Encrypting email with Thunderbird

Here we show you how to easily use OpenPGP with Enigmail to encrypt and decrypt mail and to verify the authenticity of mail you receive.

Want to enhance your email security by learning how to use OpenPGP with Thunderbird? This short primer gets you started in no time encrypting and decrypting emails and verifying that the emails you receive are from the people you expect them to be from.

Read up on email encryption to learn more about this fascinating topic.

Install Enigmail and Run the OpenPGP Setup Wizard

  1. If you haven’t done so already, generate an OpenPGP key pair
  2. Download Enigmail. Linux users – It’s best to download and install the extension to get the latest one, rather than using one provided by your package manager, which is likely outdated. Thunderbird will automatically install updates to Enigmail in the future.
  3. Navigate to Tools → Add-ons
  4. Press the Install… button
  5. Navigate to the Enigmail .xpi file and select Open. Enigmail will then install.
  6. Restart Thunderbird if necessary
  7. Navigate to the new top-menu entry OpenPGP → Setup Wizard
  8. Select Yes and hit Next
  9. Choose whether you want to set up OpenPGP for all identities or just for select identities, if you’ve created more than one identity in Thunderbird. If you have multiple identities, choosing to set up OpenPGP for all identities will use one key for all of them.
  10. Choose whether you want to sign all of your outgoing emails. Signing does not encrypt emails; it places your digital signature on your outgoing emails so that others can verify that you sent them. It is recommended not to sign all of your outgoing emails, as doing so strongly links everything you send out via unencrypted email directly to you. It’s best just to encrypt your emails to everyone you know who supports encryption.
  11. Choose whether you want to encrypt all of your outgoing emails by default. This is not recommended as it is cumbersome if your recipient doesn’t support encryption. You can set up encryption rules later on, which will enable you to always send encrypted emails under conditions you determine.
  12. Choose to make some changes recommended by OpenPGP. These are technical configuration changes in Thunderbird that streamline the OpenPGP process and avoid configurations that cause breakage. They are all safe changes, though they do change functionality in some cases, most notably by disabling the composing of HTML messages.
  13. Either create a key if you haven’t done so already, or select an existing key to use. If you have multiple keys and/or multiple identities, you may have to make some manual changes later to associate the right key with the right identity.
  14. Review the proposed changes and hit Next
  15. If there are no errors, OpenPGP is ready to use. Hit Finish.

Setup OpenPGP Rules

In Thunderbird, the Enigmail extension lets you set up rules which Thunderbird will use to automate who will or will not receive encrypted emails from you.

The rule system is pretty powerful and can create a wide array of possible options. This guide will create a rule to always send encrypted email to a specific email address (or multiple email addresses) and operates under the assumption that your emails are unencrypted by default. However, the rule system appears to be powerful enough that if the majority of your contacts use OpenPGP encryption, you can encrypt by default and create a rule that sends unencrypted emails to contacts you have that don’t support encryption.

  1. Navigate to OpenPGP → Edit Per-Recipient Rules
  2. Click the Add button on the upper right.
  3. Enter the email address(es) at the top, separated by spaces if matching multiple email addresses, and choose is exactly if matching exact addresses; or enter matching terms and choose the appropriate matching method. The available matching methods are: is exactly, Contains, Starts with, and Ends with
  4. Choose the Action to be applied upon matching the rule. For this example, choose Use the following OpenPGP keys: and press the Select Key(s)… button. In the box that pops up from that button, select the OpenPGP key for the person to whom you’re sending email. If you don’t have their public key, press the Download missing keys button, which will search the key servers for the email(s) you entered in the matching box.
  5. Change Encryption in the Defaults for … section to Always and leave Signing and PGP/MIME as Yes, if selected in Message Composition.
  6. Press the OK button when you’ve completed the configuration of the rule.

You are now ready to send OpenPGP (GPG) emails to any recipient via Thunderbird and to automatically enable encryption for the chosen recipient in the rule you just created.


We received this email about this help page:

Riseup Question: Encrypting email with Thunderbird, can anyone please specify how to select the cipher, so as to ensure AES 256 SHA512, instead of the 3DES MD5 settings that come as the default in Thunderbird?

As you know MD5 and SHA1 (hash) have been broken and weak ciphers shouldn’t be used anymore. Thanks for your help or assistance. 

While I know how to do this for linux, I have no idea how to do this for windoze or mac os. It’d be good to add instructions for all three.
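
One way to set the algorithm preferences asked about above, as an added example that is not part of the original page. Enigmail calls GnuPG, which reads these options from gpg.conf; the usual locations (~/.gnupg/gpg.conf on Linux and Mac OS, %APPDATA%\gnupg\gpg.conf on Windows) are assumptions about a default install.

```conf
# gpg.conf (added example; adjust the path for your platform)

# Symmetric ciphers GnuPG should prefer when encrypting, strongest first.
# OpenPGP (RFC 4880) always treats 3DES as an implicit last-resort cipher,
# so it cannot be removed, only ranked below everything listed here.
personal-cipher-preferences AES256 AES192 AES

# Hash algorithms GnuPG should prefer when signing messages.
personal-digest-preferences SHA512 SHA384 SHA256

# Compression algorithms, in order of preference.
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed

# Hash used when certifying (signing) other people's keys.
cert-digest-algo SHA512

# Preferences written into keys generated from now on, so that
# correspondents' software knows what to use when writing to you.
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
```

GnuPG still has to pick an algorithm that the recipient's key advertises, so these settings express an order of preference rather than a guarantee. To change the preferences stored in a key you already have, use setpref inside gpg --edit-key and then save.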