Actions

Encrypted Email with Thunderbird and Enigmail

From Whonix


About this Encrypted Email with Thunderbird and Enigmail Page
Support Status stable
Difficulty medium
Maintainer tempest [archive] / torjunkie [archive]
Support Support
Mozilla Thunderbird Icon

Warning[edit]

Ambox warning pn.svg.png The page is currently a work in progress due to TorBirdy incompatibility with the latest Thunderbird release, see: TorBirdy does not support Thunderbird 68 [archive]. The eventual solution will require a host of manual Thunderbird preference changes to use encrypted email safely.

Credits[edit]

Gratitude is expressed to tempest for permission to use this material for the Whonix ™ wiki documentation. [1] This material forms chapter 4.6 of A Beginner Friendly Comprehensive Guide to Installing and Using a Safer Anonymous Operating System, which can be found here [archive]. Minor editorial changes have been made to the source material, along with additional Qubes-Whonix ™ steps and wiki / external references where appropriate.

Introduction[edit]

Due to the complexity of software in the past, one of the most underutilized forms of protection for users is email encryption. However, it is now easier to take advantage of encrypted email via the use of Thunderbird (Mozilla's email client) and Enigmail, which is a graphical front-end for using the GnuPG ("GPG") encryption program. Unfortunately, the TorBirdy extension is no longer available to make Thunderbird connections take place over the Tor network. [2] This necessitates a number of manual preference changes in Thunderbird to use email safely.

Ambox warning pn.svg.png It is estimated that within 10 to 15 years, Quantum Computers will break today's common asymmetric public-key cryptography algorithms used for web encryption (https), e-mail encryption (GnuPG...), SSH and other purposes. See Post-Quantum Cryptography (PQCrypto).

Encrypted subject and references headers are also now possible in Enigmail, reducing the leakage of metadata. [3] [4] However, MIME is not used in these instructions to reduce the risk of Enigmail bugs exposing unencrypted messages, meaning the subject line will not be encrypted. On the upside, this configuration change allows the user to confirm their message is actually encrypted before it is sent.

The following guide provides a higher security and privacy standard than relying upon online services such as ProtonMail or Lavabit, that promise "encrypted email" in transit or storage. Online systems can still be broken by an attacker capable of exploiting JavaScript flaws or undermining certificate authorities that provide encryption certificates for websites; see Webmail. Further, online providers can be hacked or coerced by adversaries to provide access for extended periods.

To minimize these risks and improve security, the following guide uses a suitable Desktop Email Client instead of webmail, paired with strong, end-to-end encryption that protects the contents so it can only be read by the intended recipient. Further, a strong encryption key-pair is created so the user has strict control over the private key, which is stored securely. Keep in mind this method does not make email infallible -- advanced adversaries can easily penetrate Internet-facing endpoints of targets with today's cutting-edge surveillance and offensive systems. Also, mistakes or poor security practices on behalf of the email recipient can inadvertently lead to disclosures of plaintext.

Info Tip: If possible, critical information that is of high value should not traverse computer networks at all, or even risk exposure to Internet-facing computers. [5] High-risk users might also consider combining the use of One Time Pads with email encryption for even greater security, and creating an airgapped OpenPGP key pair rather than relying on Enigmail as per these instructions.

Overview[edit]

The following guide provides steps to:

  1. Install the Thunderbird email client.
  2. Install the Enigmail add-on for Thunderbird.
  3. Due to the unavailability of the TorBirdy plugin, configure Thunderbird preferences for safe use of email.
  4. Create an email account anonymously with a suitable provider via Tor Browser.
  5. Store the login credentials in KeePassXC [archive] (optional). [6]
  6. Setup the new email account: Thunderbird account settings, install necessary extensions (add-ons), and enforce connections to the email provider's Onion Service.
  7. Create an OpenPGP encryption key pair and revocation certificate using the Enigmail Setup Wizard.
  8. Encrypt and store the revocation certificate securely.
  9. Configure Thunderbird preferences for greater security and anonymity.
  10. Configure additional OpenPGP preferences via Enigmail.
  11. Key management: import GPG public keys.
  12. Export the public key to a GPG key server (optional).
  13. Prepare an email signature with the public GPG key ID and fingerprint (optional).
  14. Compose and send a test encrypted email to danwin1210.me
  15. Open an encrypted email received in Thunderbird.

Warnings[edit]

Ambox warning pn.svg.png Due to email's design, it is a very insecure system where privacy and anonymity are concerned. Use it sparingly, and only with great discipline and caution.

Operational security is imperative to maintain the integrity of properly encrypted email. Consider the following scenarios which would allow an adversary access to the plaintext or other metadata that might help deanonymize a user:

  • Even if all email sent to a recipient is encrypted, if the recipient fails to encrypt the email response, then adversaries will be able to read the message and likely a quote of the original one sent.
  • The names of email recipients cannot be encrypted and are therefore visible to adversaries. The subject line and references email header will also be visible in the following configuration.
  • There are several different types of metadata [archive] that can be harvested from email, depending on how it is used. Therefore, users must be careful when relying on email for sensitive communications.

Glossary[edit]

Terms that are commonly used in reference to email encryption are outlined below.

