Encrypted Email with Thunderbird and Enigmail

About this Encrypted Email with Thunderbird and Enigmail Page
Support Status: stable
Difficulty: easy
Maintainer: torjunkie, tempest
Support: Support

Credits[edit]

Gratitude is expressed to tempest for permission to use this material for the Whonix wiki documentation. [1] This material forms chapter 4.5 of A Beginner Friendly Comprehensive Guide to Installing and Using a Safer Anonymous Operating System, which can be found here. Minor edits have been made to the source material: for phrasing, to incorporate Whonix wiki and external references where appropriate, and to accommodate Qubes-Whonix users.

Introduction[edit]

Because the software involved was historically complex, email encryption has been one of the most underused protections available to users. It is now far easier to take advantage of, via Thunderbird (Mozilla's email client) and Enigmail, a graphical front-end for the GnuPG ("GPG") encryption program. The TorBirdy extension is also available to make Thunderbird's connections take place over the Tor network. [2]


Encrypted subject and references headers are also now possible in Enigmail, reducing the leakage of metadata. [3] [4] However, PGP/MIME is not used in these instructions, to reduce the risk of Enigmail bugs exposing unencrypted messages; this means the subject line will not be encrypted. On the upside, this configuration allows the user to confirm that a message is actually encrypted before it is sent.

The following guide provides a higher security and privacy standard than relying upon online services such as ProtonMail or Lavabit, which promise "encrypted email" in transit or storage. Online systems can still be broken by an attacker capable of exploiting JavaScript flaws or undermining the certificate authorities that issue encryption certificates for websites. Further, online providers can be compelled by National Security Letters to allow government access for extended periods. This is often coupled with a gag order threatening severe legal sanctions, which prevents any announcement of the government backdoor. [5]

To minimize these risks, the following method of email encryption involves direct end-to-end encryption that can only be read by the intended recipient, making it much more secure. Further, a strong encryption key-pair is created so the user has strict control over the private key, which is stored securely.

Users should understand this method does not make email infallible - advanced adversaries can easily penetrate Internet-facing endpoints of targets with today's cutting-edge surveillance and offensive systems.


Always remember that mistakes or poor security practices on behalf of the email recipient can inadvertently lead to disclosures of plaintext.

The following guide provides steps to:

  1. Install the TorBirdy plugin for the Thunderbird email desktop client.
  2. Create an email account anonymously with a suitable provider via Tor Browser.
  3. Store the login credentials in KeePassX (optional).
  4. Setup the new email account: Thunderbird account settings, install necessary extensions (add-ons), and enforce connections to the email provider's Onion Service.
  5. Create an OpenPGP encryption key pair and revocation certificate using the Enigmail Setup Wizard.
  6. Encrypt and store the revocation certificate securely.
  7. Configure Thunderbird preferences for greater security and anonymity.
  8. Configure additional OpenPGP preferences via Enigmail.
  9. Key management: import GPG public keys.
  10. Export the public key to a GPG key server (optional).
  11. Prepare an email signature with the public GPG key ID and fingerprint (optional).
  12. Compose and send a test encrypted email to vfemail.net.
  13. Open an encrypted email received in Thunderbird.

Warnings[edit]


Operational security is imperative to maintain the integrity of properly encrypted email. Consider the following scenarios which would allow an adversary access to the plaintext or other metadata that might help deanonymize a user:

  • Even if all email sent to a recipient is encrypted, if the recipient fails to encrypt the email response, then adversaries will be able to read the message and likely a quote of the original one sent.
  • The names of email recipients cannot be encrypted and are therefore visible to adversaries. However, the subject line and references email header are now encrypted as of TorBirdy v2.3 and above - although disabled in the following configuration.
  • There are several different types of metadata that can be harvested from email, depending on how it is used. Therefore, users must be careful when relying on email for sensitive communications.

Glossary[edit]

Terms that are commonly used in reference to email encryption are outlined below.

Table: Email Encryption Terms [7]

Key Pair: A pair of asymmetric keys, commonly known as public and private keys.
Public Key: The half of a key pair that is distributed publicly and used for encryption.
Private Key: The half of a key pair that is kept secret and used for decryption.
Key Server: A server or website used for the distribution and verification of public keys.
Integrity: A verification that the enclosed contents have not been tampered with in transit.
Confidentiality: A verification that the enclosed contents are unreadable, except by the intended recipient.
Authentication: A verification that the person who is sending / signing is who they say they are.
Non-repudiation: Assurance that nobody, including the author, can dispute the origin of the message itself.
Asymmetric Keys: Commonly referred to as a 'keypair'. It is two separate keys: one public, one private.
Symmetric Keys: Symmetric encryption depends on using a password to encrypt the single key used for both encryption and decryption.

Install the Torbirdy Plugin in Thunderbird[edit]

The following instructions install the latest available version of TorBirdy from The Tor Project so manual changes to the display character set and key server options are not required. Users who prefer the version available from Debian stable (jessie v0.1.3-1; stretch v0.2.1-1) can instead install it from the command line.


Users who want to learn more about TorBirdy should refer to the official wiki documentation. A host of additional preferences can be optionally configured.

1. Open a Konsole session in Whonix-Workstation.


Qubes-Whonix: anon-whonix -> Konsole.

Non-Qubes-Whonix: Double-click the Konsole icon on the Desktop.

Figure: Konsole Shortcut

Tempest screenshot 1.png

2. Navigate to the Downloads directory.

In non-Qubes-Whonix, type.

cd Downloads

In Qubes-Whonix, type.

cd /home/user/Downloads

And press Enter.

3. Download TorBirdy.

Note: TorBirdy is a desktop email plugin created by the Tor Project to further anonymize Thunderbird. At the time of writing, the version available for download was v0.2.4.

Type.

wget https://www.torproject.org/dist/torbirdy/torbirdy-current.xpi

And press Enter.

4. Download the necessary files to verify the integrity of the TorBirdy installer.

Type.

wget https://www.torproject.org/dist/torbirdy/torbirdy-current.xpi.asc

And press Enter.

5. Import the GPG public key of Sukhbir Singh, one of the developers of TorBirdy.

Type.

gpg --recv-key E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA

And press Enter.

When the process completes, the screen should be similar to the screenshot below.

Figure: GPG Key Importation

Tempest screenshot 2.png

6. Verify the public key fingerprint.

It is important to verify the fingerprint of the key that was imported. Run.

gpg --fingerprint 0xE4ACD3975427A5BA8450A1BEB01C8B006DA77FAA

At the time of writing, the following output should appear.

pub   4096R/0xB01C8B006DA77FAA 2016-02-25 [expires: 2020-02-24]
         Key fingerprint = E4AC D397 5427 A5BA 8450  A1BE B01C 8B00 6DA7 7FAA
uid                 [ unknown] Sukhbir Singh <azadi@riseup.net>
uid                 [ unknown] Sukhbir Singh <sukhbir@torproject.org>
sub   4096R/0x1AF20C043D9F9289 2016-02-25 [expires: 2020-02-24]

7. Verify the integrity of TorBirdy.

Type.

gpg --verify torbirdy-current.xpi.asc

And press Enter.

When the verification is complete, the screen should look similar to the screenshot below. If the following message appears:

gpg: Good signature from "Sukhbir Singh <azadi@riseup.net>"

Then the integrity of the program installer has been successfully verified. The "key is not certified" warning that appears after that line can be safely ignored, because the key's fingerprint was already checked manually in step 6.

Figure: Good Signature Message

Tempest screenshot 3.png

If the following message appears:

gpg: BAD signature from "Sukhbir Singh <azadi@riseup.net>"

Delete torbirdy-current.xpi.asc and torbirdy-current.xpi and do not use them. A bad signature means the downloaded program may have been tampered with or was corrupted during the download process.

If this occurs, delete the files and either wait 10-15 minutes for the Tor circuits to change, or open up the "Arm Tor Controller" in the Whonix Gateway (sys-whonix) and type "n" to create new Tor circuits. Then, repeat steps 3-6 after a random period of time has elapsed.

If the following message appears:

gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc) should be the first file given on the command line.

Then delete the TorBirdy files, download them again and retry the verification step.
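Steps 3 to 7 above verify the download by reading gpg's human-readable output and then checking the key fingerprint by hand. The script below is an added example, not part of the original guide, that does the same check in one place: it reads gpg's machine-readable status lines (the --status-fd output) and accepts the signature only if it was made by the key with the fingerprint given in step 6. A "Good signature from Sukhbir Singh" line alone would also be printed for a valid signature by some other key carrying the same name; pinning the fingerprint closes that gap. It assumes gpg is installed and the signing key has been imported as in step 5; the SAMPLE_* status texts are constructed for illustration and only shaped like real gpg output.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify the TorBirdy download
# with GnuPG's machine-readable status lines (--status-fd) rather than by eye,
# and accept the signature only if it was made by the expected key.
# Assumptions: gpg is installed and the signing key was imported with
# "gpg --recv-key" as in step 5 of the guide. The fingerprint below is the one
# the guide prints; the SAMPLE_* status texts are constructed.

EXPECTED_FPR="E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA"

# check_gpg_status EXPECTED_FPR STATUS_TEXT
#   STATUS_TEXT is the "[GNUPG:] ..." output of gpg --status-fd. Prints a
#   verdict and returns 0 only for "good":
#     good          VALIDSIG present and its fingerprint equals EXPECTED_FPR
#     bad           BADSIG: the file was altered or corrupted
#     unverifiable  NODATA (no OpenPGP data) or ERRSIG (e.g. key not imported)
#     wrongkey      a valid signature, but made by some other key
#     unknown       no VALIDSIG line at all
check_gpg_status() {
    expected=$1
    status=$2

    if printf '%s\n' "$status" | grep -q '^\[GNUPG:] BADSIG '; then
        echo bad
        return 1
    fi
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:] (NODATA|ERRSIG) '; then
        echo unverifiable
        return 1
    fi
    # VALIDSIG: field 3 is the fingerprint of the key that made the signature,
    # the last field is the primary key fingerprint (they differ when a subkey
    # signed). Either may equal the fingerprint we pin.
    sigfpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:] VALIDSIG /{print $3; exit}')
    prifpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:] VALIDSIG /{print $NF; exit}')
    if [ -z "$sigfpr" ]; then
        echo unknown
        return 1
    fi
    if [ "$sigfpr" = "$expected" ] || [ "$prifpr" = "$expected" ]; then
        echo good
        return 0
    fi
    echo wrongkey
    return 1
}

# verify_download SIGNATURE_FILE DATA_FILE
#   Runs gpg with the status lines on stdout (the human-readable text stays on
#   stderr and is discarded) and applies check_gpg_status to them.
verify_download() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null)
    check_gpg_status "$EXPECTED_FPR" "$status"
}

# Constructed status texts shaped like real gpg output (timestamps and the
# unrelated key's fingerprint are placeholders).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B01C8B006DA77FAA Sukhbir Singh <azadi@riseup.net>
[GNUPG:] VALIDSIG E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA 2017-01-01 1483228800 0 4 0 1 10 00 E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG B01C8B006DA77FAA Sukhbir Singh <azadi@riseup.net>'
SAMPLE_NODATA='[GNUPG:] NODATA 1
[GNUPG:] NODATA 2'
# A valid signature from an unrelated key that merely copied the user id:
# the "Good signature from ..." text alone would not reveal this.
SAMPLE_WRONGKEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000001 Sukhbir Singh <azadi@riseup.net>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF00000001 2017-01-01 1483228800 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF00000001'

# Demo on the constructed samples; verify_download needs the real files.
for s in "$SAMPLE_GOOD" "$SAMPLE_BAD" "$SAMPLE_NODATA" "$SAMPLE_WRONGKEY"; do
    check_gpg_status "$EXPECTED_FPR" "$s" || :
done
# Usage inside ~/Downloads after steps 3 to 5 of the guide:
#   verify_download torbirdy-current.xpi.asc torbirdy-current.xpi \
#     || rm -f torbirdy-current.xpi torbirdy-current.xpi.asc
```

The demo loop prints good, bad, unverifiable and wrongkey for the four samples. The "wrongkey" case is the one worth remembering: gpg reports it as a good signature, so the fingerprint comparison, not the wording, is what ties the download to the developer's key.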

8. Modify TorBirdy to allow for importation/exportation of GPG keys in Thunderbird.


Without modifying Torbirdy, key management is much more difficult in Thunderbird due to various errors.

Type.

7z x torbirdy-current.xpi components

And press Enter.

9. Maximize the terminal window.

The part of the file that will be edited is indented far to the right with spaces, so it is easier to edit if the terminal window is maximized.

Click on the up-arrow (Qubes-Whonix: "+" key) in the upper right side of your terminal window.

Figure: Terminal Maximization

Tempest screenshot 4.png

10. Edit the torbirdy.js file.

Type.

nano components/torbirdy.js

And press Enter.

11. Open a search routine.

Press the LEFT-CTRL + W keys simultaneously to open a search routine. Type.

--display-charset utf-8

And press Enter.

Figure: Search Routine

Tempest screenshot 5.png

12. Modify the display character set.

The cursor will appear on a line that shows "--display-charset utf-8 " + as per the screenshot below.

Figure: Charset Search

Tempest screenshot 6.png

Remove the "+" sign and type.

Immediately following the quotation mark so it looks like the screenshot below.

Figure: Charset Modification

Tempest screenshot 7.png

13. Modify the keyserver options.

Move the cursor down 2 lines to the line beginning with "--keyserver-options" as pictured below.

Figure: Keyserver Options

Tempest screenshot 8.png

Type.

So it appears before the quotation mark as pictured below.

Figure: Modified Keyserver Options

Tempest screenshot 9.png

14. Save the modified file.

Press LEFT-CTRL + X buttons at the same time and type Y when asked about saving the modified buffer.

When prompted for the file name to write, press Enter.

15. Add the modified file to the torbirdy-current.xpi install package.

Type.

7z u torbirdy-current.xpi components/torbirdy.js

And press Enter.

16. Close the Konsole session.

Type.

exit

And press Enter.

Create a New Email Account with Tor Browser[edit]

1. Launch Tor Browser.

It is critical to create a new email account anonymously with Tor Browser.

In Whonix-Workstation (Qubes-Whonix: anon-whonix), launch Tor Browser via the icon on the toolbar (non-Qubes-Whonix) or via the Qubes VM Manager (or widget).

2. Choose an appropriate email provider.

First and foremost, there are multiple email providers that users can choose from. For the purpose of this tutorial, VFEmail (vfemail.net) is used as an example. This is not an endorsement for VFEmail, nor are they necessarily the most secure or private email provider available.

At the time of writing, VFEmail is one of the few free and reliable email providers offering POP3 email access through an .onion address, which does not require additional verification details to register an account.

For more details regarding the features and offerings of VFEmail, visit https://344c6kbnjnljjzlz.onion/faq.php. If used properly with GPG encryption, VFEmail's onion email service will provide the user with strong anonymity and privacy.


If problems are experienced with VFEmail, users should consider the use of alternatives such as cadamail, or refer to the list of providers recommended by The Tor Project, Whonix and JonDonym.

When Tor Browser opens, type.

https://344c6kbnjnljjzlz.onion/register

Into the URL bar to navigate to the VFEmail Onion Service web page.

Figure: VFEmail Onion Service

Tempest screenshot 10.png


3. Add an SSL certificate exception for the VFEmail .onion.

Tor Browser will warn that the web page "connection is not secure." This is expected. The warning arises because the SSL certificate received is issued for vfemail.net, but the domain the user is connected to is 344c6kbnjnljjzlz.onion.

Select "Advanced" -> Select "add exception".

Figure: SSL Certificate Exception

Tempest screenshot 11.png

4. Add a security exception for VFEmail.

A window prompting the user to "add security exception" will appear. Click on the "Confirm Security Exception" button.

Figure: Add a Security Exception

Tempest screenshot 12.png

5. Allow JavaScript for the registration page.

The registration screen for VFEmail will now load. At the time of writing, JavaScript is required for the registration process due to the CAPTCHA used to block spam bots. [12]

Click on the NoScript icon -> Select "temporarily allow https://344c6kbnjnljjzlz.onion"

Figure: JavaScript Temporary Permissions

Tempest screenshot 13.png

6. Register an email account name and password.

After the page reloads, a new email account name and password can be created.


Open up KeePassX and create an account and password entry for your new e-mail account with the warning above in mind.

When the password has been created in KeePassX (or manually with diceware passphrases):

  1. Type fake information into the fields under "First Name" and "Last Name."
  2. Type the email name that will be used in the field under "User Name."
  3. Select "vfemail.net" in the pull down menu under "Domain name."
  4. Copy (type) the password (passphrase) created in KeePassX (manually) and paste it into the fields under "Password" and "Confirm Password." [13]
  5. Check the box next to "I'm not a robot" and solve the CAPTCHA puzzles. When a green check appears next to "I'm not a robot," click on the "Create Account" button.


Figure: Account Creation

Tempest screenshot 14.png

7. Confirm the account creation.

The next screen will confirm an account has been created and the email address chosen will be displayed on the page. Optional: Copy that address and paste it into the "description" or "username" fields of KeePassX that are associated with your password immediately. [14]

Figure: Account Confirmation

Tempest screenshot 15.png

Next, save the KeePassX database. Then, click the X button to close Tor Browser and continue to the next step.

Setup the New Email Account[edit]

Thunderbird First Run[edit]

1. Open Thunderbird.

In non-Qubes-Whonix: Click the blue "K" start button -> Select "Mail Client."

In Qubes-Whonix: Click the blue "Q" button -> Click on anon-whonix -> Select "Thunderbird."

Figure: Thunderbird Email Client

Tempest screenshot 17.png

2. Close unnecessary windows on the first run.

When Thunderbird first opens, two windows will appear inside of it. These should be cancelled. In the window entitled "Mail Account Setup," click the "Cancel" button.

Figure: Mail Account Setup Cancellation

Tempest screenshot 18.png

Next, in the "Enigmail Setup Wizard," click the "Cancel" button.

Figure: Enigmail Setup Wizard Cancellation

Tempest screenshot 19.png

When the "Enigmail Alert" window appears, click the "Close" button.

Figure: Dismiss Enigmail Alert

Tempest screenshot 20.png

Install and Configure TorBirdy[edit]

1. Navigate to the add-ons manager.

After reaching the main Thunderbird window, click on the Thunderbird Menu icon which looks like a hamburger symbol - three horizontal lines stacked on top of each other - towards the top right side of the window. Then, click on "Add-ons."

Figure: Thunderbird Add-ons Manager

Tempest screenshot 21.png

2. Disable plugins.

Next, click on "Extensions." Then click the "Disable" buttons next to "Lightning" and "Torbirdy" to disable them.


Figure: Disable Plugins

Tempest screenshot 22.png

3. Install the latest TorBirdy release and restart Thunderbird.

The modified version of TorBirdy will now be installed. Click the gear icon towards the top of the window and then click on "Install Add-on From File..."

Figure: TorBirdy File Installation

Tempest screenshot 23.png

In the next window that appears, click on "user" under "Places" towards the left side of the window. Then, double-click on Downloads.

Figure: Downloads Folder

Tempest screenshot 24.png

At the next screen, click on torbirdy-current.xpi and then click the "Open" button.

Figure: Select the TorBirdy File

Tempest screenshot 25.png

Next, a "Software Installation" window will appear warning to only install add-ons from authors you trust. After the brief time delay finishes, click the "Install Now" button.

Figure: Install the TorBirdy Add-on

Tempest screenshot 26.png

After being returned to the "Add-ons Manager" in Thunderbird, click the "Restart Now" button that appears towards the top of the window.

Figure: Restart Thunderbird

Tempest screenshot 27.png

Thunderbird Second Run[edit]

When Thunderbird opens, a window will appear asking if you would like a new e-mail address. Click on the button stating "I think I'll configure my account later."

Figure: Configure the Account Later

Tempest screenshot 28.png

After returning to the "Add-ons Manager," at the bottom of the Thunderbird window, a message will appear asking "Would you like to help improve Thunderbird Mail/News by automatically reporting memory usage, performance and responsiveness to Mozilla?" Click the "No" button.

Figure: Uncheck Automatic Reports

Tempest screenshot 29.png

Enable the new version by clicking the "Enable" button next to "Torbirdy."

Figure: Enable TorBirdy

Tempest screenshot 30.png

After TorBirdy is enabled, click on the "Restart now" link that causes Thunderbird to restart.

Figure: Restart Thunderbird

Tempest screenshot 31.png

Configure the Thunderbird Email Account[edit]

1. Configure the email account on Thunderbird's third run.

The first window that appears after restarting Thunderbird will prompt to configure an email account. Type a suitable alias in the field next to "Your name." This will appear next to the email address in emails you send to others.

Next, type the vfemail.net email address that was just created into the field next to "Email address." Finally, uncheck "remember password" and click the "Continue" button.


Figure: Email Account Details

Tempest screenshot 32.png

The next window that appears will inform that Torbirdy has blocked the automatic configuration process to protect your anonymity. Click on the "OK" button to continue.

Figure: Disabled Auto-configuration

Tempest screenshot 33.png

2. Configure Thunderbird to connect to the email Onion Service.

In the next window, Thunderbird must be configured to connect to the Onion Service of vfemail.net (change the values as appropriate for alternate providers). The fields to change are highlighted in red in the figure below:

  • Type 344c6kbnjnljjzlz.onion in the field next to "Server Name."
  • Type the complete email address into the field next to "User Name."
  • Uncheck the box next to "Leave messages on server."
  • Check the box next to "Empty Trash on Exit" and continue to the next step.


Figure: Onionized Server Configuration

Tempest screenshot 34.png

3. Configure Thunderbird folders.

Click on "Copies and Folders" in the left column. Each option to change is highlighted in red in the figure below:

  • In the pull down menu next to "Sent Folder on", select "Local Folders."
  • Next, in the pull down menu next to "Archives Folder on", select "Local Folders."
  • In the pull down menu next to "Drafts Folder on", select "Local Folders."
  • In the pull down menu next to "Templates Folder on", select "Local Folders."
  • Check the box next to "Show confirmation dialog when messages are saved."


Figure: Folder Configuration

Tempest screenshot 35.png

4. Empty Thunderbird trash on exit.

Click on "Local Folders" in the left column. Then, mark the box next to "Empty trash on exit."

Figure: Empty Local Folders

Tempest screenshot 36.png

5. Configure the outgoing server.

Click on "Outgoing Server (SMTP)" in the left column. Then, click on the "Edit" button.

Figure: Outgoing Server Configuration

Tempest screenshot 37.png

In the next window that appears:

  • Type 344c6kbnjnljjzlz.onion (or alternative .onion) in the field next to "Server Name."
  • Click on the pulldown menu next to "Connection security" and select "STARTTLS." [15]
  • Type the complete email address into the field next to "User Name."
  • Finally, click the "OK" button.


Figure: Onionized Server Configuration

Tempest screenshot 38.png

After returning to the "Account Settings" window, click the "OK" button.

Figure: Confirm Settings

Tempest screenshot 39.png

After returning to the "Add-ons Manager" tab of Thunderbird, click on the "x" in the tab entitled "Add-ons Manager" to close the Add-ons Manager window.

Figure: Close Add-ons Manager

Tempest screenshot 40.png

Create an OpenPGP Key Pair and Revocation Certificate[edit]

There are two methods for creating an OpenPGP key pair and revocation certificate - using either the Enigmail Setup Wizard, or manually creating them from the command line. The easier Enigmail method is outlined below, but the manual creation of stronger keys from the command line is recommended for high risk users.

Enigmail Setup Wizard[edit]

1. Start the Enigmail Setup Wizard.

After returning to the main Thunderbird window, click the "hamburger" icon that has the 3 horizontal bars towards the upper right corner.

Then, hover the mouse over "Preferences" and click "Menu Bar" when the next menu appears.

Figure: Menu Bar

Tempest screenshot 41.png

A menu bar will now appear towards the top of the Thunderbird window. In the menu bar, click "Enigmail" and then click "Setup Wizard."

Figure: Enigmail Setup Wizard

Tempest screenshot 42.png

2. Create the OpenPGP key pair.

The Enigmail Setup Wizard will start running. On the next screen, click the circle next to "I prefer an extended configuration" and then click the "Next" button.

Figure: Extended Enigmail Configuration

Tempest screenshot 43.png

Next, a prompt will appear to either create a GPG keypair or use an existing one.

Click the circle next to "I want to create a new key pair for signing and encrypting my email" and then click the "Next" button.

Figure: Create a New Key Pair

Tempest screenshot 44.png

In the next window that appears, a prompt will appear to create a passphrase for the GPG private key.


A strong passphrase provides an extra layer of protection if the machine is ever compromised and the GPG secret key is stolen: it prevents the attacker from easily decrypting emails sent to you, or from impersonating you by signing emails with the GPG key.

Type an appropriately secure and random passphrase into the fields under "Passphrase" and "Please confirm your passphrase by typing it again." Then, click on the "Next" button.

Optional: Create a new entry in KeePassX to store the GPG passphrase and manually enter the passphrase into the new entry. Then, save the KeePassX database. This will be useful if the GPG passphrase is forgotten. [16]

Figure: GPG Private Key Passphrase

Tempest screenshot 45.png

At this point, Enigmail will begin creating the new GPG key pair. When it finishes, click the "Create Revocation Certificate" button.

Figure: Create a Revocation Certificate

Tempest screenshot 46.png

3. Create the revocation certificate.

A prompt will now appear to enter the passphrase created in the last step. Paste the GPG passphrase from KeePassX (or enter it manually) in the "Passphrase" field and click the "OK" button.

Figure: Enter the GPG Passphrase

Tempest screenshot 47.png

The next window will ask where the GPG Revocation Certificate should be stored.

Click on "user" in the left column. Next, replace the spaces and parentheses signs with periods in the default filename for the GPG Revocation Certificate. The spaces and parentheses signs in the default name can make a step later in this guide trickier. Finally, click the "Save" button.

Figure: Store the Revocation Certificate

Tempest screenshot 48.png

Next, a message will inform that the GPG revocation certificate was successfully created. Click the "OK" button.

Figure: Certificate Creation Confirmation

Tempest screenshot 49.png

After returning to the "Key Creation" window, click the "Next" button.

Figure: Finalize the Procedure

Tempest screenshot 50.png

The next window will state that Enigmail is now ready to use. Click the "Finish" button.

Figure: Enigmail Success

Tempest screenshot 51.png

4. Encrypt and store the revocation certificate.

The revocation certificate will now be encrypted and stored in the persistent storage directory. The GPG revocation certificate can be used to revoke the public encryption key that is added to key servers, even if access to the GPG Secret Key is lost or the password is forgotten.

If an attacker accesses the GPG revocation certificate, they can revoke the keys. Encrypting the GPG revocation certificate with a passphrase that is easily remembered will protect against an attacker using it to revoke the keys (if they manage to steal the revocation certificate).

Open up a Konsole / Terminal session to get a command prompt.

  • In non-Qubes-Whonix: Click the "K" start button -> Click "Terminal."
  • In Qubes-Whonix: Click the "Q" taskbar button -> anon-whonix -> Konsole.


Figure: Open a Terminal

Tempest screenshot 52.png

When the terminal window opens, create a directory to store the encrypted GPG revocation key in the persistent storage folder. Run the following commands.

mkdir storage
mkdir storage/gpg-revoke

To encrypt the revocation certificate, in the command below, replace "RevocationCertificateFileName" with the name of the revocation certificate. Type.

gpg --cipher-algo AES256 --symmetric RevocationCertificateFileName

A prompt will appear to "Enter passphrase." Choose a strong passphrase and enter it into the passphrase field, then click the "OK" button.


If the revocation certificate ever needs to be used, then this passphrase is first used to decrypt it.

Optional: Create a new entry in KeePassX to store the GPG revocation certificate passphrase and manually enter the passphrase into the new entry. Then, save the KeePassX database. This will be useful in case the passphrase is forgotten.

Figure: Passphrase Prompt

Tempest screenshot 53.png

A prompt will appear, asking for the passphrase to be re-entered. Type it again into the passphrase field and click the "OK" button.

Figure: Passphrase Confirmation

Tempest screenshot 54.png

Note: If an error appears that states.

gpg: error creating passphrase: invalid passphrase

Then a typo was made somewhere in the last two steps. Start over from the earlier step "Encrypt the revocation certificate."

If no error messages appear and the user is returned to the command prompt, type.

mv *.gpg storage/gpg-revoke

And press Enter.

In the future, if the revocation certificate is ever needed, decrypt it by typing.

gpg -o RevocationCertificateFileName.asc -d ~/storage/gpg-revoke/RevocationCertificateFileName.gpg

5. Shred the unencrypted revocation certificate.

Remove the unencrypted revocation certificate that is sitting in the home folder.

sudo shred --remove RevocationCertificateFileName

Type exit to close the terminal and return to Thunderbird.

Manual Creation from the Command Line[edit]

Advanced users should follow these instructions.

Configure Final Thunderbird Preferences[edit]

1. Edit the final Thunderbird preferences.

Navigate to the main Thunderbird window, then Click on "Edit" -> "Preferences."

Figure: Thunderbird Preferences

Tempest screenshot 55.png

In the window that appears, click the "Advanced" tab. Uncheck the box next to "Enable Global Search and Indexer." This will save disk space. Next, click the "Return Receipts" button.

Figure: Enable Global Search and Indexer

Tempest screenshot 56.png

In the next window that appears, mark the circle next to "Never send a return receipt." Then, click the "OK" button.

Figure: Disable Return Receipts

Tempest screenshot 57.png

After returning to the "Thunderbird Preferences" window, click the "Data Choices" tab. Then, uncheck the box next to "Enable Crash Reporter."

Figure: Disable Crash Reporter

Tempest screenshot 58.png

Next, click the "Privacy" button. Then, uncheck the boxes next to "Remember websites and links I've visited" and "Accept cookies from sites." Then, click the "close" button.

Figure: Modify Privacy Settings

Tempest screenshot 59.png

2. Change settings that were not addressed by the Enigmail Setup Wizard.

On the main Thunderbird window, click on Edit -> Account Settings.

Figure: Thunderbird Account Settings

Tempest screenshot 60.png

In the window that appears:

  • Click on "OpenPGP Security" in the left column.
  • Check the boxes next to "Encrypt messages by default" and "Sign encrypted messages."
  • Uncheck the box next to "Use PGP/MIME by default."
  • Click the "Enigmail Preferences" button. [17]


Figure: OpenPGP Options

Tempest screenshot 61.png

In the "Sending" tab of the "Enigmail Preferences" window, click the circle next to "Manual encryption settings." Then click the circle next to "Always" under "Confirm before sending" and click the "OK" button.

Figure: Set Manual Encryption Settings

Tempest screenshot 62.png

When returned to the "OpenPGP Options" window, click the "OK" button.

Figure: Settings Confirmation

Tempest screenshot 63.png

3. Configure Enigmail Key Management.

In the menu bar, Click on Enigmail -> Key management.

Figure: Enigmail Key Management

Tempest screenshot 64.png

In the Key Management window that opens, your key is in bold and the key imported for Sukhbir Singh is also visible. Click on Keyserver -> Search for Keys.

Figure: Key Search

Tempest screenshot 65.png

Search for GPG keys[edit]

The next window that appears enables a search for GPG keys hosted on public GPG key servers. It is possible to search for GPG keys by e-mail address, a short key ID or an individual's public GPG fingerprint.

This step starts a search for the key belonging to anonguide@vfemail.net based on its public GPG fingerprint. Paste.

64222A88D25730910C47A904BD8083C5237F796B

In the field next to "Search for key" and click the "OK" button.

Figure: Fingerprint Key Search

Tempest screenshot 66.png


In the next window that appears, an entry for "anonguide@bitmessage.ch" with a Key ID of "237F796B" should be displayed with a check mark next to it. Click the "OK" button to import the key.

Figure: Key Importation

Tempest screenshot 67.png

A window should appear stating that the key for "anonguide@vfemail.net" was successfully imported.

It is not a problem that the e-mail address is different than the "anonguide@bitmessage.ch" listed above when importing the key. Multiple e-mail addresses can be used with a GPG public key.

"Anonguide@bitmessage.ch" is simply an older e-mail address associated with the key. The important aspect to note is the fingerprint, which should appear as:

6422 2A88 D257 3091 0C47 A904 BD80 83C5 237F 796B

Click the "OK" button to continue.


Figure: Key Importation Confirmation

Tempest screenshot 68.png


It is important to realize that anyone can add a GPG public key to a key server and claim, via the user ID, to belong to a certain email account; key servers verify nothing. Consider the following attack vector:

  1. An attacker is monitoring an email account through surveillance and uploads a key of their own creation that carries the target's e-mail address.
  2. The sender searches the key server by e-mail address, mistakenly imports the attacker's key and encrypts to it.
  3. The attacker is now able to read the user's email. If the attacker also re-encrypts each message to the genuine key and relays it, neither party notices anything.

The defence is the one used above: obtain the full fingerprint over a separate channel (in person, from a website the recipient controls, from an earlier signed message) and compare it with the imported key before sending anything.

Import Public Keys from Websites[edit]

On occasion, the GPG public key of an intended email recipient is not located on a key server, but a public key block is hosted on a website.

To import these keys into Thunderbird:

  • Copy the public key from the website to the clipboard.
  • Navigate to the Enigmail key management program: Enigmail -> Key Management
  • Import the keys: Edit -> Import Keys from Clipboard

Alternate Key Server Methods[edit]

There are two alternatives for interacting with key servers:

  • KGpg: To fetch contacts' GPG keys from the key server, open KGpg and navigate to Key Server Dialog. Search for relevant email addresses and import the keys.
  • GPG command line: searching, fetching and importing keys from key servers from the command line is relatively simple (gpg --search-keys to look a key up, gpg --recv-keys with the full fingerprint to fetch it).


Note: Enigmail's keyserver interaction features previously did not work out of the box. [19] [20] With these instructions, it should no longer be necessary to apply manual settings following a restart of Thunderbird in order to interact with key servers. [21] [22] [23] [24]
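
The fingerprint check described under "Search for GPG keys" and the command-line route mentioned above amount to the same discipline: fetch the key, then verify what actually landed in the keyring by full fingerprint and nothing else. The following Python script is an added example written for this page; it is not part of the original guide, of Enigmail or of GnuPG. It parses the machine-readable output of gpg --with-colons --fingerprint (the format Enigmail itself reads from gpg), selects a key only by its full fingerprint, derives the key IDs Enigmail displays from that fingerprint, and lists every other key that claims the same e-mail address, which is what the attack described above looks like in a keyring. The listing it runs on is constructed, including a hypothetical impostor key, and the function names are the example's own.

```python
import re

# Fingerprint obtained over a separate channel; here, the one printed in this guide.
EXPECTED_FINGERPRINT = "6422 2A88 D257 3091 0C47 A904 BD80 83C5 237F 796B"

# Constructed sample of `gpg --with-colons --fingerprint` output. The second key is
# a hypothetical impostor: same e-mail address in its user ID, different fingerprint.
GENUINE_FPR = "64222A88D25730910C47A904BD8083C5237F796B"
IMPOSTOR_FPR = "0" * 24 + "FEDCBA9876543210"
SAMPLE_LISTING = "\n".join([
    "tru::1:1500000000:0:3:1:5",
    "pub:-:4096:1:BD8083C5237F796B:1400000000:::-:::scESC::::::23::0:",
    "fpr" + ":" * 9 + GENUINE_FPR + ":",
    "uid:-::::1400000000::" + "0" * 40 + "::anonguide@vfemail.net::::::::::0:",
    "uid:-::::1400000000::" + "1" * 40 + "::anonguide@bitmessage.ch::::::::::0:",
    "sub:-:4096:1:0123456789ABCDEF:1400000000::::::e::::::23:",
    "fpr" + ":" * 9 + "0" * 24 + "0123456789ABCDEF" + ":",   # subkey fingerprint
    "pub:-:2048:1:FEDCBA9876543210:1500000000:::-:::scESC::::::23::0:",
    "fpr" + ":" * 9 + IMPOSTOR_FPR + ":",
    "uid:-::::1500000000::" + "2" * 40 + "::anonguide@vfemail.net::::::::::0:",
])


def normalize_fingerprint(fpr: str) -> str:
    """Strip the spaces Enigmail displays and any '0x' prefix, then upper-case."""
    fpr = fpr.strip()
    if fpr.lower().startswith("0x"):
        fpr = fpr[2:]
    return re.sub(r"\s+", "", fpr).upper()


def key_ids(fingerprint: str) -> tuple:
    """Long (64-bit) and short (32-bit) key IDs of a v4 key are the trailing 16 and
    8 hex digits of its fingerprint; the short one is what the search dialog shows."""
    f = normalize_fingerprint(fingerprint)
    return "0x" + f[-16:], "0x" + f[-8:]


def parse_colon_listing(listing: str) -> list:
    """Parse `gpg --with-colons` output into one record per primary key.
    fields[0] is the record type, fields[4] the key ID, fields[9] the user ID
    on 'uid' records and the fingerprint on 'fpr' records."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            keys.append({"keyid": fields[4], "fingerprint": None, "uids": []})
        elif not keys:
            continue  # records before the first 'pub' (e.g. 'tru') carry no key data
        elif rtype == "fpr" and keys[-1]["fingerprint"] is None:
            # The first 'fpr' after 'pub' is the primary key's; later ones belong to subkeys.
            keys[-1]["fingerprint"] = fields[9]
        elif rtype == "uid":
            keys[-1]["uids"].append(fields[9])
    return keys


def select_key(keys: list, expected_fingerprint: str) -> dict:
    """Pick the key to encrypt to by its full fingerprint, never by address or key ID."""
    want = normalize_fingerprint(expected_fingerprint)
    if not re.fullmatch(r"[0-9A-F]{40}", want):
        raise ValueError("expected a full 40-hex-digit v4 fingerprint, not a key ID")
    matches = [k for k in keys if k["fingerprint"] == want]
    if len(matches) != 1:
        raise LookupError("found %d keys with fingerprint %s" % (len(matches), want))
    return matches[0]


def impostors(keys: list, email: str, expected_fingerprint: str) -> list:
    """Key IDs of every key that claims `email` but is not the expected key:
    exactly what an attacker's keyserver upload looks like after a search by address."""
    want = normalize_fingerprint(expected_fingerprint)
    email = email.lower()
    return [k["keyid"] for k in keys
            if k["fingerprint"] != want
            and any(email in uid.lower() for uid in k["uids"])]


if __name__ == "__main__":
    keys = parse_colon_listing(SAMPLE_LISTING)
    key = select_key(keys, EXPECTED_FINGERPRINT)
    print("genuine key:", key["keyid"], key["uids"])
    print("key IDs derived from the fingerprint:", key_ids(EXPECTED_FINGERPRINT))
    print("keys claiming the address but not matching:",
          impostors(keys, "anonguide@vfemail.net", EXPECTED_FINGERPRINT))
```

Against a real keyring, feed the output of gpg --with-colons --fingerprint to parse_colon_listing. select_key refuses a short key ID outright and raises if the fingerprint is absent or turns up on more than one key, while impostors() surfaces the keys a search by e-mail address would have offered instead; key_ids() shows that the "237F796B" in Enigmail's search result is nothing more than the tail of the fingerprint, and so proves nothing on its own.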

Export the Public Key to a GPG Server[edit]

Right-click on the entry for the email address and click "Upload Public Keys to Keyserver."

Figure: Upload Public Keys

Tempest screenshot 69.png

A progress meter will then appear. If the upload is successful, no confirmation message will be received.

Figure: Upload Progress Meter

Tempest screenshot 70.png

To check that the GPG public key was successfully uploaded to the keyserver, do a search for your own key the same way you searched for the key belonging to "anonguide@vfemail.net" in an earlier step.

To inspect the GPG fingerprint:

Right-click on the GPG key -> Click "Key Properties."

The GPG fingerprint will appear towards the top of the window. Highlight it and then copy it to the clipboard.

To search for it in a manner similar to the earlier step, paste it into the search field and simply remove the spaces between the letters and numbers.

Public GPG Key Signature Block[edit]

1. Locate the key's fingerprint.

The following steps configure Thunderbird to inform people about the public GPG key via embedding it in the email signature.

Double-click on the key entry for the vfemail.net (or alternate) email address to open the "Key Properties" window.

Figure: Key Properties

Tempest screenshot 71.png

In the window that appears, use the mouse to highlight the text next to "Fingerprint." Then, right-click the highlighted text and click "Copy."

Figure: Copy the Key Fingerprint

Tempest screenshot 72.png

When the GPG fingerprint has been copied, click the "Close" button.

Figure: Procedure Confirmation

Tempest screenshot 73.png

Now, close the Enigmail Key Management window. Click the "X" in the upper right corner of the window.

Figure: Close Enigmail Key Management

Tempest screenshot 74.png

After returning to the main Thunderbird window, click on Edit -> Account Settings.

Figure: Further Account Settings

Tempest screenshot 75.png

2. Create a PGP email signature.

A signature is now created that will be included in all outgoing mail, which contains both the GPG public key ID and the GPG public key fingerprint. In the next window that appears:

  • Click in the text field located underneath "Signature text."
  • Paste the contents of the clipboard on to two separate lines in the text field.
  • On the first line:
    • Type "GPG Public Key:" before the fingerprint that was just pasted.
    • Delete all but the last 16 characters of the fingerprint from this line. [25]
    • Type "0x" (that is the numeral zero) directly in front of the remaining characters. [26]
  • On the second line, type "Fingerprint:" in front of the characters pasted there. This will help enable people who download the GPG public key to verify that it is the key you wish them to use. When finished, click the "OK" button.


Figure: PGP Email Signature Block

Tempest screenshot 76.png

Compose and Send Encrypted Email[edit]

The first section will test the correct sending of the first encrypted email to anonguide@vfemail.net with Enigmail.

The second section outlines using KGpg instead of Enigmail. This is for users who require a higher level of security for importing private keys and creating ciphertext which can be sent via Thunderbird. [27] [28][29] [30]

Using Enigmail[edit]

1. Compose a new email message.

Click the "Write" button located in the upper left region of the window.

Figure: Compose a New Email

Tempest screenshot 77.png

A new window will open for you to compose an email message. In the "To" field, type:

anonguide@vfemail.net

In the "Subject" field, type:

key test

Next, type an innocuous message into the message body. Do not go into great detail; a large amount of text is unnecessary.

The point of this email is to test the encryption key and to become familiar with a common encrypted email exchange. Take note of the padlock and pencil icons located towards the upper-left side of the window next to the "Enigmail:" header. These icons should be marked as active by a gray square around them with the padlock closed, which means the message will be signed and encrypted (if you possess a corresponding public key). To the far right of these icons, a status message also informs that the message will be signed and encrypted.


2. Send the email message.

When the message is ready for sending, click the "Send" button.

Figure: Send an Encrypted Email

Tempest screenshot 78.png

A prompt will appear to enter the GPG passphrase. The passphrase unlocks the private key so that the message can be signed. A signature gives the email recipient a way to be confident that the holder of the key, and not an impostor, wrote the email. Type the passphrase and click the "OK" button.

Figure: GPG Passphrase Prompt

Tempest screenshot 79.png

After typing in the passphrase, a confirmation window will appear asking if a signed and encrypted email should be sent to anonguide@vfemail.net. Take note of the body of the email message under that window. This text should be clearly visible:

-----BEGIN PGP MESSAGE-----

followed by lines of base64 characters and a closing -----END PGP MESSAGE----- line. This shows the body has been replaced by an OpenPGP armored block and it is safe to click the "Send Message" button. If the original text of the message is still visible, it is not encrypted and the "Cancel" button should be clicked. One caveat: a message that is signed but not encrypted is also armored as a PGP MESSAGE and looks just as random, so also check that the confirmation window itself says the message will be signed and encrypted, not merely signed.

Figure: Email Encryption Confirmation

Tempest screenshot 80.png
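
The visual check above can be made mechanical for a saved draft, a copied message body or the ciphertext produced by KGpg. The following Python script is an added example written for this page, not part of the original guide or of Enigmail. It validates the armor's CRC-24 checksum as defined in RFC 4880 (section 6.1) and then inspects the first packet tag: a message that is really encrypted starts with a session-key packet (tag 1 or 3) or an encrypted-data packet (tag 9 or 18), whereas a signed-only message starts with a one-pass signature (tag 4), compressed data (tag 8) or a signature (tag 2) and would look exactly as random in the confirmation window. The sample bodies are constructed; only their first byte is a meaningful packet header, the rest is filler, and the function names are the example's own.

```python
import base64
import re

# CRC-24 parameters from RFC 4880, section 6.1 (the armor checksum).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# Packet tags (RFC 4880, section 4.3) a genuinely encrypted message starts with:
# 1 = Public-Key Encrypted Session Key, 3 = Symmetric-Key Encrypted Session Key,
# 9 = Symmetrically Encrypted Data, 18 = Sym. Encrypted Integrity Protected Data.
ENCRYPTED_FIRST_TAGS = {1, 3, 9, 18}


def crc24(data: bytes) -> int:
    """Bit-serial CRC-24 as given in RFC 4880."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_message(packets: bytes) -> str:
    """Wrap raw packet bytes in a 'PGP MESSAGE' armor block with a valid checksum."""
    b64 = base64.b64encode(packets).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    checksum = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode("ascii")
    return "\n".join(["-----BEGIN PGP MESSAGE-----", ""] + body
                     + ["=" + checksum, "-----END PGP MESSAGE-----", ""])


def first_packet_tag(packets: bytes) -> int:
    """Tag of the first packet (RFC 4880, section 4.2); the caller checks bit 7."""
    b = packets[0]
    if b & 0x40:                 # new-format header: tag in the low six bits
        return b & 0x3F
    return (b >> 2) & 0x0F       # old-format header: tag in bits 5..2


def classify_body(text: str) -> str:
    """Classify a mail body as 'plaintext', 'malformed', 'bad-checksum',
    'encrypted' or 'signed-only'."""
    text = text.replace("\r\n", "\n")
    m = re.search(r"-----BEGIN PGP MESSAGE-----\n(.*?)\n-----END PGP MESSAGE-----",
                  text, re.S)
    if not m:
        return "plaintext"
    lines = [l.rstrip() for l in m.group(1).split("\n")]
    if "" not in lines:          # armor headers end with a blank line before the data
        return "malformed"
    body = [l for l in lines[lines.index("") + 1:] if l]
    if not body or not body[-1].startswith("="):
        return "malformed"       # the last line must be the '=XXXX' checksum
    try:
        packets = base64.b64decode("".join(body[:-1]), validate=True)
        expected = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    except ValueError:           # binascii.Error is a ValueError subclass
        return "malformed"
    if crc24(packets) != expected:
        return "bad-checksum"
    if not packets or not packets[0] & 0x80:
        return "malformed"       # every packet header has bit 7 set
    return "encrypted" if first_packet_tag(packets) in ENCRYPTED_FIRST_TAGS else "signed-only"


# Constructed sample bodies. 0xC1 is a new-format header for tag 1 (encrypted
# session key); 0xC4 is one for tag 4 (one-pass signature). The rest is filler.
ENCRYPTED_SAMPLE = armor_message(b"\xc1" + b"\x00" * 20)
SIGNED_ONLY_SAMPLE = armor_message(b"\xc4" + b"\x00" * 20)
PLAINTEXT_SAMPLE = "Hello, this is the key test message.\n"

if __name__ == "__main__":
    for label, sample in [("encrypted", ENCRYPTED_SAMPLE),
                          ("signed-only", SIGNED_ONLY_SAMPLE),
                          ("plaintext", PLAINTEXT_SAMPLE)]:
        print("%-12s -> %s" % (label, classify_body(sample)))
```

The checksum step matters for a body that was pasted by hand, as in the KGpg procedure later on this page: a truncated or line-wrapped paste still begins with -----BEGIN PGP MESSAGE----- but will be rejected by the recipient's GnuPG, so a bad-checksum result is a reason to paste again rather than send.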

3. Add a security exception.

The first time an email is sent, an "Add Security Exception" window will next appear (this is expected). The warning appears because the SSL certificate that was received is issued for vfemail.net (or the alternate provider's clearnet name), but Thunderbird is configured to connect to the 344c6kbnjnljjzlz.onion domain, so the name does not match.

Before confirming, inspect the certificate shown in that window. A name mismatch is expected; an unknown issuer, or a certificate that differs from the one the provider serves on its clearnet name, is not, and would suggest the .onion address is not the provider's. Click the "Confirm Security Exception" button; this action is not required again in the future.

Figure: Add a Security Exception

Tempest screenshot 81.png

4. Resend the email message.

As a result of the issue with the SSL certificate in the last step, the sending of the message will fail. Select the Thunderbird "Write: key test" window from the task bar.

Figure: Select the Key Test Window

Tempest screenshot 82.png

Next, click the "OK" button in the "Send Message Error" window that appears.

Figure: Message Failure Notification

Tempest screenshot 83.png

After returning to the email composition window, click the "Send" button again.

Figure: Resend the Email

Tempest screenshot 84.png

Finally, a prompt will appear to confirm that a signed and encrypted email should be sent. Click the "Send Message" button.

Figure: Send Email Confirmation

Tempest screenshot 85.png

Next, a prompt will appear to enter the password for the vfemail.net account. This will happen each time Thunderbird is started and the first email is sent, since the password is not stored by the program. However, once the password is entered, Thunderbird will remember it for the session. The same process applies to receiving email.

When asked to enter the password, copy it from KeePassX (or refer to your physical record), paste it into the password field and click the "OK" button.

Figure: Passphrase Prompt

Tempest screenshot 86.png


After returning to the main Thunderbird window, a new "Sent" folder should appear in the Local Folders on the left side of the window, indicating the email to anonguide@vfemail.net was sent.

Figure: Thunderbird Sent Folder

Tempest screenshot 87.png

5. Optional: Send the GPG public key as an attachment.

Sometimes it is necessary to send an email to an address where the GPG public key is not in the keyring. If the GPG public key for the e-mail address cannot be located through a search, it is possible to send them your public key.

After reaching the new mail composition window, the GPG public key can be sent to the recipient as an attachment. Since this message will not be encrypted, click on the padlock icon next to "Enigmail:" so it looks like an open lock. Then, click on the "Attach My Public Key" button before sending the email.

Figure: GPG Public Key Attachment

Tempest screenshot 88.png

After composing the message, click the "Send" button.

Using KGpg[edit]

1. Open KGpg and select the recipient key. If selecting more than one key, press CTRL while clicking.

2. Navigate to: File -> Open Editor and write the message.

3. Encrypt the message to ciphertext by clicking on the Encrypt lock icon. Choose your private key in the prompt that appears and click OK.

4. Copy the ciphertext into Thunderbird and send it as per normal procedures. Do not include subject lines since they are not encrypted.

Download and Read Encrypted Email[edit]

Sooner or later, the user will want to check whether anyone has sent email messages or whether a response to the test email composed in the previous section has arrived.

1. Check for new email messages.

From the main Thunderbird window, click the "Get Messages" icon to check for any new email messages on the server and download them.

Figure: New Email Check

Tempest screenshot 89.png

2. Add a security exception.

When first checking for mail on vfemail.net, another "Add Security Exception" window will appear (this is expected). The warning is because the SSL certificate received is issued for vfemail.net, but the email desktop client is connecting to the 344c6kbnjnljjzlz.onion domain (or alternate .onion address). As when sending, inspect the certificate first: the name mismatch is expected, but it should be the same certificate, from the same issuer, that the provider serves on its clearnet name. Click the "Confirm Security Exception" button; this action is not needed again in the future.

Figure: Add a Security Exception

Tempest screenshot 90.png

3. Read email messages in the inbox.

After returning to the main Thunderbird window, click the "Get Messages" button again.

Figure: Recheck for New Messages

Tempest screenshot 91.png

A prompt will appear to enter the password for the email account. After entering the password, Thunderbird will remember it for the session. When asked to enter the password, copy it from KeePassX (or from physical records), paste it into the password field and click the "OK" button.

Figure: Passphrase Prompt

Tempest screenshot 92.png

When new emails are received, a counter will appear next to "Inbox" in the left column. Click on "Inbox" to go to the list of new emails. Then, click the email that you wish to read.

Figure: Thunderbird Inbox

Tempest screenshot 93.png

If the message received was encrypted to your public key, the GPG passphrase is needed to unlock the private key that decrypts it. If a window like the one in the image below appears, type the GPG passphrase and click the "OK" button.

Figure: GPG Passphrase Prompt

Tempest screenshot 94.png

The email will now display in the lower portion of the Thunderbird window. From here, the user has the option of replying, forwarding, deleting, and so on. If a message is read that was sent from anonguide@vfemail.net, the encryption configuration is working correctly.

Figure: Successful Email Decryption

Tempest screenshot 95.png

Final Warnings[edit]

If all steps have been successfully completed then the user now has an anonymous email account paired with strong encryption.

It should be emphasized this wiki entry is not a substitute for an all-inclusive tutorial on the safest way to use GPG/PGP encryption. Numerous advanced resources and expert opinions exist on the Internet, and these can provide additional tips that might better address a user's perceived threat model and circumstances. [32] However, this tutorial provides a solid foundation that lays down the basic fundamentals of using email encryption.

Finally, always heed the following warnings regarding email:

  • E-mail is a very insecure means of communication where anonymity is concerned. A lot of metadata is leaked with e-mail, so it should be used sparingly and only when strictly necessary.
  • Do not contact people you know in real life at non-anonymous email addresses with the email account that was created here. Always separate real world identities from online identities used with Whonix.
  • Be circumspect about sharing personal information in email! Encrypted email does not protect against the email recipient storing personal emails in an unencrypted format. Nor does encryption protect against an email recipient maliciously using personal information in order to exploit you.
  • Never include sensitive information in an email subject line, even if the email is encrypted! Subject headers in email are not encrypted in this configuration, despite the fact the rest of the message is.
  • If an email is sent to a recipient without encryption, assume it can be read by anyone!
  • Utilize the Tor Onion Service (with the .onion extension) whenever it is made available by the email provider. After first confirming the domain is controlled by the email provider, it will afford greater protection than a clearnet address.

Further Reading[edit]

Interested readers can refer to the following additional resources on GPG, Enigmail, KGpg, and safe email practices:

License[edit]

This wiki entry is based on chapter 4.5 of A Beginner Friendly Comprehensive Guide to Installing and Using a Safer Anonymous Operating System, which can be found here. This material has been used with the author's permission. [34]

Footnotes[edit]

  1. http://forums.whonix.org/t/tor-project-support-of-whonix/5030
  2. https://trac.torproject.org/projects/tor/wiki/torbirdy
  3. https://blog.torproject.org/our-latest-release-torbirdy-thunderbird-includes-new-enigmail-features
  4. https://trac.torproject.org/projects/tor/ticket/21880
  5. As was the case for RiseUp. Relying on warrant canaries alone is also not recommended, as they have proven ineffective in several cases.
  6. Similarly, that same information should not be stored on electronic media in the first place, if that is feasible in the circumstances.
  7. This material is taken directly from the Tor Project wiki.
  8. TorBirdy sets the Socks Host to 10.152.152.10 and Port to 9102 if the WHONIX variable is set, which is the default in /etc/environment since Whonix 0.5.5.
  9. TorBirdy v2.4 and later work without these modifications.
  10. Without modifications, Enigmail cannot fetch GPG keys because TorBirdy points to a local proxy running on port 8118, which is not running in the Whonix-Workstation. Prior to TorBirdy v2.4, the modification of the --display-charset and --keyserver-options lines allow for the fetching or uploading of GPG keys with Enigmail and Thunderbird.
  11. Or create random diceware passphrases of sufficient length.
  12. This is undesirable from a security perspective. Email providers which do not rely upon JavaScript for registration should be preferred in general, such as cadamail.
  13. The obvious alternative is to write it down at home and store it in a safe place.
  14. Alternatively it may be written down.
  15. Depending on the service provider in use, they may or may not enable TLS/STARTTLS connection security for their Onion domain. The reason is because it is redundant, as end-to-end Tor encryption provides security properties for authenticating to the server. It is best to leave it turned on by default and only disable it if problems arise.
  16. This is optional because some users may not place trust in the integrity of KeePassX.
  17. Note this action prevents TorBirdy from encrypting the subject line and references headers, but improves confirmation of email encryption prior to it being sent.
  18. Due to the threat of collisions, see: https://superuser.com/questions/769452/what-is-a-openpgp-gnupg-key-id
  19. As it has been made fail closed by TorBirdy developers, otherwise there could be a DNS leak in setups not using Whonix.
  20. A previous proposal on how to make keyservers in Enigmail in Whonix work out of the box: do not use keyserver-options in Whonix
  21. Upstream bug report: Can't set custom http-proxy on GnuPG-settings, lost after restart.
  22. There is no need for this setting in Whonix since Enigmail calls GPG, everything is already torified, and gpg is stream isolated by a uwt wrapper.
  23. Forum discussion: https://forums.whonix.org/t/gpg-keyservers-from-within-whonix-workstation
  24. Previous instructions: Thunderbird -> Enigmail (from menu bar) -> Preferences -> Display Expert Settings and Menus -> Advanced -> Additional Parameters -> remove the following part --keyserver-options http-proxy=http://127.0.0.1:8118 -> OK
  25. In the example below, the fingerprint consists of 10 groups of 4 characters. Delete the first six groups, then delete the spaces in between the remaining groups of characters.
  26. In the example below, that results in 0xE2A4440ABE1DE630. The end result of what is created here is the GPG public key ID. People can enter that into various GPG key servers to find the public key and send you encrypted messages.
  27. Avoiding Enigmail bypasses any unexpected behavior with message encryption. For instance, in one case bugs in email clients and Enigmail lead to the auto-saving of drafts as plaintext.
  28. https://tails.boum.org/security/claws_mail_leaks_plaintext_to_imap/index.en.html
  29. http://sourceforge.net/p/enigmail/bugs/502
  30. Persons in critical situations may prefer to encrypt emails in such a way to mitigate the risk of leaks.
  31. The TorBirdy version currently installed supports this feature, but this was deactivated in earlier configuration steps.
  32. For instance, users at high risk might generate a strong airgapped OpenPGP key pair on the command line for greater security, rather than rely on Enigmail.
  33. KGpg Homepage, KGpg wiki with screenshot
  34. http://forums.whonix.org/t/tor-project-support-of-whonix/5030


Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)