(Redirected from TorBirdy)
Mozilla Thunderbird with TorBirdy


You can either use webmail through Tor Browser or Mozilla Thunderbird with TorBirdy.

None of the solutions is perfect. This is not a Whonix related issue. It is a general issue with email over Tor.


Registering the email address anonymously, i.e. not entering personal data and always accessing it over Tor is a must. To avoid messing up, ideally consider using an email provider that you did not previously use non-anonymously.

The email provider is always a single point of failure. If the provider gets pressured, forced or decides not to like your opinion anymore or feels like terminating the service for everyone, the email account can be easily terminated in seconds. This can significantly slow down correspondence. Therefore it is always good to have a few backup email address and alternative communication channels.

You must be careful when receiving attachments. To avoid being infected with malware, open attachments in a virtual machine that has no internet connection.

It is often recommended to use mail encryption (enigmail). Yes, that's good. Use it. Remember, as stated on the Warning page, subjects are always unencrypted. That's not everything however.

Even if subjects are random, hidden, just a dash (-), empty or misleading and the content is encrypted, the email provider can still log valuable data. When and with whom you are in contact, when you logged in, how long, how often you fetch mail. That's quite a lot metadata, which may lead into (false) assumptions by an adversary.

Many webmail services require JavaScript, display web bugs[1] and JavaScript allows them to learn how fast you type, how long you read a message, which spelling mistakes you make and correct as you type, to which address mails are sent, when you receive mails, from which addresses and when. Therefore webmail especially when it requires JavaScript is discouraged. A browser is no safe environment to write stuff. Read more on the Surfing, Posting, Blogging page. The best compromise of usability and security is using Mozilla Thunderbird with TorBirdy with POP3 and SMTP. IMAP is to be avoided, because it leaks more metadata. [2]

Email Provider Comparison[edit]


It has been asked whether I2Pmail is safer than tormail, [3] [4] riseup, gmail and so on. The Threats chapter above states "email is always a single point of failure". It doesn't really matter, apart from privacy by policy, no email provider can significantly improve privacy by design. The most important thing about email providers you should ask about email providers is: Will they tolerate me signing up by Tor and exclusively using the email service over Tor? Will they suspend my email account because I speak against someone and they get forced to suspend my account? The latter question applies more, if you run a project, movement or something like that and less for accounts, which barely anyone knows.

Other than privacy by design, privacy by policy is always a weak protection. An exception might be services, which are not classical email and therefore incompatible, but email alike services such as Usenet (see below), I2P-Bote (see below), RetroShare or Ricochet IM (See Chat).

A few frequently discussed mail providers are described above with some facts. There is no recommendation for or against any mail providers.[edit]

  • Quoted from wikipedia I2P[5]: "I2P has a free pseudonymous email service run by an individual called Postman. Susimail is a web-based email client intended primarily for use with Postman's mail servers, and is designed with security and anonymity in mind. Susimail was created to address privacy concerns in using these servers directly using traditional email clients, such as leaking the user's hostname while communicating with the SMTP server. It is currently included in the default I2P distribution, and can be accessed through the I2P router console web interface. Mail.I2P can contact both I2P email users, via user@mail.I2P and public internet email users from a address."
  • Cleaning the mail header is nice, but TorBirdy can do the same.
  • It is technically impossible to encrypt mails to clearnet addresses [6], unless the sender and recipient are using end-to-end encryption such as OpenPGP.
  • Therefore it is no more/less secure than using riseup, tormail, etc.
  • Even though based on I2P, you can still use it in Whonix over Tor, see I2P for information how to tunnel I2P over Tor.
  • We haven't heard about any email accounts which got suspended. (Well, we don't know about spam abuse, but that's another story.)
  • Things said in the Threats chapter still apply.[edit]

  • Works reliable on mailing lists.
  • Privacy by policy.
  • Tor friendly.
  • Servers hosted in the US.
  • We haven't heard about any email accounts which got suspended. (Well, we don't know about spam abuse, but that's another story.)
  • Things said in the Threats chapter still apply.
  • Doesn't update warrant canary on a fixed, regular basis.
  • "Forgot" to update canary on multiple occasions.
  • likely compromised


  • Mike Hearn from Google addressed this issue on tor-talk[7]:

Access to Google accounts via Tor (or any anonymizing proxy service) is not allowed unless you have established a track record of using those services beforehand. You have several ways to do that:

1) With Tor active, log in via the web and answer a security question, if any is presented. You may need to receive a code on your phone. If you don't have a phone number on the account the access may be denied.

2) Log in via the web without Tor, then activate Tor and log in again WITHOUT clearing cookies. The GAPS cookie on your browser is a large random number that acts as a second factor and will whitelist your access.

