Mozilla Thunderbird with TorBirdy


Users can either rely on webmail through Tor Browser or Encrypted Email with Mozilla Thunderbird, Enigmail and TorBirdy.

These and other solutions are imperfect, but this is not a Whonix-specific issue -- it is a general issue with email over the Tor network.

Safe Email Principles[edit]


Email attachments are often used as an exploit vector for infecting the recipient's machine(s), deanonymizing users, or tracking when attachments are viewed, forwarded and so on. To avoid being infected with malware, it is safest to open attachments in a separate VM that does not have an Internet connection. In Qubes-Whonix, DisposableVMs are ideal for opening potentially dangerous files.

Email Encryption[edit]

SSL/TLS encryption is inadequate to protect emails from prying eyes. Whonix supports the stock recommendation to use email encryption with Enigmail, which is a graphical front-end for using the GnuPG ("GPG") encryption program. This is a suitable solution for the majority of users, unless they have self-assessed as being a high-risk target. Similarly, the TorBirdy extension is also recommended to make Thunderbird connections take place over the Tor network.

Even if the email content is encrypted and subject lines are random, hidden, empty, use just a dash (-), or contain misleading content, the email provider can still log valuable data such as:

  • When and with whom the user is in contact.
  • When a user logged in and for how long.
  • How often a user fetches mail.
  • The Tor exit relay that was used for anonymous email.

Extensive metadata can potentially assist adversaries to make (false) assumptions about the user and their identity.

Email Provider[edit]

Avoid well-known, large, corporate email providers who purposefully invade user privacy. For instance, Yahoo and Gmail use automated software to scan emails for keywords to tailor advertising and sell products. Hotmail also has a history of reading private emails and messages.

Prefer email providers that:

  • Are free.
  • Do not require JavaScript or other credentials for registration.
  • Provide an onion service.
  • Support PGP encryption and key management.
  • Have encrypted inboxes by default.
  • Are outside Fourteen Eyes jurisdictions.
  • Have desktop email compatibility with Mozilla Thunderbird. [1]

The email provider will always represent a single point of failure. An email account may be quickly closed or suspended in response to external pressure by authorities. Similarly, the administrators may decide (or be forced) to terminate the service completely, or for specific individuals.

Users should create backup anonymous email addresses with different providers so that alternative communication channels remain open in response to potentially hostile third party actions.

JavaScript and Other Tracking Vectors[edit]

Many webmail services require JavaScript, which when enabled allows discovery of how fast a user types, how long it takes to read a message, common spelling mistakes, time taken to correct mistakes, destination email addresses, and when emails are received and from whom. For this reason, webmail with active JavaScript is strongly discouraged. In general, a browser is not a safe environment to directly write text; learn more on the Surfing, Posting, Blogging page.

Other potential tracking vectors include web beacons (webbugs) [2] which are embedded on various websites, allowing cookies to be implanted in the browser in order to track browsing habits. Email beacons use a similar tracking technique. In this case, tiny images are embedded in emails with unique identifiers in the URL. After the email is opened and the image is requested, the email sender learns when the message was read, along with the IP address (or proxy) that was used.


Basic precautions must be taken when registering an email address anonymously. For example, personal or identifying data must never be used, and the account must be exclusively paired with Tor. It is also safer to register an anonymous account with a provider that has never been used non-anonymously, and preferably without JavaScript.


The best balance of usability and security is realized by configuring Encrypted Email with Mozilla Thunderbird, Enigmail and TorBirdy. It is also preferable to use POP3 and SMTP, since IMAP leaks more metadata. [3]

Email Provider Comparison[edit]


It has been asked whether I2Pmail is safer than tormail, [4] [5] riseup, gmail and so on. The Threats chapter above states "email is always a single point of failure". It doesn't really matter, apart from privacy by policy, no email provider can significantly improve privacy by design. The most important thing about email providers you should ask about email providers is: Will they tolerate me signing up by Tor and exclusively using the email service over Tor? Will they suspend my email account because I speak against someone and they get forced to suspend my account? The latter question applies more, if you run a project, movement or something like that and less for accounts, which barely anyone knows.

