*About this Encrypted Email with Thunderbird* Page**
Support Status	stable
Difficulty	medium
Contributor	tempest ^[archive]
Support	Support

Mozilla Thunderbird Icon

Part of this wiki page on the topic of OpenPGP encryption is outdated. This is due to the enigmail extension recently becoming unavailable. OpenPGP encryption functionality is now built-in Thunderbird ^[archive]. Documentation is yet to be updated. Contributions are welcome.

Credits[edit]

Gratitude is expressed to tempest for permission to use this material for the Whonix ™ wiki documentation. ^[1] This material forms chapter 4.6 of A Beginner Friendly Comprehensive Guide to Installing and Using a Safer Anonymous Operating System, which can be found here ^[archive]. Minor editorial changes have been made to the source material, along with additional Qubes-Whonix ™ steps and wiki / external references where appropriate.

Introduction[edit]

Due to the complexity of software in the past, one of the most underutilized forms of protection for users is email encryption. However, it is now easier to take advantage of encrypted email via the use of Thunderbird (Mozilla's email client), which includes a graphical front-end for using the GnuPG ("GPG") encryption program.

Thunderbird in Whonix ™ comes with anonymity, privacy and security settings pre-configuration through the pre-installed anon-apps-config ^[archive] package. ^[2] ^[3]

Legacy notes for existing users:

TorBirdy extension: No longer required in Whonix ™. ^[2]
Enigmail extension: No longer available. OpenPGP encryption functionality is now built-in Thunderbird. ^[4]

It is estimated that within 10 to 15 years, Quantum Computers will break today's common asymmetric public-key cryptography algorithms used for web encryption (https), e-mail encryption (GnuPG...), SSH and other purposes. See Post-Quantum Cryptography (PQCrypto).

The following guide provides a higher security and privacy standard than relying upon online services such as ProtonMail or Lavabit, that promise "encrypted email" in transit or storage. Online systems can still be broken by an attacker capable of exploiting JavaScript flaws or undermining certificate authorities that provide encryption certificates for websites; see Webmail. Further, online providers can be hacked or coerced by adversaries to provide access for extended periods.

To minimize these risks and improve security, the following guide uses a suitable Desktop Email Client instead of webmail, paired with strong, end-to-end encryption that protects the contents so it can only be read by the intended recipient. Further, a strong encryption key-pair is created so the user has strict control over the private key, which is stored securely. Keep in mind this method does not make email infallible -- advanced adversaries can easily penetrate Internet-facing endpoints of targets with today's cutting-edge surveillance and offensive systems. Also, mistakes or poor security practices on behalf of the email recipient can inadvertently lead to disclosures of plaintext.

Tip: If possible, critical information that is of high value should not traverse computer networks at all, or even risk exposure to Internet-facing computers. ^[5] High-risk users might also consider combining the use of OneTime or a Physical One Time Pad with email encryption for even greater security, and creating an airgapped OpenPGP key pair rather than relying on Thunderbird as per these instructions.

Overview[edit]

The following guide provides steps to:

Install the Thunderbird email client.
Create an email account anonymously with a suitable provider via Tor Browser.
Store the login credentials in KeePassXC ^[archive] (optional). ^[6]
Setup the new email account: Thunderbird account settings, install necessary extensions (add-ons), and enforce connections to the email provider's Onion Service.
Create an OpenPGP encryption key pair and revocation certificate using the Thunderbird Setup Wizard.
Encrypt and store the revocation certificate securely.
Configure Thunderbird preferences for greater security and anonymity.
Configure additional OpenPGP preferences.
Key management: import GPG public keys.
Export the public key to a GPG key server (optional).
Prepare an email signature with the public GPG key ID and fingerprint (optional).
Compose and send a test encrypted email to danwin1210.me
Open an encrypted email received in Thunderbird.

Warnings[edit]

Due to email's design, it is a very insecure system where privacy and anonymity are concerned. Use it sparingly, and only with great discipline and caution.

Operational security is imperative to maintain the integrity of properly encrypted email. Consider the following scenarios which would allow an adversary access to the plaintext or other metadata that might help deanonymize a user:

Even if all email sent to a recipient is encrypted, if the recipient fails to encrypt the email response, then adversaries will be able to read the message and likely a quote of the original one sent.
The names of email recipients cannot be encrypted and are therefore visible to adversaries. The subject line and references email header will also be visible in the following configuration.
There are several different types of metadata ^[archive] that can be harvested from email, depending on how it is used. Therefore, users must be careful when relying on email for sensitive communications.

Glossary[edit]

Terms that are commonly used in reference to email encryption are outlined below.

Table: Email Encryption Terms ^[7]

Term	Description
Key Pair	A pair of asymmetric keys, commonly known as public and private keys.
Public Key	The half of a key pair that is distributed publicly and used for encrypting.
Private Key	The half of a key pair that is kept secret, and is used for decryption.
Key Server	A server or website used for the distribution and verification of public keys.
Integrity	A verification that the enclosed contents have not been tampered with in transit.
Confidentiality	A verification that the enclosed contents are unreadable, except for the intended recipient.
Authentication	A verification that the person who is sending / signing is who they say they are.
Non-repudiation	Assurance that nobody, including the author, can dispute the origin of the message itself.
Asymmetric Keys	Commonly referred to as a 'keypair'. It is two separate keys: one public, one private.
Symmetric Keys	Symmetric encryption depends on using a password to encrypt the single key used for both encryption and decryption.

