Encrypted Email with Thunderbird and Enigmail
|About this Encrypted Email with Thunderbird and Enigmail Page|
- 1 Credits
- 2 Introduction
- 3 Install the Torbirdy Plugin in Thunderbird
- 4 Create a New Email Account with Tor Browser
- 5 Setup the New Email Account
- 6 Create an OpenPGP Key Pair and Revocation Certificate
- 7 Configure Final Thunderbird Preferences
- 8 Compose and Send Encrypted Email
- 9 Download and Read Encrypted Email
- 10 Final Warnings
- 11 Further Reading
- 12 License
- 13 Footnotes
Gratitude is expressed to tempest for permission to use this material for the Whonix wiki documentation.  This material forms chapter 4.5 of A Beginner Friendly Comprehensive Guide to Installing and Using a Safer Anonymous Operating System, which can be found here. Minor edits have been made to the source material: for phrasing; to incorporate Whonix wiki and external references where appropriate; and to accommodate Qubes-Whonix users.
Due to the complexity of software in the past, one of the most underutilized forms of protection for users is email encryption. However, it is now easier to take advantage of encrypted email via the use of Thunderbird (Mozilla's email client) and Enigmail, which is a graphical front-end for using the GnuPG ("GPG") encryption program. The TorBirdy extension is also available to make Thunderbird connections take place over the Tor network. 
|It is estimated that within 10 to 15 years, Quantum Computers will break today's common asymmetric public-key cryptography algorithms used for web encryption (https), e-mail encryption (GnuPG...), SSH and other purposes. See Post-Quantum Cryptography (PQCrypto).|
Encrypted subject and references headers are also now possible in Enigmail, reducing the leakage of metadata.   However, MIME is not used in these instructions to reduce the risk of Enigmail bugs exposing unencrypted messages, meaning the subject line will not be encrypted. On the upside, this configuration change allows the user to confirm their message is actually encrypted before it is sent.
To minimize these risks, the following method of email encryption involves direct end-to-end encryption that can only be read by the intended recipient, making it much more secure. Further, a strong encryption key-pair is created so the user has strict control over the private key, which is stored securely.
Users should understand this method does not make email infallible - advanced adversaries can easily penetrate Internet-facing endpoints of targets with today's cutting-edge surveillance and offensive systems.
|Tip: If possible, critical information that is of high value should not traverse computer networks at all, or even risk exposure to Internet-facing computers.  High-risk users might also consider combining the use of One Time Pads with email encryption for even greater seccurity, and creating an airgapped OpenPGP key pair rather than relying on Enigmail as per these instructions.|
Always remember that mistakes or poor security practices on behalf of the email recipient can inadvertently lead to disclosures of plaintext.
The following guide provides steps to:
- Install the TorBirdy plugin for the Thunderbird email desktop client.
- Create an email account anonymously with a suitable provider via Tor Browser.
- Store the login credentials in KeePassX (optional).
- Setup the new email account: Thunderbird account settings, install necessary extensions (add-ons), and enforce connections to the email provider's Onion Service.
- Create an OpenPGP encryption key pair and revocation certificate using the Enigmail Setup Wizard.
- Encrypt and store the revocation certificate securely.
- Configure Thunderbird preferences for greater security and anonymity.
- Configure additional OpenPGP preferences via Enigmail.
- Key management: import GPG public keys.
- Export the public key to a GPG key server (optional).
- Prepare an email signature with the public GPG key ID and fingerprint (optional).
- Compose and send a test encrypted email to vfemail.net
- Open an encrypted email received in Thunderbird.
|Be aware that with respect to privacy and anonymity, email is a very insecure system by design. Use it sparingly, and only with great discipline and caution.|
Operational security is imperative to maintain the integrity of properly encrypted email. Consider the following scenarios which would allow an adversary access to the plaintext or other metadata that might help deanonymize a user:
- Even if all email sent to a recipient is encrypted, if the recipient fails to encrypt the email response, then adversaries will be able to read the message and likely a quote of the original one sent.
- The names of email recipients cannot be encrypted and are therefore visible to adversaries. However, the subject line and references email header are now encrypted as of TorBirdy v2.3 and above - although disabled in the following configuration.
- There are several different types of metadata that can be harvested from email, depending on how it is used. Therefore, users must be careful when relying on email for sensitive communications.
Terms that are commonly used in reference to email encryption are outlined below.
Table: Email Encryption Terms 
|Key Pair||A pair of of asymmetric keys, commonly known as public and private keys.|
|Public Key||The half of a key pair that is distributed publicly and used for encrypting.|
|Private Key||The half of a key pair that is kept secret, and is used for decryption.|
|Key Server||A server or website used for the distribution and verification of public keys.|
|Integrity||A verification that the enclosed contents have not been tampered with in transit.|
|Confidentiality||A verification that the enclosed contents are unreadable, except for the intended recipient.|
|Authentication||A verification that the person who is sending / signing is who they say they are.|
|Non-repudiation||Assurance that nobody, including the author, can dispute the origin of the message itself.|
|Asymmetric Keys||Commonly referred to as a 'keypair'. It is two seperate keys: one public, one private.|
|Symmetric Keys||Symmetric encryption depends on using a password to encrypt the single key used for both encryption and decryption.|
Install the Torbirdy Plugin in Thunderbird
The following instructions install the latest available version of TorBirdy from The Tor Project so manual changes to the display character set and key server options are not required. Users who prefer the version available from Debian stable (jessie v0.1.3-1; stretch v0.2.1-1) can instead install it from the command line.
|TorBirdy is an equivalent of TorButton. Proxy settings are not required for Stream Isolation because Whonix has had native support since TorBirdy v0.1.0. |
1. Open a Konsole session in Whonix-Workstation.
|Tip: Users should create a dedicated VM / AppVM solely for the use of encrypted email with Thunderbird.|
Non-Qubes-Whonix: Double-click the Konsole icon on the Desktop.