Once we see that your account has a track record of being successfully accessed via Tor the security checks are relaxed and you should be able to use TorBirdy.

  • Recommended against. Not Tor friendly. It would be very difficult to sign up using Tor and to exclusively use it over Tor. They most likely ask for phone verification and this is almost impossible to do without jeopardizing anonymity. [8]

Anonymity Friendly Email Provider List[edit]

Another anonymity network provider (JonDos), maintains a list of their recommended email providers. Whonix developer Patrick Schleizer does NOT check this list. Might still be useful. See list (w), look for "Recommended Mail Provider".

Encrypted Email[edit]

The Mozilla Thunderbird email client, together with the add-ons Enigmail and TorBirdy [9] [10] are installed by default in Whonix. If used correctly, they can be used for easy GPG encryption and anonymous (or pseudonymous) email messaging.

A complete set of instructions is now available to:

  • Install the latest TorBirdy plugin for the Thunderbird email desktop client.
  • Create an email account anonymously with a suitable provider via Tor Browser.
  • Setup the new email account: Thunderbird account settings, install necessary extensions (add-ons), and enforce connections to the email provider's Onion Service.
  • Create an OpenPGP encryption key pair and revocation certificate using the Enigmail Setup Wizard.
  • Encrypt and store the revocation certificate securely.
  • Configure Thunderbird preferences for greater security and anonymity.
  • Configure additional OpenPGP preferences via Enigmail.
  • Key management: import GPG public keys.
  • Export the public key to a GPG key server (optional).
  • Prepare an email signature with the public GPG key ID and fingerprint (optional).
  • Compose and send a test encrypted email.
  • Open an encrypted email received in Thunderbird.

Email Alternatives[edit]

Pretty Easy Privacy[edit]

pretty Easy privacy (p≡p) is a pluggable data encryption and verification system, which provides automatic key management and a KeySync protocol (yet being tested, not activated already) to sync private key material across the devices you want to read the same messages on.[11] It is cross-platform, message protocol agnostic and p2p. It exists as plugin for mail clients (Thunderbird and Outlook) on all major desktop systems and also as a mobile app for Android and iOS. Its cryptographic functionality is handled by open source p≡p engine relying on already existing cryptographic implementations in software like GnuPG, a modified version of netpgp (used only in iOS) and (as of p≡p v2.0) GNUnet. A non-transferable copyright cross-licensing agreement has just been concluded to allow distributing of the GNUnet binary as part of pEp under non-GPL licenses on restrictive platforms like the Apple store.[12]

In its default configuration, pEp does not rely on a web of trust or any form of centralized trust infrastructure, but instead lets users verify each others' authenticity by comparing cryptographic fingerprints in the form of natural language strings, which the pEp developers have chosen to call "trustwords". If both sides are using pEp, it automatically uses the anonymous transport provided by GNUnet. With that technology, meta data is no longer readable for an attacker. pEp is fully peer to peer itself. And only you have the keys. However it can inter-operate with legacy mail to secure that whenever applicable (if the intended recipient has a GPG key).[13] The pEp project is guided by a foundation that supports libre software.[14] Enigmail announced its intention to integrate the pEp encryption scheme by October 2016.[15] pEp's code has been audited.[16]

For further information on the project's check their milestones pages.



BitMessage is a P2P asynchronous communications protocol used to send encrypted messages to another person or to many subscribers. The PyBitmessage client is in Python with a Qt GUI. It is decentralized and trustless, meaning that you need-not inherently trust any entities like root certificate authorities. It uses strong self-authenticating Bitcoin style addresses which means that the sender of a message cannot be spoofed. Messages for offline recipients are stored for up to 28 days before being deleted. It relies on Proof-of-Work to prevent spamming. Development of Android clients has stalled. Connecting with a mobile client needs a full node running on a user's PC.

BitMessage hides sender/recipient metadata by broadcasting everybody's messages to everybody, acting as a simple private information retrieval (PIR) system. For the best possible anonymity run it in Whonix.

Some features include subscription support and Chans (Decentralized Mailing Lists) [17] For other use-cases see the Arch wiki on BitMessage.

Bridging services between the BitMessage network and legacy/regular email exist. The most popular is, also available as an onion service. See setup instructions to setup an account then register. Note that GPG needs to be used for confidentiality when communicating with email users. Thunderbird with Enigmail could be configured to use this service (optionally over Tor) for seamless GPG support.

For comparison between it and other open source communications software see the FAQ.

No professional audit has been done for BitMessage to date. While we never condone criminal abuse of technology, its past use by miscreants running a ransomware operation (over Tor) without getting caught, shows that it is somewhat "battle-tested".[18] We hope that dissidents in rogue nations could profit from that experiment.


