This tutorial explains how to set up Thunderbird to digitally sign, encrypt and decrypt messages in order to make them secure.
The email infrastructure that everyone uses is, by design, not secure. While most people connect to their email servers using a secure ("SSL") connection, some servers allow unsecured access. Furthermore, as the message moves through its transmission path from sender to recipient, the connections between each server are not necessarily secure. It is possible for third parties to intercept, read and alter email messages as they are transmitted.
When you digitally sign a message, you embed information in the message that validates your identity. When you encrypt a message, it appears to be "scrambled" and can only be read by a person who has the key to decrypt the message. Digitally signing a message ensures that the message originated from the stated sender. Encrypting ensures that the message has not been read or altered during transmission.
To encrypt messages, you can use the public-key cryptographic system. In this system, each participant has two separate keys: a public encryption key and a private decryption key. When someone wants to send you an encrypted message, he or she uses your public key to encrypt it. When you receive the message, you must use your private key to decrypt it.
The protocol used to encrypt emails is called PGP (Pretty Good Privacy). To use PGP within Thunderbird, you must first install:
These two applications also provide the capability to digitally sign messages.
To install GnuPG, download the appropriate package from the GnuPG binaries page. Follow the installation instructions provided for your particular package. For more information on installing PGP on specific operating systems, refer to:
To install Enigmail:
Create your public/private keys as follows:
To receive encrypted messages from other people, you must first send them your public key:
To send encrypted messages to other people, you must receive and store their public key:
When you receive an encrypted message, Thunderbird will ask you to enter your secret passphrase to decrypt the message. To determine whether or not the incoming message has been signed or encrypted, look at the information bar above the message body.
If Thunderbird recognizes the signature, a green bar (as shown below) appears above the message.
If the message has been encrypted and signed, the green bar also displays the text "Decrypted message".
If the message has been encrypted but not signed, the bar appears as shown below.
If you believe that your private key has been "compromised" (that is, someone else has had access to the file that contains your private key), you should revoke your current set of keys as soon as possible and create a new pair. To revoke your current set of keys:
Send the revocation certificate to the people you correspond with so that they know that your current key is no longer valid. This ensures that if someone tries to use your current key to impersonate you, the recipients will know that the key pair is not valid.
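The key exchange, sign-and-encrypt, decrypt and revoke steps described above, driven directly through the gpg command line rather than the Enigmail dialogs, as an added example that is not part of the original article. It assumes GnuPG 2.1 or later (which writes a revocation certificate into openpgp-revocs.d at key creation); the Alice and Bob addresses and keyrings are constructed for the demo.

```shell
#!/bin/sh
# Constructed example, not code from the Thunderbird/Enigmail article: the
# key-exchange, sign+encrypt, decrypt and revoke steps the article walks through
# in Enigmail, driven through the gpg command line (GnuPG 2.1 or later), using
# two throwaway keyrings so nothing touches the real ~/.gnupg.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate"; exit 0; }

ALICE=$(mktemp -d); BOB=$(mktemp -d)          # one isolated keyring per party
chmod 700 "$ALICE" "$BOB"
# Unattended gpg: no prompts, keys left without a passphrase (demo only).
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Returns 0 when the whole round trip, including revocation, behaves as expected.
pgp_round_trip() {
  # 1. Each party creates a key pair (the article's "create your public/private keys").
  g --homedir "$ALICE" --quick-generate-key 'Alice <alice@example.test>' default default never
  g --homedir "$BOB"   --quick-generate-key 'Bob <bob@example.test>'     default default never

  # 2. Exchange public keys: export your own, import the other side's.
  gpg --homedir "$ALICE" --armor --export alice@example.test > "$ALICE/alice.pub"
  gpg --homedir "$BOB"   --armor --export bob@example.test   > "$BOB/bob.pub"
  g --homedir "$BOB"   --import "$ALICE/alice.pub"
  g --homedir "$ALICE" --import "$BOB/bob.pub"

  # 3. Alice signs with her private key and encrypts to Bob's public key.
  #    --trust-model always only skips the trust prompt; verify fingerprints out of band.
  printf 'meet at noon\n' > "$ALICE/msg.txt"
  g --homedir "$ALICE" --trust-model always --local-user alice@example.test \
    --recipient bob@example.test --sign --encrypt --armor \
    --output "$ALICE/msg.asc" "$ALICE/msg.txt"

  # 4. Bob decrypts with his private key; gpg verifies Alice's signature as it does so.
  g --homedir "$BOB" --decrypt --output "$BOB/msg.txt" "$ALICE/msg.asc"
  [ "$(cat "$BOB/msg.txt")" = "meet at noon" ] || return 1

  # 5. Alice's private key is compromised. GnuPG wrote a revocation certificate at key
  #    creation (openpgp-revocs.d/<fingerprint>.rev, armor header disabled with a ':').
  #    She un-comments it and sends it to Bob, whose keyring then marks her key revoked.
  FPR=$(gpg --homedir "$ALICE" --with-colons --list-keys alice@example.test | awk -F: '/^fpr/ {print $10; exit}')
  sed 's/^://' "$ALICE/openpgp-revocs.d/$FPR.rev" > "$ALICE/revoke.asc"
  g --homedir "$BOB" --import "$ALICE/revoke.asc"
  gpg --homedir "$BOB" --with-colons --list-keys alice@example.test | grep -q '^pub:r' || return 1
}

cleanup() {   # stop the per-keyring agents and remove the temporary keyrings
  for d in "$ALICE" "$BOB"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$ALICE" "$BOB"
}
```

Run `pgp_round_trip && cleanup`; the final check (`pub:r`) is the revoked-key state Bob's Enigmail would show once he imports the certificate.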