Warning: Unless otherwise instructed to do so, manual installation of packages should be avoided, even trusted ones.^[8] To install software users should prefer the APT secure package manager. For more information on this, See: Installing Software Best Practices.

Install the Thunderbird Email Client[edit]

For users that would like to learn more about Thunderbird refer to the official support page ^[archive]. However, modifications should not be made to Thunderbird unless you know what you are doing.

The Thunderbird email client can be installed from the konsole using APT secure package manager.

In Whonix-Workstation ™ (whonix-ws-16 TemplateVM Qubes-Whonix ™) konsole, run.

sudo apt install thunderbird

sudo apt install thunderbird

Note: If the following output appears Thunderbird is already installed and no further action is needed.

Reading package lists... Done
Building dependency tree       
Reading state information... Done
thunderbird is already the newest version.

Create a New Email Account with Tor Browser[edit]

Choose an Appropriate Email Provider[edit]

First and foremost, there are multiple email providers that users can choose from. For the purpose of this tutorial, danwin1210.me is used as an example. This is not an endorsement for danwin1210.me, nor are they necessarily the most secure or private email provider available. Refer to the list of Onion Service Providers for possible alternatives.

At the time of writing, danwin1210.me is one of the few free and reliable email providers offering POP3 email access through an .onion address, which does not require additional verification details to register an account. You will have 25MB of disk space available for your emails. For more details regarding the features and offerings of danwin1210.me, visit http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion/mail/index.php ^[archive]. If used properly with GPG encryption, this onion email service will provide the user with strong anonymity and privacy.

If problems are experienced with danwin1210.me, refer to the list of providers by The Tor Project ^[archive], Whonix ™ or JonDonym ^[archive].

Never forget this is an Onion Service which means there is no way of determining who is running it. If GPG is not used to encrypt email and/or the recipient of email does not encrypt it either, it can be easily read by the email service provider, random computers on the internet that relay a sent email message, or anyone else who manages to gain access to the account!

Anonymous Registration[edit]

It is critical to create a new email account anonymously with Tor Browser. In Whonix-Workstation ™ (Qubes-Whonix ™: anon-whonix), launch Tor Browser via the icon on the toolbar (Non-Qubes-Whonix ™) or via the Qube Manager (or widget).

When Tor Browser opens, type.

http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion/mail/
postfixadmin/register.php

http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion/mail/
postfixadmin/register.php

Into the URL bar to navigate to the danwin1210.me Onion Service web page.

Figure: danwin1210.me Onion Service

If using another email provider, navigate to the respective registration page, create the new account, use KeePassXC to generate a password for it, ^[9] and continue from the Setup the New Email Account section.

Finalize Registration[edit]

1. Create an email account name and password for the mail provider.

When creating an account and password do not use identifying or familiar data in either! Also consider the principles for stronger passwords and the option of lengthy Diceware passphrases.

When the page opens, open up KeePassXC and create an account and password entry for your new email account. Alternatively, write it down at home and store it in a safe place.
When finished creating your password in KeePassXC, type the email name you wish to use in the field under "Username."
Copy the password you created in KeePassXC and paste it into the fields under "Password" and "Password (again)."
Check the box next to "I have read and agreed to the Privacy Policy."
Finally, click on the "Add Mailbox" button.

Figure: Email Registration

After the page reloads, a new email account name and password can be created.

2. Confirm successful creation of the anonymous account.

If the account was created, the page will reload and you will see a message informing you that "the mail box [YourEmail]@tt3j2x4k5ycaa5zt.onion has been added to the mailbox table" at the top of the page.

Figure: Account Confirmation

3. Close Tor Browser

Once the email account is created, Tor Browser can be closed.

Setup the New Email Account[edit]

1. Open Thunderbird.

Non-Qubes-Whonix: Click the blue "K" start button → Select "Mail Client"
Qubes-Whonix ™: Click the blue "Q" button → Click on anon-whonix → Select "Thunderbird"

Figure: Thunderbird Email Client (Non-Qubes-Whonix)

2. Set up the Email Account.

IMPORTANT NOTE: Never use Thunderbird to save the email account password! Thunderbird does not store passwords in an encrypted format. Therefore, if Whonix-Workstation ™ (anon-whonix) is compromised in the future, an attacker may be able to gain access to the email account if they view Thunderbird's unencrypted password storage file.

The first window that will appear upon running Thunderbird for the first time will prompt you to "Set Up an Existing Email Account." Follow these steps:

Type the alias that you wish to use in the field next to "Your name." This will appear next to your email address in emails you send to others.
Type the danwin1210.me email address you just created into the field next to "Email address." In the example below, it is "youranonemail@danwin1210.me" or "youranonemail@danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion"
Finally, uncheck "remember password" and click the "Continue" button.

