In this chapter we’ll configure an email client that will allow you to encrypt your email regardless of your email provider. To save space and reduce unnecessary copy-pasting, this chapter includes a few links to the basic installation guides provided by service providers and software developers.
The choice of Thunderbird as the go-to email client in this discussion is dictated by its availability on pretty much every popular operating system and its consistent behaviour across them. The configuration is exactly the same on Windows, Linux or Mac OS.
One condition required for this setup to work is that your email provider allows you to read your email using IMAP and send it using SMTP. Most email providers allow this by default, so no action is needed from your side. But there are some exceptions.
We might write a chapter on connecting to Microsoft Exchange servers. However, those typically exist in companies and are managed by the internal IT team. It’s better to ask them.
Gmail users should follow this guide to allow the IMAP connection:
Yahoo users could follow this:
Thunderbird, basic configuration
Thunderbird is a free and powerful email client. You can download it here:
or if you’re a Linux user, you can install it using your distribution’s repository.
Due to some legal issues, some distributions (like Debian) offer Thunderbird under the name Icedove.
When you start the program for the first time, Thunderbird will launch the account configuration wizard. These days going through it may be as simple as typing in your email address and password; the rest is detected and configured for you automatically. This is certainly the case for Gmail accounts, be they private accounts or work accounts that live under a different domain than @gmail.com but are still effectively handled by Gmail.
If your account settings are not detected automatically, you need to google “IMAP configuration your email provider” or contact support. The information you need to find is:
- IMAP server name – you use this address to receive email
- IMAP login format – sometimes it’s just the username, sometimes email@example.com, sometimes username+email.domain. Most of the time it will be firstname.lastname@example.org.
- SMTP server name – you use this address to send email
- SMTP login format – usually the same as for IMAP
Click on Manual configuration and the following dialog box appears:
Remember Chapter I, when we talked about existing encrypted channels of communication? This is the moment where you have the opportunity to make sure your channel is encrypted.
The SSL column, with its two drop-downs, is there for exactly that. When you open them, four options appear:
- autodetect – Thunderbird will choose the best option the server offers; if possible, it will choose an encrypted channel (one of the last two in this list)
- NONE – cleartext, unencrypted; if at the end of the configuration this is all your provider offers, change your email provider
- STARTTLS – encrypted
- SSL/TLS – encrypted
The last two are good. They differ in the detailed implementation, time of publishing and the people behind their design, but from our point of view they are both good. Either way, this only protects the channel between you and your provider’s server; encrypting the messages themselves is what Enigmail, below, is for.
Once this is configured, Thunderbird verifies the connection. It may ask you to accept a security certificate. Agree, add an exception if necessary and we’re done. This certificate is necessary for the encrypted channel to be established.
The dialog box will close and Thunderbird will go on downloading your email.
The first time you try to send an email, Thunderbird will show two pop-up windows: one saying that sending failed and one offering you (again) an opportunity to accept a security certificate. Dismiss the failure message, accept the certificate and send again. Thunderbird won’t ask you about it again and every following email will go out without trouble.
You have to accept two certificates because you have in fact connected your Thunderbird to two separate services, IMAP and SMTP. These two do not have to reside on the same server, or even the same continent, so Thunderbird treats the security-related information separately.
IMAP and POP. Most email services offer IMAP and POP connections for incoming email. IMAP is the kind of connection that keeps the server (your account) content and your Thunderbird synchronized. Namely, what you delete in Thunderbird is deleted on the server, and what you keep is kept in both places. POP is (or was originally) a connect-download-and-your-problem-now protocol: Thunderbird would connect to the server and download your messages, and once downloaded the messages would be deleted from the server, so only your local copy would exist. It’s convenient if you work with an email service offering limited disk space. I’m not sure what the latest version of the protocol offers, so I’ll stop now and ask the interested reader to google away.
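Before clicking through a certificate warning it is worth looking at what the server actually presents, so you know whether you are accepting your provider’s certificate or somebody else’s. The script below is an added example and is not part of this chapter; it assumes the openssl command-line tool is installed, and imap.example.org and smtp.example.org are placeholder host names. probe_mail_tls opens the connection the way the two encrypted drop-down options do (SSL/TLS from the first byte, or STARTTLS on a plain port) and tls_verdict reads the transcript and reports whether the certificate chain verified.

```shell
#!/bin/sh
# Added example, not from the chapter: inspect the certificate a mail server
# presents before you accept any "security exception" in Thunderbird.
# Assumes the openssl command-line tool (1.1 or newer, for -verify_hostname).

# probe_mail_tls HOST PORT [PROTOCOL]
#   Without PROTOCOL: the "SSL/TLS" option, TLS from the first byte (IMAP 993,
#   SMTP 465). With PROTOCOL imap|smtp|pop3: the "STARTTLS" option, a plain
#   connection that is upgraded (IMAP 143, SMTP 587). Prints the s_client
#   transcript, which ends with the certificate verification result.
#   Older OpenSSL builds may also need -CAfile pointing at the system CA bundle.
probe_mail_tls() {
    host=$1; port=$2; proto=${3:-}
    if [ -n "$proto" ]; then
        openssl s_client -connect "$host:$port" -servername "$host" \
            -verify_hostname "$host" -starttls "$proto" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" -servername "$host" \
            -verify_hostname "$host" </dev/null 2>/dev/null
    fi
}

# tls_verdict: read an s_client transcript on stdin and print one line:
#   OK <subject>                 chain verified against the system CA store
#   FAIL <code and reason>       the certificate did not verify
#   FAIL no certificate presented  no TLS handshake happened (the "NONE" case,
#                                  or STARTTLS tried on an SSL/TLS port)
tls_verdict() {
    awk '
        /^subject=/             { sub(/^subject=/, ""); subj = $0 }
        /Verify return code:/   { sub(/^[ \t]*Verify return code:[ \t]*/, ""); code = $0 }
        END {
            # s_client prints "Verify return code: 0 (ok)" even when no
            # handshake took place, so an empty subject is the real signal.
            if (subj == "")         print "FAIL no certificate presented"
            else if (code ~ /^0 /)  print "OK " subj
            else                    print "FAIL " code
        }'
}
```

Use it as `probe_mail_tls imap.example.org 993 | tls_verdict` for an SSL/TLS port, or `probe_mail_tls smtp.example.org 587 smtp | tls_verdict` for STARTTLS. A FAIL verdict with a self-signed or hostname-mismatch reason is exactly the situation in which Thunderbird offers you an exception; add it only if your provider has told you to expect that certificate, because anyone sitting between you and the server can present one just like it.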
Enigmail – the encryption toolkit
Someone has already written this part; please follow this guide.
Do not skip the GnuPG installation. This is the actual encryption engine.
A note for Linux users: your encryption engine is installed separately. Before installing Enigmail, you need to install the gnupg2 and gpg-agent packages.
The installation of Enigmail should trigger the configuration of your encryption keys. If that does not happen open the Thunderbird menu and in the section Enigmail, select Key management. This will open a new window, where you need to find a menu entry called Generate and follow the wizard.
When generating keys you will be presented with the option to create a 2048- or a 4096-bit key. The 2048-bit option is typically sufficient for a non-paranoid user. However, it’s worth noting that longer keys are better, although their generation can take a very long time, depending on your computer’s computational abilities and how busy it is at the time of generation.
You will be asked to create a password for your keys. This password is independent from the one you use to log in to your email account. It is generally advised not to reuse that one, and to be inventive. Note that, given the email encryption discussed here, it would be a pity to ruin the whole setup with a password that is easy to guess. Be inventive; exercise your memory. In one of the following chapters we’ll discuss brute-force attacks on passwords a bit, so that you understand how easy it really is to get access to your data when you’re lazy.
We Are Ready… kinda-sorta
OK, so we’ve set up our email client and our email encryption environment. We’ve created our encryption/decryption keys and we’re ready to go.
Can we receive an encrypted email? Yes, we can. No one can send one to us yet. That’s a bit of a bugger.
Can we send an encrypted email? Yes, but to ourselves only. We do not have enough information to do more.
We’ll make this happen in a minute.
But for now you can do an exercise. Compose an email to yourself. Your Write window (hit Ctrl-N or click the Write button in the Thunderbird main window to open it) now has a new menu called Enigmail. Hover the mouse pointer over the buttons to see what they offer.
You’ll see three options:
- encrypt message
- sign message
- attach public key
Select them all. The first option will trigger the email encryption. The second option creates a signature with your private key and attaches it to the email. The third option attaches your public key to the email.
When you click Send, you will be asked for your private key password. Thunderbird needs this password to access your private key and use it to calculate your signature.
Once you’ve sent it, the email will appear in your email list. When you open it you will see the ciphertext (the encrypted version of the email), a notice about a bad signature and, in the menu, a few buttons to handle the email.
Why is the signature bad? When you created your encryption keys, they were not registered with any of the formal Internet authorities (another chapter). In that case it is up to you to approve this signature and accept it as valid for any later emails from this sender. In this particular case you can do it right away; after all, you’ve just sent an email to yourself. My guess is you trust the identity of this sender.
Your public key, which has been attached, will appear in the list of attachments. When you double-click on it, Thunderbird will offer to save this key on your system. No need to do it now; it’s your key, and if you try to save it, Thunderbird will tell you this key is already there.
Click on the button to decrypt the email. Thunderbird should ask you for your private key password. Sometimes it won’t. You might want to dig into your Enigmail settings to find the Timeout option. This option allows you to tell Thunderbird how long it should remember your password. Say you’ve set it to 5 minutes. Once you have entered your password to decrypt an email, or to sign an outgoing one, you are able to repeat either of these for the next 5 minutes without typing the password in again.
Now We Are Ready
All checked; let’s bring our encryption system to life.
If you want your peers to encrypt the email they send to you, send them an email with your signature and your public key attached, but don’t encrypt it. They need to be able to read it easily first. It is their job now to accept your public key and store it in their repository or key list. It is not necessary that they accept the signature.
Ask them to send back their public keys (and possibly signatures). Once you’ve accepted the keys, you’re good to go.
Remember, you can only encrypt an email to a person whose public key is present in your system.
End of Chapter III