How do I . . . encrypt Thunderbird e-mail with Enigmail?

Enigmail is an extension that should be added by anyone needing security in their email exchanges. It takes the less-than-user-friendly task of encryption and makes it simple enough for anyone to use. Jack Wallen explains how it works.

When doing business via e-mail there are often times when you will want your data encrypted. Whether it is sending crucial client information, exchanging databases, or dealing with any other sensitive issue, you will want to know your e-mail is being exchanged safely. The best way to do this is with encryption. With the Windows operating system there are numerous ways to enable encryption. One of my favorites is via GNU Privacy Guard (GnuPG). GnuPG is open source, reliable, and free, and it works well with the Thunderbird extension Enigmail.

With Windows you will have to install encryption software before you install Enigmail. As I stated earlier, my favorite is GnuPG. Once GnuPG is installed, you can go on with the installation of Enigmail.

Installing GnuPG

There is very little to say about the installation of GnuPG. Download the Windows binary version of GnuPG and save it on your hard drive. Once the file is downloaded, double-click the file to begin the installation process. As with most Windows applications, the GnuPG installation process is as simple as a few clicks. You will have to select your language and the location you want the application installed. Outside of that, just keep clicking Next.

When GnuPG is installed, you have to do nothing with that application because it can all be handled by Enigmail. And for new users, this is the best way to handle the task.

Installing Enigmail

If you have ever installed an extension on Thunderbird, you will know the routine. First download the extension file by right-clicking the Enigmail download link and selecting the Save Link As... option. Once the file is downloaded, open Thunderbird, and then click on the Tools menu and select Add-ons.

When the Add-ons window opens, click on the Install button, locate the Enigmail extension file you downloaded earlier, and click Open. When the installer countdown finishes, the Install button will be available to you and you can then proceed to install Enigmail. The final installation step is to restart Thunderbird so the add-on will be available. (You will notice a new menu entry in Thunderbird called OpenPGP.)

Generate your key pair

The first step in setting up Enigmail is generating your key pair. Click on the OpenPGP menu and select Key Management. This will open a new window (Figure A) where you can generate your key pair.

Figure A

This is where you add and manage all your keys.

Click on the Generate menu and select New Key Pair. This will open a new window where you will enter all the information you need for your new key (Figure B). There isn't much information to enter in this window.

Figure B

If you know you'll want to keep this key pair, click the Key Does Not Expire checkbox.

After you enter all the information, click the Generate Key button. The key generation can take some time, so don't worry if it seems to be going slowly. Once the key is generated, you will be asked if you want to create a revocation key. I would suggest doing this because it will allow you to revoke your key should your secret key get lost or find its way into the wrong hands. For the revocation key, you will be asked to save an .asc file on your hard drive. Do this and save it in a safe place. You will also have to enter the pass phrase you created at the beginning of the key generation.

Now that your key pair is saved, you will see it listed in the key management window (Figure C).

Figure C

You can upload your key to a server by right-clicking your key and selecting Upload Public Keys to Server.

Now that your key pair is generated you are almost ready to start sending encrypted e-mail. But before you can, any recipients of encrypted e-mail must have your public key; otherwise they won't be able to decrypt the messages.

Getting your public keys

You can easily send your public key by e-mail. From the key manager window, select the key you want to use and right-click that key. A new menu will appear, and in that menu you will see an entry titled Send Public Keys By Email. Click it, and a Thunderbird compose window will open with your public key already attached. Send that e-mail to anyone who will receive one of your encrypted e-mails. Now you're ready.

Sending an encrypted message

Sending an encrypted e-mail is simple. Click on the New button to open the composer window. Write your e-mail as you would any e-mail, but don't send it yet. Before you send this e-mail, click on the OpenPGP menu and select Encrypt (or press Ctrl-Shift-P) and the message will be sent encrypted. When you press Send, you will be asked which key you want to use. Select the key and click OK. The e-mail is encrypted and sent off to the recipient.

You can set Enigmail to always encrypt and/or sign messages. Click the New button to open the e-mail composition window. Click on the OpenPGP menu and then click Default Composition Options. In this new window (Figure D), select Encrypt Messages by Default if you always want to encrypt your e-mail, or leave it unselected if you do not.

Figure D

If you have more than one e-mail account on Thunderbird, you can enable or disable Enigmail on a per-account basis in this window.

Decrypting an e-mail

First and foremost you must have a user's public key saved before you can decrypt their message. If the user sends you their key via e-mail and you save it to your hard drive, you can import it into the Key Management tool by clicking the File menu and then clicking Import Keys from File. Once you have their key in your manager you are set.

By default Enigmail will automatically decrypt e-mail that matches a saved public key. You can disable this by clicking on the OpenPGP menu and deselecting the Automatically Decrypt/Verify Messages entry.
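
The same exchange at the GnuPG command line, as an added example that is not part of the original article, assuming GnuPG 2.1 or later and a POSIX shell. It shows which key does what: the message is encrypted to the recipient's public key and decrypted with the recipient's private key, while the sender's public key lets the recipient verify the signature. The helper names, the example.test addresses and the empty passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example: two throwaway keyrings stand in for sender (Alice) and recipient (Bob).
# Constructed identities and an empty passphrase; real keys need a strong passphrase.
WORK=$(mktemp -d)
ALICE="$WORK/alice"; BOB="$WORK/bob"
mkdir -m 700 "$ALICE" "$BOB"

gpg_as() {  # gpg_as <homedir> <gpg arguments...>
    home=$1; shift
    gpg --homedir "$home" --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"
}

fingerprint() {  # fingerprint <homedir> <user id>: primary key fingerprint
    gpg_as "$1" --with-colons --fingerprint "$2" | awk -F: '/^fpr:/ {print $10; exit}'
}

setup_keys() {
    # Generate Key: GnuPG 2.1+ also writes a revocation certificate to openpgp-revocs.d/.
    gpg_as "$ALICE" --quick-generate-key 'Alice <alice@example.test>' default default 1y
    gpg_as "$BOB"   --quick-generate-key 'Bob <bob@example.test>'     default default 1y
    # Send Public Keys By Email / Import Keys from File, in both directions.
    gpg_as "$ALICE" --armor --export alice@example.test > "$WORK/alice.asc"
    gpg_as "$BOB"   --armor --export bob@example.test   > "$WORK/bob.asc"
    gpg_as "$ALICE" --import "$WORK/bob.asc"
    gpg_as "$BOB"   --import "$WORK/alice.asc"
    # Compare this fingerprint with Bob over another channel before certifying it.
    BOB_FPR=$(fingerprint "$ALICE" bob@example.test)
    gpg_as "$ALICE" --quick-lsign-key "$BOB_FPR"
}

send_to_bob() {  # send_to_bob <plaintext>: signed by Alice, encrypted to Bob only
    printf '%s' "$1" | gpg_as "$ALICE" --armor --sign --encrypt \
        --recipient bob@example.test --output "$WORK/msg.asc"
}

read_as() {  # read_as <homedir>: prints the plaintext, fails without Bob's secret key
    gpg_as "$1" --decrypt "$WORK/msg.asc" 2>/dev/null
}

cleanup() {
    for h in "$ALICE" "$BOB"; do gpgconf --homedir "$h" --kill gpg-agent; done
    rm -rf "$WORK"
}

if [ "${1:-}" = demo ]; then   # run as: sh script.sh demo
    setup_keys && send_to_bob 'constructed test message'
    echo "Bob reads: $(read_as "$BOB")"
    read_as "$ALICE" >/dev/null || echo "Alice cannot decrypt: not encrypted to her key"
    cleanup
fi
```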

Final thoughts

If you are looking for a solid, easy-to-use encryption tool for Thunderbird e-mail, look no further than the Enigmail add-on. You will not find a solution that is as easy for new users but that is also as feature-rich for users already familiar with encryption.


Jack Wallen is an award-winning writer for TechRepublic. He's an avid promoter of open source and the voice of The Android Expert.