Figure: Email Account Set Up

3. Configure the danwin1210.me Hidden Server (Onion Service)

In the next window, you need to configure Thunderbird to connect to the hidden server of danwin1210.me. The fields you need to change are highlighted in red.

Type danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion in the field next to "Server Name."
Type the user name you chose earlier into the field next to "User Name."
Click the pull down window next to "Connect security" and choose "None."
Uncheck the box next to "Leave messages on server."
Check the box next to "Empty Trash on Exit" and continue to the next step.

Note: The lack of "connection security" simply means that Thunderbird will not use SSL or STARTTLS to encrypt your password when it is sent to the mail server. This does not matter in this instance because the mail server is a Tor Onion hidden service. All communications to Tor's ".onion" domains are encrypted. Therefore, your password is not transmitted insecurely.

Figure: Server Configuration

4. Configure Thunderbird folders.

Click on "Copies and Folders" in the left column. Each option to change is highlighted in red in the figure below:

In the pull down menu next to "Sent Folder on", select "Local Folders."
In the pull down menu next to "Archives Folder on", select "Local Folders."
In the pull down menu next to "Drafts Folder on", select "Local Folders."
In the pull down menu next to "Templates Folder on", select "Local Folders."
Check the box next to "Show confirmation dialog when messages are saved."

Figure: Folder Configuration

5. Empty Thunderbird trash on exit.

Click on "Local Folders" in the left column. Then, check the box next to "Empty trash on exit."

Figure: Empty Local Folders

6. Configure the outgoing server.

Click on "Outgoing Server (SMTP)" in the left column. Then, click on the "Edit" button.

Figure: Outgoing Server Configuration

In the next window that appears:

Type danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion (or alternative .onion) in the field next to "Server Name."
Click on the pulldown menu next to "Connection security" and select "None." ^[10]
Type the complete email address into the field next to "User Name."
Set the number in the field next to "Port" to "25."
Click the "OK" button.

Note: The lack of "connection security" simply means that Thunderbird will not use SSL or STARTTLS to encrypt your password when it is sent to the mail server. This does not matter in this instance because the mail server is a Tor Onion hidden service. All commonunications to Tor's ".onion" domains are encrypted. Therefore, your password is not transmitted insecurely.

Figure: Onionized Server Configuration

7. Confirm settings and exit.

After returning to the "Account Settings" window, click the "OK" button.

Figure: Confirm Settings

Create an OpenPGP Key Pair and Revocation Certificate[edit]

There are two methods for creating an OpenPGP key pair and revocation certificate -- using either the Thunderbird OpenPGP Setup Wizard, or manually creating them from the command line. The easier Thunderbird OpenPGP method is outlined below, but the manual creation of stronger keys from the command line is recommended for advanced users or those at high risk.

Launch OpenPGP Setup Wizard[edit]

TODO: document

Create an OpenPGP Key Pair[edit]

1. Access Thunderbird OpenPGP extended configuration options.

After the Thunderbird OpenPGP Setup Wizard starts, on the next screen click the circle next to "I prefer an extended configuration" and then click the "Next" button.

Figure: Extended Thunderbird OpenPGP Configuration

TODO: screenshot

2. Create a new key pair.

Next, a prompt will appear to either create a GPG keypair or use an existing one.

Click the circle next to "I want to create a new key pair for signing and encrypting my email" and then click the "Next" button.

Figure: Create a New Key Pair

TODO: screenshot

3. Create a strong passphrase for the key pair.

In the next window that appears, a prompt will appear to create a passphrase for the GPG private key.

This passphrase should be long and random! You will need this passphrase to sign messages with GPG or to decrypt messages sent to you.

With a strong passphrase, if the machine is ever compromised and someone steals the GPG secret key, this provides an extra layer of protection to prevent the attacker from being able to easily decrypt emails sent to you, or to impersonate you by signing emails with the GPG key.

Type an appropriately secure and random passphrase into the fields under "Passphrase" and "Please confirm your passphrase by typing it again."
Then, click on the "Next" button.
Optionally create a new entry in KeePassXC to store the GPG passphrase and manually enter the passphrase into the new entry. Then, save the KeePassXC database. This will be useful if the GPG passphrase is forgotten. ^[11]

Figure: New Key Pair Dialog

TODO: screenshot

4. Wait for the key pair creation process to finish.

A window will appear that shows the progress of your key creation. Move your mouse or browse the web in order to speed up the process if needed.

Figure: New Key Pair Creation

TODO: screenshot

5. Finalize the procedure.

A notice will appear once the process has finished.

Figure: Successful Key Pair Creation

TODO: screenshot

Click the "Close" button and you will see that the progress bar for your key pair generation has reached it's end point. Click the "Next" button.

Figure: Complete the Procedure

TODO: screenshot

Create and Store a Revocation Certificate[edit]

1. Create a revocation certificate.

After Thunderbird has finished creating the new GPG key pair, click the "Create Revocation Certificate" button.

Figure: Create a Revocation Certificate

TODO: screenshot

2. Enter the passphrase.

A prompt will now appear to enter the passphrase created in the last step. Paste the GPG passphrase from KeePassXC (or enter it manually) into the "Passphrase" field and click the "OK" button.