Other than privacy by design, privacy by policy is always a weak protection. An exception might be services, which are not classical email and therefore incompatible, but email alike services such as Usenet (see below), I2P-Bote (see below), RetroShare or Ricochet IM (See Chat).

A few frequently discussed mail providers are described above with some facts. There is no recommendation for or against any mail providers.[edit]

  • Quoted from wikipedia I2P[6]: "I2P has a free pseudonymous email service run by an individual called Postman. Susimail is a web-based email client intended primarily for use with Postman's mail servers, and is designed with security and anonymity in mind. Susimail was created to address privacy concerns in using these servers directly using traditional email clients, such as leaking the user's hostname while communicating with the SMTP server. It is currently included in the default I2P distribution, and can be accessed through the I2P router console web interface. Mail.I2P can contact both I2P email users, via user@mail.I2P and public internet email users from a address."
  • Cleaning the mail header is nice, but TorBirdy can do the same.
  • It is technically impossible to encrypt mails to clearnet addresses [7], unless the sender and recipient are using end-to-end encryption such as OpenPGP.
  • Therefore it is no more/less secure than using riseup, tormail, etc.
  • Even though based on I2P, you can still use it in Whonix over Tor, see I2P for information how to tunnel I2P over Tor.
  • We haven't heard about any email accounts which got suspended. (Well, we don't know about spam abuse, but that's another story.)
  • Things said in the Threats chapter still apply.[edit]

  • Works reliable on mailing lists.
  • Privacy by policy.
  • Tor friendly.
  • Servers hosted in the US.
  • We haven't heard about any email accounts which got suspended. (Well, we don't know about spam abuse, but that's another story.)
  • Things said in the Threats chapter still apply.
  • Doesn't update warrant canary on a fixed, regular basis.
  • "Forgot" to update canary on multiple occasions.
  • likely compromised


  • Mike Hearn from Google addressed this issue on tor-talk[8]:

Access to Google accounts via Tor (or any anonymizing proxy service) is not allowed unless you have established a track record of using those services beforehand. You have several ways to do that:

1) With Tor active, log in via the web and answer a security question, if any is presented. You may need to receive a code on your phone. If you don't have a phone number on the account the access may be denied.

2) Log in via the web without Tor, then activate Tor and log in again WITHOUT clearing cookies. The GAPS cookie on your browser is a large random number that acts as a second factor and will whitelist your access.

Once we see that your account has a track record of being successfully accessed via Tor the security checks are relaxed and you should be able to use TorBirdy.

  • Recommended against. Not Tor friendly. It would be very difficult to sign up using Tor and to exclusively use it over Tor. They most likely ask for phone verification and this is almost impossible to do without jeopardizing anonymity. [9]

Anonymity Friendly Email Provider List[edit]

Another anonymity network provider (JonDos), maintains a list of their recommended email providers. Whonix developer Patrick Schleizer does NOT check this list. Might still be useful. See list (w), look for "Recommended Mail Provider".

Encrypted Email[edit]

The Mozilla Thunderbird email client, together with the add-ons Enigmail and TorBirdy [10] [11] are installed by default in Whonix. If used correctly, they can be used for easy GPG encryption and anonymous (or pseudonymous) email messaging.

A complete set of instructions is now available to:

  • Install the latest TorBirdy plugin for the Thunderbird email desktop client.
  • Create an email account anonymously with a suitable provider via Tor Browser.
  • Setup the new email account: Thunderbird account settings, install necessary extensions (add-ons), and enforce connections to the email provider's Onion Service.
  • Create an OpenPGP encryption key pair and revocation certificate using the Enigmail Setup Wizard.
  • Encrypt and store the revocation certificate securely.
  • Configure Thunderbird preferences for greater security and anonymity.
  • Configure additional OpenPGP preferences via Enigmail.
  • Key management: import GPG public keys.
  • Export the public key to a GPG key server (optional).
  • Prepare an email signature with the public GPG key ID and fingerprint (optional).
  • Compose and send a test encrypted email.
  • Open an encrypted email received in Thunderbird.

