GPG in Thunderbird 78+

Posted About 3 years ago. Visible to the public.

Thunderbird 78 and newer handles GPG differently than previous versions as previously the extension Enigmail was used to handle GPG functionality. Now Thunderbird has GPG built-in, Enigmail is no longer needed and no longer works.

The main implication due to this is that Thunderbird uses its own keystore. Therefore you don't have to enter a passphrase for your key. The good news is that you can, if you want and know what you do, use your system GPG (as previosly) for private key operations. See the appropriate section below, if you want to do that.

Disable encryption of mail subject

We do not want that GPG-mails encrypt the subject because those mails are largly non-searchable anyway, not seeing the subject makes searching for it impossible. Sadly they did not think of this at first, but there is a way, how we can disable it.

Thunderbird Burger Menu
  -> Preferences
    -> General (scroll to bottom)
      -> Config Editor... (on the bottom right, accept risk)
      -> Search for "mail.identity.default.protectSubject"
      -> Double click on value column to change from true to false

Creating a new key pair

If you don't have a GPG key already, do the following steps.
See the section "Advanced: Export/Import your private GPG key" later in this document if you want to migrate your GPG key from one setup to another.

  • Click on the Thunderbird burger menu and select Account Settings.
  • Select End-To-End Encryption on the left.
  • Click on Add Key.
  • Select Create a new OpenPGP Key and click on Continue.
  • Choose a key expiry between 1 and 3 years. Do not choose an infinitely valid key.
  • Either use ECC as key type or use RSA with at least 4096 bits key size.
  • Click Generate Key and confirm on the next page.

Update the expiry date of your existing key

If your GPG key is about to expire soon or already expired, follow these steps:

  • Click on the Thunderbird burger menu and select Tools -> OpenPGP Key Manager.
  • Select your own key (marked bold).
  • Right-click on it and select Key Properties.
  • Cick on the Change Expiration Date-button and alter the expiry date.
  • Click Ok twice and close the OpenPGP Key Manager.
  • Upload your changed public key to the keyservers (see below)

Retrieve public GPG keys from keyserver

You can retrieve our public keys from Web Key Directory (WKD) or the keys.openpgpg.org Show archive.org snapshot keyserver via Thunderbird Burger Menu -> Tools -> OpenPGP Key Manager -> Keyserver -> Discover Keys Online.
Or when you write a mail and you don't have a public key for it, Thunderbird allows you to search for the public key online.

Publish your (updated) public GPG key

We upload our keys to keys.makandra.de Show archive.org snapshot for general lookup and WKD and keyserver.ubuntu.com Show archive.org snapshot .
First, save your public key in a file.

Thunderbird Burger Menu
  -> Tools
  -> OpenPGP Key Manager
  -> Select your own key (marked bold)
  -> Right-click and select `Export Keys To File`
  -> Save it to a location where you want

Now you should have a .asc-file with your public key.
Follow the instructions in this card to publish it.

Send an encrypted mail

When you write a mail, click on the small arrow beneath Security and select "Require Encryption".
Encryption Technology should be OpenPGP (this should be the default).
Now send your mail as usual.

You will see an error, if you haven't imported your receivers key already.
Close the error message, select the receiver in the upcoming dialog and click on "Manage keys for selected recipient...". Then click on "Discover new or updated key" and accept the key. Close the dialogs with Ok.
Now you can click on send again and it should work.

Advanced: Use system GPG for private key operations

The default in Thunderbird 78 and above is to use it's own GPG implementation.
This makes the installation easier especially on Windows and Mac, but also has some disadvantages.
Thunderbird doesn't use the GPG keyring anymore, so GPG at CLI is separated from GPG at Thunderbird.
Smartcards etc. also doesn't work and the private key is not encrypted unless you use a master password in Thunderbird.

But there exists a way in Thunderbird to use the system GPG implementation for private key operations (decrypting and signing).
NOTE: if you do this, you must manage your private key in the CLI.
To configure this, do the following:

  • Get your GPG Key ID via this command: (It should consist of exactly 16 hexadecimal characters.)
gpg --with-colons --list-secret-keys |grep '^sec' |cut -d: -f5
  • Allow the use of external GPG (on Ubuntu 20.04 this should be the default)
Thunderbird Burger Menu
  -> Preferences
    -> General (scroll to bottom)
      -> Editor Config (on the bottom right, accept risk)
      -> Search for "mail.openpgp.allow_external_gnupg"
      -> Double click on value column to change from false to true, if true ist not already set
  • Configure Thunderbird to use the system GPG for private key operations
Thunderbird Burger Menu
  -> Account Settings
    -> End-To-End Encryption
      -> Add Key
        -> Select `Use you external key through GnuPG (e.g. from a smartcard)`
        -> Continue
        -> Enter your Key ID from above
        -> Save key ID

If you don't have to enter your GPG password after you followed the steps above at signing or decrypting mails, make sure your private key is not imported into Thunderbird, but is saved in the system GPG keyring.

Advanced: Export/Import your private GPG key

If you need your private GPG key, you can do the following to export it into a file.
This is e.g. necessary if you migrate your system

Thunderbird Burger Menu
  -> Tools
  -> OpenPGP Key Manager
  -> File -> Backup Secret Key(s) To File
  -> Select a secure location (where only you can read)
  -> Choose a good password to protect your key

Never share your private key with anyone. Use always a secure location to store the secret key.

On the new installation:

Thunderbird Burger Menu
  -> Tools
  -> OpenPGP Key Manager
  -> File -> Import Secret Key(s) From File
  -> Select the backup file created previously
  -> Click on Continue and enter the password you secured your key file with
  -> Close all windows
Alexander Krabler
Last edit
About 2 years ago
Simon Hofmann
License
Source code in this card is licensed under the MIT License.
Posted by Alexander Krabler to makandra orga (2021-03-15 09:14)