Figure: Enter the GPG Passphrase

TODO: screenshot

3. Choose the location for the revocation certificate.

The next window will ask where the GPG revocation certificate should be stored.

Click on "Home" in the left column. Next, replace the spaces and parentheses signs with periods in the default filename for the GPG revocation certificate. The spaces and parentheses signs in the default name can make a step later in this guide trickier. Finally, click the "Save" button.

Figure: Store the Revocation Certificate

TODO: screenshot

4. Confirm the certificate was created.

Next, a message will inform that the GPG revocation certificate was successfully created. Click the "OK" button.

Figure: Certificate Creation Confirmation

TODO: screenshot

Go back to the Thunderbird OpenPGP Setup Wizard window and click the "Next" button.

Figure: Continue to Thunderbird OpenPGP Final Steps

TODO: screenshot

6. Upload the public key to a keyserver.

The next window will prompt to upload the public key to a keyserver. Click the box next to "Upload to the global OpenPGP keyservers" and then click the "Next" button.

Figure: Upload Public Key

TODO: screenshot

7. Finalize the Thunderbird OpenPGP procedure.

The next window will inform you that OpenPGP is now ready to use. Click the "Finish" button.

Figure: Finalize OpenPGP Procedure

TODO: screenshot

Encrypt the Revocation Certificate[edit]

The revocation certificate will now be encrypted and stored in the persistent storage directory. The GPG revocation certificate can be used to revoke the public encryption key that is added to key servers, even if access to the GPG secret key is lost or the password is forgotten.

If an attacker accesses the GPG revocation certificate, they can revoke the keys. Encrypting the GPG revocation certificate with a passphrase that is easily remembered will protect against this action.

1. Open up a Konsole / Terminal session to get a command prompt.

Non-Qubes-Whonix: Click the "K" start button → Click "Terminal"
Qubes-Whonix ™: Click the "Q" taskbar button → anon-whonix → Konsole

Figure: Open a Terminal (Non-Qubes-Whonix)

2. Create a storage location.

When the terminal window opens, create a directory in the persistent storage folder to store the encrypted GPG revocation key. Run the following commands.

mkdir storage
mkdir storage/gpg-revoke

mkdir storage
mkdir storage/gpg-revoke

3. Encrypt the revocation certificate.

In the command below, replace "RevocationCertificateFileName" with the actual name of the revocation certificate. Type.

gpg --cipher-algo AES256 --symmetric RevocationCertificateFileName

gpg --cipher-algo AES256 --symmetric RevocationCertificateFileName

A prompt will appear to "Enter passphrase." Choose a strong passphrase and enter it into the passphrase field, then click the "OK" button. Also consider creating a new entry in KeePassXC to store the GPG revocation certificate passphrase (manually enter the passphrase into the new entry, then save the KeePassXC database). ^[12]

Figure: Passphrase Prompt

TODO: screenshot

A prompt will appear, asking for the passphrase to be re-entered. Type it again into the passphrase field and click the "OK" button.

Figure: Passphrase Confirmation

TODO: screenshot

This passphrase should be strong and unique! Do not re-use passphrases for multiple functions, activities or accounts. If the revocation certificate ever needs to be used, then this passphrase is first used to decrypt it.

Note: If an error appears that states.

gpg: error creating passphrase: invalid passphrase

Then a typo was made somewhere in the last two steps - start over from the beginning of this section.

4. Move the revocation certificate.

If no error messages appear and the user is returned to the command prompt, type.

mv *.gpg storage/gpg-revoke

mv *.gpg storage/gpg-revoke

And press Enter.

5. Test decryption of the revocation key.

In the future, if the revocation key is ever needed, decrypt it by typing.

gpg -o RevocationCertificateFilename.asc -d \~/storage/gpg-revoke/RevocationCertificateFilename.gpg

gpg -o RevocationCertificateFilename.asc -d \~/storage/gpg-revoke/RevocationCertificateFilename.gpg

6. Shred the unencrypted revocation certificate that is sitting in the home folder.

sudo shred --remove RevocationCertificateFileName

sudo shred --remove RevocationCertificateFileName

Type exit to close the terminal and return to Thunderbird.

Final Thunderbird Preferences and Settings[edit]

General Thunderbird Preferences[edit]

1. Set the Menu Bar.

Return to the main Thunderbird window.
Click on the button with the 3 horizontal lines ("hamburger icon") toward the upper-right corner of the Thunderbird window.
Hover the mouse pointer over "Preferences."
When the next context menu appears, check the box next to "Menu Bar."

Figure: Thunderbird Menu Bar

2. Access Thunderbird preferences.

In the menu bar, click on "Edit" and then click "Preferences."

Figure: Thunderbird Preferences

3. Disable search and indexing functions.

In the window that appears, click the "Advanced" tab.
Uncheck the box next to "Enable Global Search and Indexer" (this will save disk space).
Click on the "Return Receipts" button.

Figure: Disable Global Search and Indexer

4. Disable the return receipt function.

In the next window that appears, mark the circle next to "Never send a return receipt." Then, click the "OK" button.