Figure: Konsole Shortcut
2. Navigate to the Downloads directory.
In non-Qubes-Whonix, type.
In Qubes-Whonix, type.
3. Download TorBirdy.
Note: TorBirdy is a desktop email plugin created by the Tor Project to further anonymize Thunderbird. At the time of writing, the version available for download was v0.2.4.
4. Download the necessary files to verify the integrity of the TorBirdy installer.
5. Import the GPG public key of Sukhbir Singh, one of the developers of TorBirdy.
gpg --recv-key E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA
When the process completes, the screen should be similar to the screenshot below.
Figure: GPG Key Importation
6. Verify the public key fingerprint.
It is important to verify the fingerprint of the key that was imported. Run.
gpg --fingerprint 0xE4ACD3975427A5BA8450A1BEB01C8B006DA77FAA
At the time of writing, the following output should appear.
pub 4096R/0xB01C8B006DA77FAA 2016-02-25 [expires: 2020-02-24] Key fingerprint = E4AC D397 5427 A5BA 8450 A1BE B01C 8B00 6DA7 7FAA uid [ unknown] Sukhbir Singh <email@example.com> uid [ unknown] Sukhbir Singh <firstname.lastname@example.org> sub 4096R/0x1AF20C043D9F9289 2016-02-25 [expires: 2020-02-24]
7. Verify the integrity of TorBirdy.
gpg --verify torbirdy-current.xpi.asc
When the verification is complete, the screen should look similar to the screenshot below. If the following message appears:
gpg: Good signature from "Sukhbir Singh <email@example.com>
Then the integrity of the program installer has been successfully verified. The "key is not certified" warning that appears after that line can be safely ignored.
Figure: Good Signature Message
If the following message appears:
gpg: BAD signature from "Sukhbir Singh <firstname.lastname@example.org>"
torbirdy-current.xpi and do not use it. A bad signature means the downloaded program may have been tampered with or was corrupted during the download process.
If this occurs, delete the files and either wait 10-15 minutes for the Tor circuits to change, or open up the "Arm Tor Controller" in the Whonix Gateway (
sys-whonix) and type "n" to create new Tor circuits. Then, repeat steps 3-6 after a random period of time has elapsed.
If the following message appears:
gpg: no valid OpenPGP data found. gpg: the signature could not be verified. Please remember that the signature file (.sig or .asc) should be the first file given on the command line.
Then delete the TorBirdy files, download them again and retry the verification step.
8. Modify TorBirdy to allow for importation/exportation of GPG keys in Thunderbird.
|Steps 8 to 15 only need to be completed if TorBirdy was installed from Debian jessie or stretch stable repositories.  |
|Important: This modification is for Whonix only! The same TorBirdy steps in any other OS may harm anonymity or privacy!|
Without modifying Torbirdy, key management is much more difficult in Thunderbird due to various errors.
7z x torbirdy-current.xpi components
9. Maximize the terminal window.
The part of the file that will be edited is moved to the right by spaces. Therefore it is easier to edit if the terminal window is maximized.
Click on the up-arrow (Qubes-Whonix: "+" key) in the upper right side of your terminal window.
Figure: Terminal Maximization
10. Edit the
11. Open a search routine.
W keys simultaneously to open a search routine. Type.
Figure: Search Routine
12. Modify the display character set.
The cursor will appear on a line that shows
"--display-charset utf-8 " + as per the screen shot below.
Figure: Charset Search
Remove the "+" sign and type.
Immediately following the quotation mark so it looks like the screen shot below.
Figure: Charset Modification
13. Modify the keyserver options.
Move the cursor down 2 lines to the line beginning with
"--keyserver-options" as pictured below.
Figure: Keyserver Options
So it appears before the quotation mark as pictured below.
Figure: Modified Keyserver Options
14. Save the modified file.
X buttons at the same time and type
Y when asked about saving the modified buffer.
When prompted for the file name to write, press
15. Add the modified file to the torbirdy-current.xpi install package.
7z u torbirdy-current.xpi components/torbirdy.js
16. Close the Konsole session.
Create a New Email Account with Tor Browser
1. Launch Tor Browser.
It is critical to create a new email account anonymously with Tor Browser.
In Whonix-Workstation (Qubes-Whonix:
anon-whonix), launch Tor Browser via the icon on the toolbar (non-Qubes-Whonix) or via the Qubes VM Manager (or widget).
2. Choose an appropriate email provider.
First and foremost, there are multiple email providers that users can choose from. For the purpose of this tutorial, VFEmail (vfemail.net) is used as an example. This is not an endorsement for VFEmail, nor are they necessarily the most secure or private email provider available.
