Setting up email encryption
This tutorial will walk through GPG and Enigmail setup and cover encryption and signing of messages in Thunderbird.
The first thing to install is the GnuPG. If you are running Linux you probably already have it installed. If you don't have it already go to the GnuPG website and follow the correct download link for your operating system. The following steps will illustrate the Windows version of GnuPG.
Download and run the Gpg4win installer.
You can accept the default values for many of the following screens.
Make sure to enable GPA here. If you're using this guide to set up GnuPG you don't need to install Kleopatra. Claws-Mail is an alternative to Thunderbird that you can use if you want but this guide will not cover it.
These defaults should be adequate.
There is no need to set up certificates at this time so check the box to skip that configuration.
Now that GnuPG is installed open Thunderbird and go to the Add-ons menu.
Search for Enigmail
Install the add-on.
Generating a keypair
Use the Setup Wizard in the OpenPGP menu to create a keypair and configure Thunderbird to use it.
Confirm that you want to use the wizard.
Signing all emails is a good practice which does not require that your recipients have encryption keys. Choose 'Yes' here.
For most people encryption should be disabled by default and enabled as required. Choose 'No'.
Allow Enigmail to adjust Thunderbird's settings to their optimal values.
If Thunderbird can not find the GnuPG program you may be prompted to enter its location manually. Unless you changed the default installation directory it will be located in c:\Program Files\GNU\GnuPG\ on Windows.
Now tell Enigmail to create a keypair.
Choose a long, but memorable passphrase.
Click 'Next' to create your keys.
Create the revocation now because if you ever need it in the future and don't do it now you'll invariably forget to create one until it's too late.
For now, save the certificate somewhere memorable.
You need to enter your passphrase to create the certificate.
This is good advice, but don't use a floppy disk. Use something more modern, like a USB stick.
You are now ready to sign and decrypt messages in Thunderbird.
Open up The GNU Privacy Assistant (GPA) and you should see the keypair you created before. In order for other people to send you encrypted emails or verify your signature on your outgoing mail they need to have a copy of your public key. Sending your key to a service called a "key server" is a good way to do this.
You should use Tor when accessing a keyserver over the Internet to avoid compromising your anonymity.
There is no reason to be shy. Your public key is more useful if more people have it.
Now those who wish to send you secure email can query
keys.gnupg.netfor your email address and obtain your public key to encrypt with.
You'll also need to export a copy of your public key on your hard drive for subsequent steps.
Save it in a memorable location.
This is an optional step to help establish the key as part of your Freenet identity. Open up your node interface and go to the 'Upload a file' page.
The file you'll be uploading is small enough that you can insert it through the browser. Choose the public key file you just exported from GPA.
You can choose either type of key but the random, safe (SSK) option is safest.
Once the node tells you the key copy that link to the clipboard so you can publish the location of your public key on Sone.
Go to your Sone profile setup and add a 'Public key' field. Paste the link from before into the field and remove everything before SSK@ or CHK@.
Save your profile and you'll now have a new field that Sone automagically turns into a link.
The reason to publish your GPG key here is so that you can communicate with people over different channels and prove that you are the same person instead of an imposer. Anyone who sees a message from you signed by the same key published on your Sone profile will know for certain that they are talking to the same person.
For the next step you need another person's public key. This fine individual is also publishing a public key so let's click on the Public key link to download his.
Freenet is extremely cautious about what it will display. Any content which has the slightest potential to compromise your anonymity will trigger this screen.
To proceed click on the link in the lower-left corner which will open the file as plain text
This is what a public key actually looks like.
Save this file to a memorable location.
Now return to GPA and click on the 'Import' button.
Choose the file you just saved.
Now you've successfully imported a public key.
Now that GnuPG knows about the public key you just imported you can now use it to send an encrypted message.
In the message composition window you should notice a new OpenPGP button in the toolbar (ignore the S/MIME menu). Clicking here will allow you to sign and/or encrypt an outgoing message.
You need the passphrase you used when you originally created the key to sign or decrypt messages.
This is what an encrypted email looks like. Anyone who intercepts the message in transit will not be able to see the contents unless they possess the correct private key.
Once you have a public key for someone there's no reason not to encrypt all emails you send them. Fortunately Thunderbird can allow you to set up rules to do this automatically.
From the address book entry for a contact choose 'Create OpenPGP Rule from Address' from the context menu.
The default values require you to manually specify encryption. To change this, first select 'Use the following OpenPGP keys:' and click on the 'Select Key(s)' button.
Choose the contact's public key. If you don't have their public key yet you can try downloading it from the keyserver by clicking on 'Download missing keys'. This is one reason why you should upload your own.
Now that you've told Enigmail which key to use for encryption tell it to always sign and encrypt messages you send them. It's usually good to also send them messages as PGP/MIME but there are a few lame email clients which don't support PGP/MIME, like Outlook. Anyone using Thunderbird or Claws-mail can receive PGP/MIME so if you know that's what your contact uses enable that option as well.
One thing you should note is that Enigmail needs to be enabled for every account you use in Thunderbird. If you go to the 'Account Settings' you'll see that all your ccounts now have a 'OpenPGP Security' section.
Click on the top checkbox to enable Enigmail for any account which are not already set up. If the email address of the account is already associated with your public key you cn leave the next setting alone. Otherwise, or just to be safe, change to 'Use specific OpenPGP Key' and select it's ID.
This section will walk through how to publish your public key so that other people can find it, as well as importing another person's key and configuring Thunderbird to alway send them encrypted messages.
That's it for the basic setup. This is only scratching the surface of what a PKI entails but you should have enough under control now to get started.
Go forth and encrypt your emails.