Encrypting everything online is becoming more important by the day. Email is no different. For Linux users, the process is actually very simple with three common open source tools: Mozilla Thunderbird, Enigmail, and GNU Privacy Guard (GPG). Through the use of these three tools, you can send and receive encrypted messages easily, and protect yourself and the people you’re communicating with from attackers and privacy invasions.
Gathering The Pieces
The first thing that you will need in order to begin encrypting your emails is GPG. Since GPG is part of the GNU Project and is a common tool for generating encryption keys, it’s likely to be in any distro’s repositories. Use your package manager to install it.
$ sudo apt install gnupg2
# yum/dnf -y install gnupg2
Thunderbird is also very popular. It is easily among the top email clients on Linux. You will also be able to install it directly from the repositories without a hassle.
Debian Jessie and Earlier
# apt install icedove
$ sudo apt install thunderbird
# yum/dnf -y install thunderbird
Enigmail is an add-on for Thunderbird. It is available through the official Thunderbird add-on repositories. To install it, open up the menu in Thunderbird. It’s the three stacked lines on the upper right side of the screen. After you click it, a menu will open up. Towards the top, select “Add-ons.” It should have a green puzzle piece next to it. This will take you to the add-on repository. In the search box on the upper right of the page, type in, “Enigmail,” and press “Enter.” Enigmail should be the first item in the search results. Install it.
Set Up Your Key Pair
With everything in place, you can set up your key pair so that you can begin to encrypt your emails. Enigmail is the side of the triangle that makes this super easy. Enigmail is designed to make email encryption accessible through Thunderbird, so there isn’t any lengthy configuration or need to memorize commands. Just follow the prompts, and you’ll be set.
You should have been prompted to restart Thunderbird after installing Enigmail, but if you weren’t, do that now. Otherwise, it won’t be available.
On the very top menu of Thunderbird, find “Enigmail.” Click on it. Then click “Setup Wizard.” This is the easiest way to get set up with Enigmail. It will open up a new window with a series of options. The first one should already be selected. That one should read, “I prefer a standard configuration.” Leave it selected, and click “Next.”
The next window that you will be presented with will ask you to select the email address that you wish to create a key pair for and to choose a password for your private key. Don’t go through all of this trouble to set up email encryption just to select password1234 as your “secure” passphrase. Make sure you use one that’s actually strong. Click “Next” to start the generation of your key. It will take time. Make sure to do a variety of different things while the key is generating. This will help to build entropy.
After the key has finished generating, you will see an option on the screen to create a revocation certificate. Click on it. You will be prompted to input the password that you set for your private key. Then, you will be asked where you want to store your revocation certificate. It’s a good idea to make sure that you will always have a copy of this certificate. Exactly how you do this is up to you. If you know that your home directory is backed up by a cron job, you might want to create a directory in your home directory specifically for GPG-related items and place it there. DVDs and USB sticks that are only used for archival purposes are also a good option. Keeping multiple copies can work too; just make sure that you store the certificate someplace where you won’t accidentally use or delete it.
Once your revocation certificate is safely stored away, you can click “Next” again. You will see one last screen telling you that you successfully created your key. Click on “Finish.” You officially have a key pair for your email account!
Sending and Receiving GPG Encrypted Email
Before you can send or receive encrypted email, you need to exchange public keys with the people that you want to communicate with. That means that you can’t send encrypted email to someone who isn’t also using encryption. The easiest way to handle this with people that you know is to send them your key and ask for theirs in return.
When you write new emails in Thunderbird with Enigmail installed and your key set up, there will be an Enigmail menu at the top of the composition window. Write them an email explaining that you’re using email encryption and click the button on the Enigmail menu labeled, “Attach My Public Key.” Your key will be included in your message.
Hopefully, the recipient of the email wants to continue emailing using encryption. In that case, they will send you their public key. If that happens, you’ll need to import it. To do so, right click on the key attached to their message. Select “Import OpenPGP Key.” Thunderbird will ask you again for confirmation, and import the key. You can now send and receive encrypted emails with this individual.
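A key that arrives by email is only as trustworthy as the email itself, so it is worth comparing its fingerprint with one your contact confirms over another channel before importing it. The script below is an added example, not part of the original guide: it reads the machine-readable listing that `gpg --show-keys --with-colons their-key.asc` prints and checks the primary key fingerprint and validity flag. The function names, the file name and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a received public key against a fingerprint that the
# contact confirmed out of band. Input on stdin is a colon-format listing,
# for example from:  gpg --show-keys --with-colons their-key.asc
# Prints match / mismatch / unusable / no-key; returns 0 only for "match".
check_key() {
    # Normalise the fingerprint as read out: drop spaces, upper-case the hex.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$expected" '
        # Field 2 of the pub record is the validity flag of the primary key.
        $1 == "pub" { validity = $2; seen_pub = 1; next }
        # The first fpr record after pub is the primary key fingerprint;
        # later fpr records belong to subkeys and are ignored.
        $1 == "fpr" && seen_pub && fpr == "" { fpr = $10 }
        END {
            if (fpr == "")             { print "no-key";   exit 2 }
            if (fpr != want)           { print "mismatch"; exit 1 }
            # e = expired, r = revoked, d = disabled, i = invalid
            if (validity ~ /^[erdi]$/) { print "unusable"; exit 1 }
            print "match"
        }'
}

# Constructed sample listing (not a real key).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sub:-:4096:1:76543210FEDCBA98:1500000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}

# Demo: the fingerprint as a contact might read it over the phone.
sample_listing | check_key "0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567"
```

Only import the key in Thunderbird when the check prints "match"; a subkey fingerprint or a revoked or expired primary key is rejected.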
To compose a new encrypted email, click the write button to start composing a new email. On the top of the new message, you will find the Enigmail toolbar. Click on the lock icon to encrypt the message. Click the pen icon to sign it as well. You no longer need to attach your key, since the recipient already has it. You’re now able to compose the message like you normally would and send it.
Receiving encrypted email is very simple. When a message comes in, you can open it like you normally would. Before displaying the message, Thunderbird will request the password that you created for your private key. Enter it, and the message will be decrypted. You will have to decrypt the email every time you close and re-open Thunderbird.
You’re now ready to start using GPG encrypted email with Thunderbird. With the ever-increasing need to protect your privacy online, encrypted email is an invaluable tool.
Stay tuned for future guides concerning some of the deeper aspects of using encryption with Thunderbird.