At the time of writing, VFEmail is one of the few free and reliable email providers offering POP3 email access through an .onion address, which does not require additional verification details to register an account.
For more details regarding the features and offerings of VFEmail, visit https://344c6kbnjnljjzlz.onion/faq.php. If used properly with GPG encryption, VFEmail's onion email service will provide the user with strong anonymity and privacy.
|Never forget this is an Onion Service which means there is no way of determining who is running it. If GPG is not used to encrypt e-mail and/or the recipient of email does not encrypt it either, it can be easily read by the e-mail service provider, random computers on the internet that relay a sent email message, or anyone else who manages to gain access to the account!|
When Tor Browser opens, type.
Into the URL bar to nagivate to the VFEmail Onion Service web page.
Figure: VFEmail Onion Service
|If using another email provider, navigate to the respective registration page, create the new account, use KeePassX to generate a password for it,  and continue from the "Setup the New Email Account" section.|
3. Add an SSL certificate exception for the VFEmail .onion
Tor Browser will warn that the web page "connection is not secure." This is expected. The warning arises because the SSL certificate received is from vfemail.net, but the domain the user is connected to is 344c6kbnjnljjzlz.onion
Select "Advanced" ->
Select "add exception".
Figure: SSL Certificate Exception
4. Add a security exception for VFEmail.
A window prompting the user to "add security exception" will appear. Click on the "Confirm Security Exception" button.
Figure: Add a Security Exception
Click on the NoScript icon ->
Select "temporarily allow
6. Register an email account name and password.
After the page reloads, a new email account name and password can be created.
|When creating an account and password do not use identifying or familiar data in either! Also consider the principles for stronger passwords and the option of lengthy diceware passphrases.|
Open up KeePassX and create an account and password entry for your new e-mail account with the warning above in mind.
When the password has been created in KeePassX (or manually with diceware passphrases):
- Type fake information into the fields under "First Name" and "Last Name."
- Type the email name that will be used in the field under "User Name."
- Select "vfemail.net" in the pull down menu under "Domain name."
- Copy (type) the password (passphrase) created in KeePassX (manually) and paste it into the fields under "Password" and "Confirm Password." 
- Check the box next to "I'm not a robot" and solve the CAPTCHA puzzles. When a green check appears next to "I'm not a robot," click on the "Create Account" button.
Figure: Account Creation
7. Confirm the account creation.
The next screen will confirm an account has been created and the email address chosen will be displayed on the page. Optional: Copy that address and paste it into the "description" or "username" fields of KeePassX that are associated with your password immediately. 
Figure: Account Confirmation
Next, save the KeePassX database. Then, click the X button to close Tor Browser and continue to the next step.
Setup the New Email Account
Thunderbird First Run
1. Open Thunderbird.
Click the blue "K" start button ->
Select "Mail Client."
Click the blue "Q" button ->
Click on anon-whonix ->
Figure: Thunderbird Email Client
2. Close unnecessary windows on the first run.
When Thunderbird first opens, two windows will appear inside of it. These should be cancelled. In the window entitled "Mail Account Setup," click the "Cancel" button.
Figure: Mail Account Setup Cancellation
Next, in the "Enigmail Setup Wizard," click the "Cancel" button.
Figure: Enigmail Setup Wizard Cancellation
When the "Enigmail Alert" window appears, click the "Close" button.
Figure: Dismiss Enigmail Alert
Install and Configure TorBirdy
1. Navigate to the add-ons manager.
After reaching the main Thunderbird window, click on the Thunderbird Menu icon which looks like a hamburger symbol - three horizontal lines stacked on top of each other - towards the top right side of the window. Then, click on "Add-ons."
Figure: Thunderbird Add-ons Manager
2. Disable plugins.
Next, click on "Extensions." Then click the "Disable" buttons next to "Lightning" and "Torbirdy" to disable them.
|Lightning is a calendar plugin that is probably unnecessary. A newer version of TorBirdy is installed at a later step and modified to work better with Whonix.|
Figure: Disable Plugins
3. Install the latest TorBirdy release and restart Thunderbird.
The modified version of TorBirdy will now be installed. Click the gear icon towards the top of the window and then click on "Install Add-on From File..."
Figure: TorBirdy File Installation
In the next window that appears, click on "user" under "Places" towards the left side of the window. Then, double-click on Downloads.
Figure: Downloads Folder
At the next screen, click on
torbirdy-current.xpi and then click the "Open" button.
Figure: Select the TorBirdy File
Next, a "Software Installation" window will appear warning to only install add-ons from authors you trust. After the brief time delay finishes, click the "Install Now" button.
Figure: Install the TorBirdy Add-on
After being returned to the "Add-ons Manager" in Thunderbird, click the "Restart Now" button that appears towards the top of the window.
Figure: Restart Thunderbird
Thunderbird Second Run
When Thunderbird opens, a window will appear asking if you would like a new e-mail address. Click on the button stating "I think I'll configure my account later."
Figure: Configure the Account Later
After returning to the "Add-ons Manager," at the bottom of the Thunderbird window, a message will appear asking "Would you like to help improve Thunderbird Mail/News by automatically reporting memory usage, performance and responsiveness to Mozilla?" Click the "No" button.