Email Alternatives[edit]

Pretty Easy Privacy[edit]

pretty Easy privacy (p≡p) is a pluggable data encryption and verification system, which provides automatic key management and a KeySync protocol (yet being tested, not activated already) to sync private key material across the devices you want to read the same messages on.[12] It is cross-platform, message protocol agnostic and p2p. It exists as plugin for mail clients (Thunderbird and Outlook) on all major desktop systems and also as a mobile app for Android and iOS. Its cryptographic functionality is handled by open source p≡p engine relying on already existing cryptographic implementations in software like GnuPG, a modified version of netpgp (used only in iOS) and (as of p≡p v2.0) GNUnet. A non-transferable copyright cross-licensing agreement has just been concluded to allow distributing of the GNUnet binary as part of pEp under non-GPL licenses on restrictive platforms like the Apple store.[13]

In its default configuration, pEp does not rely on a web of trust or any form of centralized trust infrastructure, but instead lets users verify each others' authenticity by comparing cryptographic fingerprints in the form of natural language strings, which the pEp developers have chosen to call "trustwords". If both sides are using pEp, it automatically uses the anonymous transport provided by GNUnet. With that technology, meta data is no longer readable for an attacker. pEp is fully peer to peer itself. And only you have the keys. However it can inter-operate with legacy mail to secure that whenever applicable (if the intended recipient has a GPG key).[14] The pEp project is guided by a foundation that supports libre software.[15] Enigmail announced its intention to integrate the pEp encryption scheme by October 2016.[16] pEp's code has been audited.[17]

For further information on the project's check their milestones pages.



BitMessage is a P2P asynchronous communications protocol used to send encrypted messages to another person or to many subscribers. The PyBitmessage client is in Python with a Qt GUI. It is decentralized and trustless, meaning that you need-not inherently trust any entities like root certificate authorities. It uses strong self-authenticating Bitcoin style addresses which means that the sender of a message cannot be spoofed. Messages for offline recipients are stored for up to 28 days before being deleted. It relies on Proof-of-Work to prevent spamming. Development of Android clients has stalled. Connecting with a mobile client needs a full node running on a user's PC.

BitMessage hides sender/recipient metadata by broadcasting everybody's messages to everybody, acting as a simple private information retrieval (PIR) system. For the best possible anonymity run it in Whonix.

Some features include subscription support and Chans (Decentralized Mailing Lists) [18] For other use-cases see the Arch wiki on BitMessage.

Bridging services between the BitMessage network and legacy/regular email exist. The most popular is, also available as an onion service. See setup instructions to setup an account then register. Note that GPG needs to be used for confidentiality when communicating with email users. Thunderbird with Enigmail could be configured to use this service (optionally over Tor) for seamless GPG support.

For comparison between it and other open source communications software see the FAQ.

No professional audit has been done for BitMessage to date. While we never condone criminal abuse of technology, its past use by miscreants running a ransomware operation (over Tor) without getting caught, shows that it is somewhat "battle-tested".[19] We hope that dissidents in rogue nations could profit from that experiment.


The following instructions are for compiling/starting BitMessage and upgrading.[20] Bitmessage developers sign their their source code TO-DO: Add instructions to verfy git tags.

sudo apt-get install git python openssl libssl-dev git python-msgpack python-qt4
git clone $HOME/PyBitmessage


To upgrade Bitmessage run the following commands:

cd $HOME/PyBitmessage
git pull

Send Attachments[edit]

While explicitly attaching files is not supported, technically any file can be sent within the message body.[21]

First convert your file with base64 and then copy and paste the contents of the text file.

base64 < binary.file > text.file

Don't forget to include instructions to the receiver how to decode it. In order to decode the file, the recipient can copy and paste the code into file and convert it with this command:

base64 -d < text.file > binary.file

It is not very practical to send large files with BitMessage. Alternatively you can encrypt a file or archive containing a collection with GPG and upload it to un-trusted cloud storage and send recipients the link. Encryption can be done using a contact's public key or with symmetric encryption requiring a password which you send in BitMessage. For GPG symmetric encryption follow this example:

gpg -vv -c --cipher-algo AES256 your-file.tar.gz

Note that you can use the extended output of pwgen (pre-installed in Whonix 14+) for secure passwords.

