Using OpenPGP in Thunderbird

OpenPGP is an encryption standard most commonly used in emails.

For more about how OpenPGP works, see these links:

IBM's documentation on public-key cryptography

OpenPGP's website

Using OpenPGP in your communications ensures two things:

1. Nobody else can read your emails (if you keep your computer secure).
   This is useful when we're sharing personal data that shouldn't be seen by anyone else.
2. We can use "digital signatures" to know that our emails have been written by us, and that nobody else has tampered with them.

End-to-end encryption is becoming increasingly important. As of writing, a large-scale attack recently took advantage of the lack of encryption in communications.¹ ² ³ We personally use and recommend OpenPGP wherever possible.

¹ The Verge: "US officials recommend encrypted messaging to evade hackers in telecom networks"

² TechCrunch: "CISA, FBI urge Americans to use encrypted messaging apps to combat Chinese telco hackers"

³ TechRadar: "Should you ditch unencrypted messaging apps? Here's what experts say about the FBI's warning"

Thunderbird supports Windows, Mac, and Linux. It also recently supports Android, however the layout is different and is not covered by this guide.

You'll first need to acquire Thunderbird:

Thunderbird's website

After installing and running Thunderbird, it'll prompt you to "Set Up Your Existing Email Address." Enter the email address and password of your existing email account to add it. There might be additional authentication steps depending on your provider.

Once added, you should be taken to your inbox. You can use your email as you normally would from here, however we also need to set up OpenPGP.

From the inbox screen, right click your email address and press "Settings." Within your Account Settings should be a menu named "End-to-End Encryption."

In this menu, press "Add Key..." and use the "Create a new OpenPGP Key" option. It will prompt you for some additional settings; we use 1-year expiry and RSA 3072, but the defaults will work too.

After confirming key creation, Thunderbird should automatically select this key within the "End-to-End Encryption" menu. A "Publish" button will be next to the key. You'll want to publish your public key so others can send you encrypted emails.

Once this is done, we recommend enabling the following settings within the same "End-to-End Encryption" menu:

• "Enable encryption for new messages" - Automatically encrypts new emails and prompts you to find the recipient's key.
• "Sign unencrypted messages" - Automatically attaches a "digital signature" (.asc) to unencrypted emails upon sending.
• "Attach my public key when adding an OpenPGP digital signature" - Lets the recipient quickly add your public key to send you encrypted emails.
• "Send OpenPGP public key(s) in the email headers for compatibility with Autocrypt" - Similar purpose as last setting.
• "Encrypt the subject of OpenPGP messages" - Email subjects cannot be read by others.
• "Store draft messages in encrypted format" - Draft emails cannot be read by others.

You are still required to use your Invotek secure passphrase to send us confidential information, even when using OpenPGP.

If you have enabled "Enable encryption for new messages", composing a new email will result in a warning: "End-to-end encryption requires resolving key issues for $email." This is because Thunderbird does not have a key stored for that address.

If your recipient hasn't set up OpenPGP, they won't have any keys for you to import. You'll unfortunately have to use plaintext only by disabling "Encrypt" within the compose window.

If your recipient has set up OpenPGP, you can press "Resolve..." in the warning, and Thunderbird will prompt you to "Discover Public Keys Online..." which will find them automatically, or you can "Import Public Keys From File..." if they've given you the public key manually.

After this, you can now send encrypted emails to this recipient with no more set-up required. Congratulations!