Using GPG/PGP with Ubuntu and Thunderbird

Here is how to set up GPG encryption for emails in Thunderbird on Ubuntu.

Creating a key pair

  • Before starting, create a new entry in KeePass for your GPG key and create a new password. See the Security Guidelines for password policies.

  • Start generating a key by running the following command in your terminal:

    gpg --full-gen-key
    
    • Select the default key type (RSA/RSA)
    • Choose at least 4096 bits for key length.
    • Make your key valid for 5-10 years; do not choose an infinitely valid key.
    • Fill in the remaining info but don't confirm, yet.
    • Copy your password from KeePass to the clipboard, confirm in the Terminal and then paste your password into the popup dialog.
  • You may check which keys will be exported for your e-mail address (we use user@example.com here; change accordingly). If there are old or expired keys among them, delete them.

    gpg --list-keys user@example.com
    
  • Export your public key to the directory the terminal is currently in (remember to use your e-mail address as the argument for the --export switch):

    gpg -a --output firstname.lastname.asc --export user@example.com
    
  • Distribute your public key using a secure medium, so that recipients can be sure it is really yours, to prevent man-in-the-middle attacks.

Importing foreign public keys

  • Use Gnome's integration (open the context menu on a key file)
  • or call gpg --import someone.asc

Thunderbird >= 78

Thunderbird version <78

  • Enigmail allows using GPG/PGP transparently.
    • To install, run sudo apt-get install enigmail on Ubuntu.
    • As a makandra employee, this has been preinstalled for you.
  • Configure Enigmail
    • Add keyserver.ubuntu.com as primary key server.
    • Publish your key to at least keyserver.ubuntu.com.
      • In Thunderbird, you can use the menu "Enigmail" → "Key Management". Right-click on your key and choose "Upload public keys to keyserver".
      • In a terminal, you can use gpg --keyserver keyserver.ubuntu.com --send-keys user@example.com (optionally repeat for other key servers).
    • You may download the public keys of your colleagues (if you don't, you can download missing keys later): Menu "Enigmail" → "Key Management" → Menu "Keyserver" → "Search for keys" → Search for "makandra.de" → Ok → Pick any fitting results and press "Ok"
    • Make sure to disable automatic encryption for all outgoing e-mails. You can opt in to send encrypted e-mails.

About key expiry

Eventually, your key will expire. In that case, you can extend your key's expiry and push an update to the key servers.
We have a separate card on how to do this.
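Checking for expired, soon-to-expire or never-expiring keys before you export or when an expiry is approaching can be scripted against the machine-readable output of gpg --list-keys --with-colons. The following shell script is an added example, not part of the original card; the sample key list it parses is constructed (the key IDs and dates are made up) so that it runs without a keyring:

```shell
#!/bin/sh
# Added example: classify keys from `gpg --list-keys --with-colons` output as
# ok, expiring-soon, expired, revoked, or never-expires (the card advises
# against keys without an expiry date). No gpg call is made here; the parser
# is fed a constructed sample so it runs offline.
#
# Relevant --with-colons fields on a "pub"/"sec" record (1-based):
#   $2 validity (e=expired, r=revoked, u=ultimate, ...), $5 key ID,
#   $6 creation epoch, $7 expiry epoch (empty means the key never expires).

# Usage: check_key_expiry NOW_EPOCH WARN_DAYS < colon-output
# Prints one "KEYID STATUS" line per key.
check_key_expiry() {
    now="$1"
    warn_secs=$(( ${2:-90} * 86400 ))
    awk -F: -v now="$now" -v warn="$warn_secs" '
        $1 == "pub" || $1 == "sec" {
            keyid = $5; valid = $2; expires = $7
            if (valid == "r")                    status = "revoked"
            else if (valid == "e")               status = "expired"
            else if (expires == "")              status = "never-expires"
            else if (expires + 0 <= now + 0)     status = "expired"
            else if (expires + 0 <= now + warn)  status = "expiring-soon"
            else                                 status = "ok"
            print keyid, status
        }'
}

# Constructed sample (not real keys): what `gpg --list-keys --with-colons
# user@example.com` might print for a mailbox that has several keys.
SAMPLE_KEYLIST='tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1600000000:1915360000::u:::scESC::::::23::0:
uid:u::::1600000000::0000000000000000000000000000000000000000::Alice Example <user@example.com>::::::::::0:
pub:e:2048:1:FEDCBA9876543210:1300000000:1400000000::e:::scESC::::::23::0:
uid:e::::1300000000::0000000000000000000000000000000000000000::Alice Example (old) <user@example.com>::::::::::0:
pub:u:4096:1:AAAABBBBCCCCDDDD:1640000000:1705000000::u:::scESC::::::23::0:
uid:u::::1640000000::0000000000000000000000000000000000000000::Alice Example (laptop) <user@example.com>::::::::::0:
pub:u:4096:1:1111222233334444:1650000000:::u:::scESC::::::23::0:
uid:u::::1650000000::0000000000000000000000000000000000000000::Alice Example (no expiry) <user@example.com>::::::::::0:'

# Run against the sample with a fixed "now" (2023-11-14) so the result is
# deterministic. Against a live keyring you would instead run:
#   gpg --list-keys --with-colons | check_key_expiry "$(date +%s)" 90
report_sample() {
    printf '%s\n' "$SAMPLE_KEYLIST" | check_key_expiry 1700000000 90
}
```

Any key reported as expired should be deleted before exporting, and a key reported as expiring-soon is the cue to extend its expiry and re-publish it.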

Transferring keys to a secondary machine

If you use a notebook in addition to your desktop PC, you will want to transfer your key pair.
We have a card for that as well.

Arne Hartherz Over 13 years ago