Table: Email Encryption Terms [7]

Term Description
Key Pair A pair of of asymmetric keys, commonly known as public and private keys.
Public Key The half of a key pair that is distributed publicly and used for encrypting.
Private Key The half of a key pair that is kept secret, and is used for decryption.
Key Server A server or website used for the distribution and verification of public keys.
Integrity A verification that the enclosed contents have not been tampered with in transit.
Confidentiality A verification that the enclosed contents are unreadable, except for the intended recipient.
Authentication A verification that the person who is sending / signing is who they say they are.
Non-repudiation Assurance that nobody, including the author, can dispute the origin of the message itself.
Asymmetric Keys Commonly referred to as a 'keypair'. It is two seperate keys: one public, one private.
Symmetric Keys Symmetric encryption depends on using a password to encrypt the single key used for both encryption and decryption.

Ambox warning pn.svg.png Warning: Unless otherwise instructed to do so, manual installation of packages should be avoided, even trusted ones.[8] To install software users should prefer the APT secure package manager. For more information on this, See: Installing Software Best Practices.

Install the Thunderbird Email Client[edit]

For users that would like to learn more about Thunderbird refer to the official support page [archive]. However, modifications should not be made to Thunderbird unless you know what you are doing.

The Thunderbird email client can be installed from the konsole using APT secure package manager.

In Whonix-Workstation ™ (whonix-ws-15 TemplateVM Qubes-Whonix ™) konsole, run.

sudo apt-get install thunderbird

Note: If the following output appears Thunderbird is already installed and no further action is needed.

Reading package lists... Done
Building dependency tree       
Reading state information... Done
thunderbird is already the newest version.

Install Enigmail Add-on for Thunderbird[edit]

Enigmail provides Thunderbird users with access to the authentication and encryption features provided by GnuPG [archive]. For a full listing of features and and configuration options see the official Enigmail Documentation [archive].

Enigmail add-on can be installed from the konsole using APT secure package manager.

In Whonix-Workstation ™ (whonix-ws-15 TemplateVM Qubes-Whonix ™) konsole, run.

sudo apt-get install enigmail

Note: If the following output appears Enigmail is already installed and no further action is needed.

Reading package lists... Done
Building dependency tree       
Reading state information... Done
enigmail is already the newest version.

Change Thunderbird Preferences[edit]

TODO: Insert manual Thunderbird preference changes for equivalent TorBirdy effect (see Tails changes).

Create a New Email Account with Tor Browser[edit]

Choose an Appropriate Email Provider[edit]

First and foremost, there are multiple email providers that users can choose from. For the purpose of this tutorial, danwin1210.me is used as an example. This is not an endorsement for danwin1210.me, nor are they necessarily the most secure or private email provider available. Refer to the list of Onion Service Providers for possible alternatives.

At the time of writing, danwin1210.me is one of the few free and reliable email providers offering POP3 email access through an .onion address, which does not require additional verification details to register an account. You will have 25MB of disk space available for your emails. For more details regarding the features and offerings of danwin1210.me, visit http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion/mail/index.php [archive]. If used properly with GPG encryption, this onion email service will provide the user with strong anonymity and privacy.

If problems are experienced with danwin1210.me, refer to the list of providers [archive] recommended by The Tor Project, Whonix ™ and JonDonym [archive].

Ambox warning pn.svg.png Never forget this is an Onion Service which means there is no way of determining who is running it. If GPG is not used to encrypt email and/or the recipient of email does not encrypt it either, it can be easily read by the email service provider, random computers on the internet that relay a sent email message, or anyone else who manages to gain access to the account!

Anonymous Registration[edit]

It is critical to create a new email account anonymously with Tor Browser. In Whonix-Workstation ™ (Qubes-Whonix ™: anon-whonix), launch Tor Browser via the icon on the toolbar (Non-Qubes-Whonix ™) or via the Qube Manager (or widget).

When Tor Browser opens, type.

http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion/mail/
postfixadmin/register.php

Into the URL bar to nagivate to the danwin1210.me Onion Service web page.

Figure: danwin1210.me Onion Service

Tempestupdate2.png

Info If using another email provider, navigate to the respective registration page, create the new account, use KeePassXC to generate a password for it, [9] and continue from the Setup the New Email Account section.

Finalize Registration[edit]

1. Create an email account name and password for the mail provider.

Ambox warning pn.svg.png When creating an account and password do not use identifying or familiar data in either! Also consider the principles for stronger passwords and the option of lengthy Diceware passphrases.

  • When the page opens, open up KeePassXC and create an account and password entry for your new email account. Alternatively, write it down at home and store it in a safe place.
  • When finished creating your password in KeePassXC, type the email name you wish to use in the field under "Username."
  • Copy the password you created in KeePassXC and paste it into the fields under "Password" and "Password (again)."
  • Check the box next to "I have read and agreed to the Privacy Policy."
  • Finally, click on the "Add Mailbox" button.

Figure: Email Registration

Tempestupdate3.png

After the page reloads, a new email account name and password can be created.

2. Confirm successful creation of the anonymous account.

If the account was created, the page will reload and you will see a message informing you that "the mail box [YourEmail]@tt3j2x4k5ycaa5zt.onion has been added to the mailbox table" at the top of the page.

Figure: Account Confirmation

Tempestupdate4.png

3. Close Tor Browser

Once the email account is created, Tor Browser can be closed.

