Encrypted Email with Thunderbird

From Whonix

Introduction

Due to the complexity of software in the past, one of the most underutilized forms of protection for users is email encryption. However, it is now easier to take advantage of encrypted email via the use of Thunderbird (Mozilla's email client), which includes a built-in OpenPGP encryption program.

Thunderbird in Whonix ™ comes with anonymity, privacy and security settings pre-configured through the pre-installed anon-apps-config package. [1]

The following guide provides a higher security and privacy standard than relying upon online services such as ProtonMail or Tutanota, which promise "encrypted email" in transit or storage. Online systems can still be broken by an attacker capable of exploiting JavaScript flaws or undermining certificate authorities that provide encryption certificates for websites; see Webmail. Further, online providers can be hacked or coerced by adversaries to provide access for extended periods.

To minimize these risks and improve security, the following guide uses a suitable Desktop Email Client instead of webmail, paired with strong, end-to-end encryption that protects the contents so it can only be read by the intended recipient. Further, a strong encryption key-pair is created so the user has strict control over the private key, which is stored securely. Keep in mind this method does not make email infallible -- advanced adversaries can easily penetrate Internet-facing endpoints of targets with today's cutting-edge surveillance and offensive systems. Also, mistakes or poor security practices on behalf of the email recipient can inadvertently lead to disclosures of plaintext.

Tip: If possible, critical information that is of high value should not traverse computer networks at all, or even risk exposure to Internet-facing computers. [2] High-risk users might also consider creating an airgapped OpenPGP key pair rather than relying on Thunderbird as per these instructions.

Overview

The following guide provides steps to:

  1. Install the Thunderbird email client.
  2. Visit your suitable email provider's website anonymously via Tor Browser (preferably a provider that supports onion services).
  3. Create your login password and store the credentials in KeePassXC (optional). [3]
  4. Set up the new email account: Thunderbird account settings, and enforce connections to the email provider's Onion Service.
  5. Create an OpenPGP encryption key pair and revocation certificate using the Thunderbird Setup Wizard.
  6. Encrypt and store the revocation certificate securely.
  7. Configure Thunderbird preferences for greater security and anonymity.
  8. Configure additional OpenPGP preferences.
  9. Key management: import GPG public keys.
  10. Export the public key to a GPG key server (optional).
  11. Prepare an email signature with the public GPG key ID and fingerprint (optional).
  12. Compose and send a test encrypted email.
  13. Open an encrypted email received in Thunderbird.

Warnings

Due to email's design, it is a very insecure system where privacy and anonymity are concerned. Use it sparingly, and only with great discipline and caution.

Operational security is imperative to maintain the integrity of properly encrypted email. Consider the following scenarios which would allow an adversary access to the plaintext or other metadata that might help deanonymize a user:

  • Even if all email sent to a recipient is encrypted, if the recipient fails to encrypt the email response, then adversaries will be able to read the message and likely a quote of the original one sent.
  • The names of email recipients cannot be encrypted and are therefore visible to adversaries. The subject line and references email header will also be visible in the following configuration.
  • There are several different types of metadata that can be harvested from email, depending on how it is used. Therefore, users must be careful when relying on email for sensitive communications.

Glossary

Terms that are commonly used in reference to email encryption are outlined below.

Table: Email Encryption Terms [4]

| Term | Description |
| --- | --- |
| Key Pair | A pair of asymmetric keys, commonly known as public and private keys. |
| Public Key | The half of a key pair that is distributed publicly and used for encrypting. |
| Private Key | The half of a key pair that is kept secret, and is used for decryption. |
| Key Server | A server or website used for the distribution and verification of public keys. |
| Integrity | A verification that the enclosed contents have not been tampered with in transit. |
| Confidentiality | A verification that the enclosed contents are unreadable, except for the intended recipient. |
| Authentication | A verification that the person who is sending / signing is who they say they are. |
| Non-repudiation | Assurance that nobody, including the author, can dispute the origin of the message itself. |
| Asymmetric Keys | Commonly referred to as a 'keypair'. It is two separate keys: one public, one private. |
| Symmetric Keys | Symmetric encryption depends on using a password to encrypt the single key used for both encryption and decryption. |

Warning: Unless otherwise instructed to do so, manual installation of packages should be avoided, even trusted ones. [5] To install software, users should prefer the APT secure package manager. For more information on this, see: Installing Software Best Practices.

Install the Thunderbird Email Client

Users who would like to learn more about Thunderbird can refer to the official support page. However, modifications should not be made to Thunderbird unless you know what you are doing.

The Thunderbird email client can be installed from the terminal using APT secure package manager.

In Whonix-Workstation ™ (whonix-ws-16 Template Qubes-Whonix ™) konsole, run.

sudo apt install thunderbird

Note: If the following output appears, Thunderbird is already installed and no further action is needed.

Reading package lists... Done
Building dependency tree
Reading state information... Done
thunderbird is already the newest version.

Create a New Email Account with Tor Browser

Choose an Appropriate Email Provider

First and foremost, there are multiple email providers that users can choose from. For the purpose of this tutorial, danwin1210.de is used as an example. This is not an endorsement (terms of service non-endorsement) for danwin1210.de. No e-mail providers are explicitly recommended by the Whonix ™ team. The Whonix ™ project is not an e-mail provider review project that recommends specific e-mail providers. Refer to the Anonymity Friendly Email Provider List for possible alternatives. If problems are experienced with danwin1210.de, refer to the list of providers by The Tor Project, Whonix ™ or JonDonym.

At the time of writing, danwin1210.de is one of the few free and reliable email providers offering POP3 email access through an .onion address, which does not require additional verification details to register an account. You will have 25MB of disk space available for your emails. For more details regarding the features and offerings of danwin1210.de, visit http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion/.

Never forget this is an Onion Service which means there is no way of determining who is running it. If GPG is not used to encrypt email and/or the recipient of email does not encrypt it either, it can be easily read by the email service provider, random computers on the internet that relay a sent email message, or anyone else who manages to gain access to the account!

Registration Steps

1. Create an email account name and password for the mail provider.

When creating an account and password do not use identifying or familiar data in either! Also consider the principles for stronger passwords and the option of lengthy Diceware passphrases.

  • When the page opens, open up KeePassXC and create an account and password entry for your new email account. Alternatively, write it down at home and store it in a safe place.
  • When finished creating your Email Name/Username and password in KeePassXC, follow these steps:

Figure: Email Registration

2. Confirm successful creation of the anonymous account.

Figure: Account Confirmation

3. Close Tor Browser.

Since the email account has been created, Tor Browser can be closed.

Set Up the New Email Account in Thunderbird

1. Open Thunderbird.

  • Non-Qubes-Whonix: Click the start menu button → Search and select Thunderbird
  • Qubes-Whonix ™: Click the blue "Q" button → Click on anon-whonix → Select "Thunderbird"

Figure: Thunderbird Email Client (Non-Qubes-Whonix)

2. Set up the Email Account.

IMPORTANT NOTE: Thunderbird does not store passwords in an encrypted format. Therefore, if Whonix-Workstation ™ (anon-whonix) is compromised, an attacker may be able to gain access to the email account if they view Thunderbird's unencrypted password storage file.

The first window that will appear upon running Thunderbird for the first time will prompt you to "Set Up an Existing Email Account." Follow these steps:

  • Type the alias/username that you created in the field "Your name." This will appear next to your email address in emails you send to others.
  • Type the danwin1210.de onion email address you just created into the field "Email address." For example: youremailusername@danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion
    • If you use the clearnet version instead, your email address will be youremailusername@danwin1210.de
  • Paste your newly created password.
  • Finally, tick "remember password" (the more user-friendly method) and click the "Configure Manually" button.

Figure: Email Account Set Up

3. Configure Email Incoming (POP3) and Outgoing (SMTP) Connection.

You need to configure Thunderbird to connect to the hidden server (onion service) of danwin1210.de. The fields you need to change are:

  • Protocol: Pick POP3. Avoid IMAP, as it leaves you more exposed to the Internet (it requires a persistent connection to function properly) and drains your account's limited storage capacity (which is far smaller than the storage available on your own operating system).
  • Type danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion in the field next to "Hostname".
  • Type 995 into the "Port" field.
  • Choose "SSL/TLS" for "Connect security".
    • Avoid using STARTTLS.
    • Some email (onion) providers do not add TLS/SSL for their onion domain. If so, it is fine to choose "None", because all communications to onion domains are encrypted and your password is therefore not transmitted insecurely (in our case, danwin1210.de uses a self-signed TLS/SSL certificate).
  • Choose "Normal Password" for "Authentication Method".
    • If your email onion service has no TLS/SSL support, it is fine to choose "Password, transmitted insecurely" (in our case, the danwin1210.de onion service supports TLS/SSL).
  • Type the email username you chose earlier into the field next to "UserName".

Figure: Thunderbird Server Configuration

  • Press "Confirm Security Exception". It is safe to confirm it because this is a self-signed certificate.

Figure: Confirm Self-Signed TLS/SSL inside Thunderbird

Your account is now successfully connected with Thunderbird.

Create an OpenPGP Key Pair and Revocation Certificate

There are two methods for creating an OpenPGP key pair and revocation certificate -- using either the Thunderbird OpenPGP Setup Wizard, or manually creating them from the command line. The easier Thunderbird OpenPGP method is outlined below, but the manual creation of stronger keys from the command line is recommended for advanced users or those at high risk.

Create an OpenPGP Key Pair with Thunderbird

  • After successfully linking your account with Thunderbird, click on "End-to-end encryption".

  • If you missed that, click on your email account and the "End-to-end encryption" option will appear.

  • Press the "Add Key..." option.

  • Since we are creating fresh keys, choose "Create a new OpenPGP Key", then press "Continue".

  • For better usability we are going to choose the "Key does not expire" option, though you can later change that to whatever suits you.
  • We are going to choose the most common key type and size options, which are RSA with 4096 (the other option provided by Thunderbird is ECC).

  • Make sure to read the info message, then press "Confirm".

  • After a short wait, your keys are successfully created for your account.

  • Scroll down on the same page, then choose "Enable encryption for new messages" (this requires having the recipient's OpenPGP key; otherwise, messages won't be encrypted).
  • "Sign unencrypted messages" and "Attach my public key when adding an OpenPGP digital signature" are for better authenticity and usability, but they are left to the user to decide.
  • Make sure these options are ticked: "Encrypt the subject of OpenPGP messages" and "Store draft messages in encrypted format".

Export and Store your Keys

1. Go to "End-to-end encryption".

2. Then press on "OpenPGP Key Manager".

3. Then select your email (highlight it) if there is more than one, then click "File".

4. Then export your public and secret keys for backup. Your public key is used by recipients to encrypt messages, and your secret key is used for decrypting messages. (Make sure to save them in a secure place, otherwise anybody can decrypt and read your encrypted emails if your secret key is lost.)

5. At the moment Thunderbird does not provide a UI option to export your revocation certificate [6] [7], but you can revoke your key from "OpenPGP Key Manager" (read the warning message; don't proceed unless you really want to get rid of or change your current key).

Encrypt the Revocation Certificate

The revocation certificate can be encrypted and stored in the persistent storage directory. The GPG revocation certificate can be used to revoke the public encryption key that is added to key servers, even if access to the GPG secret key is lost or the password is forgotten.

If an attacker accesses the GPG revocation certificate, they can revoke the keys. Encrypting the GPG revocation certificate with a passphrase will protect against this action.

At the time of writing, there is no graphical way of doing this through Thunderbird [8].

As an encryption tool you can use, for example, zulucrypt (installed by default in Whonix ™).

Final Thunderbird and Email Account Settings

Configure Thunderbird Folders from Account Settings

1. Go to your "Account Settings".

2. Click on "Copies & Folders" in the left column. Each option to change is highlighted in red in the figure below:

  • In the pull down menu next to "Sent Folder on", select "Local Folders."
  • In the pull down menu next to "Archives Folder on", select "Local Folders."
  • In the pull down menu next to "Drafts Folder on", select "Local Folders."
  • In the pull down menu next to "Templates Folder on", select "Local Folders."
  • Check the box next to "Show confirmation dialog when messages are saved."

Figure: Folder Configuration

3. (Optional) Empty Thunderbird trash on exit.

Click on "Local Folders" in the left column. Then, check the box next to "Empty trash on exit."

Figure: Empty Local Folders

General Thunderbird Settings

1. Set the Menu Bar.

  • Right-click in the empty top bar of Thunderbird.
  • Then tick "Menu Bar".

Figure: Thunderbird Menu Bar

2. Access Thunderbird Settings.

  • In the menu bar, click on "Edit" and then click "Settings".
  • Or press the cog icon which will lead you to "Settings" as well.

Figure: Thunderbird Preferences

3. Disable the return receipt function.

  • Scroll down then press on "Return Receipts..."
  • In the next window that appears, mark the circle next to "Never send a return receipt." Then, click the "OK" button.

Figure: Disable Return Receipts

4. (Optional) Receive a confirmation email when a message is delivered to the recipient.

  • From "General", scroll down to "Config Editor...".
  • Search for mail.dsn.always_request_on
  • Double-click on it to turn it from false to true.
  • You will receive a "Successful Mail Delivery Report" after a message is sent successfully.

5. Send and receive plain text messages.

  • One way to prevent Efail attacks is to avoid HTML messages altogether.
  • Click on "Composition" then choose "Only Plain Text".
  • From Menu Bar click on "View" then "Message Body As" then tick "Plain Text".

Figure: Plain Text Messages

6. Disable website history and site cookies.

  • Next, click the "Privacy & Security" button. Then, untick the boxes next to "Remember websites and links I've visited" and "Accept cookies from sites".

Figure: Modify Privacy Settings

Import Public Keys (From File)

Always search with the long fingerprint of a GPG key in the key manager -- short or even long key IDs can be forged. [9] The results are more secure and work more often. Everyone who shares a public GPG key should share a long fingerprint.

Important: It is critical to verify any GPG public key that is added to the keyring with a fingerprint provided by the person you intend to communicate with.

Import the GPG public key of an intended email recipient into Thunderbird:

  • Go to "End-to-end encryption".

  • Then press on "OpenPGP Key Manager".

  • Go to "File", then choose "Import Public Key(s) From File".

  • Browse to the path where the public key is located and double-click it.

  • Thunderbird will show the key fingerprint. If you are sure that this fingerprint matches the one belonging to the person whose key you are adding, press "Accepted (unverified)"; otherwise, use the default "Not Accepted (Undecided)".

  • The key is now imported successfully. If you want to change the acceptance level, press on "View Details and manage key acceptance".

  • Choose the acceptance option you prefer for the added keys.
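The fingerprint comparison recommended in this section, as an added example that is not part of the original Whonix page: it parses a version 4 OpenPGP public-key packet, computes the fingerprint as RFC 4880 section 12.2 defines it, and accepts a claimed value only if it is the full 40-digit fingerprint, since the long and short key IDs are just its last 64 and 32 bits. The function names and the toy key material are assumptions constructed for illustration, and a version 4 key is assumed.

```python
import hashlib
import struct


def _mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def build_v4_rsa_packet(created: int, n: int, e: int) -> bytes:
    """Constructed input: old-format public-key packet (tag 6, 2-byte length)."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + _mpi(n) + _mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body


def public_key_body(packet: bytes) -> bytes:
    """Return the body of a leading version 4 public-key packet."""
    if len(packet) < 6 or not packet[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    first = packet[0]
    if first & 0x40:  # new-format header: tag in the low 6 bits
        tag, l0 = first & 0x3F, packet[1]
        if l0 < 192:
            start, length = 2, l0
        elif l0 < 224:
            start, length = 3, ((l0 - 192) << 8) + packet[2] + 192
        elif l0 == 255:
            start, length = 6, int.from_bytes(packet[2:6], "big")
        else:
            raise ValueError("partial body lengths are not supported here")
    else:  # old-format header: tag in bits 5-2, length type in bits 1-0
        tag, length_type = (first >> 2) & 0x0F, first & 0x03
        if length_type == 3:
            raise ValueError("indeterminate length is not supported here")
        size = 1 << length_type  # 1, 2 or 4 length octets
        start, length = 1 + size, int.from_bytes(packet[1:1 + size], "big")
    body = packet[start:start + length]
    if tag != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("expected a complete version 4 public-key packet")
    return body


def v4_fingerprint(packet: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte body length, body."""
    body = public_key_body(packet)
    prefix = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(prefix + body).hexdigest().upper()


def matches_expected(expected: str, fingerprint: str) -> bool:
    """Accept only a full 40-hex-digit fingerprint; shorter key IDs are rejected."""
    cleaned = "".join(expected.split()).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        return False
    return cleaned == fingerprint.upper()


# Constructed toy key material, far too small to be a usable RSA key.
SAMPLE = build_v4_rsa_packet(created=1600000000, n=0xC5A13F779B0DE241, e=65537)

if __name__ == "__main__":
    fpr = v4_fingerprint(SAMPLE)
    print("fingerprint :", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("long key ID :", fpr[-16:], "(last 64 bits of the fingerprint)")
    print("short key ID:", fpr[-8:], "(last 32 bits of the fingerprint)")
    print("full fingerprint accepted:", matches_expected(fpr, fpr))
    print("long key ID accepted     :", matches_expected(fpr[-16:], fpr))
```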

Compose and Send Encrypted Email

1. Compose a new email message.

  • Press on "Write".

Since the danwin1210.de email service is hosted on the .onion Tor server danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion you are going to send an email to the .onion domain. This keeps the transit of the email inside the Tor network, which is safer than transporting it in the clear. If an email provider of someone you want to send an email to uses a .onion domain, always use that domain in the To field if possible.

2. Send the email message.

  • Make sure the "Encrypt" padlock is active.
  • Press the down arrow near "OpenPGP", then make sure "Encrypt" and "Encrypt Subject" are ticked.
  • Optional, for authenticity and ease of use:
    • Tick "Digitally Sign".
    • Tick "My OpenPGP Public Key" from "Attachment".
  • When the message is ready, click the "Send" button (as a beginner, it is preferable to send just a small message without details for testing purposes).

3. How the message will look on the recipient's side.

  • To receive new messages, click "Get Messages".
  • OpenPGP with a green tick and padlock means the message is encrypted.
  • @danwin1210.de means the message was sent over clearnet.

4. The recipient imports the key attached to the email.

  • Right-click on the attachment, then choose "Import OpenPGP Key".
  • Then follow the steps explained in Import Public Keys.

Add User ID to Key Properties

Undocumented

Export the Public Key to a GPG Server

Undocumented

Using Thunderbird with the System GnuPG Keyring

Undocumented


Final Warnings

If all steps have been successfully completed then you now have an anonymous email account paired with strong encryption.

It should be emphasized this wiki entry is not a substitute for an all-inclusive tutorial on the safest way to use GPG/PGP encryption, however it provides a solid foundation for fundamental practices. Numerous advanced resources and expert opinions exist on the Internet, and these can provide additional tips that might better address a user's perceived threat model and circumstances. [10] At a minimum, it is recommended to review the Safe Email Principles section, along with additional learning resources.

Finally, always heed the following warnings regarding email:

  • Email is a very insecure means of communication where anonymity is concerned. A lot of metadata is leaked with email, so it should be used sparingly and only when strictly necessary.
  • Do not contact people you know in real life at non-anonymous email addresses with the email account that was created here. Always separate real world identities from online identities used with Whonix ™.
  • Be circumspect about sharing personal information in email! Encrypted email does not protect against the email recipient storing personal emails in an unencrypted format. Nor does encryption protect against an email recipient maliciously using personal information in order to exploit you.
  • If an email is sent to a recipient without encryption, assume it can be read by anyone!
  • Utilize the Tor Onion Service (.onion domain) whenever it is made available by the email provider. After first confirming the domain is controlled by the email provider, it will afford greater protection than a clearnet address.

Further Reading

Interested readers can refer to the following additional resources on GPG, GPA, and safe email practices:

Footnotes

  1. https://github.com/Whonix/anon-apps-config/tree/master/etc/thunderbird
  2. Similarly, that same information should not be stored on electronic media in the first place, if that is feasible in the circumstances.
  3. Installed by default in Whonix ™ 15.
  4. Source: torproject.org, Gnu Privacy Guard / GnuPG. License: Content on this site is Copyright The Tor Project, Inc. Reproduction of content is permitted under a Creative Commons Attribution 3.0 United States License. All use under such license must be accompanied by a clear and prominent attribution that identifies The Tor Project, Inc. as the owner and originator of such content. The Tor Project Inc. reserves the right to change licenses and permissions at any time in its sole discretion.
  5. This is because packages are often unsigned, and users may forget to update the software in a timely fashion.
  6. https://bugzilla.mozilla.org/show_bug.cgi?id=1657901
  7. https://bugzilla.mozilla.org/show_bug.cgi?id=1722825
  8. https://thunderbird.topicbox.com/groups/e2ee/Tb249a2dc3984e8e3/getting-the-revoke-certificate
  9. Due to the threat of collisions, see: https://superuser.com/questions/769452/what-is-a-openpgp-gnupg-key-id
  10. For instance, users at high risk might generate a strong airgapped OpenPGP key pair on the command line for greater security, rather than rely on Thunderbird.