You need to use a Master Password in Thunderbird if you use OpenPGP
Thunderbird email client users who use the program's built-in email encryption functionality need to set a master password in Thunderbird to properly protect their encryption keys.
Thunderbird introduced native support for OpenPGP email encryption in version 78. Previously, Thunderbird users relied on extensions such as Enigmail to encrypt and decrypt email in the client.
The native support made things a lot easier: users can start encrypting email right away without installing and configuring a third-party extension, even one as good as Enigmail.
Thunderbird 78.x supports importing existing keys as well as generating new ones. Users who protected their keys with a passphrase before may notice that Thunderbird never asks for it when encrypting or decrypting messages in the client.
Kai Engert provided a technical analysis of the inner workings on Mozilla's bug tracker three months ago. According to him, the secret keys are stored encrypted on disk: Thunderbird generates a single random password that protects all OpenPGP secret keys and stores that password encrypted on disk as well.
The problem is what protects the stored password. The key material needed to unlock it lives in the key4.db file in the Thunderbird profile directory, and unless a master password is set, key4.db itself is not protected by anything. In other words, anyone who can read the profile directory (another local user, malware running under your account, or whoever gets hold of an unencrypted backup or disk) can recover the automatic password, unlock the secret keys, and decrypt the encrypted emails.
A support page confirms this:
At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. The same automatic password will be used for all OpenPGP secret keys managed by Thunderbird. You should use the Thunderbird feature to set a Master Password. Without a master password, your OpenPGP keys in your profile directory are unprotected.
The only protection Thunderbird offers against this is the master password.
Only when a master password is set is the information in key4.db encrypted. Using the OpenPGP secret keys then requires entering the master password once to unlock key4.db; the information in it is then used to unlock the automatic password, and that in turn unlocks the keys.
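Whether a given profile is in the unprotected state can be verified directly against key4.db, which is an SQLite database: the master password check lives in its metaData table (SELECT item1, item2 FROM metaData WHERE id = 'password'). The Go program below is an added example written for this article, not Thunderbird or NSS code. What it assumes about the entry layout (a PKCS#5 PBES2 structure, SHA-1(globalSalt || masterPassword) as the PBKDF2 password, a 14-byte stored IV completed by its two DER header bytes, and the plaintext "password-check") is taken from the NSS key database format as I understand it and is not stated in the article; the NewPasswordEntry function exists only to construct realistic test data, since NSS normally writes that row. CheckMasterPassword(salt, item2, "") returning true is exactly the condition the article warns about.

```go
// Added example (not Thunderbird or NSS code): does the EMPTY master password open this key4.db "password" entry?
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/asn1"
	"fmt"
)

// DER layout of metaData.item2 (id='password'), assumed from the NSS key4.db format: a PKCS#5
// PBES2 AlgorithmIdentifier followed by the AES-256-CBC ciphertext of the string "password-check".
type prfAlg struct{ Algorithm asn1.ObjectIdentifier }
type pbkdf2Params struct{ Salt []byte; Iterations, KeyLength int; PRF prfAlg }
type kdfAlg struct{ Algorithm asn1.ObjectIdentifier; Params pbkdf2Params }
type encScheme struct{ Algorithm asn1.ObjectIdentifier; IV []byte } // NSS stores only 14 IV bytes
type pbes2Params struct{ KDF kdfAlg; Enc encScheme }
type pbes2Alg struct{ Algorithm asn1.ObjectIdentifier; Params pbes2Params }
type passwordCheck struct{ Alg pbes2Alg; Ciphertext []byte }

var (
	oidPBES2      = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 13}
	oidPBKDF2     = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 12}
	oidHMACSHA256 = asn1.ObjectIdentifier{1, 2, 840, 113549, 2, 9}
	oidAES256CBC  = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 1, 42}
)

// pbkdf2SHA256 is RFC 8018 PBKDF2-HMAC-SHA256 for one 32-byte block, all an AES-256 key needs.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset(); mac.Write(u); u = mac.Sum(nil)
		for j := range t { t[j] ^= u[j] }
	}
	return t
}

// deriveKeyIV mirrors NSS: the PBKDF2 password is SHA-1(globalSalt || masterPassword), and the
// 16-byte AES IV is the stored 14 bytes prefixed with their DER OCTET STRING header 04 0e.
func deriveKeyIV(globalSalt []byte, master string, p pbes2Params) (key, iv []byte) {
	h := sha1.Sum(append(append([]byte{}, globalSalt...), master...))
	return pbkdf2SHA256(h[:], p.KDF.Params.Salt, p.KDF.Params.Iterations), append([]byte{0x04, 0x0e}, p.Enc.IV...)
}

// NewPasswordEntry builds the (item1, item2) pair NSS would write for a master password. It only
// exists to construct test data here; a real profile's values come from key4.db's metaData table.
func NewPasswordEntry(master string) (globalSalt, item2 []byte) {
	buf := make([]byte, 20+32+14) // global salt | entry salt | 14-byte IV (sizes chosen here)
	if _, err := rand.Read(buf); err != nil { panic(err) }
	params := pbes2Params{
		KDF: kdfAlg{oidPBKDF2, pbkdf2Params{buf[20:52], 10000, 32, prfAlg{oidHMACSHA256}}},
		Enc: encScheme{oidAES256CBC, buf[52:]},
	}
	key, iv := deriveKeyIV(buf[:20], master, params)
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	ct := make([]byte, 16)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, []byte("password-check\x02\x02")) // PKCS#7 padded
	item2, err := asn1.Marshal(passwordCheck{pbes2Alg{oidPBES2, params}, ct})
	if err != nil { panic(err) }
	return buf[:20], item2
}

// CheckMasterPassword reports whether candidate unlocks the entry. Called with "", a true result
// means the profile is unprotected: anyone who can read key4.db can go on to unlock the OpenPGP keys.
func CheckMasterPassword(globalSalt, item2 []byte, candidate string) (bool, error) {
	var e passwordCheck
	if rest, err := asn1.Unmarshal(item2, &e); err != nil || len(rest) != 0 {
		return false, fmt.Errorf("item2 is not a PBES2 password-check entry: %v", err)
	}
	p := e.Alg.Params
	if !e.Alg.Algorithm.Equal(oidPBES2) || !p.Enc.Algorithm.Equal(oidAES256CBC) || len(p.Enc.IV) != 14 ||
		!p.KDF.Params.PRF.Algorithm.Equal(oidHMACSHA256) || p.KDF.Params.KeyLength != 32 ||
		len(e.Ciphertext) == 0 || len(e.Ciphertext)%16 != 0 {
		return false, fmt.Errorf("unsupported key4.db parameters (not PBKDF2-HMAC-SHA256 + AES-256-CBC)")
	}
	key, iv := deriveKeyIV(globalSalt, candidate, p)
	block, _ := aes.NewCipher(key) // KeyLength was checked above
	plain := make([]byte, len(e.Ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, e.Ciphertext)
	// Right password: "password-check" followed by valid PKCS#7 padding. Wrong password: random bytes.
	pad := int(plain[len(plain)-1])
	return pad >= 1 && pad <= 16 && string(plain[:len(plain)-pad]) == "password-check", nil
}

func main() {
	for _, master := range []string{"", "correct horse battery staple"} {
		salt, item2 := NewPasswordEntry(master)
		unprotected, _ := CheckMasterPassword(salt, item2, "")
		fmt.Printf("master password %q -> opens with the empty password: %v\n", master, unprotected)
	}
}
```

To run this against a real profile, read item1 and item2 from key4.db with any SQLite client and pass them to CheckMasterPassword with the empty string; a true result means the automatic OpenPGP password is reachable by anyone who can copy the profile, which is the first step an attacker would take. Entries that use an algorithm other than PBKDF2-HMAC-SHA256 with AES-256-CBC, as older NSS databases may, are reported as unsupported rather than misjudged.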
How to set up a master password in Thunderbird
You can set up a master password in Thunderbird in the following way:
- Select Tools > Options in Thunderbird (Edit > Preferences on Linux).
- Select Privacy & Security if it is not selected already.
- Scroll down to the Passwords section on the page that opens.
- Check "Use a master password".
- You may be asked to enter your operating system password or PIN to proceed.
- Type the password twice to set it.
Note that it is essential to remember this password: it unlocks your OpenPGP keys and everything else stored in Thunderbird's key database, and if you lose it there is no way to recover it. You may want to store the master password in a password manager such as KeePass.
Other options
There are other means of protection, for example full disk encryption, which prevents anyone who obtains the disk or a backup from reading the key4.db file offline. Note what it does not cover: while the system is running and unlocked, the decrypted files are readable by any process running under your account, so it complements rather than replaces the master password. An open source program like VeraCrypt can be used for this; it is easy to set up and can encrypt the system disk and/or other drives or partitions.
Closing Words
The development team may introduce support for protecting OpenPGP keys with a user-defined passphrase instead of the single automatically generated password. A bug requesting this has been filed, but it is unclear whether or when the change will land.
Thunderbird users who use the built-in OpenPGP functionality should enable the master password to protect the key material in their profile against unauthorized access. Mozilla should consider informing users of this during the initial OpenPGP setup or key import.
Now You: Do you use Thunderbird and OpenPGP?
I’ve written a blog post about how to avoid setting a master password and use the built-in GnuPG keyring instead. Check it out here, happy for all feedback!
https://blog.nicohood.de/use-thunderbird-78-with-system-gnupg-keyring
The TB master password is flawed. If you cancel the password prompt, it will still open the email window, letting anyone see all the emails for all accounts.
A proper login should of course NOT open anything unless you enter the correct password.
“Kai Engert provided a technical analysis of the inner workings on Mozilla’s Bug tracking site three months ago.”
I would appreciate a link to this analysis.
Security is very difficult to get right. PGP was carefully designed and is known to be secure. GnuPG maybe is, too. Enigmail was just a front end to GnuPG, all the encryption and the key management was still done by GnuPG, so you had all the security of GnuPG. I was very disturbed when my Linux installation auto-upgraded to Thunderbird 78 from 68 and OpenPGP wanted me to unlock my secret keys so it could “import” them: and then keep them stored insecurely. I was not aware of the “master password” option – but who knows if even this “master password” approach is secure? Thunderbird’s OpenPGP is also a complete rewrite of the encryption – and we all know how likely that is to be secure. PGP/GnuPG have decades of history of testing, validation, challenges and review by third parties. This is brand new. Personally, I downgraded to Thunderbird 68 and Enigmail manually, and am very disappointed and annoyed.
Interlink at https://binaryoutcast.com/projects/interlink/ is a Thunderbird XUL based work-alike. It supports Enigmail and Lightning plugins. You can even drop your current Thunderbird profile (Pre-78) into Interlink and be instantly converted over. It runs on Linux and Windows.
Now You: Do you use Thunderbird and OpenPGP?
I use Thunderbird to centrally manage a wide variety of email accounts and aliases, and also because of the Thunderbird-specific extension “Enigmail”.
Introduction to End-to-end encryption in Thunderbird
https://support.mozilla.org/en-US/kb/introduction-to-e2e-encryption
Thunderbird:OpenPGP
https://wiki.mozilla.org/Thunderbird:OpenPGP
Starting with Thunderbird 78.x, with its redesigned specifications, OpenPGP (Enigmail) has been implemented natively to improve convenience.
Other features that users have long wanted, such as a native implementation of the “Minimize on Close” extension, have been realized.
I feel that Thunderbird's program stability and security measures are progressing without delay, and that the Thunderbird project is proceeding smoothly.
[Maildev] Thunderbird 78 +++ Roadmap
https://lists.thunderbird.net/pipermail/maildev_lists.thunderbird.net/2019-November/002024.html
The Maildev Archives
https://lists.thunderbird.net/pipermail/maildev_lists.thunderbird.net/
Thunderbird:Home
https://wiki.mozilla.org/Thunderbird:Home#Releases
The Thunderbird Official Blog
https://blog.thunderbird.net/
About Us | Thunderbird
https://www.thunderbird.net/en-US/about/
Thunderbird/Core Team | MozillaWiki
https://wiki.mozilla.org/Thunderbird/Core_Team
Modules/Thunderbird | MozillaWiki
https://wiki.mozilla.org/Modules/Thunderbird#Thunderbird_Council
By the way, regarding “Enigmail”, end users' lack of recognition and understanding was a serious problem, and I often experienced cases where the communication partner could not operate the “decryption key” and could not open the encrypted mail (“Decryption is troublesome, so please keep your email in clear text!”).
In particular, if the other party was a smartphone user, communication could not be established, since Enigmail is not supported on mobile.
E-mail is convenient on a global scale, but given the actual situation of end users (sloppy privacy management), I feel that “post-mail” is a reliable means of communication.
Sentence correction:
Wrong: I feel that “post-mail” is a reliable means of communication.
Correct: I feel that “Postal” is a reliable means of communication.
Postscript:
I’m skeptical of the “password managers” in browsers (not just Firefox) and email clients (not just Thunderbird) and avoid using them.
In the case of Thunderbird, only email accounts are registered (since I manage many email accounts, I prioritize improved connectivity).
All account information (resident’s card, passport, credit, login information, etc.) including the master password is centrally managed by “KeePass Password Safe” that can be managed locally.
The KeePass Password Safe is guarded by “VeraCrypt”.
Hello,
I set up a master password; however, when starting TB it asks me for the password 3 or 4 times and I have to enter it 3 or 4 times…
Why?
Thank you.
@Olivier,
I have a “Master Password” set in Thunderbird, and use Thunderbird 78.5.1 every day (login / logout).
But I have never experienced a case like you.
Perhaps something is wrong.
Just in case, check out the official documentation below:
https://support.mozilla.org/en-US/kb/protect-your-thunderbird-passwords-master-password
Thanks for the article, did not upgrade yet as I prefer extensions for that, will upgrade in the future. I love how the most vocal posters never comment on encryption or PGP/GPG. Guess they are just normies that don’t encrypt their mails after all.