Posted almost 11 years ago. Visible to the public. Linked content. Deprecated.

Using GPG/PGP with Ubuntu and Thunderbird

GPG handling has changed in modern Thunderbird versions.

When transmitting sensitive information, we never send unencrypted e-mails; we use GPG/PGP encryption instead.

Creating a key pair

  • Before starting, create a new entry in KeePass for your GPG key and create a new password. See the Security Guidelines for password policies.

  • Start generating a key by running the following command in your terminal:

    gpg --full-gen-key
    • Select the default key type (RSA/RSA)
    • Choose at least 4096 bits for key length.
    • Make your key valid for 5-10 years; do not choose an infinitely valid key.
    • Fill in the remaining info, but don't confirm yet.
    • Copy your password from KeePass to the clipboard, confirm in the Terminal and then paste your password into the popup dialog.
  • You may check which keys you will be exporting for your e-mail address (we use user@example.com here, change accordingly). If you have old/expired keys in there, delete them.

    gpg --list-keys user@example.com
  • Export your key (remember to use your e-mail address as an argument for the --export switch):

    gpg -a --output your.name.asc --export user@example.com
  • Distribute your public key part using a secure medium to prevent man-in-the-middle attacks.
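
To check that a key matches the settings recommended above (RSA, at least 4096 bits, an expiry date) before exporting it, the following added example (not part of the original card) audits gpg's machine-readable listing. The function name check_key_policy and the sample records are constructed for illustration; it assumes GnuPG 2.x colon output with epoch timestamps.

```shell
#!/bin/sh
# Added example: audits `gpg --list-keys --with-colons` output against this
# card's key policy. Assumes GnuPG 2.x colon records with epoch timestamps:
#   $1 record type, $2 validity, $3 key length, $4 algorithm (1 = RSA),
#   $5 key ID, $6 creation time, $7 expiry time (empty = never expires).

# check_key_policy NOW_EPOCH  (hypothetical helper name)
# Prints one verdict per primary key and subkey; returns 1 on any violation.
check_key_policy() {
    awk -F: -v now="$1" '
    $1 == "pub" || $1 == "sub" {
        p = ""
        if ($4 != 1)                 p = p " not-rsa"
        if ($3 + 0 < 4096)           p = p " short-key"
        if ($7 == "")                p = p " no-expiry"
        else if ($7 + 0 <= now + 0)  p = p " expired"
        if ($2 == "r")               p = p " revoked"
        if (p != "") bad = 1
        print $1, $5 ":" (p == "" ? " ok" : p)
    }
    END { exit bad + 0 }'
}

# Constructed sample listing (not real keys).
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAA1:1700000000:1900000000::u:::scESC:
uid:u::::1700000000::0000::Good User <user@example.com>:
sub:u:4096:1:AAAAAAAAAAAAAAA2:1700000000:1900000000:::::e:
pub:-:2048:1:BBBBBBBBBBBBBBB1:1400000000:::-:::scESC:
pub:e:4096:1:CCCCCCCCCCCCCCC1:1300000000:1500000000::-:::sc:
EOF
}

# Real use:
#   gpg --list-keys --with-colons user@example.com | check_key_policy "$(date +%s)"
if [ "${1:-}" = "--demo" ]; then
    sample_listing | check_key_policy 1750000000
fi
```

Any key flagged here as expired, or an old key that fails the policy, is a candidate for the cleanup mentioned in the list-keys step above.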

Importing foreign public keys

  • Use Gnome's integration (open the context menu on a key file)
  • or call gpg --import someone.asc

Thunderbird integration

  • Enigmail allows using GPG/PGP transparently.
    • To install, run sudo apt-get install enigmail on Ubuntu.
    • As a makandra employee, this has been preinstalled for you.
  • Configure Enigmail
    • Add keyserver.ubuntu.com as primary key server.
    • Publish your key to at least keyserver.ubuntu.com.
      • In Thunderbird, you can use menu "Enigmail" → "Key Management". Right-click on your key and choose "Upload public keys to keyserver".
      • In a terminal, you can use gpg --keyserver keyserver.ubuntu.com --send-keys user@example.com (optionally repeat for other hosts)
    • You may download the public keys of your colleagues (if you don't, you can download missing keys later): Menu "Enigmail" → "Key Management" → Menu "Keyserver" → "Search for keys" → Search for "makandra.de" → Ok → Pick any fitting results and press "Ok"
    • Make sure to disable automatic encryption for all outgoing e-mails. You can opt in to send encrypted e-mails.

About key expiry

Eventually, your key will expire. In that case, you can extend your key's expiry and push an update to the key servers.
We have a separate card on how to do this.

Transferring keys to a secondary machine

If you use a notebook in addition to your desktop PC, you will want to transfer your key pair.
We have a card for that as well.

Owner of this card:

Arne Hartherz
Last edit:
6 days ago
by Henning Koch
Keywords:
linux, create, generate, keygen
Posted by Arne Hartherz to makandra orga