How do I . . . encrypt Thunderbird e-mail with Enigmail?

Enigmail is an extension that should be added by anyone needing security in their email exchanges. It takes the less-than-user-friendly task of encryption and makes it simple enough for anyone to use. Jack Wallen explains how it works.

When doing business via e-mail there are often times when you will want your data encrypted. Whether it is sending crucial client information, exchanging databases, or dealing with any other sensitive issue, you will want to know your e-mail is being exchanged safely. The best way to do this is with encryption. With the Windows operating system there are numerous ways to enable encryption. One of my favorite is via GNU Privacy Guard (GnuPG). GnuPG is open source, reliable, and free, and it works well with the Thunderbird extension Engimail.

Enigmail is an extension that should be added by anyone needing security in their e-mail exchanges. It takes the less-than-user-friendly task of encryption and makes it simple enough for anyone to use.

With Windows you will have to install encryption software before you install Enigmail. As I stated earlier, my favorite is GnuPG. Once GnuPG is installed, you can go on with the installation of Enigmail.

This blog post is also available in PDF format in a free TechRepublic download.

Installing GnuPG

There is very little to say about the installation of GnuPG. Download the Windows binary version of GnuPG and save it on your hard drive. Once the file is downloaded, double-click the file to begin the installation process. As with most Windows applications, the GnuPG installation process is as simple as a few clicks. You will have to select your language and the location you want the application installed. Outside of that, just keep clicking Next.

When GnuPG is installed, you have to do nothing with that application because it can all be handled by Enigmail. And for new users, this is the best way to handle the task.

Installing Enigmail

If you have ever installed an extension on Thunderbird, you will know the routine. First download the extension file by right-clicking the Enigmail download link and selecting the Save Link As... option. Once the file is downloaded, open Thunderbird, and then click on the Tools menu and select Add Ons.

When the Add Ons window opens, click on the Install button, locate the Enigmail extension file you downloaded earlier, and click Open. When the installer countdown finishes, the Install button will be available to you and you can then proceed to install Enigmail. The final installation step is to restart Thunderbird so the add-on will be available. (You will notice a new menu entry in Thunderbird called OpenPGP.)

Generate your key pair

The first step in setting up Enigmail is generating your key pair. Click on the OpenPGP menu and select Key Management. This will open a new window (Figure A) where you can generate your key pair.

Figure A

This is where you add and manage all your keys.
Click on the Generate menu and select New Key Pair. This will open a new window where you will enter all the information you need for your new key (Figure B). There isn't much information to enter in this window.

Figure B

If you know you'll want to keep this key pair, click the Key Does Not Expire checkbox.

After you enter all the information, click the Generate Key button. The key generation can take some time, so don't worry if it seems to be going slowly. Once the key is generated, you will be asked if you want to create a revocation key. I would suggest doing this because it will allow you to revoke your key should your secret key get lost or finds its way into the wrong hands. For the revocation key, you will be asked to save an .asc file on your hard drive. Do this and save it in a safe place. You will also have to enter the pass phrase you created at the beginning of the key generation.

Now that your key pair is saved, you will see it listed in the key management window (Figure C).

Figure C

You can upload your key to a server by right-clicking your key and selecting Upload Public Keys to Server.

Now that your key pair is generated you are almost ready to start sending encrypted e-mail. But before you can, any recipients of encrypted e-mail must have your public key; otherwise they won't be able to decrypt the messages.

Getting your public keys

You can easily send your public key by e-mail. From the key manager window, select the key you want to use and right-click that key. A new menu will appear, and in that menu you will see an entry titled Send Public Keys By Email. Click it, and a Thunderbird compose window will open with your public key already attached. Send that e-mail to anyone who will receive one of your encrypted e-mails. Now you're ready.

Sending an encrypted message

Sending an encrypted e-mail is simple. Click on the New button to open the composer window. Write your e-mail as you would any e-mail, but don't send it yet. Before you send this e-mail, click on the OpenPGP menu and select Encrypt (or press Ctrl-Shift-P) and the message will be sent encrypted. When you press Send, you will be asked which key you want to use. Select the key and click OK. The e-mail is encrypted and sent off to the recipient.

You can set Enigmail to always encrypt and/or sign messages. Click the New button to open the e-mail composition window. Click on the OpenPGP menu and then click on the Default Composition Options. From this new window (Figure D) make sure Encrypt Messages by Default is selected if you always want to encrypt your e-mail or not selected if you do not.

