Jump to: navigation, search


Mozilla Thunderbird with TorBirdy

Introduction and Threats[edit]

You can either use webmail through Tor Browser or Mozilla Thunderbird with TorBirdy.

None of the solutions is perfect. This is not a Whonix related issue. It is a general issue with e-mail over Tor.

Registering the e-mail address anonymously, i.e. not entering personal data and always accessing it over Tor is a must. To avoid messing up, ideally consider using an e-mail provider that you did not previously use non-anonymously.

The e-mail provider is always a single point of failure. If the provider gets pressured, forced or decides not to like your opinion anymore or feels like terminating the service for everyone, the e-mail account can be easily terminated in seconds. This can significantly slow down correspondence. Therefore it is always good to have a few backup e-mail address and alternative communication channels.

You must be careful when receiving attachments. To avoid being infected with malware, open attachments in a virtual machine that has no internet connection.

It is often recommended to use mail encryption (enigmail). Yes, that's good. Use it. Remember, as stated on the Warning page, subjects are always unencrypted. That's not everything however.

Even if subjects are random, hidden, just a dash (-), empty or misleading and the content is encrypted, the e-mail provider can still log valuable data. When and with whom you are in contact, when you logged in, how long, how often you fetch mail. That's quite a lot metadata, which may lead into (false) assumptions by an adversary.

Many webmail services require JavaScript, display web bugs[1] and JavaScript allows them to learn how fast you type, how long you read a message, which spelling mistakes you make and correct as you type, to which address mails are sent, when you receive mails, from which addresses and when. Therefore webmail especially when it requires JavaScript is discouraged. A browser is no safe environment to write stuff. Read more on the Surfing, Posting, Blogging page. The best compromise of usability and security is using Mozilla Thunderbird with TorBirdy with POP3 and SMTP. IMAP is to be avoided, because it leaks more metadata. [2]


E-mail encryption is recommended. Mastering e-mail encryption is not hard, but involves a learning curve. It is outside the scope of this guide, see external documentation.


KGpg [3] and GnuPG are pre-installed.

Mozilla Thunderbird with Enigmail + TorBirdy[edit]


Mozilla Thunderbird together with the add-ons Enigmail and TorBirdy[4] [5] are installed by default in Whonix and can be used for easy GPG encryption and anonymous (or pseudonymous) e-mail messaging.

Start Thunderbird

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Workstation AppVM (commonly named anon-whonix) -> Thunderbird

If you are using a graphical Whonix-Workstation, complete the following steps.

Start menu -> Applications -> Internet -> Thunderbird

Enigmail Recommended Setting

Go to Thunderbird -> Enigmail (from menu bar) -> Preferences -> Sending. The following settings are strongly recommended but not mandatory.



To interact with keyservers, you have various options.

  • a) KGpg: To fetch contacts' GPG keys from the key server open KGpg and go to Key Server Dialog. Search for email addresses you want to communicate with and import the keys.
  • b) gpg command line: You can use it as usual.
  • c) Enigmail's keyserver interaction features.
    • Will not work out of the box. [6] [7]
    • You need to apply the following setting every time you restart Thunderbird when you wish to interact with keyservers. [8] [9] [10] This may not be required anymore in Whonix 14.

Thunderbird -> Enigmail (from menu bar) -> Preferences -> Display Expert Settings and Menus -> Advanced -> Additional Parameters -> remove the following part --keyserver-options http-proxy= -> OK

High-Security Precautions

There have been bugs in email clients and Enigmail that lead to auto-saving of drafts as plaintext. [11][12] If you are in a life critical situation you may want to encrypt your emails in such a way as to not risk leaks.

Also it is always recommended to import private keys using Kgpg instead of directly with Enigmail to avoid unexpected behavior with message encryption.

1. Open KGpg and select the recipient key (if more than one then hold CTRL while clicking).

2. Go to: File -> Open Editor and write your message.

3. Encrypt message to ciphertext by clicking on the Encrypt lock icon and choose your private key in the prompt that comes up and OK.

4. Copy the ciphertext into the email client and send it as you would normally (don't include subject lines - those are not encrypted).


[13] [14] [15]

Remailer - Sending e-mails without registration[edit]

See Remailer.

E-Mail Provider Comparison[edit]


It has been asked whether I2Pmail is safer than tormail, riseup, gmail and so on. The Threats chapter above states "e-mail is always a single point of failure". It doesn't really matter, apart from privacy by policy, no e-mail provider can significantly improve privacy by design. The most important thing about e-mail providers you should ask about e-mail providers is: Will they tolerate me signing up by Tor and exclusively using the e-mail service over Tor? Will they suspend my e-mail account because I speak against someone and they get forced to suspend my account? The latter question applies more, if you run a project, movement or something like that and less for accounts, which barely anyone knows.

