Encrypting mail in Thunderbird
Enigmail has three basic modes: sign, encrypt, and sign and encrypt simultaneously. When you sign an email, the add-on will use your private key to sign the text.
If the recipient uses Enigmail or a similar solution, they will be able to detect manipulation easily. At the same time, the signature lets you verify that an email really is from the person who claims to have sent it. However, this mode does not encrypt messages; they are sent in the clear.
In encrypt mode, Enigmail does not sign the message; it encrypts the message with the recipient's public key so that only the holder of the matching private key can read it. Encryption alone gives the recipient no assurance about who sent the message, though: anyone who has the recipient's public key can encrypt to it.
For the best of both worlds, you would want to let Enigmail encrypt the message with the recipient's public key while signing it with your own private key. This mode is a must for confidential messages.
To test your setup, try sending a message to yourself. In Thunderbird, compose a new message: Enter your own email address as the recipient, add a subject line, and add body text. To encrypt and sign the message at the same time, which hopefully is the configuration you have chosen, select OpenPGP | Encrypt Message (and OpenPGP | Sign Message, unless signing by default is already enabled for the account) and send the message. At this point, you will be prompted for your passphrase.
In a few seconds, you should receive the message. If your passphrase is still cached (five-minute limit), Enigmail decrypts automatically; if not, it prompts you for the passphrase. Thunderbird will tell you that the message was correctly decrypted, that the signature is good, and which key signed it. This test is worth doing: a message that is not correctly encrypted, for example to the wrong key, cannot be read by its recipient.
To encrypt a message for another recipient, the procedure is basically the same as in the previous example: Compose an email in the normal way and select the corresponding menu item to tell Enigmail to encrypt, or sign, or both. A correspondent might send you an encrypted message, too. But where does the key enter into this?
To sign the message, you do not need the recipient's key. In the worst case, the recipient might not use GnuPG-compatible encryption and will wonder what the signature in the message means, but this will not prevent them reading the message. However, this does not apply to encryption.
To read an encrypted message, the recipient needs GnuPG or a compatible solution, and you must have the recipient's public key on your key ring.
To exchange encrypted messages with a contact, both of you need each other's public keys.
Previously, I looked at two critical identifying characteristics of a key: its ID (this is 90690901 for the 2,048-bit version in the example), and its fingerprint (AF84 9339 … in the example). Among the various approaches, you can exchange keys directly (e.g., by email or on a USB stick).
To send a public key by email, create a message and click Attach my public key in the OpenPGP menu, which tells Thunderbird to add an attachment with your key to the mail. Then send the email with a text explaining the attachment to the recipient.
In addition to this, there are key servers that do nothing but keep public keys that anybody can retrieve. Publishing your own public key on a key server makes sense. Bear in mind, however, that key servers do not check who uploads a key: anyone can publish a key carrying your name and email address, so a key fetched from a server still needs its fingerprint verified before you trust it.
To do so, open the OpenPGP menu in the Thunderbird mail view and select Key Management…. This takes you to the Key Manager dialog, which shows you a list of keys (your key ring) – your own key and keys belonging to people with whom you exchange messages. Right click your own key and select Upload public keys to key server….
In the dialog that appears, press OK to confirm the default key server – most key servers replicate their data anyway – then OK again to tell Enigmail to upload the key to the key server.
Downloading third-party keys is just as easy. If you receive a signed message but do not have a local copy of the matching key, Enigmail will tell you that the key is missing. To retrieve the key from a key server, you can click the letter icon on the right of the window. Also, you can search for a key manually via OpenPGP | Key Management… | Key server | Find key… and store the key locally. Search for the user's name, the key ID, or the email address.
If you receive a key as an email attachment – that is, if somebody you correspond with sends you a key – right click the attachment and select Import OpenPGP key. After both of you have done this, you can exchange encrypted messages. But how do you make sure that the key is from the person the sender claims to be? The fingerprint I previously referred to gives you this ability. In the Key Manager (menu OpenPGP | Key Management…) you can double click a key to display its properties.
The fingerprint lets you verify a key's identity. If you want to be certain that the key really belongs to the person who claims to have sent it, use a separate channel to contact them. Phone the key owner, for example, and compare fingerprints on the phone. Compare the complete fingerprint (all 40 hex digits), not just the short eight-digit key ID: the short ID is only the tail end of the fingerprint, and different keys can share it. If the full fingerprints match, you can safely assume that you have the right key and the right person. Now there really is nothing to stop you from exchanging encrypted messages.
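The relationship between the key ID and the fingerprint mentioned earlier, and the comparison you do on the phone, can be shown in a few lines. The following is an added example and not code from the article, Enigmail, or GnuPG: it builds a version-4 OpenPGP public-key packet from constructed key material (the modulus is derived from a fixed string and is not a usable RSA key), computes the fingerprint the way GnuPG does (SHA-1 over the packet), derives the long and short key IDs from it, and checks a fingerprint read aloud against the locally imported key. The function and constant names are this example's own.

```python
"""OpenPGP v4 fingerprint and key-ID arithmetic, offline (added example).

The key material is constructed for illustration and cannot encrypt or sign.
What it shows is the structure behind what Enigmail's Key Manager displays:
the 40-hex-digit fingerprint is SHA-1 over the public-key packet, the long
key ID is its last 16 hex digits, and the short ID (like 90690901 in the
article) is only the last 8.
"""
import hashlib
import struct

# Constructed sample values, not a real key: a 256-bit odd number as "modulus",
# the usual RSA exponent, and a fixed creation timestamp (Sept. 2014).
SAMPLE_N = int.from_bytes(hashlib.sha256(b"constructed sample modulus, not a real key").digest(), "big") | 1
SAMPLE_E = 65537
SAMPLE_CREATED = 1412000000


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 3.2)."""
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 RSA public-key packet: version, time, algo 1, MPIs."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def export_packet(body: bytes) -> bytes:
    """Old-format packet header for tag 6 with a two-byte length: 0x99, len, body.

    This is the leading packet of what 'Attach my public key' or gpg --export
    produces; a real export carries user-ID and signature packets after it.
    """
    return b"\x99" + struct.pack(">H", len(body)) + body


def parse_leading_public_key(blob: bytes) -> bytes:
    """Read the first packet of an export and return its body (public key only)."""
    if len(blob) < 3 or blob[0] != 0x99:
        raise ValueError("expected an old-format public-key packet (0x99)")
    (length,) = struct.unpack(">H", blob[1:3])
    body = blob[3:3 + length]
    if len(body) != length:
        raise ValueError("truncated public-key packet")
    return body


def fingerprint(body: bytes) -> str:
    """v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, two-byte length, body."""
    return hashlib.sha1(export_packet(body)).hexdigest().upper()


def long_key_id(fp: str) -> str:
    return fp[-16:]


def short_key_id(fp: str) -> str:
    """The eight-digit ID Enigmail lists, e.g. 90690901: the fingerprint's tail."""
    return fp[-8:]


def format_fingerprint(fp: str) -> str:
    """Group into four-digit blocks, as gpg --fingerprint and Enigmail show it."""
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))


def fingerprints_match(spoken: str, local_fp: str) -> bool:
    """Compare a fingerprint read over the phone with the imported key's.

    Spacing and case are ignored, but all 40 digits are required: matching
    only the last 8 or 16 digits verifies nothing, because a key with the
    same short ID is cheap to produce.
    """
    norm = "".join(spoken.split()).upper()
    return len(norm) == 40 and norm == local_fp.upper()


def demo() -> dict:
    body = v4_rsa_public_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)
    fp = fingerprint(parse_leading_public_key(export_packet(body)))
    return {
        "fingerprint": format_fingerprint(fp),
        "long_id": long_key_id(fp),
        "short_id": short_key_id(fp),
        "full_match": fingerprints_match(format_fingerprint(fp).lower(), fp),
        "short_id_only": fingerprints_match(short_key_id(fp), fp),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14} {v}")
```

Run it and compare the printed fingerprint with what `gpg --fingerprint` would show for a real key: the grouping is the same, and the short ID is visibly just the last block and a half. The `short_id_only` result is deliberately `False`, which is the check you want in your head when someone offers to "confirm the key ID" instead of the fingerprint.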