Figure: Uncheck Automatic Reports
Enable the new version by clicking the "Enable" button next to "Torbirdy."
Figure: Enable TorBirdy
After TorBirdy is enabled, click on the "Restart now" link that causes Thunderbird to restart.
Figure: Restart Thunderbird
Configure the Thunderbird Email Account
1. Configure the email account on Thunderbird's third run.
The first window that appears after restarting Thunderbird will prompt to configure an email account. Type a suitable alias in the field next to "Your name." This will appear next to the email address in emails you send to others.
Next, type the vfemail.net email address that was just created into the field next to "Email address." Finally, uncheck "remember password" and click the "Continue" button.
|IMPORTANT NOTE: Never use Thunderbird to save the email account password! Thunderbird does not store passwords in an encrypted format. Thus, if the Whonix-Workstation (|
Figure: Email Account Details
The next window that appears will inform that Torbirdy has blocked the automatic configuration process to protect your anonymity. Click on the "OK" button to continue.
Figure: Disabled Auto-configuration
2. Configure Thunderbird to connect to the email Onion Service.
In the next window, Thunderbird must be configured to connect to the Onion Service of vfemail.net (change the values as appropriate for alternate providers). The fields to change are highlighted in red in the figure below:
- Type 344c6kbnjnljjzlz.onion in the field next to "Server Name."
- Type the complete email address into the field next to "User Name."
- Uncheck the box next to "Leave messages on server."
- Check the box next to "Empty Trash on Exit" and continue to the next step.
Figure: Onionized Server Configuration
3. Configure Thunderbird folders.
Click on "Copies and Folders" in the left column. Each option to change is highlighted in red in the figure below:
- In the pull down menu next to "Sent Folder on", select "Local Folders."
- Next, in the pull down menu next to "Archives Folder on", select "Local Folders."
- In the pull down menu next to "Drafts Folder on", select "Local Folders."
- In the pull down menu next to "Templates Folder on", select "Local Folders."
- Check the box next to "Show confirmation dialog when messages are saved."
Figure: Folder Configuration
4. Empty Thunderbird trash on exit.
Click on "Local Folders" in the left column. Then, mark the box next to "Empty trash on exit."
Figure: Empty Local Folders
5. Configure the outgoing server.
Click on "Outgoing Server (SMTP)" in the left column. Then, click on the "Edit" button.
Figure: Outgoing Server Configuration
In the next window that appears:
- Type 344c6kbnjnljjzlz.onion (or alternative .onion) in the field next to "Server Name."
- Click on the pulldown menu next to "Connection security" and select "STARTTLS." 
- Type the complete email address into the field next to "User Name."
- Finally, click the "OK" button.
Figure: Onionized Server Configuration
After returning to the "Account Settings" window, click the "OK" button.
Figure: Confirm Settings
After returning to the "Add-ons Manager" tab of Thunderbird. Click on the "x" in the tab entitled "Add-ons Manager" to close the Add-ons Manager window.
Figure: Close Add-ons Manager
Create an OpenPGP Key Pair and Revocation Certificate
There are two methods for creating an OpenPGP key pair and revocation certificate - using either the Enigmail Setup Wizard, or manually creating them from the command line. The easier Enigmail method is outlined below, but the manual creation of stronger keys from the command line is recommended for high risk users.
Enigmail Setup Wizard
1. Start the Enigmail Setup Wizard.
After returning to the main Thunderbird window, click the "hamburger" icon that has the 3 horizontal bars towards the upper right corner.
Then, hover the mouse over "Preferences" and click "Menu Bar" when the next menu appears.
Figure: Menu Bar
A menu bar will now appear towards the top of the Thunderbird window. In the menu bar, click "Enigmail" and then click "Setup Wizard."
Figure: Enigmail Setup Wizard
2. Create the OpenPGP key pair.
The Enigmail Setup Wizard will start running. On the next screen, click the circle next to "I prefer an extended configuration" and then click the "Next" button.
Figure: Extended Enigmail Configuration
Next, a prompt will appear to either create a GPG keypair or use an existing one.
Click the circle next to "I want to create a new key pair for signing and encrypting my email" and then click the "Next" button.
Figure: Create a New Key Pair
In the next window that appears, a prompt will appear to create a passphrase for the GPG private key.
|This passphrase should be long and random! You will need this passphrase to sign messages with GPG or to decrypt messages sent to you.|
With a strong passphrase, if the machine is ever compromised and someone steals the GPG Secret Key, this provides an extra layer of protection to prevent the attacker from being able to easily decrypt emails sent to you, or to impersonate you by signing emails with the GPG key.
Type an appropriately secure and random passphrase into the fields under "Passphrase" and "Please confirm your passphrase by typing it again." Then, click on the "Next" button.
Optional: Create a new entry in KeePassX to store the GPG passphrase and manually enter the passphrase into the new entry. Then, save the KeePassX database. This will be useful if the GPG passphrase is forgotten. 
Figure: GPG Private Key Passphrase
At this point, Enigmail will begin creating the new GPG key pair. When it finishes, click the "Create Revocation Certificate" button.
Figure: Create a Revocation Certificate
3. Create the revocation certificate.
A prompt will now appear to enter the passphrase created in the last step. Paste the GPG passphrase from KeePassX (or enter it manually) in the "Passphrase" field and click the "OK" button.
