Monday, June 9, 2014

Simple Email Encryption: GPG/PGP Encryption with Mozilla Thunderbird and Enigmail


This is an introduction to the use of GPG/PGP encryption with Mozilla Thunderbird and Enigmail. You can use Enigmail to secure email transferred between you and another person without sharing a password. This will protect your message from interception by corporations and the government. Encrypting email will also protect it if it is stored on compromised platforms like Gmail, Hotmail, Yahoo, etc.


This blog will cover the following topics:
  • Installing and Configuring Thunderbird and Enigmail
  • Create your private key
  • Export your private key
  • Export your public key
  • Import a friend's public key
  • Decrypt and verify an email
  • Encrypt and sign an email

Installing and Configuring Thunderbird and Enigmail

1. Install Mozilla Thunderbird.
2. Install Enigmail prerequisites (GnuPG/OpenPGP)
    a. Option 1 (MS Windows): Install Cryptophane (Howto, Video)
        Note: Follow the instructions below to create your private key, which is stronger than the private key Cryptophane creates by default.
    b. Option 2 (MS Windows): Install GnuPG (Howto)
    c. Option 3 (Mac OSX): Install MacGPG (Howto)
3. Install and Configure Enigmail
    a. Open Thunderbird
    b. On the top right hand of the Thunderbird window click the properties button and choose Add-ons.
    c. Search for Enigmail and click Install.
    d. Click Restart Now.
    e. Close the Add-ons Manager.
    Note: If the Configuration Wizard opens click Cancel.
    f. Click the Properties button, choose OpenPGP and click on Preferences.
    g. On the OpenPGP alert click OK twice.
    h. Put a tick on the right side of Override and then click browse.
    i. Browse to the OpenPGP installation folder and click Open and then click OK.

Create a Private Key

1. Start Thunderbird.
2. Click the Properties button, choose OpenPGP and click on Key Management.
3. Click Generate, New Key Pair.
4. Add a strong passphrase and click Generate Key.
5. When the confirmation window opens click Generate Key.
    Note: It will take a moment for the private key to be generated (watch the green bar at the bottom of the window).
6. On the confirmation window click on Generate Certificate to create the revocation certificate.
7. Save the revocation certificate:
        a. Click on Documents
        b. Create a folder called PGP Keys
        c. Add the user's first and last name to the file name; in this case I added the name Jonno Galt to the front of the default file name.
        d. Click Save.
8. Type your password and click OK.
9. Read the Alert and click OK.

Export a Private Key

1. Start Thunderbird.
2. Click the Properties button, choose OpenPGP and click on Key Management.
3. Put a tick beside Display All Keys by Default.
    Note: You can now see your private key and the private key's Key ID (used to identify the key).
4. Right click on your private key and choose Export Keys to File.
5. Click on Export Secret Keys.
6. Click Save.
7. On the alert, click OK.
8. Close the OpenPGP Key Management window.

Export a Public Key

1. Start Thunderbird.
2. Click the Properties button, choose OpenPGP and click on Key Management.
3. Right click on your private key and choose Export Keys to File.
4. Click on Export Public Keys Only.
5. Click Save.
6. On the alert, click OK.
7. Close the OpenPGP Key Management window.
8. Open a new email, attach your public key and send it to your friend.
    Note: Your friend will now be able to encrypt messages and send them to you without having to know your password.

Import a Friend's Public Key

1. If a friend sends you their public key, save it to Documents > PGP Keys.
2. Click the Properties button, choose OpenPGP and click on Key Management.
3. Click File, Import Keys from File.
4. Choose the public key you just saved from the previous step and click Open.
5. Review the alert and click OK.
6. Right click on the newly imported public key and choose Set Owner Trust.
7. Choose I trust fully and click OK.
    Note: Only choose “I trust fully” if you have verified the Key ID with the key owner. The Key ID is an 8 character hexadecimal number which will look something like either 0F8CC153 or 0x0F8CC153.
8. Right click on the newly imported public key and choose Sign Key.
9. Review the key to be signed (your friend's public key – confirm the Key ID) and which key you will sign it with (your private key), indicate how well you have confirmed the identity of the owner of the key, and click OK.
    Note: You can choose Local Signature if you DO NOT want to make the key exportable.
10. Close the OpenPGP Key Management window.
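
The Key ID checked in steps 7 and 9 is the tail of the key's longer fingerprint. The following Python sketch is an added example, not part of the original post: it derives a version 4 fingerprint and the 8-character Key ID from a public-key packet as defined in RFC 4880, then compares a value read out by the key owner against the imported key. The function names and the sample key material are constructed for illustration. Because an 8-character Key ID covers only 32 of the fingerprint's 160 bits, the check reports a Key ID match separately from a full fingerprint match.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Version 4 public-key packet body: version, creation time, algorithm 1 (RSA), n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length and the body."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()

def normalize(hex_id: str) -> str:
    """Accept '0F8CC153', '0x0F8CC153' or a spaced fingerprint; return bare upper-case hex."""
    cleaned = "".join(hex_id.split()).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not cleaned or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError(f"not a hex key ID or fingerprint: {hex_id!r}")
    return cleaned

def short_key_id(fingerprint: str) -> str:
    """The 8-character Key ID is the last 32 bits of the fingerprint."""
    return normalize(fingerprint)[-8:]

def verify_key(imported_fpr: str, stated_by_owner: str) -> str:
    """Compare the value the key owner gave you against the imported key's fingerprint."""
    imported, stated = normalize(imported_fpr), normalize(stated_by_owner)
    if len(stated) == 40:
        return "fingerprint match" if stated == imported else "MISMATCH"
    if len(stated) in (8, 16):
        return "key ID match only" if imported.endswith(stated) else "MISMATCH"
    raise ValueError("expected 8, 16 or 40 hex characters")

# Constructed sample key material (not a real RSA key), for illustration only.
SAMPLE_BODY = rsa_public_key_body(1402272000, int("C3" * 128, 16), 65537)
SAMPLE_FPR = v4_fingerprint(SAMPLE_BODY)

if __name__ == "__main__":
    print("fingerprint:", SAMPLE_FPR)
    print("key ID     : 0x" + short_key_id(SAMPLE_FPR))
    print(verify_key(SAMPLE_FPR, "0x" + short_key_id(SAMPLE_FPR)))
    print(verify_key(SAMPLE_FPR, SAMPLE_FPR))
```
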

Decrypt and Verify an Email

1. Start Thunderbird.
2. Click on an encrypted message.
3. Enter the password to your private key and you will be able to see the contents of the encrypted message.
4. If the message has been signed you should see a green bar at the top of the message. The green bar means that the message is signed by your friend's private key (you can verify the message is from them) and it also means that the message was not tampered with en route.

Encrypt and Sign an Email

1. Start Thunderbird.
2. Either press SHIFT and click Write, or press SHIFT and click Reply (both will allow you to write an encrypted message)
3. If prompted, enter the password for your private key and click OK.
4. Type your message.
5. Click the OpenPGP button, choose Sign Message and Encrypted Message and click OK.
6. Click Send.
    Note: You may be prompted for the password for your private key because you are signing the message with your private key. Signing your message proves the message's authenticity and allows the recipient to know if the message has been tampered with en route.

These basic skills will allow you to quickly send encrypted messages to your friends and family.