Figure: Disable Return Receipts

5. Disable the crash reporter.

After returning to the "Thunderbird Preferences" window, click the "Data Choices" tab. Then, uncheck the box next to "Enable Crash Reporter."

Figure: Disable Crash Reporter

6. Disable website history.

Next, click the "Privacy" button. Then, uncheck the box next to "Remember websites and links I've visited" and click the "close" button.

Figure: Modify Privacy Settings

Additional Settings[edit]

Some further changes are required that were unaddressed by Thunderbird OpenPGP Setup Wizard.

1. Modify OpenPGP settings.

On the main Thunderbird window, click on Edit → Account Settings

Figure: Thunderbird Account Settings

In the window that appears:

Click on "OpenPGP Security" in the left column.
Check the boxes next to "Encrypt messages by default" and "Sign encrypted messages."
Uncheck the box next to "Use PGP/MIME by default."
Click the "Thunderbird OpenPGP Preferences" button.

Figure: OpenPGP Options

2. Enforce manual encryption.

In the "Sending" tab of the "Thunderbird OpenPGP Preferences" window, click the circle next to "Manual encryption settings." Then click the circle next to "Always" under "Confirm before sending" and click the "OK" button.

Figure: Set Manual Encryption Settings

TODO: screenshot

After returning to the "OpenPGP Options" window, click the "OK" button.

Figure: Settings Confirmation

Thunderbird OpenPGP Key Management[edit]

Secret Keys[edit]

Thunderbird got more complicated since version 78 when Thunderbird built-in OpenPGP and deprecated enigmail. It has now its own key management independent from system installed gpg.

The user might have success enabling external (system) gpg as per:

https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards#Allow_the_use_of_external_GnuPG ^[archive]

Otherwise you'd need to import your secret key into Thunderbird.

Thunderbird -> Tools -> OpenPGP Key Manager -> File -> Import Secret Keys From File

Search for and Import GPG Keys[edit]

1. Navigate to the key management section of Thunderbird.

In the menu bar, Click on OpenPGP → Key management

Figure: Thunderbird OpenPGP Key Management

TODO: screenshot

2. Search for keys with a keyserver.

In the Key Management window that opens, your key is in bold. Click on Keyserver → Search for Keys

Figure: Key Search

TODO: screenshot

The next window that appears enables a search for GPG keys hosted on public GPG key servers. It is possible to search for GPG keys by email address, a short key ID or an individual's public GPG fingerprint.

This step starts a search for the key belong to anonguide@danwin1210.me based on its public GPG fingerprint. Paste.

81934E7B83E89CFD8C25F3D67FBD040886EC5FE0

81934E7B83E89CFD8C25F3D67FBD040886EC5FE0

In the field next to "Search for key" and click the "OK" button.

Figure: Fingerprint Key Search

TODO: screenshot

Always search with the long fingerprint of a GPG key in the key manager -- short or even long key IDs can be forged. ^[13]. The results are more secure and work more often. Everyone who shares a public GPG key should share a long fingerprint.

3. Import the desired key(s).

In the next window that appears, an entry for "anonguide@vfemail.net" with a Key ID starting with "81934E7B" should be displayed with a check mark next to it. Click the "OK" button to import the key.

Figure: Key Importation

TODO: screenshot

A window should appear stating that the key for "anonguide@danwin1210.me" was successfully imported.

When importing the key, it is not a problem that the email address is different from the "anonguide@vfemail.net" one listed above. Multiple email addresses can be used with a GPG public key.

"Anonguide@vfemail.net" is simply an older email address associated with the key. The important aspect to note is the fingerprint, which should appear as:

8193 4E7B 83E8 9CFD 8C25
F3D6 7FBD 0408 86EC 5FE0

Click the "OK" button to continue.

If the fingerprint is different than what is shown above, delete the key for the "anonguide" email address in the key manager and start over from the beginning of this section.

Figure: Key Importation Confirmation

TODO: screenshot

Important: It is critical to verify any GPG public key that is added to the keyring with a fingerprint provided by the person you intend to communicate with.

Always remember that anyone can add a GPG public key to a key server and claim to belong to a certain email account. Consider the following attack vector:

An attacker is monitoring an email account through surveillance.
An encryption key is mistakenly used that was created to falsely correspond to the intended recipient of communications.
The attacker is now able to read the user's email.

Add User ID to Key Properties[edit]

In this section an additional account is added to your GPG key. This is necessary due to the fact that the "danwin1210.me" email service also allows emails to be sent to and from its .onion domain, which is a good feature. Therefore, these steps add your email address with the .onion domain to the same GPG key. This makes it easier for software used by others to automatically select your GPG public key when sending an email to one of your addresses.

1. Open the "Key Properties" window.

Double-click on the key entry for the danwin1210.me email address to open the "Key Properties" window.

Figure: Select your Key

TODO: screenshot

2. Select the "Manage User IDs" option.

When the "Key Properties" window opens, click on the pull down menu entitled "Select action" and then click on "Manage User IDs."

Figure: User ID Management

TODO: screenshot

3. Add a User ID.

In the next window that appears, click the "Add" button.