Setup the New Email Account[edit]

1. Open Thunderbird.

  • Non-Qubes-Whonix: Click the blue "K" start buttonSelect "Mail Client"
  • Qubes-Whonix ™: Click the blue "Q" buttonClick on anon-whonixSelect "Thunderbird"

Figure: Thunderbird Email Client (Non-Qubes-Whonix)

Tempestupdate5.png

2. Set up the Email Account.

Ambox warning pn.svg.png IMPORTANT NOTE: Never use Thunderbird to save the email account password! Thunderbird does not store passwords in an encrypted format. Therefore, if Whonix-Workstation ™ (anon-whonix) is compromised in the future, an attacker may be able to gain access to the email account if they view Thunderbird's unencrypted password storage file.

The first window that will appear upon running Thunderbird for the first time will prompt you to "Set Up an Existing Email Account." Follow these steps:

  • Type the alias that you wish to use in the field next to "Your name." This will appear next to your email address in emails you send to others.
  • Type the danwin1210.me email address you just created into the field next to "Email address." In the example below, it is "youranonemail@danwin1210.me"
  • Finally, uncheck "remember password" and click the "Continue" button.

Figure: Email Account Set Up

Tempestupdate6.png

3. Configure the danwin1210.me Hidden Server (Onion Service)

In the next window, you need to configure Thunderbird to connect to the hidden server of danwin1210.me. The fields you need to change are highlighted in red.

  • Type tt3j2x4k5ycaa5zt.onion in the field next to "Server Name."
  • Type the user name you chose earlier into the field next to "User Name."
  • Click the pull down window next to "Connect security" and choose "None."
  • Uncheck the box next to "Leave messages on server."
  • Check the box next to "Empty Trash on Exit" and continue to the next step.

Info Note: The lack of "connection security" simply means that Thunderbird will not use SSL or STARTTLS to encrypt your password when it is sent to the mail server. This does not matter in this instance because the mail server is a Tor Onion hidden service. All communications to Tor's ".onion" domains are encrypted. Therefore, your password is not transmitted insecurely.

Figure: Server Configuration

Tempestupdate8.png

4. Configure Thunderbird folders.

Click on "Copies and Folders" in the left column. Each option to change is highlighted in red in the figure below:

  • In the pull down menu next to "Sent Folder on", select "Local Folders."
  • In the pull down menu next to "Archives Folder on", select "Local Folders."
  • In the pull down menu next to "Drafts Folder on", select "Local Folders."
  • In the pull down menu next to "Templates Folder on", select "Local Folders."
  • Check the box next to "Show confirmation dialog when messages are saved."

Figure: Folder Configuration

Tempestupdate9.png

5. Empty Thunderbird trash on exit.

Click on "Local Folders" in the left column. Then, check the box next to "Empty trash on exit."

Figure: Empty Local Folders

Tempestupdate10.png

6. Configure the outgoing server.

Click on "Outgoing Server (SMTP)" in the left column. Then, click on the "Edit" button.

Figure: Outgoing Server Configuration

Tempestupdate11.png

In the next window that appears:

  • Type tt3j2x4k5ycaa5zt.onion (or alternative .onion) in the field next to "Server Name."
  • Click on the pulldown menu next to "Connection security" and select "None." [10]
  • Type the complete email address into the field next to "User Name."
  • Set the number in the field next to "Port" to "25."
  • Click the "OK" button.

Info Note: The lack of "connection security" simply means that Thunderbird will not use SSL or STARTTLS to encrypt your password when it is sent to the mail server. This does not matter in this instance because the mail server is a Tor Onion hidden service. All commonunications to Tor's ".onion" domains are encrypted. Therefore, your password is not transmitted insecurely.

Figure: Onionized Server Configuration

Tempestupdate12.png

7. Confirm settings and exit.

After returning to the "Account Settings" window, click the "OK" button.

Figure: Confirm Settings

Tempestupdate13.png

Create an OpenPGP Key Pair and Revocation Certificate[edit]

There are two methods for creating an OpenPGP key pair and revocation certificate -- using either the Enigmail Setup Wizard, or manually creating them from the command line. The easier Enigmail method is outlined below, but the manual creation of stronger keys from the command line is recommended for advanced users or those at high risk.

Launch Enigmail Setup Wizard[edit]

To start the Enigmail Setup Wizard, after returning to the main Thunderbird window, click the "hamburger" icon that has the 3 horizontal bars towards the upper right corner.

Then, hover the mouse over "Preferences" and click "Menu Bar" when the next menu appears.

Figure: Menu Bar

Tempest screenshot 41.png

A menu bar will now appear towards the top of the Thunderbird window. In the menu bar, click "Enigmail" and then click "Setup Wizard."

Figure: Enigmail Setup Wizard

Tempest screenshot 42.png

You will now be brought to the Enigmail Setup Wizard. Select "Start setup now" and then click on the "Next" button.

Figure: Start Enigmail Set Up

Tempestupdate14.png

Create an OpenPGP Key Pair[edit]

1. Access Enigmail's extended configuration options.

After the Enigmail Setup Wizard starts, on the next screen click the circle next to "I prefer an extended configuration" and then click the "Next" button.

Figure: Extended Enigmail Configuration

Tempestupdate15.png

2. Create a new key pair.

Next, a prompt will appear to either create a GPG keypair or use an existing one.

Click the circle next to "I want to create a new key pair for signing and encrypting my email" and then click the "Next" button.

Figure: Create a New Key Pair

Tempestupdate16.png

3. Create a strong passphrase for the key pair.

In the next window that appears, a prompt will appear to create a passphrase for the GPG private key.

