GPG in Thunderbird 78+
Thunderbird 78 and newer handles GPG differently from previous versions: previously, the Enigmail extension provided the GPG functionality. Thunderbird now has OpenPGP support built in, so Enigmail is no longer needed and no longer works.
The main implication is that Thunderbird uses its own keystore, so you don't have to enter a passphrase for your key. The good news is that you can, if you want and know what you are doing, use your system GPG (as previously) for private key operations. See the appropriate section below if you want to do that.
We do not want GPG mails to encrypt the subject: those mails are largely non-searchable anyway, and not seeing the subject makes searching for them impossible. Sadly they did not think of this at first, but there is a way to disable it.
Thunderbird Burger Menu -> Preferences -> General (scroll to bottom) -> Config Editor... (on the bottom right, accept risk) -> Search for "mail.identity.default.protectSubject" -> Double click on value column to change from true to false
If you don't have a GPG key already, do the following steps.
See the section "Advanced: Export/Import your private GPG key" later in this document if you want to migrate your GPG key from one setup to another.
- Click on the Thunderbird burger menu, select `Account Settings` and then `End-To-End Encryption` on the left.
- Click on `Add Key`.
- Choose `Create a new OpenPGP Key` and click on `Continue`.
- Choose a key expiry between 1 and 3 years. Do not choose an infinitely valid key.
- Either use ECC as key type or use RSA with at least 4096 bits key size.
- Click on `Generate Key` and confirm on the next page.
If your GPG key is about to expire soon or already expired, follow these steps:
- Click on the Thunderbird burger menu and select `Tools -> OpenPGP Key Manager`.
- Select your own key (marked bold).
- Right-click on it and open the key properties.
- Click on the `Change Expiration Date` button and alter the expiry date.
- Click `Ok` twice and close the OpenPGP Key Manager.
- Upload your changed public key to the keyservers (see below)
You can retrieve our keys from Web Key Directory (WKD) or the
Thunderbird Burger Menu -> Tools -> OpenPGP Key Manager -> Keyserver -> Discover Keys Online.
Alternatively, when you write a mail to a recipient whose key you don't have, Thunderbird lets you search for the key online.
We upload our keys to
First, save your public key in a file.
Thunderbird Burger Menu -> Tools -> OpenPGP Key Manager -> Select your own key (marked bold) -> Right-click and select `Export Keys To File` -> Save it to a location where you want
Now you should have a `.asc` file with your public key.
Follow the instructions in this card to publish it.
When you write a mail, click on the small arrow beneath Security and select "Require Encryption".
Encryption Technology should be OpenPGP (this should be the default).
Now send your mail as usual.
You will see an error if you haven't imported your recipient's key already.
Close the error message, select the recipient in the dialog that appears and click on "Manage keys for selected recipient...". Then click on "Discover new or updated key" and accept the key. Close the dialogs with Ok.
Now you can click on send again and it should work.
The default in Thunderbird 78 and above is to use its own GPG implementation.
This makes the installation easier, especially on Windows and Mac, but also has some disadvantages.
Thunderbird doesn't use the GPG keyring anymore, so GPG on the CLI is separate from GPG in Thunderbird.
Smartcards etc. also don't work, and the private key is not encrypted unless you use a master password in Thunderbird.
But there exists a way in Thunderbird to use the system GPG implementation for private key operations (decrypting and signing).
NOTE: if you do this, you must manage your private key in the CLI.
To configure this, do the following:
- Get your GPG Key ID via this command (it should consist of exactly 16 hexadecimal characters): `gpg --with-colons --list-secret-keys | grep '^sec' | cut -d: -f5`
- Allow the use of external GPG (on Ubuntu 20.04 this should be the default)
Thunderbird Burger Menu -> Preferences -> General (scroll to bottom) -> Config Editor... (on the bottom right, accept risk) -> Search for "mail.openpgp.allow_external_gnupg" -> Double click on the value column to change it from false to true, if it is not already true
- Configure Thunderbird to use the system GPG for private key operations
Thunderbird Burger Menu -> Account Settings -> End-To-End Encryption -> Add Key -> Select `Use your external key through GnuPG (e.g. from a smartcard)` -> Continue -> Enter your Key ID from above -> Save key ID
If you are not asked for your GPG passphrase when signing or decrypting mails after following the steps above, make sure your private key is not imported into Thunderbird but is kept only in the system GPG keyring.
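As an added example that is not part of the original page: a small POSIX shell script that parses the output of the `gpg --with-colons --list-secret-keys` command from the step above and checks the things this page asks for (a 16-hex-character key ID, ECC or RSA with at least 4096 bits, and whether the key is expired or about to expire, see the expiry section above). The listing embedded in it is constructed sample data, so it runs without gpg installed.

```sh
#!/bin/sh
# Added example, not from the original page: parse the output of
#   gpg --with-colons --list-secret-keys
# and check what the page asks for: a 16-hex-digit key ID, ECC or RSA >= 4096, and expiry.
# SAMPLE_LISTING is CONSTRUCTED so the script runs without gpg; for a real check use
# LISTING=$(gpg --with-colons --list-secret-keys) instead.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1600000000:1790000000::u:::scESC:::+:::23::0:
uid:u::::1600000000::HASH::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1600000000:1790000000:::::e:::+:::23:'

# Field 5 of each "sec" line is the long key ID (one line per secret primary key).
key_ids() {
  printf '%s\n' "$1" | grep '^sec:' | cut -d: -f5
}

# Thunderbird expects exactly 16 hexadecimal characters.
valid_key_id() {
  printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{16}$'
}

# Field 3 is the key length, field 4 the algorithm: 1 = RSA, 18/19/22 = ECDH/ECDSA/EdDSA.
# Succeeds for ECC keys, or RSA with at least 4096 bits, as the page recommends.
key_algo_ok() {
  sec=$(printf '%s\n' "$1" | grep '^sec:' | head -n 1)
  bits=$(printf '%s' "$sec" | cut -d: -f3)
  algo=$(printf '%s' "$sec" | cut -d: -f4)
  case "$algo" in
    1)        [ "$bits" -ge 4096 ] ;;
    18|19|22) return 0 ;;
    *)        return 1 ;;
  esac
}

# Field 7 is the expiry in epoch seconds (empty = never). $2 is "now" in epoch seconds,
# e.g. $(date +%s); passing it in keeps the result reproducible.
expiry_status() {
  exp=$(printf '%s\n' "$1" | grep '^sec:' | head -n 1 | cut -d: -f7)
  now=$2
  if [ -z "$exp" ]; then echo never
  elif [ "$exp" -le "$now" ]; then echo expired                  # renew it (see above)
  elif [ $((exp - now)) -lt $((90 * 86400)) ]; then echo expiring  # under 90 days left
  else echo ok
  fi
}
# Stand-alone run over the constructed listing.
for id in $(key_ids "$SAMPLE_LISTING"); do
  valid_key_id "$id" && echo "Key ID for Thunderbird: $id"
done
key_algo_ok "$SAMPLE_LISTING" && echo "algorithm/size: ok"
echo "expiry: $(expiry_status "$SAMPLE_LISTING" "$(date +%s)")"
```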
If you need your private GPG key, you can do the following to export it into a file.
This is necessary, for example, if you migrate your system.
Thunderbird Burger Menu -> Tools -> OpenPGP Key Manager -> File -> Backup Secret Key(s) To File -> Select a secure location (where only you can read) -> Choose a good password to protect your key
Never share your private key with anyone. Always store the secret key in a secure location.
On the new installation:
Thunderbird Burger Menu -> Tools -> OpenPGP Key Manager -> File -> Import Secret Key(s) From File -> Select the backup file created previously -> Click on Continue and enter the password you secured your key file with -> Close all windows