User Data Back-Up[edit]

To backup the BitMessage profile and all user-generated program data, copy the folder under this path to your shared folder: /home/user/.config/PyBitmessage. Private keys are stored in keys.dat[22] and other data such as inbox contents, contacts and black/white-list info is stored in the messages.dat[23] database file. Copy the folder to this location to restore BitMessage data for new installs.

To maintain separate BitMessage identities, the safest way is to run each with its own BitMessage instance in separate Whonix-Workstations.


Freemail[24] is an email system implemented upon the anonymous data distribution network Freenet. It is most similar to I2P-Bote, another anonymous and distributed email solution.

Like most Freenet plugins, it makes use of an anti-spam mechanism called the Web of Trust[25] to block abusers. Attachment sizes are virtually unlimited. Users would upload files on Freenet and link to them in Freemail messages.

See recommended tips for Freemail.


I2P-Bote is a serverless, encrypted email plugin that uses I2P for anonymity. Messages are stored in the distributed hash table (DHT) for 100 days, during which the recipient is able to download them.

To back up I2P-Bote data, copy the i2pbote folder inside the I2P config directory (~/.i2p/i2pbote on Unix systems or /var/lib/i2p/i2p-config when running as a daemon).

Compartmentalize activities and only use the I2P-Bote/Susimail VM snapshot for this purpose. Generally, applications that run with a browser interface are vulnerable to a whole class of bugs, including cross-site request forgery (CSRF).[26][27]


  • A webmail interface.
  • A user interface translated into 15 languages.
  • One-click creation of email accounts (called email identities).
  • Emails can be sent either under a sender identity or anonymously.
  • 2048-bit ElGamal, 256/521-bit Elliptic Curve and NTRU-1087 encryption.
  • Transparent, automatic encryption and signing without relying on third-party software such as PGP/GnuPG.
  • Sending and receiving via relays with delay periods set by the user, similar to Mixmaster.
  • Theme support.
  • POP3 / IMAP / SMTP.
  • Cc and Bcc support.
  • Delivery confirmation.
  • Attachments.
  • Basic support for short recipient names.
  • Android support (via I2P's Android client).

Planned Features:

  • An outproxy to interoperate with clearnet mail servers.
  • Custom folders.
  • Multi-device identity syncing.
  • Support for short email addresses like myname@bote.i2p
  • HashCash as an anti-spam solution should it become a problem.
  • Lots of other small improvements.

Anonymous Remailers[edit]

Anonymous Remailers are a generation of privacy networks that precede Tor. These are single purpose networks (only support sending email) that use high-latency designs to defeat surveillance. The latest on-going project is the Mixmaster network. While sending one-way messages is relatively straight forward, receiving replies requires registration with a Nymserver and setting up a program to fetch messages from the decentralized Usenet boards.

Footnotes / References[edit]

  1. Formerly "Icedove", but now re-branded in Debian following resolution of trademark issues.
  3. For example, how long a user has been running the mail client. IMAP comes with other risks, like saving drafts on the server as the user is typing.
  4. The Tor Mail service is now offline, as it was hosted on Freedom Hosting which was taken down by the FBI.
  7. Such as gmail, riseup etc.
  9. Because they are also aware of online phone and messaging services and blacklisting the for verification upon knowledge.
  10. TorBirdy Homepage
  11. TorBirdy Source Code


Liberte Linux Philosophy page Copyright (C) 2013 Maxim Kammerer <mk at dee dot su>
Whonix Anonymity wiki page Copyright (C) 2013 - 2018 ENCRYPTED SUPPORT LP <>

This program with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.

Random News:

We are looking for maintainers and developers.

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)