Ambox warning pn.svg.png This passphrase should be long and random! You will need this passphrase to sign messages with GPG or to decrypt messages sent to you.

With a strong passphrase, if the machine is ever compromised and someone steals the GPG secret key, this provides an extra layer of protection to prevent the attacker from being able to easily decrypt emails sent to you, or to impersonate you by signing emails with the GPG key.

  • Type an appropriately secure and random passphrase into the fields under "Passphrase" and "Please confirm your passphrase by typing it again."
  • Then, click on the "Next" button.
  • Optionally create a new entry in KeePassXC to store the GPG passphrase and manually enter the passphrase into the new entry. Then, save the KeePassXC database. This will be useful if the GPG passphrase is forgotten. [11]

Figure: New Key Pair Dialog

Tempestupdate17.png

4. Wait for the key pair creation process to finish.

A window will appear that shows the progress of your key creation. Move your mouse or browse the web in order to speed up the process if needed.

Figure: New Key Pair Creation

Tempestupdate18.png

5. Finalize the procedure.

A notice will appear once the process has finished.

Figure: Successful Key Pair Creation

Tempestupdate19.png

Click the "Close" button and you will see that the progress bar for your key pair generation has reached it's end point. Click the "Next" button.

Figure: Complete the Procedure

Tempestupdate20.png

Create and Store a Revocation Certificate[edit]

1. Create a revocation certificate.

After Enigmail has finished creating the new GPG key pair, click the "Create Revocation Certificate" button.

Figure: Create a Revocation Certificate

Tempestupdate21.png

2. Enter the passphrase.

A prompt will now appear to enter the passphrase created in the last step. Paste the GPG passphrase from KeePassXC (or enter it manually) into the "Passphrase" field and click the "OK" button.

Figure: Enter the GPG Passphrase

Tempestupdate22.png

3. Choose the location for the revocation certificate.

The next window will ask where the GPG revocation certificate should be stored.

Click on "Home" in the left column. Next, replace the spaces and parentheses signs with periods in the default filename for the GPG revocation certificate. The spaces and parentheses signs in the default name can make a step later in this guide trickier. Finally, click the "Save" button.

Figure: Store the Revocation Certificate

Tempestupdate23.png

4. Confirm the certificate was created.

Next, a message will inform that the GPG revocation certificate was successfully created. Click the "OK" button.

Figure: Certificate Creation Confirmation

Tempestupdate24.png

Go back to the Enigmail Setup Wizard window and click the "Next" button.

Figure: Continue to Enigmail Final Steps

Tempestupdate25.png

6. Upload the public key to a keyserver.

The next window will prompt to upload the public key to a keyserver. Click the box next to "Upload to the global OpenPGP keyservers" and then click the "Next" button.

Figure: Upload Public Key

Tempestupdate26.png

7. Finalize the Enigmail procedure.

The next window will inform you that Enigmail is now ready to use. Click the "Finish" button.

Figure: Finalize Enigmail Procedure

Tempestupdate27.png

Encrypt the Revocation Certificate[edit]

The revocation certificate will now be encrypted and stored in the persistent storage directory. The GPG revocation certificate can be used to revoke the public encryption key that is added to key servers, even if access to the GPG secret key is lost or the password is forgotten.

If an attacker accesses the GPG revocation certificate, they can revoke the keys. Encrypting the GPG revocation certificate with a passphrase that is easily remembered will protect against this action.

1. Open up a Konsole / Terminal session to get a command prompt.

  • Non-Qubes-Whonix: Click the "K" start buttonClick "Terminal"
  • Qubes-Whonix ™: Click the "Q" taskbar buttonanon-whonixKonsole

Figure: Open a Terminal (Non-Qubes-Whonix)

Tempestupdate28.png

2. Create a storage location.

When the terminal window opens, create a directory in the persistent storage folder to store the encrypted GPG revocation key. Run the following commands.

mkdir storage
mkdir storage/gpg-revoke

3. Encrypt the revocation certificate.

In the command below, replace "RevocationCertificateFileName" with the actual name of the revocation certificate. Type.

gpg --cipher-algo AES256 --symmetric RevocationCertificateFileName

A prompt will appear to "Enter passphrase." Choose a strong passphrase and enter it into the passphrase field, then click the "OK" button. Also consider creating a new entry in KeePassXC to store the GPG revocation certificate passphrase (manually enter the passphrase into the new entry, then save the KeePassXC database). [12]

Figure: Passphrase Prompt

Tempestupdate29.png

A prompt will appear, asking for the passphrase to be re-entered. Type it again into the passphrase field and click the "OK" button.

Figure: Passphrase Confirmation

Tempestupdate30.png

Ambox warning pn.svg.png This passphrase should be strong and unique! Do not re-use passphrases for multiple functions, activities or accounts. If the revocation certificate ever needs to be used, then this passphrase is first used to decrypt it.

Note: If an error appears that states.

gpg: error creating passphrase: invalid passphrase

Then a typo was made somewhere in the last two steps - start over from the beginning of this section.

4. Move the revocation certificate.

If no error messages appear and the user is returned to the command prompt, type.

mv *.gpg storage/gpg-revoke

And press Enter.

