Compare Revisions

Prerequisite for sending an encrypted email message

Revision 246618:

Revision 246618 created by kaie on

Revision 246784:

Revision 246784 created by kaie on

Keywords:

Search results summary:

This article explains why Thunderbird may report that it cannot encrypt an email that you attempt to send.

Content:

<!-- This article is used as context-help, opened when clicking a learn-more link from inside Thunderbird's OpenPGP Key Assistant. Please keep the primary focus of the article. See also https://bugzilla.mozilla.org/show_bug.cgi?id=1773720 -->

If you attempt to send an email with End-To-End Encryption enabled, Thunderbird may report that it cannot encrypt the message.

To send an encrypted email, you must obtain and accept a usable key for each recipient of the message that you add to the TO, CC or BCC field.

== Obtaining ==

...

== Technical Validity ==

...

== Accepting ==

...

<!-- This article is used as context-help, opened when clicking a learn-more link from inside Thunderbird's OpenPGP Key Assistant. Please keep the primary focus of the article. See also https://bugzilla.mozilla.org/show_bug.cgi?id=1773720 -->

If you attempt to send an email with End-To-End Encryption enabled, Thunderbird may report that it cannot encrypt the message.

Several preparations are necessary before you can send an encrypted email. Some steps must be done by you, and some must be done by your correspondents.

== Prepare your own setup ==

Each person who wants to participate in encrypted email conversations must ensure that they own proper cryptographic keys for themselves.

This article assumes that you have already completed the steps to [https://support.mozilla.org/kb/thunderbird-help-setup-account-e2ee configure your own email account to use End-To-End Encryption]. Your correspondents must also complete those steps in Thunderbird, or equivalent steps if they use software other than Thunderbird.

If you don't yet understand how email encryption technology works in general, you might want to read the article [https://support.mozilla.org/kb/introduction-to-e2e-encryption Introduction to End-to-end encryption in Thunderbird].

Thunderbird stores all the secret keys that you have created or imported from your own backup, and it also stores all the public keys of other people that you have imported. You may review the list of keys using Thunderbird's OpenPGP Key Manager.

== Obtaining public keys or certificates of your correspondents ==

To encrypt an email you send, you must have a copy of the OpenPGP public key or S/MIME certificate of each email recipient.

Note that Thunderbird cannot send email with mixed technology. If you send an encrypted email with the OpenPGP technology, you must have OpenPGP public keys for all recipients. If you send an encrypted email with the S/MIME technology, you must have S/MIME certificates for all recipients.

=== Obtaining OpenPGP public keys of correspondents ===

The following mechanisms can be used to obtain an OpenPGP public key:

* Your correspondent sends an email to you, and they attach their public key to that email. When viewing such an email, if you click the OpenPGP label shown in the header area, Thunderbird will offer to import the key.
* Your correspondent sends an email to you, which includes an Autocrypt header containing their public key. When viewing such an email, if you click the OpenPGP label shown in the header area, Thunderbird will offer to import the key.
* Your correspondent has published their public key on a web server. Your correspondent may give you a link to their public key, or you might use a web search and find the key yourself. In both cases you download the public key to a local file, and then use Thunderbird's OpenPGP Key Manager to import the file containing the public key.
* Your correspondent has published their public key on a server that uses the WKD protocol. When you attempt to send an encrypted email but don't yet have a public key for an email address, Thunderbird may offer to perform an online discovery, which is able to find public keys published using the WKD protocol.
* Your correspondent has published their public key on a keyserver that Thunderbird supports, such as the keys.openpgp.org server. When you attempt to send an encrypted email but don't yet have a public key for an email address, Thunderbird may offer to perform an online discovery, which is able to find public keys published on that keyserver.
* Your correspondent has published their public key on a keyserver that Thunderbird isn't yet able to query automatically. If your correspondent tells you which keyserver contains their key, you might be able to use a web browser to visit that keyserver, search for their public key, download it to a file, and then import that file using Thunderbird's OpenPGP Key Manager.

If you and Thunderbird cannot find the key automatically, it's usually easiest to send a simple email (without encryption) to your correspondent, and ask them to send you an email that contains their public key.

With Thunderbird versions 78 and 91, if you received an email with a correspondent's key, it was necessary to interact with that email to import the key, either by using the right-click menu on an attachment and asking to import it, or by clicking the OpenPGP label, which may report that the email contains a public key and may offer to import it.

With Thunderbird versions 102 and newer, Thunderbird automatically collects the keys it sees into a cache for later use. When you compose an email and the correspondent's public key is not yet imported, Thunderbird may be able to automatically offer public keys that it has collected from emails.

=== Obtaining S/MIME certificates of correspondents ===

The standard way of distributing a person's certificate is to send a digitally signed email.

If you have received a signed email from your correspondent, click the email to view it. If Thunderbird considers the email's signature and the sender's certificate valid, the certificate will be automatically imported, and it will be available when you attempt to encrypt an email to that correspondent using the S/MIME technology.

If you don't have a signed email from your correspondent yet, you could ask them to send a digitally signed email to you.

Note that certificates issued by CAs may have a short validity period. Certificates are no longer usable after the validity period has passed. Once that happens, you need to ask your correspondent to send you a fresh digitally signed email. Your correspondent might be required to obtain a new certificate, if they haven't yet, before they will be able to send you a new digitally signed email with a valid certificate.

Organizations that operate an LDAP server may configure their server to store S/MIME certificates. If an LDAP server is configured, Thunderbird may automatically query the LDAP server if it needs to obtain an S/MIME certificate.

== Technical Validity ==

...

== Accepting ==

...