Figure: Add User ID

TODO: screenshot

4. Complete the User ID fields.

In the field next to "Name," use the same name you chose when setting up the email account.
Next to the "email" field, add the username you chose followed by "@tt3j2x4k5ycaa5zt.onion"
In the example below, replace "youranonemail" with your user name.
Type youranonemail@tt3j2x4k5ycaa5zt.onion in the field next to "Email." Then, click the "OK" button.

Figure: User ID Fields

TODO: screenshot

5. Enter the GPG passphrase.

A prompt will appear to enter the GPG passphrase. Either copy and paste the GPG passphrase from KeePassXC, or manually enter it then click the "OK" button.

Figure: GPG Passphrase Prompt

TODO: screenshot

The next window should inform that the User ID was added successfully. Click the "Close" button.

Figure: GPG Passphrase Success

TODO: screenshot

6. Change the Primary User ID.

After returning to the "Change Primary User ID" window, click on the entry with the "danwin1210.me" domain. Then, click the "Set primary" button.

Figure: Primary User ID Setting

TODO: screenshot

The next window should inform that the Primary User ID was changed successfully. Click the "Close" button.

Figure: Primary User ID Successful Change

TODO: screenshot

7. Finalize the procedure.

After returning to the "Change Primary User ID" window, click the "Close Window" button.

Figure: Procedure Finalization

TODO: screenshot

Import Public Keys from Websites[edit]

On occasion, the GPG public key of an intended email recipient is not located on a key server, but a public key block is hosted on a website.

To import these keys into Thunderbird:

Copy the public key from the website to the clipboard.
Navigate to the OpenPGP key management program: OpenPGP → Key Management
Import the keys: Edit → Import Keys from Clipboard

Alternative Key Server Methods[edit]

There are two alternatives for interacting with key servers:

KGpg: To fetch contacts' GPG keys from the key server, open KGpg and navigate to Key Server Dialog. Search for relevant email addresses and import the keys.
GPG command line: Searching, fetching and importing keys from key servers from the command line ^[archive] is relatively simple.

Note: Previously, OpenPGP's keyserver interaction features did not work out of the box. ^[14] ^[15] With these instructions, it should no longer be necessary to apply manual settings following a restart of Thunderbird in order to interact with key servers. ^[16] ^[17] ^[18] ^[19]

Export the Public Key to a GPG Server[edit]

1. Copy the GPG key fingerprint.

This is necessary to check the key is successfully exported at a later step and to set up a GPG key signature block. Use the mouse to highlight the text next to "Fingerprint." Then, right-click the highlighted text and click "copy."

Figure: GPG Key Fingerprint

TODO: screenshot

After copying the GPG fingerprint, click the "Close" button.

Figure: Key Properties Window Closure

TODO: screenshot

2. Select the key to be uploaded.

Right-click on the entry for the email address and click "Upload Public Keys to Keyserver."

Figure: Upload Public Keys

TODO: screenshot

A progress meter will then appear. If the upload is successful, no confirmation message will be received.

Figure: Upload Progress Meter

TODO: screenshot

3. Confirm the key was successfully uploaded.

To check that the GPG public key was successfully exported to the keyserver, do a search for your own key the same way you searched for the key belonging to "anonguide@danwin1210.me" in an earlier step.

Simply paste the public GPG fingerprint into the search field and remove the spaces between the letters and numbers.

4. Close the OpenPGP Key Management window.

Click the "X" in the upper right corner of the window.

Public GPG Key Signature Block[edit]

The following steps configure Thunderbird to inform people about the public GPG key by embedding it in the email signature.

1. Navigate to account settings.

After returning to the main Thunderbird window, click on Edit → Account Settings

Figure: Further Account Settings

TODO: screenshot

2. Create an email PGP signature block.

A signature is now created that will be included in all outgoing mail, which contains both the GPG public key ID and the GPG public key fingerprint. In the next window that appears:

Click in the text field located underneath "Signature text."
Paste the contents of the clipboard on to two separate lines in the text field.
On the first line:
- Type "GPG Public Key:" before the fingerprint that was just pasted.
- Delete all but the last 16 characters of the fingerprint from this line. ^[20]
- Type "0x" (that is the numeral zero) directly in front of the remaining characters. ^[21]
On the second line, type "Fingerprint:" in front of the characters pasted there. This will help enable people who download the GPG public key to verify that it is they key you wish them to use. When finished, click the "OK" button.

Figure: PGP Email Signature Block

TODO: screenshot

Using Thunderbird with the System GnuPG Keyring[edit]

It is still possible to use Thunderbird 78+ with the system keyring using about:config tweaks.^[22]

Some (yet to be tested) advantages of such a setup are storing of the private keys on external storage and ability to use Qubes split-key feature once again.^[23]

Compose and Send Encrypted Email[edit]

The first section will test the correct sending of the first encrypted email to anonguide@danwin1210.me with Thunderbird.

The second section outlines using KGpg instead of Thunderbird OpenPGP. This is for users who require a higher level of security for importing private keys and creating ciphertext which can be sent via Thunderbird. ^[24] ^[25] ^[26] ^[27]

Using OpenPGP[edit]

1. Compose a new email message.

TODO: document

Figure: Compose a New Email

TODO: document

Since the danwin1210.me email service is hosted on the .onion Tor server "tt3j2x4k5ycaa5zt.onion," you are going to send an email to the .onion domain. This keeps the transit of the email inside the Tor network, which is safer than transporting it in the clear. If an email provider of someone you want to send an email to uses a .onion domain, always use that domain in the To field if possible.