5. Test decryption of the revocation key.

In the future, if the revocation key is ever needed, decrypt it by typing.

gpg -o RevocationCertificateFilename.asc -d \~/storage/gpg-revoke/RevocationCertificateFilename.gpg

6. Shred the unencrypted revocation certificate that is sitting in the home folder.

sudo shred --remove RevocationCertificateFileName

Type exit to close the terminal and return to Thunderbird.

Final Thunderbird Preferences and Settings[edit]

General Thunderbird Preferences[edit]

1. Set the Menu Bar.

  • Return to the main Thunderbird window.
  • Click on the button with the 3 horizontal lines ("hamburger icon") toward the upper-right corner of the Thunderbird window.
  • Hover the mouse pointer over "Preferences."
  • When the next context menu appears, check the box next to "Menu Bar."

Figure: Thunderbird Menu Bar

Tempestupdate31.png

2. Access Thunderbird preferences.

In the menu bar, click on "Edit" and then click "Preferences."

Figure: Thunderbird Preferences

Tempestupdate32.png

3. Disable search and indexing functions.

  • In the window that appears, click the "Advanced" tab.
  • Uncheck the box next to "Enable Global Search and Indexer" (this will save disk space).
  • Click on the "Return Receipts" button.

Figure: Disable Global Search and Indexer

Tempestupdate33.png

4. Disable the return receipt function.

In the next window that appears, mark the circle next to "Never send a return receipt." Then, click the "OK" button.

Figure: Disable Return Receipts

Tempestupdate34.png

5. Disable the crash reporter.

After returning to the "Thunderbird Preferences" window, click the "Data Choices" tab. Then, uncheck the box next to "Enable Crash Reporter."

Figure: Disable Crash Reporter

Tempestupdate35.png

6. Disable website history.

Next, click the "Privacy" button. Then, uncheck the box next to "Remember websites and links I've visited" and click the "close" button.

Figure: Modify Privacy Settings

Tempestupdate36.png

Additional Settings[edit]

Some further changes are required that were unaddressed by Enigmail Setup Wizard.

1. Modify OpenPGP settings.

On the main Thunderbird window, click on EditAccount Settings

Figure: Thunderbird Account Settings

Tempestupdate37.png

In the window that appears:

  • Click on "OpenPGP Security" in the left column.
  • Check the boxes next to "Encrypt messages by default" and "Sign encrypted messages."
  • Uncheck the box next to "Use PGP/MIME by default."
  • Click the "Enigmail Preferences" button.

Figure: OpenPGP Options

Tempestupdate38.png

2. Enforce manual encryption.

In the "Sending" tab of the "Enigmail Preferences" window, click the circle next to "Manual encryption settings." Then click the circle next to "Always" under "Confirm before sending" and click the "OK" button.

Figure: Set Manual Encryption Settings

Tempestupdate39.png

After returning to the "OpenPGP Options" window, click the "OK" button.

Figure: Settings Confirmation

Tempestupdate40.png

Enigmail Key Management[edit]

Search for and Import GPG Keys[edit]

1. Navigate to the key management section of Enigmail.

In the menu bar, Click on EnigmailKey management

Figure: Enigmail Key Management

Tempestupdate41.png

2. Search for keys with a keyserver.

In the Key Management window that opens, your key is in bold. Click on KeyserverSearch for Keys

Figure: Key Search

Tempestupdate42.png

The next window that appears enables a search for GPG keys hosted on public GPG key servers. It is possible to search for GPG keys by email address, a short key ID or an individual's public GPG fingerprint.

This step starts a search for the key belong to anonguide@danwin1210.me based on its public GPG fingerprint. Paste.

81934E7B83E89CFD8C25F3D67FBD040886EC5FE0

In the field next to "Search for key" and click the "OK" button.

Figure: Fingerprint Key Search

Tempestupdate43.png

Info Always search with the long fingerprint of a GPG key in the key manager -- short or even long key IDs can be forged. [13]. The results are more secure and work more often. Everyone who shares a public GPG key should share a long fingerprint.

3. Import the desired key(s).

In the next window that appears, an entry for "anonguide@vfemail.net" with a Key ID starting with "81934E7B" should be displayed with a check mark next to it. Click the "OK" button to import the key.

Figure: Key Importation

Tempestupdate44.png

A window should appear stating that the key for "anonguide@danwin1210.me" was successfully imported.

When importing the key, it is not a problem that the email address is different from the "anonguide@vfemail.net" one listed above. Multiple email addresses can be used with a GPG public key.

"Anonguide@vfemail.net" is simply an older email address associated with the key. The important aspect to note is the fingerprint, which should appear as:

8193 4E7B 83E8 9CFD 8C25
F3D6 7FBD 0408 86EC 5FE0

Click the "OK" button to continue.

Info If the fingerprint is different than what is shown above, delete the key for the "anonguide" email address in the key manager and start over from the beginning of this section.

Figure: Key Importation Confirmation

Tempestupdate45.png

Ambox warning pn.svg.png Important: It is critical to verify any GPG public key that is added to the keyring with a fingerprint provided by the person you intend to communicate with.

Always remember that anyone can add a GPG public key to a key server and claim to belong to a certain email account. Consider the following attack vector:

  1. An attacker is monitoring an email account through surveillance.
  2. An encryption key is mistakenly used that was created to falsely correspond to the intended recipient of communications.
  3. The attacker is now able to read the user's email.

Add User ID to Key Properties[edit]

In this section an additional account is added to your GPG key. This is necessary due to the fact that the "danwin1210.me" email service also allows emails to be sent to and from its .onion domain, which is a good feature. Therefore, these steps add your email address with the .onion domain to the same GPG key. This makes it easier for software used by others to automatically select your GPG public key when sending an email to one of your addresses.

