
Encrypted Email with Thunderbird, Enigmail and TorBirdy

From Whonix

About this Encrypted Email with Thunderbird and Enigmail Page
Support Status: stable
Difficulty: medium
Maintainer: tempest / torjunkie

Credits

Gratitude is expressed to tempest for permission to use this material for the Whonix ™ wiki documentation. [1] This material forms chapter 4.5 of A Beginner Friendly Comprehensive Guide to Installing and Using a Safer Anonymous Operating System, which can be found here. Minor editorial changes have been made to the source material, along with additional Qubes-Whonix ™ steps and wiki / external references where appropriate.

Introduction

Due to the complexity of software in the past, one of the most underutilized forms of protection for users is email encryption. However, it is now easier to take advantage of encrypted email via the use of Thunderbird (Mozilla's email client) and Enigmail, which is a graphical front-end for using the GnuPG ("GPG") encryption program. The TorBirdy extension is also available to make Thunderbird connections take place over the Tor network. [2]

Warning: It is estimated that within 10 to 15 years, quantum computers will break today's common asymmetric public-key cryptography algorithms used for web encryption (https), e-mail encryption (GnuPG...), SSH and other purposes. See Post-Quantum Cryptography (PQCrypto).

Encrypted subject and references headers are also now possible in Enigmail, reducing the leakage of metadata. [3] [4] However, MIME is not used in these instructions to reduce the risk of Enigmail bugs exposing unencrypted messages, meaning the subject line will not be encrypted. On the upside, this configuration change allows the user to confirm their message is actually encrypted before it is sent.

The following guide provides a higher security and privacy standard than relying upon online services such as ProtonMail or Lavabit, which promise "encrypted email" in transit or storage. Online systems can still be broken by an attacker capable of exploiting JavaScript flaws or undermining the certificate authorities that provide encryption certificates for websites; see Webmail. Further, online providers can be compelled by National Security Letters to allow government access for extended periods. This is often coupled with a gag order that threatens severe legal sanctions, preventing any announcement of the government backdooring. [5]

To minimize these risks and improve security, the following guide uses a suitable Desktop Email Client instead of webmail, paired with strong, end-to-end encryption that protects the contents so it can only be read by the intended recipient. Further, a strong encryption key-pair is created so the user has strict control over the private key, which is stored securely. Keep in mind this method does not make email infallible -- advanced adversaries can easily penetrate Internet-facing endpoints of targets with today's cutting-edge surveillance and offensive systems. Also, mistakes or poor security practices on behalf of the email recipient can inadvertently lead to disclosures of plaintext.

Tip: If possible, critical information that is of high value should not traverse computer networks at all, or even risk exposure to Internet-facing computers. [6] High-risk users might also consider combining the use of One Time Pads with email encryption for even greater security, and creating an airgapped OpenPGP key pair rather than relying on Enigmail as per these instructions.

Overview

The following guide provides steps to:

  1. Install the Thunderbird email client.
  2. Install the Enigmail add-on for Thunderbird.
  3. Install the TorBirdy plugin for the Thunderbird email desktop client.
  4. Create an email account anonymously with a suitable provider via Tor Browser.
  5. Store the login credentials in KeePassXC (optional). [7]
  6. Set up the new email account: Thunderbird account settings, install necessary extensions (add-ons), and enforce connections to the email provider's Onion Service.
  7. Create an OpenPGP encryption key pair and revocation certificate using the Enigmail Setup Wizard.
  8. Encrypt and store the revocation certificate securely.
  9. Configure Thunderbird preferences for greater security and anonymity.
  10. Configure additional OpenPGP preferences via Enigmail.
  11. Key management: import GPG public keys.
  12. Export the public key to a GPG key server (optional).
  13. Prepare an email signature with the public GPG key ID and fingerprint (optional).
  14. Compose and send a test encrypted email to vfemail.net.
  15. Open an encrypted email received in Thunderbird.

Warnings

Warning: Due to email's design, it is a very insecure system where privacy and anonymity are concerned. Use it sparingly, and only with great discipline and caution.

Operational security is imperative to maintain the integrity of properly encrypted email. Consider the following scenarios which would allow an adversary access to the plaintext or other metadata that might help deanonymize a user:

  • Even if all email sent to a recipient is encrypted, if the recipient fails to encrypt the email response, then adversaries will be able to read the message and likely a quote of the original one sent.
  • The names of email recipients cannot be encrypted and are therefore visible to adversaries. However, the subject line and references email header are now encrypted as of TorBirdy v2.3 and above - although disabled in the following configuration.
  • There are several different types of metadata that can be harvested from email, depending on how it is used. Therefore, users must be careful when relying on email for sensitive communications.

Glossary

Terms that are commonly used in reference to email encryption are outlined below.

Table: Email Encryption Terms [8]

Term             Description
---------------  -------------------------------------------------------------------------------
Key Pair         A pair of asymmetric keys, commonly known as public and private keys.
Public Key       The half of a key pair that is distributed publicly and used for encryption.
Private Key      The half of a key pair that is kept secret and used for decryption.
Key Server       A server or website used for the distribution and verification of public keys.
Integrity        A verification that the enclosed contents have not been tampered with in transit.
Confidentiality  A verification that the enclosed contents are unreadable, except by the intended recipient.
Authentication   A verification that the person who is sending / signing is who they say they are.
Non-repudiation  Assurance that nobody, including the author, can dispute the origin of the message itself.
Asymmetric Keys  Commonly referred to as a 'keypair'. It is two separate keys: one public, one private.
Symmetric Keys   Symmetric encryption depends on using a password to encrypt the single key used for both encryption and decryption.

Warning: Unless otherwise instructed to do so, manual installation of packages should be avoided, even trusted ones. [9] To install software, users should prefer the APT secure package manager. For more information, see: Installing Software Best Practices.

Install the Thunderbird Email Client

Users who would like to learn more about Thunderbird should refer to the official support page. However, modifications should not be made to Thunderbird unless you know what you are doing.

The Thunderbird email client can be installed from Konsole using the APT secure package manager.

In Whonix-Workstation ™ (whonix-ws-14 TemplateVM in Qubes-Whonix ™) Konsole, run.

sudo apt-get install thunderbird

Note: If the following output appears, Thunderbird is already installed and no further action is needed.

Reading package lists... Done
Building dependency tree       
Reading state information... Done
thunderbird is already the newest version.

Install Enigmail Add-on for Thunderbird

Enigmail provides Thunderbird users with access to the authentication and encryption features provided by GnuPG. For a full listing of features and configuration options, see the official Enigmail Documentation.

The Enigmail add-on can be installed from Konsole using the APT secure package manager.

In Whonix-Workstation ™ (whonix-ws-14 TemplateVM in Qubes-Whonix ™) Konsole, run.

sudo apt-get install enigmail

Note: If the following output appears, Enigmail is already installed and no further action is needed.

Reading package lists... Done
Building dependency tree       
Reading state information... Done
enigmail is already the newest version.

Install the TorBirdy Plugin in Thunderbird

Note: TorBirdy is an equivalent of TorButton. Proxy settings are not required for Stream Isolation because Whonix ™ has been natively supported since TorBirdy v0.1.0. [10]

Users who want to learn more about TorBirdy should refer to the official wiki documentation. A host of additional preferences can be optionally configured.

The following instructions install the latest available version of TorBirdy from The Tor Project so manual changes to the display character set and key server options are not required. Users who prefer the version available from Debian stable can instead install it from the command line and make necessary manual adjustments. [11]

Tor Project Download

1. Open a Konsole session in Whonix-Workstation ™.

Tip: Users should create a dedicated VM / AppVM solely for the use of encrypted email with Thunderbird.

Qubes-Whonix ™: anon-whonix → Konsole

Non-Qubes-Whonix: Double-click the Konsole icon on the Desktop.

Figure: Konsole Shortcut

Tempest screenshot 1.png

2. Navigate to the Downloads directory.

In Non-Qubes-Whonix ™, type.

cd Downloads

In Qubes-Whonix ™, type.

cd /home/user/Downloads

And press Enter.

3. Download TorBirdy.

Note: TorBirdy is a desktop email plugin created by the Tor Project to further anonymize Thunderbird. At the time of writing, the version available for download was v0.2.6. [12]

Type.

wget https://www.torproject.org/dist/torbirdy/torbirdy-current.xpi

And press Enter.

4. Download the necessary files to verify the integrity of the TorBirdy installer.

Type.

wget https://www.torproject.org/dist/torbirdy/torbirdy-current.xpi.asc

And press Enter.

5. Import the GPG public key of Sukhbir Singh, one of the developers of TorBirdy.

Type.

gpg --recv-key E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA

And press Enter.

When the process completes, the screen should be similar to the screenshot below.

Figure: GPG Key Importation

Tempest screenshot 2.png

6. Verify the public key fingerprint.

It is important to verify the fingerprint of the key that was imported. Run.

gpg --fingerprint 0xE4ACD3975427A5BA8450A1BEB01C8B006DA77FAA

At the time of writing, the following output should appear.

pub   4096R/0xB01C8B006DA77FAA 2016-02-25 [expires: 2020-02-24]
         Key fingerprint = E4AC D397 5427 A5BA 8450  A1BE B01C 8B00 6DA7 7FAA
uid                 [ unknown] Sukhbir Singh <azadi@riseup.net>
uid                 [ unknown] Sukhbir Singh <sukhbir@torproject.org>
sub   4096R/0x1AF20C043D9F9289 2016-02-25 [expires: 2020-02-24]

7. Verify the integrity of TorBirdy.

Type.

gpg --verify torbirdy-current.xpi.asc

And press Enter.

When the verification is complete, the screen should look similar to the screenshot below. If the following message appears:

gpg: Good signature from "Sukhbir Singh <azadi@riseup.net>"

Then the integrity of the program installer has been successfully verified. The "key is not certified" warning that appears after that line can be safely ignored.

Figure: Good Signature Message

Tempest screenshot 3.png

If the following message appears:

gpg: BAD signature from "Sukhbir Singh <azadi@riseup.net>"

Delete torbirdy-current.xpi.asc and torbirdy-current.xpi and do not use them. A bad signature means the downloaded program may have been tampered with or was corrupted during the download process.

If this occurs, delete the files and either wait 10-15 minutes for the Tor circuits to change, or open up the "Arm Tor Controller" in the Whonix ™ Gateway (sys-whonix) and type "n" to create new Tor circuits. Then, repeat steps 3-6 after a random period of time has elapsed.

If the following message appears:

gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc) should be the first file given on the command line.

Then delete the TorBirdy files, download them again and retry the verification step.
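The checks in steps 6 and 7 can be expressed as code, which makes it clearer what "good signature" must mean: the fingerprint of the signing key (or of its primary key) must equal the one pinned above, and the "key is not certified" warning is irrelevant once that pin holds. This is an added example, not part of the original guide or of TorBirdy: it parses the machine-readable lines GnuPG emits with `--status-fd`, and the sample status lines, the subkey fingerprint and the timestamps in it are constructed placeholders.

```python
import re

# Fingerprint the guide tells the reader to expect for the TorBirdy signing key.
EXPECTED_FPR = "E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA"


def normalize_fingerprint(text):
    """Reduce any fingerprint spelling ('0x' prefix, hex grouped with
    spaces, lower case) to the bare upper-case 40-hex-digit form."""
    text = text.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    return re.sub(r"\s+", "", text).upper()


def fingerprint_from_listing(listing):
    """Pull the fingerprint out of `gpg --fingerprint` output (step 6)."""
    for line in listing.splitlines():
        if "Key fingerprint =" in line:
            return normalize_fingerprint(line.split("=", 1)[1])
    return None


def check_signature(status_lines, expected_fpr):
    """Decide whether a `gpg --verify` run (step 7) should be trusted.

    status_lines are the lines gpg writes to --status-fd (documented in
    GnuPG's doc/DETAILS). Returns (ok, reason). Only VALIDSIG carries full
    fingerprints; GOODSIG reports just a long key ID and is never enough.
    """
    want = normalize_fingerprint(expected_fpr)
    signed_by = None
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "BADSIG":
            return False, "BAD signature: delete both files and re-download"
        if keyword == "NODATA":
            return False, "no valid OpenPGP data: the .asc file is missing or corrupt"
        if keyword == "ERRSIG":
            return False, "signature could not be checked, e.g. signing key not imported (step 5)"
        if keyword == "VALIDSIG":
            # fields[2] is the fingerprint of the key that made the signature,
            # usually a signing subkey; when present, the 12th field is the
            # primary key's fingerprint, which is what the guide pins.
            signed_by = {normalize_fingerprint(fields[2])}
            if len(fields) >= 12:
                signed_by.add(normalize_fingerprint(fields[11]))
        # TRUST_UNDEFINED ("key is not certified") is expected here: the
        # fingerprint pin below replaces web-of-trust certification.
    if signed_by is None:
        return False, "no VALIDSIG line: signature was not verified"
    if want not in signed_by:
        return False, "good signature but from an unexpected key: " + ", ".join(sorted(signed_by))
    return True, "good signature from the expected key " + want


# Constructed sample outputs for the cases the guide walks through. The
# subkey fingerprint and timestamps are placeholders, not real values.
SUBKEY_FPR = "0000000000000000000000001AF20C043D9F9289"
GOOD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 1AF20C043D9F9289 Sukhbir Singh <azadi@riseup.net>",
    "[GNUPG:] VALIDSIG " + SUBKEY_FPR + " 2017-01-01 1483228800 0 4 0 1 10 00 "
    + EXPECTED_FPR,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
BAD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 1AF20C043D9F9289 Sukhbir Singh <azadi@riseup.net>",
]
NODATA_STATUS = ["[GNUPG:] NODATA 1"]
WRONG_KEY_STATUS = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <x@example.invalid>",
    "[GNUPG:] VALIDSIG " + "F" * 40 + " 2017-01-01 1483228800 0 4 0 1 10 00 "
    + "F" * 40,
]
FINGERPRINT_LISTING = """pub   4096R/0xB01C8B006DA77FAA 2016-02-25 [expires: 2020-02-24]
         Key fingerprint = E4AC D397 5427 A5BA 8450  A1BE B01C 8B00 6DA7 7FAA
uid                 [ unknown] Sukhbir Singh <azadi@riseup.net>
"""

if __name__ == "__main__":
    print("step 6:", fingerprint_from_listing(FINGERPRINT_LISTING) == EXPECTED_FPR)
    for name, status in [("good", GOOD_STATUS), ("bad", BAD_STATUS),
                         ("nodata", NODATA_STATUS), ("wrong key", WRONG_KEY_STATUS)]:
        print("step 7,", name + ":", check_signature(status, EXPECTED_FPR))
```

To run it against a real download, feed the lines of `gpg --status-fd 1 --verify torbirdy-current.xpi.asc torbirdy-current.xpi` to `check_signature`, keeping the signature file first on the command line as the guide says.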

Debian Stable Download

Note: These steps only need to be completed if TorBirdy was installed from the Debian stretch stable repository. [13] [14]

Important: This modification is for Whonix ™ only! The same TorBirdy steps in any other OS may harm anonymity or privacy!

1. Modify TorBirdy to allow for importation/exportation of GPG keys in Thunderbird.

Without modifying TorBirdy, key management is much more difficult in Thunderbird due to various errors.

Type.

7z x torbirdy-current.xpi components

And press Enter.

2. Maximize the terminal window.

The part of the file that will be edited is indented far to the right with spaces. Therefore it is easier to edit if the terminal window is maximized.

Click on the up-arrow (Qubes-Whonix ™: "+" key) in the upper right side of your terminal window.

Figure: Terminal Maximization

Tempest screenshot 4.png

3. Edit the torbirdy.js file.

Type.

nano components/torbirdy.js

And press Enter.

4. Open a search routine.

Press the LEFT-CTRL + W keys simultaneously to open a search routine. Type.

--display-charset utf-8

And press Enter.

Figure: Search Routine

Tempest screenshot 5.png

5. Modify the display character set.

The cursor will appear on a line that shows "--display-charset utf-8 " + as per the screenshot below.

Figure: Charset Search

Tempest screenshot 6.png

Remove the "+" sign and type.

,

Immediately following the quotation mark so it looks like the screen shot below.

Figure: Charset Modification

Tempest screenshot 7.png

6. Modify the keyserver options.

Move the cursor down 2 lines to the line beginning with "--keyserver-options" as pictured below.

Figure: Keyserver Options

Tempest screenshot 8.png

Type.

//

So it appears before the quotation mark as pictured below.

Figure: Modified Keyserver Options

Tempest screenshot 9.png

7. Save the modified file.

Press LEFT-CTRL + X buttons at the same time and type Y when asked about saving the modified buffer.

When prompted for the file name to write, press Enter.

8. Add the modified file to the torbirdy-current.xpi install package.

Type.

7z u torbirdy-current.xpi components/torbirdy.js

And press Enter.

9. Close the Konsole session.

Type.

exit

And press Enter.

Create a New Email Account with Tor Browser

Choose an Appropriate Email Provider

Note: VFEmail servers are down and are likely to remain that way permanently. Do not try to use VFEmail as a provider. Choose an alternative from the list of providers recommended by The Tor Project, Whonix ™ and JonDonym. Please be patient - wiki maintainers are currently updating this page and a new email provider will soon be used in all relevant sections.

First and foremost, there are multiple email providers that users can choose from. For the purpose of this tutorial, VFEmail (vfemail.net) is used as an example. This is not an endorsement for VFEmail, nor are they necessarily the most secure or private email provider available. Refer to the list of Onion Service Providers for possible alternatives.

At the time of writing, VFEmail is one of the few free and reliable email providers offering POP3 email access through an .onion address, which does not require additional verification details to register an account. For more details regarding the features and offerings of VFEmail, visit https://344c6kbnjnljjzlz.onion/faq.php. If used properly with GPG encryption, VFEmail's onion email service will provide the user with strong anonymity and privacy.

If problems are experienced with VFEmail, refer to the list of providers recommended by The Tor Project, Whonix ™ and JonDonym.

Warning: Never forget this is an Onion Service, which means there is no way of determining who is running it. If GPG is not used to encrypt e-mail and/or the recipient of email does not encrypt it either, it can be easily read by the e-mail service provider, random computers on the internet that relay a sent email message, or anyone else who manages to gain access to the account!

Anonymous Registration

It is critical to create a new email account anonymously with Tor Browser. In Whonix-Workstation ™ (Qubes-Whonix ™: anon-whonix), launch Tor Browser via the icon on the toolbar (Non-Qubes-Whonix ™) or via the Qube Manager (or widget).

When Tor Browser opens, type.

https://344c6kbnjnljjzlz.onion/register

Into the URL bar to navigate to the VFEmail Onion Service web page.

Figure: VFEmail Onion Service

Tempest screenshot 10.png

Note: If using another email provider, navigate to the respective registration page, create the new account, use KeePassXC to generate a password for it, [15] and continue from the Set up the New Email Account section.

Add SSL Certificate / Security Exceptions

Add an SSL certificate exception for the VFEmail onion service. Tor Browser will warn that the web page "connection is not secure." This is expected. The warning arises because the SSL certificate received is for vfemail.net, but the domain the user is connected to is 344c6kbnjnljjzlz.onion.

Select "Advanced" → Select "add exception"

Figure: SSL Certificate Exception

Tempest screenshot 11.png

Next, add a security exception for VFEmail.

A window prompting the user to "add security exception" will appear. Click on the "Confirm Security Exception" button.

Figure: Add a Security Exception

Tempest screenshot 12.png

Finalize Registration

1. Temporarily allow JavaScript for the mail provider.

The registration screen for VFEmail will now load. At the time of writing, JavaScript is required for the registration process due to the CAPTCHA used to block spam bots. [16]

Click on the NoScript icon → Select "temporarily allow https://344c6kbnjnljjzlz.onion"

Figure: Javascript Temporary Permissions

Tempest screenshot 13.png

After the page reloads, a new email account name and password can be created.

2. Create an anonymous account with a strong password.

Warning: When creating an account and password, do not use identifying or familiar data in either! Also consider the principles for stronger passwords and the option of lengthy Diceware passphrases.

Open up KeePassXC and create an account and password entry for your new e-mail account with the warning above in mind. When the password has been created in KeePassXC (or manually with diceware passphrases):

  1. Type fake information into the fields under "First Name" and "Last Name."
  2. Type the email name that will be used in the field under "User Name."
  3. Select "vfemail.net" in the pull down menu under "Domain name."
  4. Copy/type the password created in KeePassXC/manually and enter/paste it into the fields under "Password" and "Confirm Password." [17]
  5. Check the box next to "I'm not a robot" and solve the CAPTCHA puzzles. When a green check appears next to "I'm not a robot," click on the "Create Account" button.

Figure: Account Creation

Tempest screenshot 14.png

3. Confirm the account was successfully created.

The next screen will confirm an account has been created and the email address chosen will be displayed on the page.

Figure: Account Confirmation

Tempest screenshot 15.png

4. Optional: Save the account details in KeePassXC.

Copy the address and paste it into the "description" or "username" field of the KeePassXC entry associated with your password. [18] Next, save the KeePassXC database. Then, click the "X" button to close Tor Browser and continue to the next section.

Set up the New Email Account

Thunderbird First Run

1. Open Thunderbird.

  • Non-Qubes-Whonix: Click the blue "K" start button → Select "Mail Client"
  • Qubes-Whonix ™: Click the blue "Q" button → Click on anon-whonix → Select "Thunderbird"

Figure: Thunderbird Email Client (Non-Qubes-Whonix)

Tempest screenshot 17.png

2. Close unnecessary windows on the first run.

When Thunderbird first opens, two windows will appear inside of it. These should be cancelled. In the window entitled "Mail Account Setup," click the "Cancel" button.

Figure: Mail Account Setup Cancellation

Tempest screenshot 18.png

Next, in the "Enigmail Setup Wizard," click the "Cancel" button.

Figure: Enigmail Setup Wizard Cancellation

Tempest screenshot 19.png

When the "Enigmail Alert" window appears, click the "Close" button.

Figure: Dismiss Enigmail Alert

Tempest screenshot 20.png

Install and Configure TorBirdy

1. Navigate to the add-ons manager.

After reaching the main Thunderbird window, click on the Thunderbird Menu icon which looks like a hamburger symbol -- three horizontal lines stacked on top of each other -- towards the top right side of the window. Then, click on "Add-ons."

Figure: Thunderbird Add-ons Manager

Tempest screenshot 21.png

2. Disable plugins.

Next, click on "Extensions." Then click the "Disable" buttons next to "Lightning" and "TorBirdy" to disable them.

Note: Lightning is a calendar plugin that is probably unnecessary. A newer version of TorBirdy is installed at a later step and modified to work better with Whonix ™.

Figure: Disable Plugins

Tempest screenshot 22.png

3. Install the latest TorBirdy release.

The modified version of TorBirdy will now be installed. Click the gear icon towards the top of the window and then click on "Install Add-on From File..."

Figure: TorBirdy File Installation

Tempest screenshot 23.png

In the next window that appears, click on "user" under "Places" towards the left side of the window. Then, double-click on Downloads.

Figure: Downloads Folder

Tempest screenshot 24.png

At the next screen, click on torbirdy-current.xpi and then click the "Open" button.

Figure: Select the TorBirdy File

Tempest screenshot 25.png

Next, a "Software Installation" window will appear warning to only install add-ons from authors you trust. After the brief time delay finishes, click the "Install Now" button.

Figure: Install the TorBirdy Add-on

Tempest screenshot 26.png

4. Restart Thunderbird.

After being returned to the "Add-ons Manager" in Thunderbird, click the "Restart Now" button that appears towards the top of the window.

Figure: Restart Thunderbird

Tempest screenshot 27.png

Thunderbird Second Run

1. Dismiss Thunderbird's email creation option.

When Thunderbird opens, a window will appear asking if you would like a new e-mail address. Click on the button stating "I think I'll configure my account later."

Figure: Configure the Account Later

Tempest screenshot 28.png

2. Disable automatic reports.

After returning to the "Add-ons Manager," at the bottom of the Thunderbird window, a message will appear asking "Would you like to help improve Thunderbird Mail/News by automatically reporting memory usage, performance and responsiveness to Mozilla?" Click the "No" button.

Figure: Uncheck Automatic Reports

Tempest screenshot 29.png

3. Enable TorBirdy.

Enable the new version by clicking the "Enable" button next to "TorBirdy."

Figure: Enable TorBirdy

Tempest screenshot 30.png

4. Restart Thunderbird.

After TorBirdy is enabled, click on the "Restart now" link that causes Thunderbird to restart.

Figure: Restart Thunderbird

Tempest screenshot 31.png

Configure the Thunderbird Email Account

1. Configure the email account on Thunderbird's third run.

The first window that appears after restarting Thunderbird will prompt to configure an email account. Type a suitable alias in the field next to "Your name." This will appear next to the email address in emails you send to others.

Next, type the vfemail.net email address that was just created into the field next to "Email address." Finally, uncheck "remember password" and click the "Continue" button.

IMPORTANT NOTE: Never use Thunderbird to save the email account password! Thunderbird does not store passwords in an encrypted format. Therefore, if Whonix-Workstation ™ (anon-whonix) is compromised in the future, an attacker may be able to gain access to the email account if they view Thunderbird's unencrypted password storage file.

Figure: Email Account Details

Tempest screenshot 32.png

The next window that appears will inform that TorBirdy has blocked the automatic configuration process to protect your anonymity. Click on the "OK" button to continue.

Figure: Disabled Auto-configuration

Tempest screenshot 33.png

2. Configure Thunderbird to connect to the email Onion Service.

In the next window, Thunderbird must be configured to connect to the Onion Service of vfemail.net (change the values as appropriate for alternate providers). The fields to change are highlighted in red in the figure below:

  • Type 344c6kbnjnljjzlz.onion in the field next to "Server Name."
  • Type the complete email address into the field next to "User Name."
  • Uncheck the box next to "Leave messages on server."
  • Check the box next to "Empty Trash on Exit" and continue to the next step.

Figure: Onionized Server Configuration

Tempest screenshot 34.png

3. Configure Thunderbird folders.

Click on "Copies and Folders" in the left column. Each option to change is highlighted in red in the figure below:

  • In the pull down menu next to "Sent Folder on", select "Local Folders."
  • Next, in the pull down menu next to "Archives Folder on", select "Local Folders."
  • In the pull down menu next to "Drafts Folder on", select "Local Folders."
  • In the pull down menu next to "Templates Folder on", select "Local Folders."
  • Check the box next to "Show confirmation dialog when messages are saved."

Figure: Folder Configuration

Tempest screenshot 35.png

4. Empty Thunderbird trash on exit.

Click on "Local Folders" in the left column. Then, mark the box next to "Empty trash on exit."

Figure: Empty Local Folders

Tempest screenshot 36.png

5. Configure the outgoing server.

Click on "Outgoing Server (SMTP)" in the left column. Then, click on the "Edit" button.

Figure: Outgoing Server Configuration

Tempest screenshot 37.png

In the next window that appears:

  • Type 344c6kbnjnljjzlz.onion (or alternative .onion) in the field next to "Server Name."
  • Click on the pulldown menu next to "Connection security" and select "STARTTLS." [19]
  • Type the complete email address into the field next to "User Name."
  • Finally, click the "OK" button.

Figure: Onionized Server Configuration

Tempest screenshot 38.png

6. Confirm settings and exit.

After returning to the "Account Settings" window, click the "OK" button.

Figure: Confirm Settings

Tempest screenshot 39.png

After returning to the "Add-ons Manager" tab of Thunderbird, click on the "x" in the tab entitled "Add-ons Manager" to close the Add-ons Manager window.

Figure: Close Add-ons Manager

Tempest screenshot 40.png

Create an OpenPGP Key Pair and Revocation Certificate

There are two methods for creating an OpenPGP key pair and revocation certificate - using either the Enigmail Setup Wizard, or manually creating them from the command line. The easier Enigmail method is outlined below, but the manual creation of stronger keys from the command line is recommended for advanced users or those at high risk.

Launch Enigmail Setup Wizard

To start the Enigmail Setup Wizard, after returning to the main Thunderbird window, click the "hamburger" icon that has the 3 horizontal bars towards the upper right corner.

Then, hover the mouse over "Preferences" and click "Menu Bar" when the next menu appears.

Figure: Menu Bar

Tempest screenshot 41.png

A menu bar will now appear towards the top of the Thunderbird window. In the menu bar, click "Enigmail" and then click "Setup Wizard."

Figure: Enigmail Setup Wizard

Tempest screenshot 42.png

Create an OpenPGP Key Pair

1. Access Enigmail's extended configuration options.

After the Enigmail Setup Wizard starts, on the next screen click the circle next to "I prefer an extended configuration" and then click the "Next" button.

Figure: Extended Enigmail Configuration

Tempest screenshot 43.png

2. Create a new key pair.

Next, a prompt will appear to either create a GPG keypair or use an existing one.

Click the circle next to "I want to create a new key pair for signing and encrypting my email" and then click the "Next" button.

Figure: Create a New Key Pair

Tempest screenshot 44.png

3. Create a strong passphrase for the key pair.

The next window that appears will prompt for a passphrase to protect the GPG private key.

Warning: This passphrase should be long and random! You will need this passphrase to sign messages with GPG or to decrypt messages sent to you.

With a strong passphrase, if the machine is ever compromised and someone steals the GPG secret key, this provides an extra layer of protection to prevent the attacker from being able to easily decrypt emails sent to you, or to impersonate you by signing emails with the GPG key.

Type an appropriately secure and random passphrase into the fields under "Passphrase" and "Please confirm your passphrase by typing it again." Then, click on the "Next" button.

4. Optional: Store the passphrase in KeePassXC.

Create a new entry in KeePassXC to store the GPG passphrase and manually enter the passphrase into the new entry. Then, save the KeePassXC database. This will be useful if the GPG passphrase is forgotten. [20]

Figure: GPG Private Key Passphrase

Tempest screenshot 45.png

Create a Revocation Certificate

After Enigmail has finished creating the new GPG key pair, click the "Create Revocation Certificate" button.

Figure: Create a Revocation Certificate

Tempest screenshot 46.png

A prompt will now appear to enter the passphrase created in the last step. Paste the GPG passphrase from KeePassXC (or enter it manually) into the "Passphrase" field and click the "OK" button.

Figure: Enter the GPG Passphrase

Tempest screenshot 47.png

Store the Revocation Certificate

1. Choose the location for the revocation certificate.

The next window will ask where the GPG revocation certificate should be stored.

Click on "user" in the left column. Next, replace the spaces and parentheses signs with periods in the default filename for the GPG revocation certificate. The spaces and parentheses signs in the default name can make a step later in this guide trickier. Finally, click the "Save" button.

Figure: Store the Revocation Certificate

Tempest screenshot 48.png

2. Confirm the certificate was created.

Next, a message will inform that the GPG revocation certificate was successfully created. Click the "OK" button.

Figure: Certificate Creation Confirmation

Tempest screenshot 49.png

3. Finalize the procedure.

After returning to the "Key Creation" window, click the "Next" button.

Figure: Finalize the Procedure

Tempest screenshot 50.png

The next window will state that Enigmail is now ready to use. Click the "Finish" button.

Figure: Enigmail Success

Tempest screenshot 51.png

Encrypt the Revocation Certificate

The revocation certificate will now be encrypted and stored in the persistent storage directory. The GPG revocation certificate can be used to revoke the public encryption key that is added to key servers, even if access to the GPG secret key is lost or the password is forgotten.

If an attacker accesses the GPG revocation certificate, they can revoke the keys. Encrypting the GPG revocation certificate with a passphrase that is easily remembered will protect against this action.

1. Open up a Konsole / Terminal session to get a command prompt.

  • Non-Qubes-Whonix: Click the "K" start button → Click "Terminal"
  • Qubes-Whonix ™: Click the "Q" taskbar button → anon-whonix → Konsole

Figure: Open a Terminal (Non-Qubes-Whonix)

Tempest screenshot 52.png

2. Create a storage location.

When the terminal window opens, create a directory under the home folder to hold the encrypted revocation certificate. Run:

mkdir -p ~/storage/gpg-revoke

3. Encrypt the revocation certificate.

In the command below, replace "RevocationCertificateFileName" with the actual file name of the revocation certificate, then run it:

gpg --cipher-algo AES256 --symmetric RevocationCertificateFileName

This writes the ciphertext to a new file with ".gpg" appended to the name; the plaintext file stays in place until it is shredded in step 7.

A prompt will appear to "Enter passphrase." Choose a strong passphrase and enter it into the passphrase field, then click the "OK" button.

Ambox warning pn.svg.png This passphrase should be strong and unique! Do not re-use passphrases for multiple functions, activities or accounts.

If the revocation certificate ever needs to be used, then this passphrase is first used to decrypt it.

4. Optional: Create a new entry in KeePassXC to store the GPG revocation certificate passphrase.

Manually enter the passphrase into the new entry, then save the KeePassXC database. This will be useful in case the passphrase is ever forgotten.

Figure: Passphrase Prompt

Tempest screenshot 53.png

A prompt will appear, asking for the passphrase to be re-entered. Type it again into the passphrase field and click the "OK" button.

Figure: Passphrase Confirmation

Tempest screenshot 54.png

Note: If the following error appears:

gpg: error creating passphrase: invalid passphrase

then the two passphrase entries did not match (a typo was made in one of them) - start over from the beginning of this section.

5. Move the encrypted revocation certificate.

If no error message appears and the command prompt returns, move the ".gpg" file into the storage directory. Name the file explicitly rather than using a wildcard such as *.gpg, which would also sweep up any other encrypted files in the home folder:

mv RevocationCertificateFileName.gpg ~/storage/gpg-revoke/

And press Enter.

6. Decrypt the revocation certificate when it is needed.

If the revocation certificate ever has to be used, decrypt it (the passphrase chosen in step 3 will be asked for) with:

gpg -o RevocationCertificateFileName.asc -d ~/storage/gpg-revoke/RevocationCertificateFileName.gpg

The decrypted copy is written to the current directory. After it has been used (for example imported into the keyring with gpg --import so the revoked key can be uploaded), shred that copy as in the next step.

7. Shred the unencrypted revocation certificate that is still sitting in the home folder.

shred --remove RevocationCertificateFileName

No sudo is needed, since the file belongs to the user. Note that shred overwrites the file in place, which only destroys the data on file systems and media that overwrite in place; on journaling or copy-on-write file systems and on SSDs with wear levelling, remnants of the plaintext may survive (see the shred manual page).

Type exit to close the terminal and return to Thunderbird.
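The whole procedure above as a script. This is an added example for this wiki entry, not code from the original guide: it encrypts a constructed stand-in for a revocation certificate with the same gpg --symmetric --cipher-algo AES256 call, reads the passphrase from a file descriptor rather than the command line, confirms that the ciphertext decrypts to an identical file before anything is shredded, and runs in a scratch directory under /tmp instead of ~/storage/gpg-revoke and the real ~/.gnupg. GnuPG 2.2 or later and coreutils shred and cmp are assumed.

```shell
#!/bin/sh
# Added example for this wiki entry; not part of the original guide.
# Encrypts a revocation certificate symmetrically (AES-256, as in step 3),
# proves the ciphertext decrypts back to the original, and only then shreds
# the plaintext. Assumed, not taken from the page: GnuPG 2.2 or later,
# coreutils shred and cmp, and that the demo may use a scratch directory
# under /tmp instead of the real ~/.gnupg and ~/storage/gpg-revoke.
set -eu

# Step 1 of the guide replaces spaces and parentheses in Enigmail's default
# file name with periods, so the later commands need no quoting.
sanitize_name() {
    printf '%s' "$1" | tr ' ()' '...'
}

# Run gpg with the passphrase on file descriptor 3 instead of the command
# line, so it never shows up in `ps` output or shell history. An isolated
# --homedir keeps the demo away from the user's real keyring.
gpg_fd3() {
    homedir=$1; pass=$2; shift 2
    gpg --homedir "$homedir" --batch --quiet --pinentry-mode loopback \
        --passphrase-fd 3 "$@" 3<<EOF
$pass
EOF
}

# encrypt_revocation_cert HOMEDIR PASSPHRASE PLAINTEXT CIPHERTEXT
encrypt_revocation_cert() {
    gpg_fd3 "$1" "$2" --cipher-algo AES256 --symmetric --output "$4" "$3"
}

# decrypt_revocation_cert HOMEDIR PASSPHRASE CIPHERTEXT PLAINTEXT
decrypt_revocation_cert() {
    gpg_fd3 "$1" "$2" --output "$4" --decrypt "$3"
}

# Round trip in a scratch directory: encrypt, decrypt to a second file,
# compare byte for byte, then shred every plaintext copy. Returns 0 only if
# the ciphertext is usable and no plaintext is left behind.
roundtrip_demo() {
    work=$(mktemp -d) || return 1
    mkdir -m 700 "$work/gnupghome" || return 1
    name=$(sanitize_name 'revocation (user@example.com) rev.asc')
    pass='correct horse battery staple'   # placeholder; use a strong, unique passphrase
    # Constructed stand-in for a real revocation certificate.
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' \
        'Comment: constructed test data, not a real certificate' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$work/$name" || return 1
    encrypt_revocation_cert "$work/gnupghome" "$pass" "$work/$name" "$work/$name.gpg" || return 1
    decrypt_revocation_cert "$work/gnupghome" "$pass" "$work/$name.gpg" "$work/$name.check" || return 1
    cmp -s "$work/$name" "$work/$name.check" || return 1
    # shred overwrites in place, which only destroys data on file systems and
    # media that overwrite in place (not journaling/COW file systems or SSDs).
    shred -u "$work/$name" "$work/$name.check" || return 1
    [ -s "$work/$name.gpg" ] && [ ! -e "$work/$name" ] || return 1
    gpgconf --homedir "$work/gnupghome" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then
    roundtrip_demo && echo 'round trip ok: only the .gpg file remained before cleanup'
fi
```

The round-trip check is the part worth keeping for real use: a revocation certificate that turns out to be undecryptable years later, because of a mistyped passphrase or a truncated file, is no better than none, and the plaintext should only be shredded once the ciphertext has been proven to decrypt.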

Final Thunderbird Preferences and Settings[edit]

General Thunderbird Preferences[edit]

1. Access Thunderbird preferences.

Navigate to the main Thunderbird window, then click on "Edit" → "Preferences".

Figure: Thunderbird Preferences

Tempest screenshot 55.png

2. Disable search and indexing functions.

In the window that appears, click the "Advanced" tab. Uncheck the box next to "Enable Global Search and Indexer." This will save disk space.

Figure: Enable Global Search and Indexer

Tempest screenshot 56.png

3. Disable the return receipt function.

Next, click the "Return Receipts" button. In the next window that appears, mark the circle next to "Never send a return receipt." Then, click the "OK" button.

Figure: Disable Return Receipts

Tempest screenshot 57.png

4. Disable the crash reporter.

After returning to the "Thunderbird Preferences" window, click the "Data Choices" tab. Then, uncheck the box next to "Enable Crash Reporter."

Figure: Disable Crash Reporter

Tempest screenshot 58.png

5. Disable cookies and website history.

Next, click the "Privacy" button. Then, uncheck the boxes next to "Remember websites and links I've visited" and "Accept cookies from sites." Then, click the "close" button.

Figure: Modify Privacy Settings

Tempest screenshot 59.png

Additional Settings[edit]

Some further changes are required that the Enigmail Setup Wizard does not address.

1. Modify OpenPGP settings.

On the main Thunderbird window, click on Edit → Account Settings.

Figure: Thunderbird Account Settings

Tempest screenshot 60.png

In the window that appears:

  • Click on "OpenPGP Security" in the left column.
  • Check the boxes next to "Encrypt messages by default" and "Sign encrypted messages."
  • Uncheck the box next to "Use PGP/MIME by default."
  • Click the "Enigmail Preferences" button. [21]

Figure: OpenPGP Options

Tempest screenshot 61.png

2. Enforce manual encryption.

In the "Sending" tab of the "Enigmail Preferences" window, click the circle next to "Manual encryption settings." Then click the circle next to "Always" under "Confirm before sending" and click the "OK" button.

Figure: Set Manual Encryption Settings

Tempest screenshot 62.png

When returned to the "OpenPGP Options" window, click the "OK" button.

Figure: Settings Confirmation

Tempest screenshot 63.png

Enigmail Key Management[edit]

Search for and Import GPG Keys[edit]

1. Navigate to the key management section.

In the menu bar, click on Enigmail → Key Management.

Figure: Enigmail Key Management

Tempest screenshot 64.png

2. Search for keys with a keyserver.

In the Key Management window that opens, your key is in bold and the key imported for Sukhbir Singh is also visible. Click on KeyserverSearch for Keys.

Figure: Key Search

Tempest screenshot 65.png

The next window enables a search for GPG keys hosted on public key servers. It is possible to search by e-mail address, by key ID or by the full public GPG fingerprint.

This step searches for the key belonging to anonguide@vfemail.net by its public GPG fingerprint. Paste:

64222A88D25730910C47A904BD8083C5237F796B

into the field next to "Search for key" and click the "OK" button.

Figure: Fingerprint Key Search

Tempest screenshot 66.png

Info Always search with the full 40-hex-digit fingerprint of a GPG key in the key manager. Short (8 hex digit) key IDs can be forged at will, and even long (16 hex digit) key IDs can be collided with enough effort, so neither identifies a key reliably. [22] Searching by fingerprint also returns exactly the intended key instead of a list of look-alikes, and works more often. Everyone who shares a public GPG key should share the full fingerprint.

3. Import the desired key(s).

In the next window that appears, an entry for "anonguide@bitmessage.ch" with a Key ID of "237F796B" should be displayed with a check mark next to it. Click the "OK" button to import the key.

Figure: Key Importation

Tempest screenshot 67.png

A window should appear stating that the key for "anonguide@vfemail.net" was successfully imported.

It is not a problem that the e-mail address is different than the "anonguide@bitmessage.ch" listed above when importing the key. Multiple e-mail addresses can be used with a GPG public key.

"Anonguide@bitmessage.ch" is simply an older e-mail address associated with the key. The important aspect to check is the fingerprint, which should appear as:

6422 2A88 D257 3091 0C47
A904 BD80 83C5 237F 796B

Click the "OK" button to continue.

Info If the fingerprint is different than what is shown above, delete the key for the "anonguide" e-mail address in the key manager and start over from the "Enigmail Key Management" step.

Figure: Key Importation Confirmation

Tempest screenshot 68.png

Ambox warning pn.svg.png Important: It is critical to verify every GPG public key added to the keyring against a fingerprint obtained directly from the person you intend to communicate with.

Always remember that anyone can upload a GPG public key to a key server and claim it belongs to a certain email address. Consider the following attack:

  1. An attacker who is monitoring an email account uploads a key of their own, bearing the intended recipient's address, to the key servers.
  2. The sender searches by email address, finds that key, and encrypts to it by mistake.
  3. The attacker, who holds the private half of that key, can now read the user's email.

Import Public Keys from Websites[edit]

On occasion, the GPG public key of an intended email recipient is not located on a key server, but a public key block is hosted on a website.

To import these keys into Thunderbird:

  1. Copy the public key from the website to the clipboard.
  2. Navigate to the Enigmail key management program: Enigmail → Key Management
  3. Import the keys: Edit → Import Keys from Clipboard

Alternative Key Server Methods[edit]

There are two alternatives for interacting with key servers:

  • KGpg: To fetch contacts' GPG keys from the key server, open KGpg and navigate to Key Server Dialog. Search for relevant email addresses and import the keys.
  • GPG command line: Searching, fetching and importing keys from key servers from the command line is relatively simple.

Note: Previously, Enigmail's keyserver interaction features did not work out of the box. [23] [24] With these instructions, it should no longer be necessary to apply manual settings following a restart of Thunderbird in order to interact with key servers. [25] [26] [27] [28]

Export the Public Key to a GPG Server[edit]

1. Select the key to be uploaded.

Right-click on the entry for the email address and click "Upload Public Keys to Keyserver."

Figure: Upload Public Keys

Tempest screenshot 69.png

A progress meter will then appear. If the upload is successful, no confirmation message will be received.

Figure: Upload Progress Meter

Tempest screenshot 70.png

2. Confirm the key successfully uploaded.

To check that the GPG public key was successfully uploaded to the keyserver, do a search for your own key the same way you searched for the key belonging to "anonguide@vfemail.net" in an earlier step.

3. Examine the GPG fingerprint.

Right-click on the GPG key → Click "Key Properties"

The GPG fingerprint will appear towards the top of the window. Highlight it and then copy it to the clipboard.

To search for it in a manner similar to the earlier step, paste it into the search field and simply remove the spaces between the letters and numbers.

Public GPG Key Signature Block[edit]

Locate the Key Fingerprint[edit]

The following steps configure Thunderbird to inform people about the public GPG key by embedding it in the email signature.

1. Open the key properties section.

Double-click on the key entry for the vfemail.net (or alternate) email address to open the "Key Properties" window.

Figure: Key Properties

Tempest screenshot 71.png

2. Copy the fingerprint.

In the window that appears, use the mouse to highlight the text next to "Fingerprint." Then, right-click the highlighted text and click "Copy."

Figure: Copy the Key Fingerprint

Tempest screenshot 72.png

When the GPG fingerprint has been copied, click the "Close" button.

Figure: Procedure Confirmation

Tempest screenshot 73.png

3. Close the Enigmail Key Management window.

Click the "X" in the upper right corner of the window.

Figure: Close Enigmail Key Management

Tempest screenshot 74.png

4. Navigate to account settings.

After returning to the main Thunderbird window, click on Edit → Account Settings.

Figure: Further Account Settings

Tempest screenshot 75.png

Create a PGP Email Signature[edit]

A signature is now created that will be included in all outgoing mail, containing both the long GPG key ID and the full GPG key fingerprint. In the next window that appears:

  1. Click in the text field located underneath "Signature text."
  2. Paste the contents of the clipboard on to two separate lines in the text field.
  3. On the first line:
    1. Type "GPG Public Key:" before the fingerprint that was just pasted.
    2. Delete all but the last 16 hex characters of the fingerprint from this line. [29]
    3. Type "0x" (that is the numeral zero) directly in front of the remaining characters. [30]
  4. On the second line, type "Fingerprint:" in front of the characters pasted there. This lets people who download the GPG public key verify that it is the key you wish them to use. When finished, click the "OK" button.

Figure: PGP Email Signature Block

Tempest screenshot 76.png
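The command-line alternative mentioned under "Alternative Key Server Methods", together with the key-ID derivation just performed by hand, as an added example that is not part of the original guide. It normalises a fingerprint as people paste it, refuses anything shorter than the full 40 hex digits, fetches the key with gpg --recv-keys by that fingerprint, checks the fingerprint of what actually landed in the keyring from gpg --with-colons output, and prints the two signature lines. Assumed, not from the page: GnuPG 2.x, and that gpg inside Whonix is already torified so no proxy options are needed. The --with-colons listing embedded below is constructed and abridged; only the fields the check reads are filled in. The network-dependent fetch is defined but the offline demo exercises only the parsing.

```shell
#!/bin/sh
# Added example for this wiki entry; not part of the original guide.
# Normalises a fingerprint as people paste it, fetches a key from the key
# server by that full fingerprint, verifies that the key which landed in the
# keyring really has it, and derives the long key ID for the signature block.
# Assumed, not taken from the page: GnuPG 2.x; inside Whonix, gpg is already
# torified, so no proxy options are passed.
set -eu

# Accept only a full 40-hex-digit fingerprint (spaces and lower case are
# tolerated); a short or long key ID is rejected rather than searched for.
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case $f in
        ""|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# Long key ID = last 16 hex digits of a v4 fingerprint, written with "0x"
# as the guide's signature block does.
long_keyid() {
    f=$(normalize_fpr "$1") || return 1
    printf '0x%s\n' "$(printf '%s' "$f" | cut -c25-40)"
}

# Read `gpg --with-colons` output on stdin and succeed only if an fpr record
# (field 10 = fingerprint) equals WANT exactly. Result is the exit status.
fpr_matches() {
    awk -F: -v want="$1" '$1 == "fpr" && $10 == want { ok = 1 } END { exit !ok }'
}

# Fetch by full fingerprint, then check what was imported. Needs a key server,
# so it is not exercised offline.
fetch_and_verify() {
    f=$(normalize_fpr "$1") || return 1
    gpg --batch --recv-keys "$f" || return 1
    gpg --batch --with-colons --fingerprint "$f" | fpr_matches "$f"
}

# The two lines the guide adds to the Thunderbird signature, built from the
# fingerprint alone.
signature_block() {
    f=$(normalize_fpr "$1") || return 1
    printf 'GPG Public Key: %s\n' "$(long_keyid "$f")"
    printf 'Fingerprint: %s\n' "$(printf '%s' "$f" | sed 's/..../& /g; s/ $//')"
}

# Constructed, abridged --with-colons listing for the anonguide key whose
# fingerprint appears in this guide; only the fields used above are filled in.
SAMPLE_LISTING='pub:u:4096:1:BD8083C5237F796B:::::::scESC::::::23::0:
fpr:::::::::64222A88D25730910C47A904BD8083C5237F796B:
uid:u::::::::anonguide@vfemail.net::::::::::0:'

# Offline demonstration against the sample listing.
demo() {
    fpr='6422 2A88 D257 3091 0C47 A904 BD80 83C5 237F 796B'
    printf '%s\n' "$SAMPLE_LISTING" | fpr_matches "$(normalize_fpr "$fpr")" || return 1
    signature_block "$fpr"
}

demo
```

The verification step after the fetch is the point: a key server answers a search with whatever was uploaded under that name, so the only thing worth trusting is the full fingerprint of the key that ended up in the keyring, compared against the one the correspondent gave you out of band.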

Compose and Send Encrypted Email[edit]

The first section will test the correct sending of the first encrypted email to anonguide@vfemail.net with Enigmail.

The second section outlines using KGpg instead of Enigmail. This is for users who require a higher level of security for importing private keys and creating ciphertext which can be sent via Thunderbird. [31] [32] [33] [34]

Using Enigmail[edit]

1. Compose a new email message.

Click the "Write" button located in the upper left region of the window.

Figure: Compose a New Email

Tempest screenshot 77.png

A new window will open for composing an email message. In the "To" field, type:

anonguide@vfemail.net

In the "Subject" field, type:

key test

Next, type an innocuous message into the message body. Do not go into great detail; a large amount of text is unnecessary.

The point of this email is to test the encryption key and to become familiar with a common encrypted email exchange. Take note of the padlock and pencil icons located towards the upper-left side of the window next to the "Enigmail:" header. These icons should be marked as active by a gray square around them with the padlock closed, which means the message will be signed and encrypted (if you possess a corresponding public key). To the far right of these icons, a status message also informs that the message will be signed and encrypted.

Ambox warning pn.svg.png In this configuration, the subject field is never encrypted, even when the message and attachments are encrypted. [35] Therefore, be wary of any information entered into in a subject field.

2. Send the email message.

When the message is ready for sending, click the "Send" button.

Figure: Send an Encrypted Email

Tempest screenshot 78.png

A prompt will appear to enter the GPG passphrase. This makes it possible for the message sent to be signed. When a message is signed, this provides a mechanism for the email recipient to be confident that the sender actually wrote the email, and not an impostor. Type the passphrase and click the "OK" button.

Figure: GPG Passphrase Prompt

Tempest screenshot 79.png

After typing in the passphrase, a confirmation window will appear asking if a signed and encrypted email should be sent to anonguide@vfemail.net. Take note of the body of the email message under that window. This text should be clearly visible:

-----BEGIN PGP MESSAGE-----

followed by lines of base64-encoded ciphertext (ASCII armor) and a matching "-----END PGP MESSAGE-----" line. This confirms the body has been encrypted and it is safe to click the "Send Message" button. If the original text of the message is visible instead, it is not encrypted and the "Cancel" button should be clicked. A body that begins with "-----BEGIN PGP SIGNED MESSAGE-----" followed by readable text is signed but not encrypted, and should also be cancelled.

Figure: Email Encryption Confirmation

Tempest screenshot 80.png
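The check performed by eye in the confirmation window, and again when ciphertext from KGpg is pasted into Thunderbird later in this entry, written out as a script. This is an added example, not code from the original guide. It classifies a raw message (headers, blank line, body) as encrypted, encrypted with extra plaintext outside the armor, cleartext-signed only, or plain, and prints the Subject header, which is sent in the clear in this configuration regardless. It assumes inline PGP as configured in this guide rather than PGP/MIME; the four sample messages are constructed and their armor contents are dummies.

```shell
#!/bin/sh
# Added example for this wiki entry; not part of the original guide.
# Classifies a raw message (headers, blank line, body) so the "is it really
# encrypted?" check from the confirmation window, and the pasted-ciphertext
# workflow with KGpg, can be checked mechanically. Assumed, not from the page:
# inline PGP as configured in this guide (not PGP/MIME), message on stdin.
set -eu

# Prints one of:
#   encrypted            body is an armored PGP MESSAGE and nothing else
#   encrypted+plaintext  an armored message plus other text outside the armor
#   signed-only          cleartext-signed: readable by anyone, not encrypted
#   plaintext            no PGP armor at all
classify_message() {
    awk '
        BEGIN { inbody = 0; inarmor = 0; enc = 0; signed = 0; extra = 0 }
        !inbody && /^$/ { inbody = 1; next }
        !inbody         { next }
        /^-----BEGIN PGP MESSAGE-----$/        { enc = 1; inarmor = 1; next }
        /^-----END PGP MESSAGE-----$/          { inarmor = 0; next }
        /^-----BEGIN PGP SIGNED MESSAGE-----$/ { signed = 1; next }
        inarmor         { next }
        /^[ \t]*$/      { next }
                        { extra = 1 }
        END {
            if (enc && extra)  print "encrypted+plaintext"
            else if (enc)      print "encrypted"
            else if (signed)   print "signed-only"
            else               print "plaintext"
        }'
}

# The Subject header is sent in the clear in this configuration no matter
# what the body is; print it so it can be reviewed before sending.
clear_subject() {
    awk '
        /^$/ { exit }
        /^Subject:/ { sub(/^Subject:[ \t]*/, ""); print; exit }'
}

# Constructed sample messages (not real mail); the armor contents are dummies.
ENCRYPTED_MSG='To: anonguide@vfemail.net
Subject: key test

-----BEGIN PGP MESSAGE-----

hQEMA0NvbnN0cnVjdGVkAQf9RHVtbXkgY2lwaGVydGV4dCBmb3IgdGhlIGV4YW1wbGU=
=AbCd
-----END PGP MESSAGE-----'

MIXED_MSG='Subject: key test

leftover draft text that would be sent in the clear
-----BEGIN PGP MESSAGE-----

hQEMA0NvbnN0cnVjdGVkAQf9RHVtbXkgY2lwaGVydGV4dCBmb3IgdGhlIGV4YW1wbGU=
=AbCd
-----END PGP MESSAGE-----'

SIGNED_MSG='Subject: key test

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

this text is readable by anyone who intercepts the mail
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdRHVtbXkgc2lnbmF0dXJlIGZvciB0aGlzIGV4YW1wbGUgb25seQ==
-----END PGP SIGNATURE-----'

PLAIN_MSG='Subject: hello

no protection at all'

# Demonstration over the four samples.
for m in "$ENCRYPTED_MSG" "$MIXED_MSG" "$SIGNED_MSG" "$PLAIN_MSG"; do
    printf '%-20s subject in clear: %s\n' \
        "$(printf '%s\n' "$m" | classify_message)" \
        "$(printf '%s\n' "$m" | clear_subject)"
done
```

The "encrypted+plaintext" case is the one that matters when ciphertext is pasted by hand: anything left in the compose window outside the armor, such as a forgotten draft line, goes out unencrypted even though a PGP MESSAGE block is present.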

3. Add a security exception.

The first time an email is sent, an "Add Security Exception" window will appear (this is expected). The warning appears because the TLS certificate presented by the server is issued for vfemail.net (or the alternate provider), while Thunderbird is configured to connect to the 344c6kbnjnljjzlz.onion domain, so the name does not match.

Before confirming, use the "View..." button in the dialog to check that the certificate really is the provider's: it should be issued for the provider's clearnet name, and its fingerprint should match the one the provider publishes, if one is published. A certificate for any other name, or one that later changes unexpectedly, should be treated as a possible man-in-the-middle and not accepted. Once satisfied, click the "Confirm Security Exception" button; this action is not required again in the future.

Figure: Add a Security Exception

Tempest screenshot 81.png

4. Resend the email message.

As a result of the issue with the SSL certificate in the last step, the sending of the message will fail. Select the Thunderbird "Write: key test" window from the task bar.

Figure: Select the Key Test Window

Tempest screenshot 82.png

Next, click the "OK" button in the "Send Message Error" window that appears.

Figure: Message Failure Notification

Tempest screenshot 83.png

After returning to the email composition window, click the "Send" button again.

Figure: Resend the Email

Tempest screenshot 84.png

5. Enter the password.

Finally, a prompt will appear to confirm that a signed and encrypted email should be sent. Click the "Send Message" button.

Figure: Send Email Confirmation

Tempest screenshot 85.png

Next, a prompt will appear to enter the password for the vfemail.net account. This will happen each time Thunderbird is started and the first email is sent, since the password is not stored by the program. However, once the password is entered, Thunderbird will remember it for the session. The same process applies to receiving email.

When asked to enter the password, copy it from KeePassXC (or refer to your physical record), paste it into the password field and click the "OK" button.

Figure: Passphrase Prompt

Tempest screenshot 86.png

Ambox warning pn.svg.png Do not use Thunderbird's Password Manager to store the password! Thunderbird does not encrypt stored passwords by default. Thus, if an attacker compromises the machine and manages to access the Thunderbird folder, they will gain the password to the email account.

After returning to the main Thunderbird window, a new "Sent" folder should appear in the Local Folders on the left side of the window, indicating the email to anonguide@vfemail.net was sent.

Figure: Thunderbird Sent Folder

Tempest screenshot 87.png

6. Optional: Send the GPG public key as an attachment.

Sometimes it is necessary to send an email to an address where the GPG public key is not in the keyring. If the GPG public key for the e-mail address cannot be located through a search, it is possible to send them your public key.

After reaching the new mail composition window, the GPG public key can be sent to the recipient as an attachment. Since this message will not be encrypted, click on the padlock icon next to "Enigmail:" so it looks like an open lock. Then, click on the "Attach My Public Key" button before sending the email.

Figure: GPG Public Key Attachment

Tempest screenshot 88.png

After composing the message, click the "Send" button.

Info Remember that this email is unencrypted. Therefore it could be read if someone intercepts the email at some point. Be wary of what information is shared in an unencrypted email.

Using KGpg[edit]

  1. Open KGpg and select the recipient key. If selecting more than one key, press CTRL while clicking.
  2. Navigate to: File → Open Editor and write the message.
  3. Encrypt the message to ciphertext by clicking on the Encrypt lock icon. Choose your private key in the prompt that appears and click OK.
  4. Copy the ciphertext into Thunderbird and send it as per normal procedures. Do not include subject lines since they are not encrypted.

Download and Read Encrypted Email[edit]

In the near future, the user will want to check if anyone has sent email messages or if a response was received to the test email composed in the previous section.

1. Check for new email messages.

From the main Thunderbird window, click the "Get Messages" icon to check for any new email messages on the server and download them.

Figure: New Email Check

Tempest screenshot 89.png

2. Add a security exception.

When first checking for mail on vfemail.net, another "Add Security Exception" window will appear (this is expected). The warning appears because the TLS certificate presented by the server is issued for vfemail.net, while the mail client is connecting to the 344c6kbnjnljjzlz.onion domain (or the alternate .onion address). As when sending, inspect the certificate and confirm it is the provider's before accepting it. Click the "Confirm Security Exception" button; this action is not needed again in the future.

Figure: Add a Security Exception

Tempest screenshot 90.png

3. Check for email messages.

After returning to the main Thunderbird window, click the "Get Messages" button again.

Figure: Recheck for New Messages

Tempest screenshot 91.png

4. Enter the password.

A prompt will appear to enter the password for the email account. After entering the password, Thunderbird will remember it for the session. When asked to enter the password, type it into the password field (or copy and paste it from KeePassXC) and click the "OK" button.

Figure: Passphrase Prompt

Tempest screenshot 92.png

5. Read new (encrypted) email messages.

When new emails are received, a counter will appear next to "Inbox" in the left column. Click on "Inbox" to go to the list of new emails, then click the email that you wish to read.

Figure: Thunderbird Inbox

Tempest screenshot 93.png

If the message received was encrypted with your public key, the GPG passphrase is needed to decrypt it. If a window like the one in the image below appears, type the GPG passphrase and click the "OK" button.

Figure: GPG Passphrase Prompt

Tempest screenshot 94.png

The email will now display in the lower portion of the Thunderbird window. From here, the user has the option of replying, forwarding, deleting, and so on. If a message is read that was sent from anonguide@vfemail.net, the encryption configuration is working correctly.

Figure: Successful Email Decryption

Tempest screenshot 95.png

Final Warnings[edit]

If all steps have been successfully completed then you now have an anonymous email account paired with strong encryption.

It should be emphasized this wiki entry is not a substitute for an all-inclusive tutorial on the safest way to use GPG/PGP encryption, however it provides a solid foundation for fundamental practices. Numerous advanced resources and expert opinions exist on the Internet, and these can provide additional tips that might better address a user's perceived threat model and circumstances. [36] At a minimum, it is recommended to review the Safe Email Principles section, along with additional learning resources.

Finally, always heed the following warnings regarding email:

  • E-mail is a very insecure means of communication where anonymity is concerned. A lot of metadata is leaked with e-mail, so it should be used sparingly and only when strictly necessary.
  • Do not contact people you know in real life at non-anonymous email addresses with the email account that was created here. Always separate real world identities from online identities used with Whonix ™.
  • Be circumspect about sharing personal information in email! Encrypted email does not protect against the email recipient storing personal emails in an unencrypted format. Nor does encryption protect against an email recipient maliciously using personal information in order to exploit you.
  • Never include sensitive information in an email subject line, even if the email is encrypted! Subject headers in email are not encrypted in this configuration, despite the fact the rest of the message is.
  • If an email is sent to a recipient without encryption, assume it can be read by anyone!
  • Utilize the Tor Onion Service (.onion domain) whenever it is made available by the email provider. After first confirming the domain is controlled by the email provider, it will afford greater protection than a clearnet address.

Further Reading[edit]

Interested readers can refer to the following additional resources on GPG, Enigmail, KGpg, and safe email practices:

License[edit]

This wiki entry is based on chapter 4.5 of A Beginner Friendly Comprehensive Guide to Installing and Using a Safer Anonymous Operating System, which can be found here. This material has been used with the author's permission. [1]

Footnotes[edit]

  1. http://forums.whonix.org/t/tor-project-support-of-whonix/5030
  2. https://trac.torproject.org/projects/tor/wiki/torbirdy
  3. https://blog.torproject.org/our-latest-release-torbirdy-thunderbird-includes-new-enigmail-features
  4. https://trac.torproject.org/projects/tor/ticket/21880
  5. As was the case for RiseUp. Relying on warrant canaries alone is also not recommended, as they have proven ineffective in several cases.
  6. Similarly, that same information should not be stored on electronic media in the first place, if that is feasible in the circumstances.
  7. Installed by default in Whonix ™ 15.
  8. Source: torproject.org, Gnu Privacy Guard / GnuPG. License: Content on this site is Copyright The Tor Project, Inc. Reproduction of content is permitted under a Creative Commons Attribution 3.0 United States License. All use under such license must be accompanied by a clear and prominent attribution that identifies The Tor Project, Inc. as the owner and originator of such content. The Tor Project Inc. reserves the right to change licenses and permissions at any time in its sole discretion.
  9. This is because packages are often unsigned, and users may forget to update the software in a timely fashion.
  10. TorBirdy sets the Socks Host to 10.152.152.10 and Port to 9102 if the WHONIX variable is set, which is the default in /etc/environment since Whonix ™ 0.5.5.
  11. https://packages.debian.org/stretch-backports/xul-ext-torbirdy
  12. Released on 6 October, 2018.
  13. TorBirdy v2.4 and later work without these modifications.
  14. Without modifications, Enigmail cannot fetch GPG keys because TorBirdy points to a local proxy running on port 8118, which is not running in the Whonix-Workstation ™. Prior to TorBirdy v2.4, modifying the --display-charset and --keyserver-options lines allowed GPG keys to be fetched or uploaded with Enigmail and Thunderbird.
  15. Or create random Diceware passphrases of sufficient length.
  16. This is undesirable from a security perspective. Email providers which do not rely upon JavaScript for registration should be preferred in general.
  17. The obvious alternative is to write it down at home and store it in a safe place.
  18. Alternatively it may be written down and stored in a safe place.
  19. Depending on the service provider in use, they may or may not enable TLS/STARTTLS connection security for their Onion domain. The reason is because it is redundant, as end-to-end Tor encryption provides security properties for authenticating to the server. It is best to leave it turned on by default and only disable it if problems arise.
  20. This is optional because some users may not place trust in the integrity of KeePassXC or other password managers, and they remain an attractive target for hackers.
  21. Note this action prevents TorBirdy from encrypting the subject line and references headers, but improves confirmation of email encryption prior to it being sent.
  22. Due to the threat of collisions, see: https://superuser.com/questions/769452/what-is-a-openpgp-gnupg-key-id
  23. As it has been made fail closed by TorBirdy developers, otherwise there could be a DNS leak in setups not using Whonix ™.
  24. A previous proposal on how to make keyservers in Enigmail in Whonix ™ work out of the box: do not use keyserver-options in Whonix ™
  25. Upstream bug report: Can't set custom http-proxy on GnuPG-settings, lost after restart.
  26. There is no need for this setting in Whonix ™ since Enigmail calls GPG, everything is already torified, and gpg is stream isolated by a uwt wrapper.
  27. Forum discussion: https://forums.whonix.org/t/gpg-keyservers-from-within-whonix-workstation
  28. Previous instructions: Thunderbird → Enigmail (from menu bar) → Preferences → Display Expert Settings and Menus → Advanced → Additional Parameters → remove the following part --keyserver-options http-proxy=http://127.0.0.1:8118 → OK
  29. In the example below, the fingerprint consists of 10 groups of 4 characters. Delete the first six groups, then delete the spaces in between the remaining groups of characters.
  30. In the example below, that results in 0xE2A4440ABE1DE630. The end result of what is created here is the GPG public key ID. People can enter that into various GPG key servers to find the public key and send you encrypted messages.
  31. Avoiding Enigmail bypasses any unexpected behavior with message encryption. For instance, in one case bugs in email clients and Enigmail lead to the auto-saving of drafts as plaintext.
  32. https://tails.boum.org/security/claws_mail_leaks_plaintext_to_imap/index.en.html
  33. http://sourceforge.net/p/enigmail/bugs/502
  34. Persons in critical situations may prefer to encrypt emails in such a way to mitigate the risk of leaks.
  35. The TorBirdy version currently installed supports this feature, but this was deactivated in earlier configuration steps.
  36. For instance, users at high risk might generate a strong airgapped OpenPGP key pair on the command line for greater security, rather than rely on Enigmail.
  37. KGpg Homepage, KGpg wiki with screenshot

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
