Using GPG/PGP with Ubuntu and Thunderbird


Here is how to set up GPG encryption for emails in Thunderbird on Ubuntu.

Creating a key pair

  • Before starting, create a new entry in KeePass for your GPG key and create a new password. See the Security Guidelines for password policies.

  • Start generating a key by running the following command in your terminal:

    gpg --full-gen-key
    
    • Select the default key type (RSA/RSA)
    • Choose at least 4096 bits for key length.
    • Make your key valid for 5-10 years; do not choose an infinitely valid key.
    • Fill in the remaining info but don't confirm yet.
    • Copy your password from KeePass to the clipboard, confirm in the Terminal and then paste your password into the popup dialog.
  • You may check which keys you will be exporting for your e-mail address (we use user@example.com here, change accordingly). If you have old/expired keys in there, delete them.

    gpg --list-keys user@example.com
    
  • Export your public key to the directory your terminal is currently in (remember to use your e-mail address as the argument for the --export switch):

    gpg -a --output firstname.lastname.asc --export user@example.com
    
  • Distribute your public key over a secure medium, so recipients can be sure the key really is yours; this prevents man-in-the-middle attacks.
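
The check in the "list your keys" step (and the expiry concern further down) can be automated. The following is an added example, not code from the card: it parses the machine-readable output of gpg --list-keys --with-colons user@example.com and flags keys that are expired, never expire, or are RSA keys shorter than 4096 bits. The listing, key IDs and fingerprints are constructed placeholders.

```python
# Added example (not from the card): audit what `gpg --list-keys --with-colons
# user@example.com` reports, so old/expired or weak keys are caught before export.
from dataclasses import dataclass
from typing import Optional
MIN_RSA_BITS = 4096  # the card asks for at least 4096 bits

@dataclass
class Key:
    keyid: str
    algo: int               # 1 = RSA in gpg's colon format
    bits: int
    expires: Optional[int]  # seconds since epoch; None = never expires
    validity: str           # gpg validity letter, 'e' = expired
    fingerprint: str = ""

    def problems(self, now):
        out = []
        if self.validity == "e" or (self.expires is not None and self.expires < now):
            out.append("expired")
        if self.expires is None:
            out.append("never expires")  # the card says: no infinitely valid key
        if self.algo == 1 and self.bits < MIN_RSA_BITS:
            out.append(f"RSA key only {self.bits} bits")
        return out

def parse_colon_listing(text):
    """One Key per primary 'pub' record; field layout follows gpg's doc/DETAILS."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append(Key(f[4], int(f[3]), int(f[2]), int(f[6]) if f[6] else None, f[1]))
        elif f[0] == "fpr" and keys and not keys[-1].fingerprint:
            keys[-1].fingerprint = f[9]  # first fpr after pub is the primary key's
    return keys

def audit(listing, now):
    """Return {fingerprint: [problems]} for time `now` (epoch seconds); [] = passes."""
    return {k.fingerprint: k.problems(now) for k in parse_colon_listing(listing)}

# Constructed sample: an expired 2048-bit key from 2010 and a current 4096-bit key
# valid until 2030. Key IDs and fingerprints are placeholders, not real keys.
SAMPLE_LISTING = """\
pub:e:2048:1:1111111111111111:1262304000:1577836800::-:::sc::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
sub:e:2048:1:2222222222222222:1262304000:1577836800:::::e::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
pub:u:4096:1:3333333333333333:1672531200:1893456000::u:::scESC::::::23::0:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333:
"""
```

Run it against real output with `gpg --list-keys --with-colons user@example.com | python3 -c 'import sys, time, audit_keys; print(audit_keys.audit(sys.stdin.read(), time.time()))'`, assuming you saved the block as audit_keys.py.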

Importing foreign public keys

  • Use Gnome's integration (open the context menu on a key file)
  • or call gpg --import someone.asc

Thunderbird >= 78

Thunderbird version <78

  • Enigmail allows using GPG/PGP transparently.
    • To install, run sudo apt-get install enigmail on Ubuntu.
    • As a makandra employee, this has been preinstalled for you.
  • Configure Enigmail
    • Add keyserver.ubuntu.com as primary key server.
    • Publish your key to at least keyserver.ubuntu.com.
      • In Thunderbird, you can use menu "Enigmail" → "Key Management". Right-click on your key and choose "Upload public keys to keyserver".
      • In a terminal, you can use gpg --keyserver keyserver.ubuntu.com --send-keys user@example.com (optionally repeat for other hosts)
    • You may download the public keys of your colleagues (if you don't, you can download missing keys later): Menu "Enigmail" → "Key Management" → Menu "Keyserver" → "Search for keys" → Search for "makandra.de" → Ok → Pick any fitting results and press "Ok"
    • Make sure to disable automatic encryption for all outgoing e-mails. You can still opt in to encryption for individual e-mails.

About key expiry

Eventually, your key will expire. In that case, you can extend your key's expiry and push an update to the key servers.
We have a separate card on how to do this.

Transferring keys to a secondary machine

If you use a notebook in addition to your desktop PC, you will want to transfer your key pair.
We have a card for that as well.

Author: Arne Hartherz
Last edit: Jonas Schiele
Keywords: linux, create, generate, keygen
License: Source code in this card is licensed under the MIT License.
Posted by Arne Hartherz to makandra orga (2011-01-10 11:25)