1. Open the "Key Properties" window.

Double-click on the key entry for the danwin1210.me email address to open the "Key Properties" window.

Figure: Select your Key

Tempestupdate46.png

2. Select the "Manage User IDs" option.

When the "Key Properties" window opens, click on the pull down menu entitled "Select action" and then click on "Manage User IDs."

Figure: User ID Management

Tempestupdate47.png

3. Add a User ID.

In the next window that appears, click the "Add" button.

Figure: Add User ID

Tempestupdate48.png

4. Complete the User ID fields.

  • In the field next to "Name," use the same name you chose when setting up the email account.
  • Next to the "email" field, add the username you chose followed by "@tt3j2x4k5ycaa5zt.onion"
  • In the example below, replace "youranonemail" with your user name.
  • Type youranonemail@tt3j2x4k5ycaa5zt.onion in the field next to "Email." Then, click the "OK" button.

Figure: User ID Fields

Tempestupdate49.png

5. Enter the GPG passphrase.

A prompt will appear to enter the GPG passphrase. Either copy and paste the GPG passphrase from KeePassXC, or manually enter it then click the "OK" button.

Figure: GPG Passphrase Prompt

Tempestupdate50.png

The next window should inform that the User ID was added successfully. Click the "Close" button.

Figure: GPG Passphrase Success

Tempestupdate51.png

6. Change the Primary User ID.

After returning to the "Change Primary User ID" window, click on the entry with the "danwin1210.me" domain. Then, click the "Set primary" button.

Figure: Primary User ID Setting

Tempestupdate52.png

The next window should inform that the Primary User ID was changed successfully. Click the "Close" button.

Figure: Primary User ID Successful Change

Tempestupdate53.png

7. Finalize the procedure.

After returning to the "Change Primary User ID" window, click the "Close Window" button.

Figure: Procedure Finalization

Tempestupdate54.png

Import Public Keys from Websites[edit]

On occasion, the GPG public key of an intended email recipient is not located on a key server, but a public key block is hosted on a website.

To import these keys into Thunderbird:

  1. Copy the public key from the website to the clipboard.
  2. Navigate to the Enigmail key management program: EnigmailKey Management
  3. Import the keys: EditImport Keys from Clipboard

Alternative Key Server Methods[edit]

There are two alternatives for interacting with key servers:

  • KGpg: To fetch contacts' GPG keys from the key server, open KGpg and navigate to Key Server Dialog. Search for relevant email addresses and import the keys.
  • GPG command line: Searching, fetching and importing keys from key servers from the command line [archive] is relatively simple.

Note: Previously, Enigmail's keyserver interaction features did not work out of the box. [14] [15] With these instructions, it should no longer be necessary to apply manual settings following a restart of Thunderbird in order to interact with key servers. [16] [17] [18] [19]

Export the Public Key to a GPG Server[edit]

1. Copy the GPG key fingerprint.

This is necessary to check the key is successfully exported at a later step and to set up a GPG key signature block. Use the mouse to highlight the text next to "Fingerprint." Then, right-click the highlighted text and click "copy."

Figure: GPG Key Fingerprint

Tempestupdate55.png

After copying the GPG fingerprint, click the "Close" button.

Figure: Key Properties Window Closure

Tempestupdate56.png

2. Select the key to be uploaded.

Right-click on the entry for the email address and click "Upload Public Keys to Keyserver."

Figure: Upload Public Keys

Tempestupdate57.png

A progress meter will then appear. If the upload is successful, no confirmation message will be received.

Figure: Upload Progress Meter

Tempestupdate58.png

3. Confirm the key was successfully uploaded.

To check that the GPG public key was successfully exported to the keyserver, do a search for your own key the same way you searched for the key belonging to "anonguide@danwin1210.me" in an earlier step.

Simply paste the public GPG fingerprint into the search field and remove the spaces between the letters and numbers.

4. Close the Enigmail Key Management window.

Click the "X" in the upper right corner of the window.

Public GPG Key Signature Block[edit]

The following steps configure Thunderbird to inform people about the public GPG key by embedding it in the email signature.

1. Navigate to account settings.

After returning to the main Thunderbird window, click on EditAccount Settings

Figure: Further Account Settings

Tempestupdate59.png

2. Create an email PGP signature block.

A signature is now created that will be included in all outgoing mail, which contains both the GPG public key ID and the GPG public key fingerprint. In the next window that appears:

  • Click in the text field located underneath "Signature text."
  • Paste the contents of the clipboard on to two separate lines in the text field.
  • On the first line:
    • Type "GPG Public Key:" before the fingerprint that was just pasted.
    • Delete all but the last 16 characters of the fingerprint from this line. [20]
    • Type "0x" (that is the numeral zero) directly in front of the remaining characters. [21]
  • On the second line, type "Fingerprint:" in front of the characters pasted there. This will help enable people who download the GPG public key to verify that it is they key you wish them to use. When finished, click the "OK" button.

Figure: PGP Email Signature Block

Tempestupdate60.png

Compose and Send Encrypted Email[edit]

The first section will test the correct sending of the first encrypted email to anonguide@danwin1210.me with Enigmail.