Figure: Enter the GPG Passphrase
The next window will ask where the GPG Revocation Certificate should be stored.
Click on "user" in the left column. Next, replace the spaces and parentheses signs with periods in the default filename for the GPG Revocation Certificate. The spaces and parentheses signs in the default name can make a step later in this guide trickier. Finally, click the "Save" button.
Figure: Store the Revocation Certificate
Next, a message will inform that the GPG revocation certificate was successfully created. Click the "OK" button.
Figure: Certificate Creation Confirmation
After returning to the "Key Creation" window, click the "Next" button.
Figure: Finalize the Procedure
The next window will state that Enigmail is now ready to use. Click the "Finish" button.
Figure: Enigmail Success
4. Encrypt and store the revocation certificate.
The revocation certificate will now be encrypted and stored in the persistent storage directory. The GPG revocation certificate can be used to revoke the public encryption key that is added to key servers, even if access to the GPG Secret Key is lost or the password is forgotten.
If an attacker accesses the GPG revocation certificate, they can revoke the keys. Encrypting the GPG revocation certificate with a passphrase that is easily remembered will protect against an attacker using it to revoke the keys (if they manage to steal the revocation certificate).
Open up a Konsole / Terminal session to get a command prompt.
- In non-Qubes-Whonix:
Click the "K" start button->
- In Qubes-Whonix:
Click the "Q" taskbar button->
Figure: Open a Terminal
When the terminal window opens, create a directory to store the encrypted GPG revocation key in the persistent storage folder. Run the following commands.
mkdir storage mkdir storage/gpg-revoke
To encrypt the revocation certificate, in the command below, replace "RevocationCertificateFileName" with the name of the revocation certificate. Type.
gpg --cipher-algo AES256 --symmetric RevocationCertificateFileName
A prompt will appear to "Enter passphrase." Choose a strong passphrase and enter it into the passphrase field, then click the "OK" button.
|This passphrase should be strong and unique! Do not re-use passphrases for multiple functions, activities or accounts.|
If the revocation certificate ever needs to be used, then this passphrase is first used to decrypt it.
Optional: Create a new entry in KeePassX to store the GPG revocation certificate passphrase and manually enter the passphrase into the new entry. Then, save the KeePassX database. This will be useful in case the passphrase is forgotten.
Figure: Passphrase Prompt
A prompt will appear, asking for the passphrase to be re-entered. Type it again into the passphrase field and click the "OK" button.
Figure: Passphrase Confirmation
Note: If an error appears that states.
gpg: error creating passphrase: invalid passphrase
Then a typo was made somewhere in the last two steps. Start over from the earlier step "Encrypt the revocation certificate."
If no error messages appear and the user is returned to the command prompt, type.
mv *.gpg storage/gpg-revoke
In the future, if the revocation key is ever needed, decrypt it by typing.
gpg -o RevocationCertificateFilename.asc -d \~/storage/gpg-revoke/RevocationCertificateFilename.gpg
5. Shred the unencrypted revocation certificate.
Remove the unencrypted revocation certificate that is sitting in the home folder.
sudo shred --remove RevocationCertificateFileName
Type exit to close the terminal and return to Thunderbird.
Manual Creation from the Command Line
Advanced users should follow these instructions.
Configure Final Thunderbird Preferences
1. Edit the final Thunderbird preferences.
Navigate to the main Thunderbird window, then
Click on "Edit" ->
Figure: Thunderbird Preferences
In the window that appears, click the "Advanced" tab. Uncheck the box next to "Enable Global Search and Indexer." This will save disk space. Next, click the "Return Receipts" button.
Figure: Enable Global Search and Indexer
In the next window that appears, mark the circle next to "Never send a return receipt." Then, click the "OK" button.
Figure: Disable Return Receipts
After returning to the "Thunderbird Preferences" window, click the "Data Choices" tab. Then, uncheck the box next to "Enable Crash Reporter."
Figure: Disable Crash Reporter
Next, click the "Privacy" button. Then, uncheck the boxes next to "Remember websites and links I've visited" and "Accept cookies from sites." Then, click the "close" button.
Figure: Modify Privacy Settings
2. Change settings that were not addressed by the Enigmail Setup Wizard.
On the main Thunderbird window, click on
Figure: Thunderbird Account Settings
In the window that appears:
- Click on "OpenPGP Security" in the left column.
- Check the boxes next to "Encrypt messages by default" and "Sign encrypted messages."
- Uncheck the box next to "Use PGP/MIME by default."
- Click the "Enigmail Preferences" button. 
Figure: OpenPGP Options
In the "Sending" tab of the "Enigmail Preferences" window, click the circle next to "Manual encryption settings." Then click the circle next to "Always" under "Confirm before sending" and click the "OK" button.
Figure: Set Manual Encryption Settings
When returned to the "OpenPGP Options" window, click the "OK" button.
Figure: Settings Confirmation
3. Configure Enigmail Key Management.
In the menu bar,
Click on Enigmail ->
Figure: Enigmail Key Management
In the Key Management window that opens, your key is in bold and the key imported for Sukhbir Singh is also visible. Click on
Search for Keys.