Other than privacy by design, privacy by policy is always a weak protection. An exception might be services, which are not classical e-mail and therefore incompatible, but e-mail alike services such as Usenet (see below), I2P-Bote (see below), RetroShare or Ricochet IM (See Chat).

A few frequently discussed mail providers are described above with some facts. There is no recommendation for or against any mail providers.


  • Not affiliated with The Tor Project.
  • Rumors about being hosted by a secret service. It doesn't really matter, you shouldn't trust mail providers anyway. Assume, anything they can log, they will log forever.
  • They technically can not even store Tor exit IP addresses (perhaps mail clients without TorBirdy, put aside) because it is an onion service.
  • Does not work reliable for mailing lists. After a while the user gets unsubscribed because tormail bounces too many mails.
  • We haven't heard about any e-mail accounts which got suspended. (Well, we don't know about spam abuse, but that's another story.)
  • They are obviously Tor-friendly.
  • Things said in the Threats chapter still apply.

The Tor Mail service is now offline[16], as it was hosted on Freedom Hosting and was taken down by the FBI.[17]


  • Quoted from wikipedia I2P[18]: "I2P has a free pseudonymous e-mail service run by an individual called Postman. Susimail is a web-based e-mail client intended primarily for use with Postman's mail servers, and is designed with security and anonymity in mind. Susimail was created to address privacy concerns in using these servers directly using traditional email clients, such as leaking the user's hostname while communicating with the SMTP server. It is currently included in the default I2P distribution, and can be accessed through the I2P router console web interface. Mail.I2P can contact both I2P email users, via user@mail.I2P and public internet email users from a user@I2Pmail.org address."
  • Cleaning the mail header is nice, but TorBirdy can do the same.
  • It is technically impossible to encrypt mails to clearnet addresses [19], unless the sender and recipient are using end-to-end encryption such as OpenPGP.
  • Therefore it is no more/less secure than using riseup, tormail, etc.
  • Even though based on I2P, you can still use it in Whonix over Tor, see I2P for information how to tunnel I2P over Tor.
  • We haven't heard about any e-mail accounts which got suspended. (Well, we don't know about spam abuse, but that's another story.)
  • Things said in the Threats chapter still apply.


  • Works reliable on mailing lists.
  • Privacy by policy.
  • Tor friendly.
  • Servers hosted in the US.
  • We haven't heard about any e-mail accounts which got suspended. (Well, we don't know about spam abuse, but that's another story.)
  • Things said in the Threats chapter still apply.
  • Doesn't update warrant canary on a fixed, regular basis.
  • "Forgot" to update canary on multiple occasions.
  • riseup.net likely compromised


  • Mike Hearn from Google addressed this issue on tor-talk[20]:

Access to Google accounts via Tor (or any anonymizing proxy service) is not allowed unless you have established a track record of using those services beforehand. You have several ways to do that:

1) With Tor active, log in via the web and answer a security question, if any is presented. You may need to receive a code on your phone. If you don't have a phone number on the account the access may be denied.

2) Log in via the web without Tor, then activate Tor and log in again WITHOUT clearing cookies. The GAPS cookie on your browser is a large random number that acts as a second factor and will whitelist your access.

Once we see that your account has a track record of being successfully accessed via Tor the security checks are relaxed and you should be able to use TorBirdy.

  • Recommended against. Not Tor friendly. It would be very difficult to sign up using Tor and to exclusively use it over Tor. They most likely ask for phone verification and this is almost impossible to do without jeopardizing anonymity. [21]

Anonymity Friendly E-Mail Provider List[edit]

Another anonymity network provider (JonDos), maintains a list of their recommended e-mail providers. Whonix developer Patrick Schleizer does NOT check this list. Might still be useful. See list (w), look for "Recommended Mail Provider".

pretty Easy privacy[edit]

pretty Easy privacy (p≡p) is a pluggable data encryption and verification system, which provides automatic key management and a KeySync protocol (yet being tested, not activated already) to sync private key material across the devices you want to read the same messages on.[22] It is cross-platform, message protocol agnostic and p2p. It exists as plugin for mail clients (Thunderbird and Outlook) on all major desktop systems and also as a mobile app for Android and iOS. Its cryptographic functionality is handled by open source p≡p engine relying on already existing cryptographic implementations in software like GnuPG, a modified version of netpgp (used only in iOS) and (as of p≡p v2.0) GNUnet. A non-transferable copyright cross-licensing agreement has just been concluded to allow distributing of the GNUnet binary as part of pEp under non-GPL licenses on restrictive platforms like the Apple store.[23]

In its default configuration, pEp does not rely on a web of trust or any form of centralized trust infrastructure, but instead lets users verify each others' authenticity by comparing cryptographic fingerprints in the form of natural language strings, which the pEp developers have chosen to call "trustwords". If both sides are using pEp, it automatically uses the anonymous transport provided by GNUnet. With that technology, meta data is no longer readable for an attacker. pEp is fully peer to peer itself. And only you have the keys. However it can inter-operate with legacy mail to secure that whenever applicable (if the intended recipient has a GPG key).[24] The pEp project is guided by a foundation that supports libre software.[25] Enigmail announced its intention to integrate the pEp encryption scheme by October 2016.[26] pEp's code has been audited.[27]

For further information on the project's check their milestones pages.