The second section outlines using KGpg instead of Enigmail. This is for users who require a higher level of security for importing private keys and creating ciphertext which can be sent via Thunderbird. [22] [23] [24] [25]

Using Enigmail[edit]

1. Compose a new email message.

Click the "Write" button located in the upper left region of the window.

Figure: Compose a New Email

Tempestupdate61.png

A new window will open for you to compose an email message.

Info Since the "danwin1210.me" email service is hosted on the .onion Tor server "tt3j2x4k5ycaa5zt.onion," you are going to send an email to the .onion domain. This keeps the transit of the email inside the Tor network, which is safer than transporting it in the clear. If an email provider of someone you want to send an email to uses a .onion domain, always use that domain in the "To" field if possible.

In the "To" field, type.

anonguide@tt3j2x4k5ycaa5zt.onion

In the "Subject" field, type.

key test

Next, type an innocuous message into the message body. Do not go into great detail; a large amount of text is unnecessary.

The point of this email is to test the encryption key and to become familiar with a common encrypted email exchange. Take note of the padlock and pencil icons located towards the upper-left side of the window next to the "Spelling" button. These icons should be marked as active with a green check mark, a gray square around them with the padlock closed, which means your message will be signed and encrypted (if you have a corresponding public key). To the far right of these icons, a status message also informs that the message will be signed and encrypted.

Ambox warning pn.svg.png In this configuration, the subject field is never encrypted, even when the message and attachments are encrypted. Therefore, be wary of any information entered into in the subject field.

2. Send the email message.

When the message is ready, click the "Send" button.

Figure: Send an Encrypted Email

Tempestupdate62.png

You may next be prompted to enter the GPG passphrase (if this window does not appear, skip to the next step). This makes it possible for the message sent to be signed. When a message is signed, this provides a mechanism for the email recipient to be confident that the sender actually wrote the email, and not an impostor. Type the passphrase and click the "OK" button.

Figure: GPG Passphrase Prompt

Tempestupdate63.png

After typing in the passphrase, a confirmation window will appear asking if a signed and encrypted email should be sent to anonguide@tt3j2x4k5ycaa5zt.onion. Take note of the body of the email message under that window. This text should be clearly visible:

-----BEGIN PGP MESSAGE-----

Followed by a series of random characters. This proves the email has been encrypted and it is safe to click the "Send Message" button. However, if the original text of the message is visible, then it is not encrypted and the "Cancel" button should be clicked.

Figure: Email Encryption Confirmation

Tempestupdate64.png

3. Enter the password for your email account.

A prompt will appear to enter the password for the danwin1210.me account. This will happen each time Thunderbird is started and the first email is sent, since the password is not stored by the program. However, once the password is entered, Thunderbird will remember it for the session. The same process applies to receiving email.

When asked to enter the password, copy it from KeePassXC (or refer to your physical record), paste it into the password field and click the "OK" button.

Figure: Passphrase Prompt

Tempestupdate65.png

Ambox warning pn.svg.png Do not use Thunderbird's Password Manager to store the password! Thunderbird does not encrypt stored passwords by default. Thus, if an attacker compromises the machine and manages to access the Thunderbird folder, they will gain the password to the email account.

After returning to the main Thunderbird window, a new "Sent" folder should appear in the Local Folders on the left side of the window, indicating the email to anonguide@danwin1210.me was sent.

Figure: Thunderbird Sent Folder

Tempestupdate66.png

Using KGpg[edit]

  1. Open KGpg and select the recipient key. If selecting more than one key, press CTRL while clicking.
  2. Navigate to: FileOpen Editor and write the message.
  3. Encrypt the message to ciphertext by clicking on the Encrypt lock icon. Choose your private key in the prompt that appears and click OK.
  4. Copy the ciphertext into Thunderbird and send it as per normal procedures. Do not include subject lines since they are not encrypted.

Download and Read Encrypted Email[edit]

In the near future, you will want to check if anyone has sent email messages or if a response was received to the test email composed in the previous section.

1. Check for new email messages.

From the main Thunderbird window, click the "Get Messages" icon to check for any new email messages on the server and download them.

Figure: New Email Check

Tempestupdate67.png

2. Enter the password.

A prompt will appear to enter the password for the email account. After entering the password, Thunderbird will remember it for the session. When asked to enter the password, type it into the password field (or copy and paste it from KeePassXC) and click the "OK" button.

Figure: Passphrase Prompt

Tempestupdate68.png

3. Read new (encrypted) email messages.

When new emails are received, a counter will appear next to "Inbox" in the left column. Click on "Inbox" to go to the list of new emails, then click the email that you wish to read.

Figure: Thunderbird Inbox

Tempestupdate69.png

If the message received was encrypted with your public key, the GPG passphrase is needed to decrypt it. If a window like the one in the image below appears, type the GPG passphrase and click the "OK" button.

Figure: GPG Passphrase Prompt

Tempestupdate70.png

The email will now display in the lower portion of the Thunderbird window. From here, you have the option of replying, forwarding, deleting and so on. If a message is read that was sent from anonguide@tt3j2x4k5ycaa5zt.onion with an Enigmail message stating "Good signature from AnonGuide <anonguide@tt3j2x4k5ycaa5zt.onion>," the encryption configuration is working correctly.

Figure: Successful Email Decryption

Tempestupdate71.png

Final Warnings[edit]

If all steps have been successfully completed then you now have an anonymous email account paired with strong encryption.