Figure: Key Search
Search for GPG keys
The next window that appears enables a search for GPG keys hosted on public GPG key servers. It is possible to search for GPG keys by e-mail address, a short key ID or an individual's public GPG fingerprint.
This step starts a search for the key belong to email@example.com based on its public GPG fingerprint. Paste.
In the field next to "Search for key" and click the "OK" button.
Figure: Fingerprint Key Search
|Always search with the long fingerprint of a GPG key in the key manager - short or even long key IDs can be forged. . The results are more secure and work more often. Everyone who shares a public GPG key should share a long fingerprint.|
In the next window that appears, an entry for "firstname.lastname@example.org" with a Key ID of "237F796B" should be displayed with a check mark next to it. Click the "OK" button to import the key.
Figure: Key Importation
A window should appear stating that the key for "email@example.com" was successfully imported.
It is not a problem that the e-mail address is different than the "firstname.lastname@example.org" listed above when importing the key. Multiple e-mail addresses can be used with a GPG public key.
"Anonguide@bitmessage.ch" is simply an older e-mail address associated with the key. The important aspect to note is the finger print, which should appear as:
6422 2A88 D257 3091 0C47 A904 BD80 83C5 237F 796B
Click the "OK" button to continue.
|If the fingerprint is different than what is shown above, delete the key for the "anonguide" e-mail address in the key manager and start over from the "Enigmail Key Management" step.|
Figure: Key Importation Confirmation
|Important: It is critical to verify any GPG public key that is added to the keyring with a fingerprint provided by the person you intend to communicate with.|
It is important to realize that anyone can add a GPG public key to a key server and claim to belong to a certain email account. Consider the following attack vector:
- An attacker is monitoring an email account through surveillance.
- An encryption key is mistakenly used that was created to falsely correspond to the intended recipient of communications.
- The attacker is now able to read the user's email.
Import Public Keys from Websites
On occasion, the GPG public key of an intended email recipient is not located on a key server, but a public key block is hosted on a website.
To import these keys into Thunderbird:
- Copy the public key from the website to the clipboard.
- Navigate to the Enigmail key management program:
- Import the keys:
Import Keys from Clipboard
Alternate Key Server Methods
There are two alternatives for interacting with key servers:
- KGpg: To fetch contacts' GPG keys from the key server, open KGpg and navigate to Key Server Dialog. Search for relevant email addresses and import the keys.
- GPG command line: searching, fetching and importing keys from key servers from the command line is relatively simple.
Note: Enigmail's keyserver interaction features previously did not work out of the box.   With these instructions, it should no longer be necessary to apply manual settings following a restart of Thunderbird in order to interact with key servers.    
Export the Public Key to a GPG Server
Right-click on the entry for the email address and click "Upload Public Keys to Keyserver."
Figure: Upload Public Keys
A progress meter will then appear. If the upload is successful, no confirmation message will be received.
Figure: Upload Progress Meter
To check that the GPG public key was successfully uploaded to the keyserver, do a search for your own key the same way you searched for the key belonging to "email@example.com" in an earlier step.
To inspect the GPG fingerprint:
Right-click on the GPG key ->
Click "Key Properties."
The GPG fingerprint will appear towards the top of the window. Highlight it and then copy it to the clipboard.
To search for it in a manner similar to the earlier step, paste it into the search field and simply remove the spaces between the letters and numbers.
Public GPG Key Signature Block
1. Locate the key's fingerprint.
The following steps configure Thunderbird to inform people about the public GPG key via embedding it in the email signature.
Double-click on the key entry for the vfemail.net (or alternate) email address to open the "Key Properties" window.
Figure: Key Properties
In the window that appears, use the mouse to highlight the text next to "Fingerprint." Then, right-click the highlighted text and click "Copy."
Figure: Copy the Key Fingerprint
When the GPG fingerprint has been copied, click the "Close" button.
Figure: Procedure Confirmation
Now, close the Enigmail Key Management window. Click the "X" in the upper right corner of the window.
Figure: Close Enigmail Key Management
After returning to the main Thunderbird window, click on
Figure: Further Account Settings
2. Create a PGP email signature.
A signature is now created that will be included in all outgoing mail, which contains both the GPG public key ID and the GPG public key fingerprint. In the next window that appears:
- Click in the text field located underneath "Signature text."
- Paste the contents of the clipboard on to two separate lines in the text field.
- On the first line:
- On the second line, type "Fingerprint:" in front of the characters pasted there. This will help enable people who download the GPG public key to verify that it is they key you wish them to use. When finished, click the "OK" button.
Figure: PGP Email Signature Block
Compose and Send Encrypted Email
The first section will test the correct sending of the first encrypted email to firstname.lastname@example.org with Enigmail.
The second section outlines using KGpg instead of Enigmail. This is for users who require a higher level of security for importing private keys and creating ciphertext which can be sent via Thunderbird.   
1. Compose a new email message.
Click the "Write" button located in the upper left region of the window.
Figure: Compose a New Email
A new window will open for you to compose an email message. In the "To" field, type.
In the "Subject" field, type.
Next, type an innocuous message into the message body. Do not go into great detail; a large amount of text is unnecessary.