BitMessage is a P2P asynchronous communications protocol used to send encrypted messages to another person or to many subscribers. The PyBitmessage client is in Python with a Qt GUI. It is decentralized and trustless, meaning that you need-not inherently trust any entities like root certificate authorities. It uses strong self-authenticating Bitcoin style addresses which means that the sender of a message cannot be spoofed. Messages for offline recipients are stored for up to 28 days before being deleted. It relies on Proof-of-Work to prevent spamming. Development of Android clients has stalled. Connecting with a mobile client needs a full node running on a user's PC.

BitMessage hides sender/recipient metadata by broadcasting everybody's messages to everybody, acting as a simple private information retrieval (PIR) system. For the best possible anonymity run it in Whonix.

Some features include subscription support and Chans (Decentralized Mailing Lists) [28] For other use-cases see the Arch wiki on BitMessage.

Bridging services between the BitMessage network and legacy/regular E-mail exist. The most popular is bitmessage.ch, also available as an onion service. See setup instructions to setup an account then register. Note that GPG needs to be used for confidentiality when communicating with e-mail users. Thunderbird with Enigmail could be configured to use this service (optionally over Tor) for seamless GPG support.

For comparison between it and other open source communications software see the FAQ.

No professional audit has been done for BitMessage to date. While we never condone criminal abuse of technology, its past use by miscreants running a ransomware operation (over Tor) without getting caught, shows that it is somewhat "battle-tested".[29] We hope that dissidents in rogue nations could profit from that experiment.


The following instructions are for compiling/starting BitMessage and upgrading.[30] Bitmessage developers sign their their source code TO-DO: Add instructions to verfy git tags.

sudo apt-get install git python openssl libssl-dev git python-msgpack python-qt4
git clone https://github.com/Bitmessage/PyBitmessage $HOME/PyBitmessage


To upgrade Bitmessage run the following commands:

cd $HOME/PyBitmessage
git pull

Send Attachments[edit]

While explicitly attaching files is not supported, technically any file can be sent within the message body.[31]

First convert your file with base64 and then copy and paste the contents of the text file.

base64 < binary.file > text.file

Don't forget to include instructions to the receiver how to decode it. In order to decode the file, the recipient can copy and paste the code into file and convert it with this command:

base64 -d < text.file > binary.file

It is not very practical to send large files with BitMessage. Alternatively you can encrypt a file or archive containing a collection with GPG and upload it to un-trusted cloud storage and send recipients the link. Encryption can be done using a contact's public key or with symmetric encryption requiring a password which you send in BitMessage. For GPG symmetric encryption follow this example:

gpg -vv -c --cipher-algo AES256 your-file.tar.gz

Note that you can use the extended output of pwgen (pre-installed in Whonix 14+) for secure passwords.

User Data Back-Up[edit]

To backup the BitMessage profile and all user-generated program data, copy the folder under this path to your shared folder: /home/user/.config/PyBitmessage. Private keys are stored in keys.dat[32] and other data such as inbox contents, contacts and black/white-list info is stored in the messages.dat[33] database file. Copy the folder to this location to restore BitMessage data for new installs.

To maintain separate BitMessage identities, the safest way is to run each with its own BitMessage instance in separate Whonix-Workstations.


Freemail[34] is an email system implemented upon the anonymous data distribution network Freenet. It is most similar to I2P-Bote, another anonymous and distributed email solution.

Like most Freenet plugins, it makes use of an anti-spam mechanism called the Web of Trust[35] to block abusers. Attachment sizes are virtually unlimited. Users would upload files on Freenet and link to them in Freemail messages.

See recommended tips for Freemail.


I2P-Bote is a serverless, encrypted email plugin that uses I2P for anonymity. Messages are stored in the distributed hash table (DHT) for 100 days, during which the recipient is able to download them.

To back up I2P-Bote data, copy the i2pbote folder inside the I2P config directory (~/.i2p/i2pbote on Unix systems or /var/lib/i2p/i2p-config when running as a daemon).