In the To field, type.

anonguide@tt3j2x4k5ycaa5zt.onion

anonguide@tt3j2x4k5ycaa5zt.onion

In the To field, type.

key test

key test

Next, type an innocuous message into the message body. Do not go into great detail; a large amount of text is unnecessary.

The point of this email is to test the encryption key and to become familiar with a common encrypted email exchange. Take note of the padlock and pencil icons located towards the upper-left side of the window next to the "Spelling" button. These icons should be marked as active with a green check mark, a gray square around them with the padlock closed, which means your message will be signed and encrypted (if you have a corresponding public key). To the far right of these icons, a status message also informs that the message will be signed and encrypted.

In this configuration, the subject field is never encrypted, even when the message and attachments are encrypted. Therefore, be wary of any information entered into in the subject field.

2. Send the email message.

When the message is ready, click the "Send" button.

Figure: Send an Encrypted Email

TODO: document

You may next be prompted to enter the GPG passphrase (if this window does not appear, skip to the next step). This makes it possible for the message sent to be signed. When a message is signed, this provides a mechanism for the email recipient to be confident that the sender actually wrote the email, and not an impostor. Type the passphrase and click the "OK" button.

Figure: GPG Passphrase Prompt

TODO: document

After typing in the passphrase, a confirmation window will appear asking if a signed and encrypted email should be sent to anonguide@tt3j2x4k5ycaa5zt.onion. Take note of the body of the email message under that window. This text should be clearly visible:

-----BEGIN PGP MESSAGE-----

Followed by a series of random characters. This proves the email has been encrypted and it is safe to click the "Send Message" button. However, if the original text of the message is visible, then it is not encrypted and the "Cancel" button should be clicked.

Figure: Email Encryption Confirmation

TODO: document

3. Enter the password for your email account.

A prompt will appear to enter the password for the danwin1210.me account. This will happen each time Thunderbird is started and the first email is sent, since the password is not stored by the program. However, once the password is entered, Thunderbird will remember it for the session. The same process applies to receiving email.

When asked to enter the password, copy it from KeePassXC (or refer to your physical record), paste it into the password field and click the "OK" button.

Figure: Passphrase Prompt

TODO: document

Do not use Thunderbird's Password Manager to store the password! Thunderbird does not encrypt stored passwords by default. Thus, if an attacker compromises the machine and manages to access the Thunderbird folder, they will gain the password to the email account.

After returning to the main Thunderbird window, a new "Sent" folder should appear in the Local Folders on the left side of the window, indicating the email to anonguide@danwin1210.me was sent.

Figure: Thunderbird Sent Folder

TODO: document

Using KGpg[edit]

Open KGpg and select the recipient key. If selecting more than one key, press CTRL while clicking.
Navigate to: File → Open Editor and write the message.
Encrypt the message to ciphertext by clicking on the Encrypt lock icon. Choose your private key in the prompt that appears and click OK.
Copy the ciphertext into Thunderbird and send it as per normal procedures. Do not include subject lines since they are not encrypted.

Download and Read Encrypted Email[edit]

In the near future, you will want to check if anyone has sent email messages or if a response was received to the test email composed in the previous section.

1. Check for new email messages.

From the main Thunderbird window, click the "Get Messages" icon to check for any new email messages on the server and download them.

Figure: New Email Check

2. Enter the password.

A prompt will appear to enter the password for the email account. After entering the password, Thunderbird will remember it for the session. When asked to enter the password, type it into the password field (or copy and paste it from KeePassXC) and click the "OK" button.

Figure: Passphrase Prompt

3. Read new (encrypted) email messages.

When new emails are received, a counter will appear next to "Inbox" in the left column. Click on "Inbox" to go to the list of new emails, then click the email that you wish to read.

Figure: Thunderbird Inbox

If the message received was encrypted with your public key, the GPG passphrase is needed to decrypt it. If a window like the one in the image below appears, type the GPG passphrase and click the "OK" button.

Figure: GPG Passphrase Prompt

The email will now display in the lower portion of the Thunderbird window. From here, you have the option of replying, forwarding, deleting and so on. If a message is read that was sent from anonguide@tt3j2x4k5ycaa5zt.onion with an Thunderbird OpenPGP message stating "Good signature from AnonGuide <anonguide@tt3j2x4k5ycaa5zt.onion>," the encryption configuration is working correctly.

Figure: Successful Email Decryption

Final Warnings[edit]

If all steps have been successfully completed then you now have an anonymous email account paired with strong encryption.

It should be emphasized this wiki entry is not a substitute for an all-inclusive tutorial on the safest way to use GPG/PGP encryption, however it provides a solid foundation for fundamental practices. Numerous advanced resources and expert opinions exist on the Internet, and these can provide additional tips that might better address a user's perceived threat model and circumstances. ^[28] At a minimum, it is recommended to review the Safe Email Principles section, along with additional learning resources.