The point of this email is to test the encryption key and to become familiar with a common encrypted email exchange. Take note of the padlock and pencil icons located towards the upper-left side of the window next to the "Enigmail:" header. These icons should be marked as active by a gray square around them with the padlock closed, which means the message will be signed and encrypted (if you possess a corresponding public key). To the far right of these icons, a status message also informs that the message will be signed and encrypted.
|In this configuration, the subject field is never encrypted, even when the message and attachments are encrypted.  Therefore, be wary of any information entered into in a subject field.|
2. Send the email message.
When the message is ready for sending, click the "Send" button.
Figure: Send an Encrypted Email
A prompt will appear to enter the GPG passphrase. This makes it possible for the message sent to be signed. When a message is signed, this provides a mechanism for the email recipient to be confident that the sender actually wrote the email, and not an impostor. Type the passphrase and click the "OK" button.
Figure: GPG Passphrase Prompt
After typing in the passphrase, a confirmation window will appear asking if a signed and encrypted email should be sent to email@example.com. Take note of the body of the email message under that window. This text should be clearly visible:
-----BEGIN PGP MESSAGE-----
Followed by a series of random characters. This proves the email has been encrypted and it is safe to click the "Send Message" button. However, if the original text of the message is visible, then it is not encrypted and the "Cancel" button should be clicked.
Figure: Email Encryption Confirmation
3. Add a security exception.
The first time an email is sent, an "Add Security Exception" window will next appear (this is expected). The warning appears because the SSL certificate that was received is from vfemail.net (or alternate provider), but Thunderbird is configured to connect to the 344c6kbnjnljjzlz.onion domain.
Click the "Confirm Security Exception" button; this action is not required again in the future.
Figure: Add a Security Exception
4. Resend the email message.
As a result of the issue with the SSL certificate in the last step, the sending of the message will fail. Select the Thunderbird "Write: key test" window from the task bar.
Figure: Select the Key Test Window
Next, click the "OK" button in the "Send Message Error" window that appears.
Figure: Message Failure Notification
After returning to the email composition window, click the "Send" button again.
Figure: Resend the Email
Finally, a prompt will appear to confirm that a signed and encrypted email should be sent. Click the "Send Message" button.
Figure: Send Email Confirmation
Next, a prompt will appear to enter the password for the vfemail.net account. This will happen each time Thunderbird is started and the first email is sent, since the password is not stored by the program. However, once the password is entered, Thunderbird will remember it for the session. The same process applies to receiving email.
When asked to enter the password, copy it from KeePassX (or refer to your physical record), paste it into the password field and click the "OK" button.
Figure: Passphrase Prompt
|Do not use Thunderbird's Password Manager to store the password! Thunderbird does not encrypt stored passwords by default. Thus, if an attacker compromises the machine and manages to access the Thunderbird folder, they will gain the password to the email account.|
After returning to the main Thunderbird window, a new "Sent" folder should appear in the Local Folders on the left side of the window, indicating the email to firstname.lastname@example.org was sent.
Figure: Thunderbird Sent Folder
5. Optional: Send the GPG public key as an attachment.
Sometimes it is necessary to send an email to an address where the GPG public key is not in the keyring. If the GPG public key for the e-mail address cannot be located through a search, it is possible to send them your public key.
After reaching the new mail composition window, the GPG public key can be sent to the recipient as an attachment. Since this message will not be encrypted, click on the padlock icon next to "Enigmail:" so it looks like an open lock. Then, click on the "Attach My Public Key" button before sending the email.
Figure: GPG Public Key Attachment
After composing the message, click the "Send" button.
|Remember that this email is unencrypted. Therefore it could be read if someone intercepts the email at some point. Be wary of what information is shared in an unencrypted email.|
1. Open KGpg and select the recipient key. If selecting more than one key, press
CTRL while clicking.
2. Navigate to:
Open Editor and write the message.
3. Encrypt the message to ciphertext by clicking on the Encrypt lock icon. Choose your private key in the prompt that appears and click
4. Copy the ciphertext into Thunderbird and send it as per normal procedures. Do not include subject lines since they are not encrypted.
Download and Read Encrypted Email
In the near future, the user will want to check if anyone has sent email messages or if a response was received to the test email composed in the previous section.
1. Check for new email messages.
From the main Thunderbird window, click the "Get Messages" icon to check for any new email messages on the server and download them.
Figure: New Email Check
2. Add a security exception.
When first checking for mail on vfemail.net, another "Add Security Exception" window will appear (this is expected). The warning is because the SSL certificate received at an earlier step is from vfemail.net, but the email desktop client is connecting to the 344c6kbnjnljjzlz.onion domain (or alternate .onion address). Click the "Confirm Security Exception" button; this action is not needed again in the future.
Figure: Add a Security Exception
3. Read email messages in the inbox.
After returning to the main Thunderbird window, click the "Get Messages" button again.
Figure: Recheck for New Messages
A prompt will appear to enter the password for the email account. After entering the password, Thunderbird will remember it for the session. When asked to enter the password, copy it from KeePassX (or from physical records), paste it into the password field and click the "OK" button.
Figure: Passphrase Prompt
When new emails are received, a counter will appear next to "Inbox" in the left column. Click on "Inbox" to go to the list of new emails. Then, click the email that you wish to read.
Figure: Thunderbird Inbox
If the message received was encrypted with your public key, the GPG passphrase is needed to decrypt it. If a window like the one in the image below appears, type the GPG passphrase and click the "OK" button.
