
Storage of PGP passphrase
I have just upgraded from 68.12 to 78.2.2. I used Enigmail but I have migrated to the built-in openPGP. Everything runs as it should.
But it seems that my passphrase has been saved. In the old Enigmail, it used to ask for the passphrase regularly, which I found safer.
So in Thunderbird 78.2.2, is there a way to avoid the saving of the passphrase, or to define how long the passphrase should be saved (e.g. 15 min, session...)? If not, should I then use a master password to protect it? I cannot find the passphrase under saved passwords, so I am not sure where it is stored and therefore if the master password would protect the passphrase.
Thank you!
Chosen solution
In the old Enigmail, it used to ask for the passphrase regularly, which I found safer.
Thunderbird OpenPGP does protect private keys, but it does it differently than Enigmail/GPG. It's the same mechanism that has been used in the past to protect private keys for S/MIME certificates, and for SSL/TLS client side certificates.
Thunderbird uses an automatically created, random password to protect all the OpenPGP secret keys.
An encrypted version of that password is stored in file encrypted-openpgp-passphrase.txt in the Thunderbird profile directory.
The password is encrypted using the Thunderbird Master Password feature. It uses a symmetric key that lives in file key4.db.
By default, file key4.db is unprotected. If you setup a Thunderbird master password, then the keys in file key4.db are password protected, and you will have to unlock it once each time you start Thunderbird, the first time any key from that database is required.
So in Thunderbird 78.2.2, is there a way to avoid the saving of the passphrase, or to define how long the passphrase should be saved (e.g. 15 min, session...)?
You can still use GPG for secret key operations only, i.e. for signing and decryption. See https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards
Note, even though the article is about using smartcards, it also works when the keys managed by GnuPG are stored in the standard software keyring files.
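To make the layering in the accepted answer concrete, here is a small model of it: a random per-profile password guards the OpenPGP secret keys, that password is stored only in encrypted form, and the key that encrypts it comes from key4.db, which is either unprotected (modelled here as an empty master password) or protected by the master password. This is an added illustration written for this page, not Thunderbird's or NSS's code, and it does not reproduce their file formats or algorithms; the PBKDF2 derivation, the HMAC-based stream cipher and the dictionary standing in for the profile files are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000  # assumed parameter for the toy model


def derive_wrapping_key(master_password: str, salt: bytes) -> bytes:
    """Stand-in for the symmetric key kept in key4.db (assumption, not NSS's scheme).

    An empty master password models the default state in which key4.db is unprotected:
    the wrapping key then depends on nothing the attacker lacks.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib-only toy stream cipher for the example."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key fails here rather than yielding garbage."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered blob")
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def create_profile(master_password: str = "") -> tuple[dict, bytes]:
    """Model a fresh profile: an automatically created random OpenPGP password is
    generated and stored only in wrapped form. The dictionary keys are named after
    the files the answer mentions; the layout inside is constructed for this example.
    Returns the profile and the plaintext password (the latter only so a caller can
    check the round trip; it is never part of the stored profile)."""
    openpgp_password = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    wrapping_key = derive_wrapping_key(master_password, salt)
    profile = {
        "key4.db": {"salt": salt, "has_master_password": bool(master_password)},
        "encrypted-openpgp-passphrase.txt": wrap(wrapping_key, openpgp_password),
    }
    return profile, openpgp_password


def unlock(profile: dict, master_password: str = "") -> bytes:
    """What happens at startup: rebuild the key4.db key and recover the OpenPGP password."""
    key = derive_wrapping_key(master_password, profile["key4.db"]["salt"])
    return unwrap(key, profile["encrypted-openpgp-passphrase.txt"])


def recoverable_without_master_password(profile: dict) -> bool:
    """Defender's check in the toy model: can the stored OpenPGP password be
    recovered from the profile files alone, with no master password?"""
    try:
        unlock(profile, "")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    unprotected, _ = create_profile("")
    protected, _ = create_profile("correct horse battery staple")
    print("no master password  -> recoverable from disk:",
          recoverable_without_master_password(unprotected))
    print("master password set -> recoverable from disk:",
          recoverable_without_master_password(protected))
```

The point the model makes is the one the answer states: the OpenPGP password on disk is exactly as protected as the key in key4.db, so without a master password anyone holding a copy of the profile directory can recover it, and with one they must first supply the master password.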
All replies (7)
See this item in the FAQ and the following one about master password:
I'd prefer that Thunderbird adds a second 'MasterPassword' just for the Mail-Encryption Keys with a configurable interval (0-30 minutes) for how often it asks for it, like Enigmail did before. The "SmartCard" way is possible but not really great.
Keeping PGP Private Key Passwords in memory per session is reasonable but saving them for automatic decryption along with account passwords is NOT!
There is a big difference in expected privacy and security levels between an account password and a PGP Private Key Password!
PGP passwords should not reside on disk anywhere! By rights, they should also be explicitly purged from memory upon exiting Thunderbird.
The current 78 version of Thunderbird breaks too many PGP security measures in its zeal to be easy to use.
I've switched back to 68 and Enigmail for now.
I'll see what the future brings. "Interlink" seems to be a Thunderbird clone that supports Enigmail but I haven't tried it yet.
OpenPGP in Thunderbird 78 is a security disaster. It seems that experienced Linux users who have been using Enigmail with GnuPG for years have been completely bypassed with this design decision. Thunderbird 78 will certainly be a relief for Windows users and beginners in encryption issues. But security-wise, snake oil. By default the passphrase is simply stored without any request if you don't use a master password. Per-recipient rules are not possible. Also the use of a smartcard for encryption is not possible. I also switched back to Thunderbird 68 and will use it with AppArmor as long as possible. Maybe someone will develop a fork which is suitable for Linux users again. Or I use another mail client.
Perhaps you have not been informed:
- The author of Enigmail was very much involved in the implementation of OpenPGP
- The library used for encryption does not yet support smartcard - but that is expected to change
- Because of time constraints to deliver OpenPGP in version 78, what you see today is just the first iteration - so compromises were made and there is missing functionality - so there is more to come