It should be emphasized this wiki entry is not a substitute for an all-inclusive tutorial on the safest way to use GPG/PGP encryption, however it provides a solid foundation for fundamental practices. Numerous advanced resources and expert opinions exist on the Internet, and these can provide additional tips that might better address a user's perceived threat model and circumstances. [26] At a minimum, it is recommended to review the Safe Email Principles section, along with additional learning resources.

Finally, always heed the following warnings regarding email:

  • Email is a very insecure means of communication where anonymity is concerned. A lot of metadata is leaked with email, so it should be used sparingly and only when strictly necessary.
  • Do not contact people you know in real life at non-anonymous email addresses with the email account that was created here. Always separate real world identities from online identities used with Whonix ™.
  • Be circumspect about sharing personal information in email! Encrypted email does not protect against the email recipient storing personal emails in an unencrypted format. Nor does encryption protect against an email recipient maliciously using personal information in order to exploit you.
  • Never include sensitive information in an email subject line, even if the email is encrypted! Subject headers in email are not encrypted in this configuration, despite the fact the rest of the message is.
  • If an email is sent to a recipient without encryption, assume it can be read by anyone!
  • Utilize the Tor Onion Service (.onion domain) whenever it is made available by the email provider. After first confirming the domain is controlled by the email provider, it will afford greater protection than a clearnet address.

Further Reading[edit]

Interested readers can refer to the following additional resources on GPG, Enigmail, KGpg, and safe email practices:

License[edit]

This wiki entry is based on chapter 4.6 of A Beginner Friendly Comprehensive Guide to Installing and Using a Safer Anonymous Operating System, which can be found here [archive]. This material has been used with the author's permission. [1]

Footnotes[edit]

  1. 1.0 1.1 http://forums.whonix.org/t/tor-project-support-of-whonix/5030 [archive]
  2. https://trac.torproject.org/projects/tor/wiki/torbirdy [archive]
  3. https://blog.torproject.org/our-latest-release-torbirdy-thunderbird-includes-new-enigmail-features [archive]
  4. https://trac.torproject.org/projects/tor/ticket/21880 [archive]
  5. Similarly, that same information should not be stored on electronic media in the first place, if that is feasible in the circumstances.
  6. Installed by default in Whonix ™ 15.
  7. Source:
    torproject.org Gnu Privacy Guard / GnuPG [archive]
    license [archive]:
    Content on this site is Copyright The Tor Project, Inc.. Reproduction of content is permitted under a Creative Commons Attribution 3.0 United States License [archive]. All use under such license must be accompanied by a clear and prominent attribution that identifies The Tor Project, Inc. as the owner and originator of such content. The Tor Project Inc. reserves the right to change licenses and permissions at any time in its sole discretion.
  8. This is because packages are often unsigned, and users may forget to update the software in a timely fashion.
  9. Or create random Diceware passphrases of sufficient length.
  10. Depending on the service provider in use, they may or may not enable TLS/STARTTLS connection security for their Onion domain. The reason is because it is redundant, as end-to-end Tor encryption provides security properties for authenticating to the server.
  11. This is optional because some users may not place trust in the integrity of KeePassXC or other password managers, and they remain an attractive target for hackers.
  12. This will be useful in case the passphrase is ever forgotten.
  13. Due to the threat of collisions, see: https://superuser.com/questions/769452/what-is-a-openpgp-gnupg-key-id [archive]
  14. As it has been made fail closed by TorBirdy developers [archive], otherwise there could be a DNS leak in setups not using Whonix ™.
  15. A previous proposal on how to make keyservers in Enigmail in Whonix ™ work out of the box: do not use keyserver-options in Whonix ™ [archive]
  16. Upstream bug report: Can't set custom http-proxy on GnuPG-settings, lost after restart [archive].
  17. There is no need for this setting in Whonix ™ since Enigmail calls GPG, everything is already torified, and gpg is stream isolated by a uwt wrapper.
  18. Forum discussion: https://forums.whonix.org/t/gpg-keyservers-from-within-whonix-workstation [archive]
  19. Previous instructions: ThunderbirdEnigmail (from menu bar)PreferencesDisplay Expert Settings and MenusAdvancedAdditional Parameters → remove the following part --keyserver-options http-proxy=http://127.0.0.1:8118 [archive]OK
  20. In the example below, the fingerprint consists of 10 groups of 4 characters. Delete the first six groups, then delete the spaces in between the remaining groups of characters.
  21. In the example below, that results in 0x1C593D788F0E5176. The end result of what is created here is the GPG public key ID. People can enter that into various GPG key servers to find the public key and send you encrypted messages.
  22. Avoiding Enigmail bypasses any unexpected behavior with message encryption. For instance, in one case bugs in email clients and Enigmail lead to the auto-saving of drafts as plaintext.
  23. https://tails.boum.org/security/claws_mail_leaks_plaintext_to_imap/index.en.html [archive]
  24. http://sourceforge.net/p/enigmail/bugs/502 [archive]
  25. Persons in critical situations may prefer to encrypt emails in such a way to mitigate the risk of leaks.
  26. For instance, users at high risk might generate a strong airgapped OpenPGP key pair on the command line for greater security, rather than rely on Enigmail.
  27. KGpg Homepage [archive], KGpg wiki with screenshot [archive]


Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Rss.png Matrix logo.svg.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate whonix.png

Share: Twitter | Facebook

We are looking for maintainers and developers.

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.