Figure: GPG Passphrase Prompt
The email will now display in the lower portion of the Thunderbird window. From here, the user has the option of replying, forwarding, deleting, and so on. If a message is read that was sent from email@example.com, the encryption configuration is working correctly.
Figure: Successful Email Decryption
If all steps have been successfully completed then the user now has an anonymous email account paired with strong encryption.
It should be emphasized this wiki entry is not a substitute for an all-inclusive tutorial on the safest way to use GPG/PGP encryption. Numerous advanced resources and expert opinions exist on the Internet, and these can provide additional tips that might better address a user's perceived threat model and circumstances.  However, this tutorial provides a solid foundation that lays down the basic fundamentals of using email encryption.
Finally, always heed the following warnings regarding email:
- E-mail is a very insecure means of communication where anonymity is concerned. A lot of metadata is leaked with e-mail, so it should be used sparingly and only when strictly necessary.
- Do not contact people you know in real life at non-anonymous email addresses with the email account that was created here. Always separate real world identities from online identities used with Whonix.
- Be circumspect about sharing personal information in email! Encrypted email does not protect against the email recipient storing personal emails in an unencrypted format. Nor does encryption protect against an email recipient maliciously using personal information in order to exploit you.
- Never include sensitive information in an email subject line, even if the email is encrypted! Subject headers in email are not encrypted in this configuration, despite the fact the rest of the message is.
- If an email is sent to a recipient without encryption, assume it can be read by anyone!
- Utilize the Tor Onion Service (with the .onion extension) whenever it is made available by the email provider. After first confirming the domain is controlled by the email provider, it will afford greater protection than a clearnet address.
Interested users can refer to the following additional resources on GPG, Enigmail, KGpg, and safe email practices:
- GnuPG documentation
- Enigmail documentation
- KDE upstream KGpg documentation
- openSUSE KGpg documentation
- OpenPGP key distribution strategies
- Best Practices
- KGpg  and GnuPG are pre-installed.
This wiki entry is based on chapter 4.5 of A Beginner Friendly Comprehensive Guide to Installing and Using a Safer Anonymous Operating System, which can be found here. This material has been used with the author's permission. 
- As was the case for RiseUp. Relying on warrant canaries alone is also not recommended, as they have proven ineffective in several cases.
- Similarly, that same information should not be stored on electronic media in the first place, if that is feasible in the circumstances.
- This material is taken directly from the Tor Project wiki.
- TorBirdy sets the Socks Host to 10.152.152.10 and Port to 9102 if the
WHONIXvariable is set, which is the default in /etc/environment since Whonix 0.5.5.
- TorBirdy v2.4 and later work without these modifications.
- Without modifications, Enigmail cannot fetch GPG keys because TorBirdy points to a local proxy running on port 8118, which is not running in the Whonix-Workstation. Prior to TorBirdy v2.4, the modification of the
--keyserver-optionslines allow for the fetching or uploading of GPG keys with Engimail and Thunderbird.
- Or create random diceware passphrases of sufficient length.
- The obvious alternative is to write it down at home and store it in a safe place.
- Alternatively it may be written down.
- Depending on the service provider in use, they may or may not enable TLS/STARTTLS connection security for their Onion domain. The reason is because it is redundant, as end-to-end Tor encryption provides security properties for authenticating to the server. It is best to leave it turned on by default and only disable it if problems arise.
- This is optional because some users may not place trust in the integrity of KeePassX.
- Note this action prevents TorBirdy from encrypting the subject line and references headers, but improves confirmation of email encryption prior to it being sent.
- Due to the threat of collisions, see: https://superuser.com/questions/769452/what-is-a-openpgp-gnupg-key-id
- As it has been made fail closed by TorBirdy developers, otherwise there could be a DNS leak in setups not using Whonix.
- A previous proposal on how to make keyservers in Enigmail in Whonix work out of the box: do not use keyserver-options in Whonix
- Upstream bug report: Can't set custom http-proxy on GnuPG-settings, lost after restart.
- There is no need for this setting in Whonix since Enigmail calls GPG, everything is already torified, and gpg is stream isolated by a uwt wrapper.
- Forum discussion: https://forums.whonix.org/t/gpg-keyservers-from-within-whonix-workstation
- Previous instructions:
Enigmail (from menu bar)->
Display Expert Settings and Menus->
Additional Parameters-> remove the following part
- In the example below, the fingerprint consists of 10 groups of 4 characters. Delete the first six groups, then delete the spaces in between the remaining groups of characters.
- In the example below, that results in
0xE2A4440ABE1DE630.The end result of what is created here is the GPG public key ID. People can enter that into various GPG key servers to find the public key and send you encrypted messages.
- Avoiding Enigmail bypasses any unexpected behavior with message encryption. For instance, in one case bugs in email clients and Enigmail lead to the auto-saving of drafts as plaintext.
- Persons in critical situations may prefer to encrypt emails in such a way to mitigate the risk of leaks.
- The TorBirdy version currently installed supports this feature, but this was deactivated in earlier configuration steps.
- For instance, users at high risk might generate a strong airgapped OpenPGP key pair on the command line for greater security, rather than rely on Enigmail.
- KGpg Homepage, KGpg wiki with screenshot
This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.