The following instructions are for compiling/starting BitMessage and upgrading.[19] Bitmessage developers sign their their source code TO-DO: Add instructions to verfy git tags.

sudo apt-get install git python openssl libssl-dev git python-msgpack python-qt4
git clone $HOME/PyBitmessage


To upgrade Bitmessage run the following commands:

cd $HOME/PyBitmessage
git pull

Send Attachments[edit]

While explicitly attaching files is not supported, technically any file can be sent within the message body.[20]

First convert your file with base64 and then copy and paste the contents of the text file.

base64 < binary.file > text.file

Don't forget to include instructions to the receiver how to decode it. In order to decode the file, the recipient can copy and paste the code into file and convert it with this command:

base64 -d < text.file > binary.file

It is not very practical to send large files with BitMessage. Alternatively you can encrypt a file or archive containing a collection with GPG and upload it to un-trusted cloud storage and send recipients the link. Encryption can be done using a contact's public key or with symmetric encryption requiring a password which you send in BitMessage. For GPG symmetric encryption follow this example:

gpg -vv -c --cipher-algo AES256 your-file.tar.gz

Note that you can use the extended output of pwgen (pre-installed in Whonix 14+) for secure passwords.

User Data Back-Up[edit]

To backup the BitMessage profile and all user-generated program data, copy the folder under this path to your shared folder: /home/user/.config/PyBitmessage. Private keys are stored in keys.dat[21] and other data such as inbox contents, contacts and black/white-list info is stored in the messages.dat[22] database file. Copy the folder to this location to restore BitMessage data for new installs.

To maintain separate BitMessage identities, the safest way is to run each with its own BitMessage instance in separate Whonix-Workstations.


Freemail[23] is an email system implemented upon the anonymous data distribution network Freenet. It is most similar to I2P-Bote, another anonymous and distributed email solution.

Like most Freenet plugins, it makes use of an anti-spam mechanism called the Web of Trust[24] to block abusers. Attachment sizes are virtually unlimited. Users would upload files on Freenet and link to them in Freemail messages.

See recommended tips for Freemail.


I2P-Bote is a serverless, encrypted email plugin that uses I2P for anonymity. Messages are stored in the distributed hash table (DHT) for 100 days, during which the recipient is able to download them.

To back up I2P-Bote data, copy the i2pbote folder inside the I2P config directory (~/.i2p/i2pbote on Unix systems or /var/lib/i2p/i2p-config when running as a daemon).

Compartmentalize activities and only use the I2P-Bote/Susimail VM snapshot for this purpose. Generally, applications that run with a browser interface are vulnerable to a whole class of bugs, including cross-site request forgery (CSRF).[25][26]


  • A webmail interface.
  • A user interface translated into 15 languages.
  • One-click creation of email accounts (called email identities).
  • Emails can be sent either under a sender identity or anonymously.
  • 2048-bit ElGamal, 256/521-bit Elliptic Curve and NTRU-1087 encryption.
  • Transparent, automatic encryption and signing without relying on third-party software such as PGP/GnuPG.
  • Sending and receiving via relays with delay periods set by the user, similar to Mixmaster.
  • Theme support.
  • POP3 / IMAP / SMTP.
  • Cc and Bcc support.
  • Delivery confirmation.
  • Attachments.
  • Basic support for short recipient names.
  • Android support (via I2P's Android client).

Planned Features:

  • An outproxy to interoperate with clearnet mail servers.
  • Custom folders.
  • Multi-device identity syncing.
  • Support for short email addresses like myname@bote.i2p
  • HashCash as an anti-spam solution should it become a problem.
  • Lots of other small improvements.

Anonymous Remailers[edit]

Anonymous Remailers are a generation of privacy networks that precede Tor. These are single purpose networks (only support sending email) that use high-latency designs to defeat surveillance. The latest on-going project is the Mixmaster network. While sending one-way messages is relatively straight forward, receiving replies requires registration with a Nymserver and setting up a program to fetch messages from the decentralized Usenet boards.

Footnotes / References[edit]

  2. For example, how long you run your mail client. And saving drafts on the server as you type is not great either.
  3. The Tor Mail service is now offline, as it was hosted on Freedom Hosting which was taken down by the FBI.
  6. Such as gmail, riseup etc.
  8. Because they are also aware of online phone and messaging services and blacklisting the for verification upon knowledge.
  9. TorBirdy Homepage
  10. TorBirdy Source Code


Liberte Linux Philosophy page Copyright (C) 2013 Maxim Kammerer <mk at dee dot su>
Whonix Anonymity wiki page Copyright (C) 2013 - 2018 ENCRYPTED SUPPORT LP <>

This program with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.

Random News:

We are looking for maintainers and developers.

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)