This series is designed to help people to understand modern technology, and become more confident in using computing devices. It is not designed to educate experts.
The author is involved in tutoring older students at SeniorNet, a New Zealand wide organisation. SeniorNet hopes that students will feel more confident in using their computing devices as a result of the learning opportunities offered. This series of articles shares that hope.
You may wish to send confidential information to someone using email. The problem with email is that it is inherently insecure, and anyone getting your message en route may be able to read it. This means spy outfits (read “Governments”), hackers, and Internet Service Providers to name a few: anybody that can access the data stream. This means that traditional email can’t be used to convey private information.
Oh, yes it can! For years some email services have had this facility available as an add-on, and Thunderbird email has had it baked in since version 78, which was released on July 17, 2020. Since this release it has been easy to both encrypt your email and read encrypted email, with the proviso that both parties are using Thunderbird, have set up encryption and have swapped their public keys.
This service uses PGP (Pretty Good Privacy) which is available at no cost. There are other services such as S/MIME, but I’m not going to discuss these as they often come with costs attached. Users can’t use S/MIME signing and encryption with a personal account such as Outlook.com.
Public/private key email encryption has been available for years, but it has been clunky and difficult to set up and use. The new version available in Thunderbird is easy to set up, and incredibly easy to use. The only proviso is that both parties need to use Thunderbird. I’ve yet to find how it can be used cross-platform. But if you can persuade both parties to use Thunderbird, it can be done, FOR FREE!
You may wonder about a use case. I have a very personal one. I need to convey private documents to my sister who lives out of town. She uses Linux and Thunderbird, so it’s easy to set up and use. Job done.
Thunderbird email is available for Linux, Microsoft Windows (7 and above) and macOS (10.12 and above). Unfortunately it is not available for any mobile devices, so you need a “real” computer to use email encryption with Thunderbird.
The steps to set this up are straightforward. The following are actions to be taken by both parties.
1. Open Thunderbird.
2. Click on the email address you want to set up encryption on. Most people will only have one email address, but I have several.
3. Click on the link End to End Encryption.
4. Under OpenPGP click Add Key.
5. Choose Create a new OpenPGP key and click Continue.
6. In the pop-up that appears, change any of the defaults (if you wish; I just used the defaults as presented) and click Generate Key.
7. Confirm this action in the next pop-up window.
8. After some seconds you will receive a confirmation that the key has been produced.
9. Send an email to the other party in the proposed secure channel and digitally sign it (this option is located under the drop-down menu adjacent to the Encrypt icon in the top menu).
10. Once the email from step 9 above is received, the other party needs to open it. An attached file for the digital signature will be found. Here is an example, blurred for privacy.
11. Right click on this and choose the option Import OpenPGP Key.
12. In the next pop-up that appears choose Accepted (unverified) and click Import to import the key.
The set-up is complete once both parties have taken the steps above.
To send an encrypted email in either direction between the parties do these steps.
1. Start Thunderbird.
2. Enter the recipient’s email address in the “To” box. If they can receive encrypted emails you will see an encrypt button at the bottom of the email compose window.
3. Complete the email as normal.
4. Click the Encrypt button to encrypt the email (including attachments). The encrypt button will disappear.
5. Click Send. All done.
Important: The email will be sent unencrypted if you do not encrypt it (step 4 above).
To receive and decrypt the email the recipient needs to do nothing. Thunderbird will identify the email as encrypted, locate the appropriate key and decrypt the message.
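The set-up steps and the send/receive steps above, carried out with the gpg command-line tool as an added example (not part of the original article, and not Thunderbird's own code) so that what happens behind the buttons is visible. The two people, their addresses and the message are constructed for the demo, and the keys are given an empty passphrase only to keep the run non-interactive.

```shell
#!/bin/sh
# Added example, not from the SeniorNet article: the OpenPGP steps Thunderbird
# performs behind its buttons, run with the gpg command-line tool so each step
# is visible. Two throw-away keyrings stand in for the two parties' computers;
# the names and addresses are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ALICE="$WORK/alice"; BOB="$WORK/bob"        # one keyring directory per party
mkdir -p "$ALICE" "$BOB"; chmod 700 "$ALICE" "$BOB"

# Set-up steps 4-8: each party generates a key pair on their own machine.
# (--passphrase '' only keeps the demo non-interactive; protect a real key.)
gen_key() {  # $1 = keyring dir, $2 = user id
  GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$2"
}
gen_key "$ALICE" "Alice <alice@example.test>"
gen_key "$BOB"   "Bob <bob@example.test>"

# Set-up steps 9-12: Alice's PUBLIC key goes to Bob (Thunderbird attaches it to
# the signed mail) and Bob imports it. The private key never leaves Alice's PC.
GNUPGHOME="$ALICE" gpg --batch --quiet --armor --export alice@example.test \
    > "$WORK/alice.pub.asc"
GNUPGHOME="$BOB" gpg --batch --quiet --import "$WORK/alice.pub.asc"

# Sending: Bob encrypts to Alice's public key. --trust-model always is the
# command-line counterpart of Thunderbird's "Accepted (unverified)" choice.
encrypt_to_alice() {  # $1 = message text; prints ASCII-armoured ciphertext
  printf '%s' "$1" | GNUPGHOME="$BOB" gpg --batch --quiet --armor \
      --trust-model always --recipient alice@example.test --encrypt
}
# Receiving: Alice's private key opens it (Thunderbird does this step for you).
decrypt_as_alice() {  # reads ciphertext on stdin, prints the plaintext
  GNUPGHOME="$ALICE" gpg --batch --quiet --pinentry-mode loopback \
      --passphrase '' --decrypt
}
# Round trip through the "secure channel": returns the recovered text.
round_trip() { encrypt_to_alice "$1" | decrypt_as_alice; }

# What an ISP or mail provider sees is the armoured block; succeeds (status 0)
# only when the original words appear nowhere in it.
ciphertext_hides() { ! encrypt_to_alice "$1" | grep -q -- "$1"; }

# Bob holds only Alice's public key, so even the sender cannot reopen what he
# sent: succeeds (status 0) when Bob's keyring fails to decrypt the message.
sender_cannot_reopen() {
  if encrypt_to_alice "$1" | GNUPGHOME="$BOB" gpg --batch --quiet --decrypt \
      >/dev/null 2>&1; then return 1; else return 0; fi
}
```

Running `round_trip 'meet at noon'` prints the message back only because Alice's keyring holds the private key; `ciphertext_hides` and `sender_cannot_reopen` show why the step-29 warning matters: protection comes entirely from the Encrypt step, not from the email service.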
Key Security. It is ESSENTIAL that your private key is never disclosed to anyone. If your computer logs on at startup without a password, your private key is accessible to anyone who can get access to your computer. That’s not good.
To overcome this you either need to secure your login with a good password, or secure your Thunderbird with a master password.
I prefer the former of these; otherwise, you will need to enter a master password each time you want to access your emails. You could do both, and spend the rest of your life entering passwords instead of getting any real work done. Your choice.
If you decide to secure Thunderbird, that’s easy.
1. Open Thunderbird
2. Go to settings by either:
- Edit/Settings (on Linux; may differ on other operating systems)
- Hamburger menu towards top right/Settings
3. Privacy and Security tab on left menu
4. Scroll down to Passwords and tick the Use a Primary Password box.
5. Enter a suitable password (twice) in the pop-up box.
6. Read and heed the stern warning under the Password Quality meter.
7. Click OK. Done. But don’t forget this password, otherwise you won’t have access to your emails.
I can’t advise you on how to set your system login password as each operating system will have its own instructions.
Backing up your keys. This is a wise move as the loss of keys could mean the loss of access to confidential emails. Here’s how to back up keys.
Public keys.
1. Open Thunderbird.
2. Click End to End Encryption link.
3. Click the OpenPGP Key Manager button.
4. Right click on the name of the key you wish to back up.
5. Choose Export Keys to file.
6. Navigate to a suitable destination, and click Save. Job done.
7. Print the key if you want a printed copy.
8. Transfer the key file to a suitable medium (CD, DVD or USB) if desired.
Private Keys.
1. Open Thunderbird.
2. Click on the hamburger menu towards the top right of the window. (Mine looks different to stock because of personalisation.)
3. Click Account Settings.
4. Click End-to-End Encryption in the left hand menu.
5. Click on the chevron as indicated below.
6. Click the More button.
7. Click Backup Secret Key To File.
8. Navigate to a suitable destination, and click Save.
9. Print the key if you want a printed copy.
10. Transfer the key file to a suitable medium (CD, DVD or USB).
11. Delete the key file from your computer.
12. Securely store the key. I use a document safe. You could lodge it with your solicitor or bank (if they still offer this facility).
You can now send and receive encrypted emails. The encrypting and decrypting are both handled on computers controlled by the parties in the transaction. Your Internet Service Provider (ISP) and email service (such as Gmail, Yahoo, Microsoft etc.) have no opportunity to snoop.
I have another article planned for those people who don’t use Thunderbird.