OpenPGP in Thunderbird - HOWTO and FAQ

Revision Information
  • Revision id: 206646
  • Creator: Kai Engert
  • Comment: undo previous corruption
  • Reviewed: Yes
  • Reviewed by: ryanleesipes
  • Is approved? Yes
  • Is current revision? No
  • Ready for localization: No

This document is intended for Thunderbird users who want to use encrypted or digitally signed email with the OpenPGP technology.

What is OpenPGP and email encryption about?

Please see this separate article for a general introduction: https://support.mozilla.org/en-US/kb/introduction-to-e2e-encryption

Does Thunderbird support OpenPGP?

Older versions of Thunderbird (version 68 and before) did not include OpenPGP support. However, it was possible to add OpenPGP functionality by installing the Enigmail Add-on and GnuPG software. In Thunderbird 78, support for OpenPGP is built in. The feature was enabled by default in version 78.2.1.

Does OpenPGP in Thunderbird 78 work exactly as it did in Enigmail?

No, there are many differences. A major reason is that the Thunderbird project wants to offer a fully integrated solution, so we decided not to use GnuPG by default, in order to avoid licensing issues. We have a separate document that explains the differences: https://wiki.mozilla.org/Thunderbird:OpenPGP:Migration-From-Enigmail

I have never used OpenPGP with Thunderbird before, what should I do to set up OpenPGP?

You need a personal key pair. Use Thunderbird's account settings, choose the email account that you want to use with OpenPGP and select the end-to-end encryption pane. Use the Add Key button to set your personal key. If you have already used OpenPGP with other software, select import, and import a backup of your key that you created with the other software. If you don't have a key yet, you can create a new one. After importing or creating it, while still in account settings, select the key you want to actively use with your email account. Note that using OpenPGP has consequences, as explained in the general introduction. It's important that you make a backup of your key and store it in a secure location, separate from your regular computer.

I have previously used Enigmail, how do I migrate and configure?

You can upgrade your Thunderbird settings from an older version (such as 68.x) to version 78.x. It is recommended that you make a backup of your old Thunderbird profile before you use Thunderbird 78 for the first time, because once you have upgraded, your profile can no longer be used with Thunderbird 68. If for any reason you decide that you must continue to use Thunderbird 68 and Enigmail, a backup will allow you to go back easily.

Enigmail is currently available in two versions, 2.1.x and 2.2.x. The difference is that Enigmail 2.1.x only works with Thunderbird 68 and older release versions, and provides the classic functionality. Enigmail version 2.2.x is a specially modified version, which only works with Thunderbird 78 and later versions. Enigmail 2.2.x doesn't provide the traditional functionality; rather, it exists to help you migrate your keys and settings to Thunderbird 78.

If you start Thunderbird 78 with an existing profile, and the previous profile had Enigmail installed, then Thunderbird 78 will detect that the previous Enigmail 2.1.x Add-on is not compatible. It should automatically check for a newer version, find Enigmail 2.2.x and install it. Enigmail will then automatically open a tab that greets you, explains that migration is possible, and offers to start it.

Previously, Enigmail used GnuPG to store and manage all keys and trust settings. If you click the button to start the migration, the Enigmail migration software will read your old keys from GnuPG one after the other. You must enter passwords to confirm the export of your keys, and to allow them to be unlocked for importing them into Thunderbird's new internal key storage. Thunderbird 78 uses different settings than Enigmail.

With Enigmail, it was possible to enable OpenPGP for an email account, but let it automatically select which of your keys would be used. Thunderbird 78 combines these settings. To enable OpenPGP for an email account, it's necessary to explicitly specify which personal key to use.

Consequently, if you had previously used the automatic selection, then the migration might not have selected a key yet. After the migration, you should manually check the configuration of all your email accounts and identities, and if necessary, manually select the appropriate key.

Can I repeat the migration?

If there is any problem with the migration, you may repeat it. For example, the migration may fail if you experience a bug in Thunderbird, or if you didn't remember the password for all of your personal keys and did only a partial migration. To repeat the migration, you need to access a command from the top menu bar. If you're using Windows or Linux, and the top menu bar isn't visible, right-click in the top area of the Thunderbird main window and enable the menu bar. Then use the Tools menu, which contains the command "Migrate Enigmail Settings".

I tried to import a file with public keys, and I get an error message that the file is too big

Please see the answer to the following question.

I previously used OpenPGP with GnuPG, but with different email software. How can I migrate my keys to Thunderbird 78?

For your personal keys (also called private or secret keys), you can use a command to export them to a file. To export keys managed by GnuPG, you could use the following command:

gpg --export-secret-keys --armor > my-secret-keys.asc

Then you can import them into Thunderbird. Either use the Add Key and Import functionality in Thunderbird account settings, end-to-end encryption pane, or use the global menu bar to open the Tools menu, which offers the OpenPGP Key Manager. There, use File, Import Secret Keys, and select the file you created above. You probably have only a small number of personal keys, therefore this approach should work.

You may use a similar approach for exporting the public keys of your correspondents and use the following command:

gpg --export --armor > all-public-keys.asc

However, if you have many keys, you might experience a problem because of a current limitation in Thunderbird. Currently, Thunderbird cannot import a large set of keys in a single step. An attempt to import a file that is bigger than 5 MB will be rejected.

You have two options to work around this limitation. The first option is to use a graphical key manager for GnuPG and export your keys into separate files. For example, if all public keys in total have a size of 17 MB, you'd have to create 4 files, and select a quarter of the public keys for each exported file. This is cumbersome. Alternatively, you could try to use the Enigmail version 2.2.x migration Add-on for importing public keys into Thunderbird, even if you haven't used Enigmail before.

To do so, use Thunderbird 78 and search for the Enigmail Add-on. You'll be offered to install version 2.2.x. Once installed, you can manually access the command "Migrate Enigmail Settings" from Thunderbird's top menu bar, in the Tools submenu. Note that this may fail, depending on how you have set up GnuPG software on your computer, so it cannot be guaranteed that this approach works.

If you have correctly set up GnuPG software on your computer such that the Enigmail migration Add-on can find it, then it will import all public keys one by one from GnuPG into Thunderbird, without being affected by the mentioned size limit.
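The "separate files" workaround above can be scripted instead of done by hand in a graphical key manager. The following script is an added example, not code from Thunderbird, Enigmail or this wiki; it assumes GnuPG 2.x's gpg is on PATH and uses a default per-file limit of 4,000,000 bytes (an assumption chosen to stay below the 5 MB rejection threshold).

```shell
#!/bin/sh
# Added example, not part of the Thunderbird documentation: export every public
# key in the GnuPG keyring into several ASCII-armored files, each kept under a
# size limit, so that each file can be imported into Thunderbird 78 through the
# OpenPGP Key Manager despite the 5 MB per-file import limit.
# Assumptions: gpg (GnuPG 2.x) is on PATH; LIMIT is in bytes and defaults to
# 4,000,000 to leave a margin below 5 MB.
set -eu

LIMIT=${LIMIT:-4000000}

# Print the primary-key fingerprint of every key listed by
# `gpg --list-keys --with-colons` (read on stdin). The "fpr" record that
# directly follows a "pub" record carries the primary fingerprint in field 10;
# "fpr" records that follow "sub" records (subkeys) are skipped.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Read "fingerprint size" lines on stdin and print "batch fingerprint" lines.
# A new batch starts whenever adding the next key would push the running total
# over the limit ($1). Summing the individually armored sizes over-estimates
# the size of the combined armored export, so each batch stays under the limit.
# A single key larger than the limit gets a batch of its own; such a key would
# still be rejected by Thunderbird and has to be minimized with other tools.
plan_batches() {
    awk -v limit="$1" '
        BEGIN { batch = 1; total = 0 }
        {
            if (total > 0 && total + $2 > limit) { batch++; total = 0 }
            total += $2
            print batch, $1
        }'
}

# Measure each key's armored size, plan the batches, then export one armored
# file per batch into the given output directory.
export_batches() {
    outdir=$1
    mkdir -p "$outdir"
    rm -f "$outdir"/batch-*.list
    gpg --batch --list-keys --with-colons | primary_fingerprints |
    while read -r fpr; do
        size=$(gpg --batch --export --armor "$fpr" | wc -c)
        echo "$fpr $size"
    done | plan_batches "$LIMIT" |
    while read -r batch fpr; do
        echo "$fpr" >> "$outdir/batch-$batch.list"
    done
    for list in "$outdir"/batch-*.list; do
        [ -e "$list" ] || continue
        n=${list##*/batch-}; n=${n%.list}
        xargs gpg --batch --export --armor < "$list" > "$outdir/public-keys-$n.asc"
        rm -f "$list"
        echo "wrote $outdir/public-keys-$n.asc ($(wc -c < "$outdir/public-keys-$n.asc") bytes)"
    done
}

# Export only when an output directory is given, e.g.: sh export-batches.sh ./tb-keys
if [ "$#" -gt 0 ]; then
    export_batches "$1"
fi
```

Import each resulting public-keys-N.asc file separately with the OpenPGP Key Manager; the key selection and batching logic can be checked without GnuPG by feeding constructed --with-colons output to the two helper functions.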

Enigmail reports that migration of my private key has failed

This could mean that you were trying to import a key that isn't yet supported by RNP. Another possible reason is an incomplete setup of GnuPG software on your computer, especially if you weren't prompted to enter a password to export your private key. (This shouldn't apply if you have recently successfully used Enigmail on your computer.) A good way to ensure that you have correctly installed GnuPG is to use the following procedure: Install Thunderbird 68 into a separate directory, then run Thunderbird 68 with parameter -P and run it with a separate profile. (You don't need to configure an email account; you may cancel that suggestion.) Then install Enigmail into your Thunderbird 68 profile, and execute the Enigmail setup wizard, which will help you to set up GnuPG software correctly. If this didn't help, you could check the Enigmail FAQ: https://enigmail.net/index.php/en/faq-en?view=topic&id=14

What types of OpenPGP keys are supported?

Not all keys that are supported by GnuPG can be used with Thunderbird 78, in particular some keys that use an advanced structure. You cannot use secret keys that are incomplete, for example, when using an offline primary key. Also, you cannot use secret keys that contain "stub" keys, that tell GnuPG that a key is located on a smartcard. The RNP software that we use for processing keys may not yet support certain keys. If you find that your key doesn't work, please report it, and ideally please include a copy of the key that doesn't work. However, be careful and don't send us your secret keys. We currently don't allow the use of keys that rely on the use of the MD5 hash algorithm.

If my secret key isn't supported by Thunderbird, are there alternative options?

Yes, for secret keys, Thunderbird 78 allows you to optionally use GnuPG software. This allows you to use GnuPG for digital signing and decryption. Note that public key operations (encryption and signature verification) are always handled using Thunderbird's internal code, and the public key acceptance settings configured within Thunderbird. This mechanism was originally intended to support smartcards or hardware tokens that store a secret key; however, it's not restricted to hardware. You may also use it with keys that are stored in files on your computer. This mechanism requires you to install and configure the required GnuPG software yourself, because it cannot be distributed together with Thunderbird. Therefore this mechanism isn't enabled by default. To learn how to use it, refer to the question about smartcards.

Can I use an OpenPGP smartcard or a hardware token with Thunderbird 78?

Yes, we offer an optional mechanism. It requires that you install GnuPG and all required software yourself. Please refer to this document which explains it in detail: https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards

How do I send an encrypted or digitally signed email?

Ensure you have configured your personal key for your email account or identity. When you write an email, use the Options menu, or the menu found on the security button, and enable the protection you would like to use.

What's necessary to send an encrypted message?

You must have your personal key configured, and you must have an accepted public key for each of the email's correspondents. To avoid accidentally using a correspondent's key without knowing whether it's the correct key, you are required to confirm the use of public keys. You have the choice to accept a key without verifying it; in this case you aren't protected against Monster In The Middle attacks (MITM). When sending an email, if you don't have an accepted key for at least one recipient, sending will be blocked, and information about the availability of the correspondents' keys will be shown. To send the email, you need to obtain keys for each of the correspondents. If you aren't able to do so, you cannot send the message encrypted. You have the choice to either not send an email at all, or to disable encryption and send the message without protection.

What does key acceptance mean?

Technically, anyone is able to create an OpenPGP key in anyone's name, using any email address they want. Nobody is able to limit or prevent that. This means that whenever you receive a correspondent's public key, you risk that it's a false key, and an attempt to trick you. Unless you have verified your correspondent's key, you might not be having a confidential conversation, but rather you might be the victim of a Monster-In-The-Middle attack (MITM). It's your decision whether you care about this attack vector, and you might want to decide individually based on the correspondent. If you accept a key, it means you are willing to use that key for sending encrypted messages to that correspondent. If you receive an email from a correspondent, your acceptance decision controls how the digital signature will be displayed. Only signatures from accepted keys will be shown as valid.

Why do I have to mark my own secret key as accepted, as a personal key?

This is about a theoretical attack. Thunderbird treats personal keys differently: it grants full trust to those keys, and we skip the usual acceptance question (verified, unverified, etc.). In theory, an attacker might create a key in the name of one of your contacts, send the secret key to you, and trick you into importing it. By requiring you to confirm that a secret key is your own key, you will probably notice that it isn't a key in your name, and you will probably reject its use as your personal key. This stops the attack. This setting is similar to GnuPG's model of marking a key as having "ownertrust ultimate".

Why is encryption automatically enabled when I reply to an encrypted message?

When replying, the default is to quote (include) the information that was in the message that you reply to. Your correspondent might have good reasons to encrypt their message, so you should be very careful when including the original text in a new message you send. At the least, you should continue to use encryption. If you are unable to encrypt, and if you consider replying without encryption, you should probably remove all the quoted text from the email you are writing.

How do I get the keys of my correspondents?

If your correspondent sends you an email with their public key attached as a regular attachment, or contained in a hidden email header according to the Autocrypt standard, then Thunderbird will offer to import the key.

You may try to discover keys online by email address, by clicking on an email address in an email message you are reading, and using the command "discover key" shown in the popup menu. Currently, it will search for published keys using the WKD protocol, and it will search for keys in the keys.openpgp.org keyserver. The same mechanism can be used from the OpenPGP Key Manager, using the Keyserver, "Discover Keys Online" command, which allows you to search by any email address, key ID or fingerprint. Also, the same discovery mechanism can be used after having attempted to send an encrypted email, when reviewing the missing key information.

If a key has been published on the Internet, you may download the key and use the OpenPGP Key Manager to import the downloaded file. Or you may try to import it by downloading from a given URL.

Enigmail used to offer searching on non-verifying keyservers. At this time Thunderbird doesn't offer that, because of the various issues that were detected with those keyservers in the recent past. If you need to obtain a key from a keyserver that isn't currently supported by Thunderbird 78, then you must use other software to obtain it, save it to a file, and then use the OpenPGP Key Manager to import the public key file.

Does Thunderbird support opportunistic or automatic encryption?

No. At this time, Thunderbird requires the user to take control and decide when encryption should be used or not be used, by enabling the appropriate options when composing an email.

I used the Enigmail configuration to trust all usable keys. Does Thunderbird support that?

No. For each correspondent's public key that you want or need to use, Thunderbird 78 requires that you accept the key at least once.

Why does Thunderbird automatically enable the digital signature when I enable encryption?

Encryption by itself only offers confidentiality, but it doesn't provide any assurance about who sent the message. In theory, someone could send you an encrypted message, but fake the sender of the email, giving you a false impression. Because encryption gives the impression of an email being secure, but an email that isn't digitally signed cannot really be assumed to be secure, it's recommended to also digitally sign emails. At this time we don't offer an option to prevent digital signing from being enabled automatically. We might consider offering this as a configuration option in the future. At this time, if you don't want to send a digital signature, you must manually disable this option prior to sending, on each encrypted email that you send.

Why does Thunderbird automatically send my public key whenever I digitally sign an email?

When sending a digital signature, you imply that you want the recipient to be able to verify that the digital signature is correct. A digital signature cannot be verified if the correspondent's public key is unavailable. To ensure that your recipients will always be able to verify your signature, it's best to always include your public key. At this time, we don't provide a configuration option to automatically exclude your public key when digitally signing; rather, it is necessary that you manually disable it prior to sending.

My public key is very big, because I have many signatures on it. It's too big to include it with every signed message.

Because of limitations, we currently aren't able to automatically minimize your key. If you want to avoid your big key being sent with each digitally signed message, you could use other software, like GnuPG, to edit and minimize your key. Ensure you have a reliable backup of your secret key. Then export your key. Use other software to minimize it. Then delete your secret key in Thunderbird, import the minimized key, and ensure you restore your account configuration to use that key. A future version of Thunderbird will attempt to automatically minimize the key when appropriate, but this depends on future functionality in the RNP library.

I used an advanced configuration with GnuPG to use a group of recipients and define the keys to be used.

At this time, Thunderbird 78 doesn't support this feature. We hope to support it in the future. The enhancement is tracked at https://bugzilla.mozilla.org/show_bug.cgi?id=1644085

Does Thunderbird support per recipient rules or filter rules to automatically decrypt emails?

No, not at this time.

Can I disable the encryption of the email subject?

No, not at this time.

Does Thunderbird support the Web Of Trust?

No. Thunderbird will not automatically trust or accept keys that were signed by others. Also, at this time, if you indicate that you have verified a correspondent's key, Thunderbird will not add your signature to it. This might change in a future version of Thunderbird. When using the Enigmail migration utility to migrate public keys to Thunderbird, it should detect keys that have already been signed by your personal key, and automatically mark the corresponding keys as accepted, so you don't need to start from scratch.

How does Thunderbird store which keys are accepted?

This information is stored in file openpgp.sqlite in the Thunderbird profile directory.

Where does Thunderbird store OpenPGP keys?

It stores them in the Thunderbird profile directory.

I need to use both GnuPG and Thunderbird in parallel, can I synchronize my keys?

No. At this time, Thunderbird uses its own copy of keys, and doesn't support synchronizing keys with GnuPG. The exception is the mechanism offered for smartcards, which can be used to make use of the personal keys managed by GnuPG.

How is my personal key protected?

At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. The same automatic password will be used for all OpenPGP secret keys managed by Thunderbird. You should use the Thunderbird feature to set a Master Password. Unless you set a master password, your OpenPGP keys in your profile directory are unprotected. They can be stolen by copying all files, in particular files key4.db and

Do you support Autocrypt?

Thunderbird doesn't support the Autocrypt philosophy that encryption should be fully automatic. However, Thunderbird attempts to provide some compatibility with email clients that only support Autocrypt. When sending an email with the option to attach your OpenPGP public key enabled, and your key is sufficiently simple to be compatible with Autocrypt, Thunderbird will add the appropriate header to the outgoing email, which can allow your correspondent to learn about your public key. When receiving email that contains a correspondent's public key in an Autocrypt header, Thunderbird allows you to import the key. At this time, Thunderbird doesn't support the "Gossip" feature.

I have previously used the Junior Mode, what do I do now?

Enigmail offered two very different modes of operation: a classic mode and a "junior mode", which was implemented by software from the pEp software company. Thunderbird does not provide the junior mode; the solution that Thunderbird provides is more similar to Enigmail's classic mode of operation.

I'm using Enigmail 2.2.x to perform a migration but the import appears stuck

Maybe the software has run into a problem. Please refer to the section about obtaining more information on failure.

Where can I ask questions about, or report problems with Thunderbird's OpenPGP feature?

If your problem isn't covered on this page or in the linked documents, please refer to section "Discussion" on the following page for ways to contact us: https://wiki.mozilla.org/Thunderbird:OpenPGP#Discussion

How can I check if the problem I have has already been reported?

Please refer to section "Open issues and TODO list" here: https://wiki.mozilla.org/Thunderbird:OpenPGP#Open_issues_and_TODO_list

I'm running into a problem and I'd like to try to analyze it myself

More information can be found here in section "Debugging / Tracing": https://wiki.mozilla.org/Thunderbird:OpenPGP#Debugging_.2F_Tracing

My Thunderbird was upgraded to version 78 but I'd prefer to stay with Thunderbird 68 and Enigmail

As soon as you have started Thunderbird 78 with a profile, you cannot easily go back to 68, because the profile has been migrated, and Thunderbird 68 will refuse to use it and will not start. If you have a backup of your profile, you can try to restore it; then you should be able to start Thunderbird 68 again. If you don't have a backup, you could start Thunderbird 68 with a fresh profile and configure Thunderbird again. The use of the Thunderbird startup parameter --allow-downgrade is not recommended, because you will lose some configuration settings and may get unexpected behavior.

I've received an encrypted email with a hidden recipient (key ID 0x00000000) and Thunderbird cannot decrypt it

This isn't supported yet. The addition of the feature is tracked here: https://github.com/rnpgp/rnp/issues/1275