Thunderbird.
Awesome! This actually solved my problem… what a stupid bug.
If this is the same bug that I’ve encountered, there may be another fix: (1) hover over open Outlook item in Taskbar, cursor up to hover over Outlook window item, and right-click; (2) this should give you Restore / Move / Size / Minimize / Maximize — choose Move or Size; (3) use your cursor keys, going arbitrarily N/S/E/W, to try to move or size the Outlook window back into view. Basically, the app behaves as though it were open in a 0x0 window, or at a location that’s offscreen, and this will frequently work to resize and/or move the window. Don’t forget to close while resized/moved, so that Outlook remembers the size/position for next time.
THANK YOU Claude!!! I could get the main window to launch but could not get any other message window to show on the desktop. You are my hero!!!!
Solved my issue! 6 years later and this is still a problem…
Fantastic. Thank you. Size did the trick.
This solved my Outlook problem, too. Thank you. :)
Thank you so much, this started happening to me today and was causing big problems. You are a life saver, I hope I can help you in some way some day.
You are a god – thank you!
thanks a lot…. work like charm.. :-)
Yah…thanks Claude. I’ve been having the same problem and tried all the suggestions…your solution was the answer. It had resized itself to a 0/0 box. Cheers
Excellent post. This had me baffled even trying to accurately describe the problem. This fixed it for me.
Thank you
Thanks a lot for the article. Don’t know why it happened, don’t know how it got fixed, but it was really annoying and now it works :-)
Thanks a lot. I was facing this issue for the past 3 weeks. I tried everything but no resolution. The issue was happening intermittently and mainly when I was changing the display of the screen (as I use 2 monitors). The only option I had was to do a system restore. But thanks to you.
I’ve been trying to solve this problem for 12 hours. Your comment about changing the display of the screen helped me a lot!! Thanks!!
Thank you…don’t know why this happened but your instructions helped me fix it. Running Windows 10 and office pro 2007
Great tip! Thanks!
Worked for me, too – thank you!!!
It worked for me, too
thank you very much!
I had a similar issue with Outlook 2013 on Windows 10 and this helped me to fix it. Thank you very much!
Thank you so much. Solved!
Considering you published this in 2012, incredible not been debugged by Microsoft.
Thank you again. M
This problem was faced by only one user logging in to TS 2008 R2 using Outlook 2010. The issue was resolved.
Thanks.
Great tip. Thank you!!!! If it helps, I had to use the Control Key and the arrow keys at the same time to bring my window back into view. Worked like a charm.
Thank you, this worked !!!!
Man, you are a fucking god. Thanks a lot, what an annoying bug!!
Awesome, this post solved the issue. Many thanks!