In recent years, companies have been implementing various levels of encryption within their apps and services. ProtonMail offers encryption between its mail users, WhatsApp has encryption turned on by default, and Facebook Messenger lets you flip to more secure chats if you would like. While it is not the most straightforward feature to set up, Mozilla has tightly integrated PGP into its e-mail client Thunderbird, so you can encrypt e-mails, no matter your provider.
In this guide, I’ll go over:
- How to set up your encryption keys
- How to add your contact’s keys
- How to share your own keys
- How to upload your keys to a keyserver, so they can be found easily
- How to back up your keys
How to set up your encryption keys
To start this guide, you’ll need to download Thunderbird (if you don’t already have it) and then you’ll need to log in to your e-mail account. Once you have added your e-mail address, you’ll want to press the e-mail address in the Folders side panel, then right-click it and open Settings. Look for End-To-End Encryption in the side panel and press that.
Under the OpenPGP subheading, if you have not set up a key yet, it should say Thunderbird doesn’t have a personal OpenPGP key for , to the side of that, press Add Key…. Thunderbird will allow you to create a new key or import an existing one. For the sake of this guide, we will select create a new key, but if you have one already, import it.
Next, you should see the Generate OpenPGP Key menu. Ensure the Identity matches your e-mail, choose your expiry, and alter the advanced settings if you want, though they are fine left as they are. Once you’re happy with your settings, press Generate, then Confirm. You should now see a green confirmation box saying that the key was successfully created, and the new key will be automatically selected as your account’s associated key. Just below, you’ll see OpenPGP Key Manager; go there next.
How to add your contact’s keys
In the key manager, you’ll see your newly minted encryption keys. If you selected the wrong settings while making them, you can right-click and revoke, then delete your keys, then repeat the steps above to make a new key. Under File in the key manager, you can also import public keys for the contacts with whom you wish to correspond with encryption enabled. You’ll need their keys saved to your computer, so ask them to e-mail their keys to you.
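A key file that arrives by e-mail is only as trustworthy as the message that carried it, so it helps to check that the file holds the key your contact actually generated before importing it. The following is an added example, not part of Thunderbird or of the original guide: it decodes an ASCII-armored public key file and computes the OpenPGP version 4 fingerprint, which you can compare with one your contact gives you over another channel. The function names are illustrative, only version 4 keys are handled, and the sample data is constructed rather than a real key.

```python
import base64
import hashlib

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def dearmor(text: str) -> bytes:
    """Decode an ASCII-armored public key block into raw OpenPGP packets."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an armored public key block")
    body = lines[1:-1]
    if "" in body:
        body = body[body.index("") + 1:]  # drop armor headers such as "Comment:"
    if body and body[-1].startswith("="):
        body.pop()  # optional CRC-24 line; it is not checked in this example
    return base64.b64decode("".join(body), validate=True)

def v4_fingerprint(packets: bytes) -> str:
    """SHA-1 fingerprint of the first packet, which must be a version 4 public key."""
    first = packets[0]
    if first & 0x40:  # new-format packet header
        tag, l0 = first & 0x3F, packets[1]
        if l0 < 192:
            start, length = 2, l0
        elif l0 < 224:
            start, length = 3, ((l0 - 192) << 8) + packets[2] + 192
        elif l0 == 255:
            start, length = 6, int.from_bytes(packets[2:6], "big")
        else:
            raise ValueError("partial body lengths are not valid for key packets")
    else:  # old-format header: low two bits give the width of the length field
        tag, width = (first >> 2) & 0x0F, 1 << (first & 3)
        start, length = 1 + width, int.from_bytes(packets[1:1 + width], "big")
    body = packets[start:start + length]
    if not first & 0x80 or tag != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("first packet is not a complete version 4 public key")
    return hashlib.sha1(b"\x99" + length.to_bytes(2, "big") + body).hexdigest().upper()

def same_key(armored: str, expected_fingerprint: str) -> bool:
    """Compare against a fingerprint the contact gave you over another channel."""
    return v4_fingerprint(dearmor(armored)) == expected_fingerprint.replace(" ", "").upper()

# Constructed sample: a fake packet body (version 4, timestamp, algorithm 22,
# filler bytes). It has the right shape for hashing but is not a usable key.
SAMPLE_BODY = b"\x04" + (1700000000).to_bytes(4, "big") + b"\x16" + bytes(range(40))
SAMPLE_PACKETS = bytes([0xC6, len(SAMPLE_BODY)]) + SAMPLE_BODY
SAMPLE_ARMORED = "\n".join(
    [BEGIN, "Comment: constructed sample", "", base64.b64encode(SAMPLE_PACKETS).decode(), END])
```

To check a real file, read it as text and pass its contents to `same_key` together with the fingerprint your contact gave you.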
How to share your own keys
To send your public key to a contact, head back into the OpenPGP Key Manager and right-click your key. You should then see an option to send your public key by e-mail; pressing this will open up a new compose window with your key attached. To import this, your recipient just needs to open their key manager, press File and import the public key from the file.
Interestingly, if your contacts use ProtonMail, they can go to their contacts menu, press your e-mail, then press the settings cog. From there, there’s an option to see advanced PGP settings, and they can import your public PGP key. To add their keys, go to the key manager in Thunderbird, then press Keyserver > Discover Keys Online and search their ProtonMail address; their public key for that account should then appear.
How to upload your keys to a keyserver, so they can be found easily
Finally, if you want your public key to be searchable in a keyserver, you’ll want to export your public key from the Key Manager and head to keys.openpgp.org. Look for the upload button, then upload your public key. This allows people to find your public key with just your e-mail address, making it easier to send encrypted e-mails.
Backing up your keys
Finally, you need to know how to back up your secret keys in case you would like to decrypt e-mails on another computer or if you need to reinstall your operating system on your existing computer. Simply open the OpenPGP Key Manager, click the key you want to back up, and press File. You should see Backup Secret Key(s) To File. You will have to give the secret key a filename and enter a password, which you'll need to restore the key in the future. It'll take a short time to export the secret key, but it'll let you know when it's done.
To import a secret key in the future, select File in the OpenPGP Key Manager and then press Import Secret Key(s) From File and select the file to import. Tap in your password, and you should be ready to go.
If you ever lose your secret key, you will never be able to decrypt messages encrypted with your public key, so be sure to keep it safe.
While setting up end-to-end encrypted e-mail is still not as simple as sending encrypted WhatsApp messages, Mozilla has improved the situation in recent years because these tools are baked into Thunderbird. In the past, you needed to use an add-on called Enigmail to offer these features. Hopefully, setting up this feature gets a bit easier so that more people can use it.