Figure D

If you have more than one e-mail account on Thunderbird, you can enable or disable Enigmail on a per-account basis in this window.

Decrypting an e-mail

First and foremost you must have a user's public key saved before you can decrypt their message. If the user sends you their key via e-mail and you save it to your hard drive, you can import it into the Key Management tool by clicking the File menu and then clicking Import Keys from File. Once you have their key in your manager you are set.

By default Enigmail will automatically decrypt e-mail that matches a saved public key. You can disable this by clicking on the OpenPGP menu and deselecting the Automatically Decrypt/Verify Messages entry.

Final thoughts

If you are looking for a solid, easy-to-use, encryption tool for Thunderbird e-mail, look no further than the Enigmail add-on. You will not find a solution that is as easy for new users but that is also as feature-rich for users already familiar with encryption.

TechRepublic's Windows Vista and Windows 7 Report newsletter, delivered every Friday, offers tips, news, and scuttlebutt on Vista and Windows 7, including a look at new features in the latest version of the Windows OS. Automatically sign up today!


Jack Wallen is an award-winning writer for TechRepublic and He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website


How do you transfer email from one laptop using Thunderbird to another using Thunderbird also?


While most of the User Comments on the Mozilla Review are positive, there is also this one: Addon to avoid absolutely It's a terrible add-on. It publishes your public key but, without saying it, it publishes also your e-mail address, so that the world all spammers can use it. It "not possible" to get delisted. And you're not warned. Moreover you'll be ask for a password for each and every mail you want to send. Rated 1 out of 5 stars by Henri on July 22, 2009 I am not, and do not know 'Henri'; but I also don't know if what he's talking about is valid... However, thanks, Jack, you do regularly come up with the most interesting stuff!:]


If I have to resort to this, then I am doing something seriously wrong to begin with. So are you.


When you send your key by email, there is a chance it can be intercepted, as you know. Does the OpenPGP system recognize this risk? Is there any safer way to provide this key to the recipient? Perhaps, a person could snail-mail the key on a small camera-type flash drive?

Mark W. Kaelin
Mark W. Kaelin

Are you encrypting all of your email? Most of your email? Any of your email? Don't you think you should?


You can if you wish post the Public key, or telephone it through or even tell the person next time you see them. The real issue is, *never* release your Private key to anyone else.


Maybe I'm misinformed about this, but the way I understand the Public Key/Private Key scheme: If I wanted a really secure interchange, we would each have a public/private pair, and exchange our public keys with each other (or make them available via a PKI service). Then I would use my counterpart's Public key to encrypt a message I was sending. My counterpart would use their private key to decrypt.


The purpose of using PKI is that the public key is just that, public. Anybody can use a person's public key to encrypt a message. Once encrypted, only the intended receipient can decrypt it (using their private key). There is never a need for a trusted channel through which to send the encryption key. The process being described in the article could just as well use a single symmetric key, since it requires you do distribute the key through a "secret" channel. Symmetric key encryption is better than plain text, but does not take advantage of the security and self-authentication available through PKI.


Each person must generate their own pair of keys. The Private key, must never leave your possession and if it is compromised, you should use your revocation certificate to void it. In any event, DO NOT continue to use that key pair. The Public key, is passed to whoever you wish to communicate with, using encrypted email. Some people are happy to publish their Public key on their web site, or on a key server. Keep in mind, this key pair acts in unison. One cannot work without the other. That's what makes it so secure. Clearly if you wanted to pass your Public key to someone, you would send it in a separate message, prior to sending the encrypted message. Or by other means. To send an encrypted email, you encrypt it using your own Private key (but this is transparent to the user using Enigmail). The recipient, then decrypts it using *your* Public key. If the recipient then wishes to communicate with you using encrypted email, he/she must pass their Public key to you. This gives you the means to decrypt *their* encrypted email. You can't decrypt *their* email, with *your* key. It wont work! In truth, it is this part of the process that is most difficult to get your head around. But in reality, once you have it sorted, it's really easy and I would encourage all IT pro's to understand and use encrypted communications. Frankly, there's been far too many disasters with unencrypted data and encrypted email is a start to encourage more widespread use of encryption as a whole. Edited for minor error.

Editor's Picks