Thunderbird 78.2.1 is out with OpenPGP enabled
The team that works on the Thunderbird email client has released Thunderbird 78.2.1 to the client's stable channel on August 29, 2020. Existing Thunderbird installations will be upgraded automatically to the new version provided that automatic updating functionality has not been turned off and that Thunderbird 78.x is installed.
As has been the case with previous Thunderbird 78 releases, installations that are still on Thunderbird 68.x won't be upgraded automatically. A manual update is required at this point in time to upgrade earlier versions of Thunderbird to the latest.
One of the reasons for blocking the update is that add-ons support changed significantly in Thunderbird 78. The email client supports MailExtensions only and that means that some extensions won't work anymore in the new version.
One of the big new features of Thunderbird 78 was support for PGP encryption baked directly into the client. Previously, Thunderbird users had to install extensions such as Enigmail to integrate PGP support. The release of Thunderbird 78 integrated OpenPGP support in the email client, but it was not enabled by default because of issues that still needed to be resolved.
The release of Thunderbird 78.2.1 enables OpenPGP support by default in Thunderbird. Thunderbird users may select Tools > OpenPGP Key Manager to get started. The window that opens displays available keys that have been generated previously or imported, and options to generate new keys that can then be used to encrypt email conversations.
A click on Generate > New Key Pair starts the process, which is as simple as it gets. All it takes is to select one of the available email accounts and activate "generate key" to start the generation. Options to change the three year expiration date and the key type / size are provided as well.
Key generation may take a few minutes according to the dialog that is presented to you after you activate the generate option. It took just two seconds on a test system, though; mileage will vary depending on the computer's hardware and capabilities.
From that moment on you can encrypt emails sent from that email address. Just open the compose window in Thunderbird and select Options > Require Encryption. You need the public key of each recipient for that, and Thunderbird informs you if a key has not been provided yet.
Closing Words
The integration is straightforward and as simple as possible. Most users should not have any issues setting up keys to encrypt important emails. It is still necessary to exchange keys somehow, as it is not possible otherwise to encrypt emails.
Now You: Do you encrypt emails?
Is it possible to let Thunderbird encrypt automatically in case a valid key was found?
When I go into Tool > Open PGP Key Manager > Generate – I cannot click on new key pair. I also have no other keys to import yet. Can anyone advise as to why I cannot simply create a new keypair?
You can use ProtonMail, which is a better solution….
Hi, I don’t understand why it did not ask me for a passphrase when I generated a new key…?
Unlike Enigmail, there is no key timeout function, no passphrase to protect your key. If anyone has access to your computer they can view emails and export your key without a password. This is terrible.
So true. And there is apparently no solution to that. This really is terrible.
Using older versions of Thunderbird with Enigmail, the system automatically encrypted sent messages if I had a key for the recipient(s). This seems logical to me (why would I have a key if I did not want to encrypt messages to this recipient?). If I did not have a key, it displayed a message telling me that the message would not be encrypted for that recipient (I had to click “ok” before the message was sent). Again, this seems logical to me.
Thunderbird 78 does things differently. I have to remember to select “force encryption” EVERY time I send a message. This is painful, as sometimes I am in a hurry and do not remember to tell it specifically to encrypt the message, and Thunderbird does nothing to inform me that encryption is possible for some set of recipients before the message is sent.
It seems it would be handy to have one of the following capabilities in Thunderbird:
1) Pop up a box telling me I have keys for the recipients, and did not force encryption (before the message is sent)
or
2) Automatically force encryption if I have a key, and (like Enigmail did) inform me that the message will not be encrypted for some recipients if I do not have a key for them.
When replying to a received encrypted message, Thunderbird 78 encrypts the reply. This seems logical, and like it is the correct thing to do.
After testing and inspecting Thunderbird v78… I’ve come to the realization that even though this new Thunderbird says “OpenPGP”, as in its dialog titled “OpenPGP Key Manager”, it’s not actually OpenPGP as expected!
In fact on my Linux machine there are now two things that call themselves OpenPGP.
This is badly confusing, and Thunderbird didn’t need to implement the new built in support for OpenPGP this way.
There is the original, and I’ll call it the ‘authentic’ OpenPGP from here: https://www.openpgp.org/ And then there is this clone of OpenPGP in Thunderbird v78.
Why does this matter? Three reasons:
First, the sets of keys that each of these implementations use are separate and distinct. Thunderbird has its own initial *COPY* of OpenPGP’s keys, and does not use OpenPGP’s actual set of keys.
If I add a new key or signature to OpenPGP, Thunderbird doesn’t know anything about it. Likewise if I sign a key in Thunderbird, my original Linux OpenPGP doesn’t know about this new signature. So this creates a new unnecessary key management headache on my system.
Second, I now have to ask, who’s protecting my private key, and how? This is a very serious question I think.
Third, and probably even worse, is that at its core ‘security’ is about ‘trust’ more than mechanisms.
It’s not OpenPGP’s code that is so trustworthy, it’s OpenPGP’s track record that creates this trust.
The reason we trust OpenPGP is because of a long history of reliability due to the carefulness of the coders in their work so many years ago. The evidence that OpenPGP is trustworthy comes more from the lack of reports of breaches, than anything else.
Why should we now extend that same level of trustworthiness to Thunderbird?
I don’t think we should, or not so fast.
I would hope for as good a long term track record, but at this point we don’t have that. If some or all of the OpenPGP code is now within the Thunderbird code-base, then it’s no longer authentic OpenPGP I don’t think. So TB should not use the term OpenPGP I don’t think. They can use ThunderbirdOpenPGP or something like that.
So this all makes me very sad. Because I’ve used and trusted Thunderbird for decades. Now I’m looking for a replacement, and it didn’t have to be this way.
Hi, thanks for the Thunderbird work. I love it. But I’m confused by the request for a ‘personal’ key:
In Thunderbird 78.3.1 (64 bit), when I right click an email account | select Settings | End-To-End Encryption | Add Key… | Import an existing OpenPGP Key | Continue
It asks me to, “Import an existing personal OpenPGP Key”.
What exactly is a ‘personal’ key in the context of OpenPGP?
Did you instead mean to ask to import my ‘private’ key? If so please change this wording on this dialog.
Ref1: https://duckduckgo.com/?q=OpenPGP+%22personel+key%22&t=ffab&ia=web
Ref2: https://duckduckgo.com/?t=ffsb&q=OpenPGP+%22private+key%22&ia=web
Import an existing personal OpenPGP Key gives me the following error when attempting to import a secret key that had been previously saved under Enigmail on Win 10:
“Error! Failed to import file.”
I’m also seeing this in Linux: “Error! Failed to import file.” There are some hints here, but I’m not seeing exactly how (or for that matter ‘if’) to import a private key. [BTW, they now call it a ‘Secret’ key, just to further confuse things.]
It uses its own keyring and can’t read from system so GPG does not work on my side.
It wants to import the primary private key which is stripped from the keyring and should not be imported at all.
It is not ready yet.
Use the Profile Manager like you do in Firefox to use multiple profiles. Plus make a backup for the just in case factor. That way you can use multiple profiles without issue. However I would setup the second profile before installing and set Thunderbird to allow you to select the profile on startup until you are happy.
Do you know how I can use the private keys made in TB 78 on another machine running TB78? I didn’t figure out howto export the private key to import on the second machine!?
Tools->OpenPGP Key Manager->Export Public Key and: Backup Private Key
On the receiving computer: Import Private Key + Import Public Key.
You can also access the PGP keys under Options->Account Settings->[Account name]->End-to-End Encryption->Key->more…
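The export / backup / import sequence from the reply above, and the article's point that keys still have to be exchanged before anything can be encrypted, as an added example that is not part of the original post and not Thunderbird's own code. It uses the GnuPG command line (assumed: `gpg` 2.1 or later with `gpgconf` on the PATH) in two throwaway keyrings that stand in for "machine A" (the key owner) and "machine B" (first a correspondent who only holds the public key, then the second machine that receives the private-key backup). The identity, passphrase and message are constructed values.

```shell
#!/bin/sh
# Added example (not Thunderbird code): the Thunderbird menu steps
#   Export Public Key / Backup Private Key / Import Public Key / Import Private Key
# reproduced with GnuPG in two isolated keyrings. Assumes gpg >= 2.1 and gpgconf.
set -eu

pgp_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }

    WORK=$(mktemp -d)
    HOME_A="$WORK/a"           # machine A: generates and owns the key
    HOME_B="$WORK/b"           # machine B: correspondent, later the second machine
    mkdir -m 700 "$HOME_A" "$HOME_B"
    PASS='constructed-passphrase-change-me'      # constructed; protects the secret key
    IDENT='Alice Example <alice@example.invalid>' # constructed identity

    # --batch plus loopback pinentry: no GUI prompt, passphrase supplied on the command line.
    gpg_a() { gpg --homedir "$HOME_A" --batch --quiet --pinentry-mode loopback --passphrase "$PASS" "$@"; }
    gpg_b() { gpg --homedir "$HOME_B" --batch --quiet --pinentry-mode loopback --passphrase "$PASS" "$@"; }

    # 1. Machine A: generate a passphrase-protected key pair (primary + encryption
    #    subkey, GnuPG's default algorithm) with the same three-year expiry the article mentions.
    gpg_a --quick-generate-key "$IDENT" default default 3y

    # 2. "Export Public Key": the part that is safe to hand to correspondents.
    gpg_a --armor --export "$IDENT" > "$WORK/alice-public.asc"

    # 3. "Backup Private Key": the exported secret key stays wrapped by the passphrase.
    gpg_a --armor --export-secret-keys "$IDENT" > "$WORK/alice-secret-backup.asc"

    # 4. Machine B as correspondent: "Import Public Key", then encrypt to Alice.
    #    --trust-model always skips the ownertrust check for this self-contained demo;
    #    in real use the fingerprint is verified out of band before the key is accepted.
    gpg_b --import "$WORK/alice-public.asc"
    printf 'hello from machine B\n' \
        | gpg_b --trust-model always --armor --recipient "$IDENT" --encrypt > "$WORK/msg.asc"

    # 5. Machine A can read it: proof that the public key shared in step 2 was enough.
    gpg_a --decrypt "$WORK/msg.asc" > "$WORK/plain-on-a.txt"

    # 6. Machine B as Alice's second machine: "Import Private Key" from the backup.
    #    The passphrase from step 1 is required here, so the backup file alone is not enough.
    gpg_b --import "$WORK/alice-secret-backup.asc"
    RESULT=$(gpg_b --decrypt "$WORK/msg.asc")

    # Stop the per-keyring agents and remove the throwaway keyrings.
    gpgconf --homedir "$HOME_A" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$HOME_B" --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"

    printf '%s\n' "$RESULT"
}

pgp_roundtrip
```

Running the script prints the plaintext recovered on the second machine. Two things carry over to the Thunderbird workflow: only the file from step 2 is ever sent to other people, and the file from step 3 is useless without the passphrase, which is the protection several commenters above note Thunderbird 78 does not yet apply to its own keyring.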
Yes, I encrypt e-mails. Is it possible to run both Thunderbird versions 68 & 78 on the same computer without messing everything? Just to see if my addons are compatible with the new version of Thunderbird, 78.
Thank you.
@Damien
Sure it’s possible. I make a profile copy before checking new versions. I have a stable version installed normally, and new one/beta/nightly always as a portable, extracted from zip release.
Portable, if you’re on Windows. Or just copy the profile folder and update; see what’s broken and if you don’t like it remove everything, place your original profile back and install whatever version you’re running now. This should work on any decent OS such as Windows or GNU/Linux.