Compartmentalize activities and only use the I2P-Bote/Susimail VM snapshot for this purpose. Generally, applications that run with a browser interface are vulnerable to a whole class of bugs, including cross-site request forgery (CSRF).[36][37]


  • A webmail interface.
  • A user interface translated into 15 languages.
  • One-click creation of email accounts (called email identities).
  • Emails can be sent either under a sender identity or anonymously.
  • 2048-bit ElGamal, 256/521-bit Elliptic Curve and NTRU-1087 encryption.
  • Transparent, automatic encryption and signing without relying on third-party software such as PGP/GnuPG.
  • Sending and receiving via relays with delay periods set by the user, similar to Mixmaster.
  • Theme support.
  • POP3 / IMAP / SMTP.
  • Cc and Bcc support.
  • Delivery confirmation.
  • Attachments.
  • Basic support for short recipient names.
  • Android support (via I2P's Android client).

Planned Features:

  • An outproxy to interoperate with clearnet mail servers.
  • Custom folders.
  • Multi-device identity syncing.
  • Support for short email addresses like myname@bote.i2p
  • HashCash as an anti-spam solution should it become a problem.
  • Lots of other small improvements.

Anonymous Remailers[edit]

Anonymous Remailers are a generation of privacy networks that precede Tor. These are single purpose networks (only support sending e-mail) that use high-latency designs to defeat surveillance. The latest on-going project is the Mixmaster network. While sending one-way messages is relatively straight forward, receiving replies requires registration with a Nymserver and setting up a program to fetch messages from the decentralized Usenet boards.

Footnotes / References[edit]

  1. https://en.wikipedia.org/wiki/Web_beacon
  2. For example, how long you run your mail client. And saving drafts on the server as you type is not great either.
  3. KGpg Homepage, KGpg wiki with screenshot
  4. TorBirdy Homepage
  5. TorBirdy Source Code
  6. It has been made fail closed by TorBirdy developers, otherwise there could be a DNS leak in setups not using Whonix.
  7. proposal on how to make keyservers in Enigmail in Whonix work out of the box: do not use keyserver-options in Whonix
  8. upstream bug report: Can't set custom http-proxy on GnuPG-settings, lost after restart
  9. Since enigmail just calls gpg, and since everything is torified in Whonix anyway, and since gpg is stream isolated (by uwt wrapper) anyhow, there is no need for this setting in Whonix.
  10. Forum discussion: https://forums.whonix.org/t/gpg-keyservers-from-within-whonix-workstation
  11. https://tails.boum.org/security/claws_mail_leaks_plaintext_to_imap/index.en.html
  12. http://sourceforge.net/p/enigmail/bugs/502
  13. TorBirdy is an equivalent of TorButton.
  14. There are no proxy settings required for Stream Isolation, because there is native Whonix support since TorBirdy 0.1.0.
  15. TorBirdy sets Socks Host to and Port to 9102, if the WHONIX variable is set, which is the default in /etc/environment since Whonix 0.5.5.
  16. http://www.democraticunderground.com/10023403890
  17. http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/
  18. https://en.wikipedia.org/wiki/I2P
  19. Such as gmail, riseup etc.
  20. https://lists.torproject.org/pipermail/tor-talk/2012-October/025923.html
  21. Because they are also aware of online phone and messaging services and blacklisting the for verification upon knowledge.
  22. https://news.ycombinator.com/item?id=12827020
  23. https://lists.gnu.org/archive/html/gnunet-developers/2016-12/msg00046.html
  24. https://pep-project.org/2014-09/s1410740156
  25. http://pep-project.org/
  26. https://en.wikipedia.org/wiki/Pretty_Easy_privacy
  27. https://pep.foundation/blog/press-release--pep-releases-first-code-audit-of-the-pep-engine/index.html
  28. https://bitmessage.org/wiki/Decentralized_Mailing_List
  29. https://www.bleepingcomputer.com/news/security/chimera-ransomware-uses-a-peer-to-peer-decryption-service/
  30. https://bitmessage.org/wiki/Compiling_instructions
  31. https://tedjonesweb.blogspot.fr/2013/06/how-to-send-files-like-e-mail.html
  32. https://bitmessage.org/wiki/Keys.dat
  33. https://bitmessage.org/wiki/Messages.dat
  34. https://github.com/freenet/plugin-Freemail/blob/master/docs/spec/spec.tex
  35. https://wiki.freenetproject.org/Web_of_Trust
  36. https://chaoswebs.net/blog/2016/12/01/Exploiting-I2P-Bote/
  37. https://chaoswebs.net/blog/2016/10/15/Stealing-Your-I2P-Email/


Liberte Linux Philosophy page Copyright (C) 2013 Maxim Kammerer <mk at dee dot su>
Whonix Anonymity wiki page Copyright (C) 2013 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>

This program with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.

Random News:

Did you know that Whonix could provide protection against backdoors? See Verifiable Builds. Help is wanted and welcomed.

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)