Finally, always heed the following warnings regarding email:

Email is a very insecure means of communication where anonymity is concerned. A lot of metadata is leaked with email, so it should be used sparingly and only when strictly necessary.
Do not contact people you know in real life at non-anonymous email addresses with the email account that was created here. Always separate real world identities from online identities used with Whonix ™.
Be circumspect about sharing personal information in email! Encrypted email does not protect against the email recipient storing personal emails in an unencrypted format. Nor does encryption protect against an email recipient maliciously using personal information in order to exploit you.
Never include sensitive information in an email subject line, even if the email is encrypted! Subject headers in email are not encrypted in this configuration, despite the fact the rest of the message is.
If an email is sent to a recipient without encryption, assume it can be read by anyone!
Utilize the Tor Onion Service (.onion domain) whenever it is made available by the email provider. After first confirming the domain is controlled by the email provider, it will afford greater protection than a clearnet address.

License[edit]

This wiki entry is based on chapter 4.6 of A Beginner Friendly Comprehensive Guide to Installing and Using a Safer Anonymous Operating System, which can be found here ^[archive]. This material has been used with the author's permission. ^[1]

Footnotes[edit]

↑ ^1.0 ^1.1 http://forums.whonix.org/t/tor-project-support-of-whonix/5030 ^[archive]
↑ ^2.0 ^2.1 https://forums.whonix.org/t/torbirdy-replacement/8782 ^[archive]
↑ https://github.com/Whonix/anon-apps-config/tree/master/etc/thunderbird ^[archive]
↑ https://forums.whonix.org/t/thunderbird-78-deprecates-enigmail/10166 ^[archive]
↑ Similarly, that same information should not be stored on electronic media in the first place, if that is feasible in the circumstances.
↑ Installed by default in Whonix ™ 15.
↑ Source:
torproject.org Gnu Privacy Guard / GnuPG ^[archive]
license ^[archive]:
Content on this site is Copyright The Tor Project, Inc.. Reproduction of content is permitted under a Creative Commons Attribution 3.0 United States License ^[archive]. All use under such license must be accompanied by a clear and prominent attribution that identifies The Tor Project, Inc. as the owner and originator of such content. The Tor Project Inc. reserves the right to change licenses and permissions at any time in its sole discretion.
↑ This is because packages are often unsigned, and users may forget to update the software in a timely fashion.
↑ Or create random Diceware passphrases of sufficient length.
↑ Depending on the service provider in use, they may or may not enable TLS/STARTTLS connection security for their Onion domain. The reason is because it is redundant, as end-to-end Tor encryption provides security properties for authenticating to the server.
↑ This is optional because some users may not place trust in the integrity of KeePassXC or other password managers, and they remain an attractive target for hackers.
↑ This will be useful in case the passphrase is ever forgotten.
↑ Due to the threat of collisions, see: https://superuser.com/questions/769452/what-is-a-openpgp-gnupg-key-id ^[archive]
↑ As it has been made fail closed by TorBirdy developers ^[archive], otherwise there could be a DNS leak in setups not using Whonix ™.
↑ A previous proposal on how to make keyservers in Enigmail in Whonix ™ work out of the box: do not use keyserver-options in Whonix ™ ^[archive]
↑ Upstream bug report: Can't set custom http-proxy on GnuPG-settings, lost after restart ^[archive].
↑ There is no need for this setting in Whonix ™ since Enigmail calls GPG, everything is already torified, and gpg is stream isolated by a uwt wrapper.
↑ Forum discussion: https://forums.whonix.org/t/gpg-keyservers-from-within-whonix-workstation ^[archive]
↑ Previous instructions: Thunderbird → Enigmail (from menu bar) → Preferences → Display Expert Settings and Menus → Advanced → Additional Parameters → remove the following part --keyserver-options http-proxy=http://127.0.0.1:8118 ^[archive] → OK
↑ In the example below, the fingerprint consists of 10 groups of 4 characters. Delete the first six groups, then delete the spaces in between the remaining groups of characters.
↑ In the example below, that results in 0x1C593D788F0E5176. The end result of what is created here is the GPG public key ID. People can enter that into various GPG key servers to find the public key and send you encrypted messages.
↑ https://blog.nicohood.de/use-thunderbird-78-with-system-gnupg-keyring ^[archive]
↑ https://forums.whonix.org/t/thunderbird-78-deprecates-enigmail/10166/22 ^[archive]
↑ Avoiding Thunderbird OpenPGP bypasses any unexpected behavior with message encryption. For instance, in one case bugs in email clients and Enigmail lead to the auto-saving of drafts as plaintext.
↑ https://tails.boum.org/security/claws_mail_leaks_plaintext_to_imap/index.en.html ^[archive]
↑ http://sourceforge.net/p/enigmail/bugs/502 ^[archive]
↑ Persons in critical situations may prefer to encrypt emails in such a way to mitigate the risk of leaks.
↑ For instance, users at high risk might generate a strong airgapped OpenPGP key pair on the command line for greater security, rather than rely on Enigmail.
↑ KGpg Homepage ^[archive], KGpg wiki with screenshot ^[archive]