Get The Best Email Encryption Software¶
Last updated: May 2022. For beginners & intermediate users. Some tech skills may be required.
Choose a secure email service. While you are scouting for the best privacy email provider, carefully assess aspects such as available features, email encryption technologies, or server locations, since privacy legislation changes from country to country. This chapter provides an (incomplete) overview of popular, privacy-respecting email providers: Tutanota vs Protonmail (and more). It also explains how to use a PGP encryption tool for emails.
What is Protonmail used for?¶
Protonmail claims to be the world's largest secure email service, protected by Swiss privacy laws. Its funders include US investors (Charles River Ventures) and the European Union. While Protonmail's apps are open source, the server side is not.
At the time of writing, the basic single user account offered 500 MB storage for free. For 4 to 24 EUR/month, you get access to more users and storage, as well as a plethora of features: calendar, contact and email imports, bitcoin payments, VPN, and more.
Some words of advice on encryption
Emails | Encryption |
---|---|
Sent between Protonmail users | Message body and attachments are end-to-end encrypted. Subject lines and recipient/sender addresses are not. |
Sent from Protonmail users to other providers | Message body and attachments are only end-to-end encrypted if the user selects the Encrypt for Outside option. Otherwise, only TLS encryption is applied if the receiving mail server supports it (which also means that the receiving provider can read the message). In any case, subject lines and recipient/sender addresses are not end-to-end encrypted. |
Received by Protonmail users from other providers | Message body and attachments are only encrypted with TLS, if the sender's mail server supports it. Subject lines and recipient/sender addresses are not end-to-end encrypted. |
Protonmail clients (incl. Protonmail bridge)¶
Besides webmail access, Protonmail offers mobile apps for Android and iOS. On desktop environments, Protonmail works with Thunderbird via a so-called Bridge application. This feature is however only available to paid accounts. Alternatively, ElectronMail is a free and open source desktop client for Protonmail. Mind however that ElectronMail is an unofficial app. More detailed instructions below.
Show me the step-by-step guide for Android
Simply download the Protonmail app from Google's Play Store or Aurora Store. It contains 0 trackers and requires 14 permissions. By comparison: for Gmail it's 1 tracker and 55 permissions; for Outlook it's 13 trackers and 49 permissions; and for Hotmail it's 4 trackers and 31 permissions.
Show me the step-by-step guide for iOS
Simply download the Protonmail app from the App Store.
Show me the step-by-step guide for ElectronMail on Windows (no paid account needed)
Instructions | Description |
---|---|
Download ElectronMail | Download and run the ElectronMail installer for Windows. |
Create a master password | Open ElectronMail and provide a strong, unique master password to protect your emails. |
Login | Provide your Protonmail credentials, including two-factor authentication if activated. |
Domain | Choose a domain from the list. There is even an Onion option to use Tor. Then click on Close. |
Show me the step-by-step guide for Thunderbird on Windows (paid accounts only)
Install Thunderbird on Windows¶
Navigate to Thunderbird's download page and click on the Free Download button. Once the installer is downloaded, click on the Run button and follow the installation wizard.
Install Protonmail Bridge on Windows¶
Thunderbird integrates nicely with Protonmail, making sure emails stay encrypted when they enter and leave your computer. This is handled by the so-called Bridge application, a software available to paid users only. Download Protonmail Bridge for Windows. Once the installer is downloaded, click on the "Run" button and follow the installation wizard.
Configure Protonmail Bridge on Windows¶
Open the freshly installed Protonmail Bridge application and follow the setup wizard:
Steps | Description |
---|---|
1 | Log into your Protonmail account. |
2 | Click on your account name and then the Mailbox configuration button. |
3 | A window with the title Protonmail Bridge Mailbox Configuration should pop up. It displays IMAP and SMTP settings, including a password, needed later on to configure Thunderbird. |
Configure Thunderbird on Windows¶
Now launch Thunderbird, navigate to Menu ‣ New ‣ Existing Email Account and follow the setup wizard:
Setting | Description |
---|---|
Your name | Enter the name you want others to see. |
Email address | Enter your Protonmail email address. |
Password | Copy and paste the password from the Protonmail Bridge Mailbox Configuration window (do not enter your Protonmail password, it won't work). |
Remember password | Check the Remember Password box to avoid re-entering the password each time you fire up Thunderbird. |
Manual config | Click on the Manual config button, and fill out the IMAP and SMTP settings provided in the Protonmail Bridge Mailbox Configuration window (for Authentication, select Normal password). |
Re-test | Click on the Re-test button to verify your connection settings. |
Advanced config | Click on the Advanced config button. A new window appears. Just click on the OK button, do not modify any settings in this window. |
Add Security Exception | Click on the Confirm Security Exception button in the pop-up window. This confirms that your computer (127.0.0.1) can run the Bridge app. You might have to confirm a second security exception later on, once you send your first email. |
Show me the 3-minute summary video for Thunderbird (paid accounts only)
Courtesy of Protonmail. Instructions should similarly apply to macOS or Linux.
Show me the step-by-step guide for ElectronMail on macOS (no paid account needed)
Instructions | Description |
---|---|
Download ElectronMail | Download the ElectronMail disk image, open it and drag the ElectronMail icon on top of the Application folder. For easy access, open the Applications folder and drag the ElectronMail icon to your dock. |
Create a master password | Open ElectronMail and provide a strong, unique master password to protect your emails. |
Login | Provide your Protonmail credentials, including two-factor authentication if activated. |
Domain | Choose a domain from the list. There is even an Onion option to use Tor. Then click on Close. |
Show me the step-by-step guide for Thunderbird on macOS (paid accounts only)
Install Thunderbird on macOS¶
Navigate to Thunderbird's download page and click on the Free Download button. Once the installer is downloaded, it should open by itself and mount a new volume containing the Thunderbird application. If not, open the downloaded Thunderbird .dmg file and drag the appearing Thunderbird icon on top of the Application folder. For easy access, open the Applications folder and drag the Thunderbird icon to your dock.
Install Protonmail Bridge on macOS¶
Thunderbird integrates nicely with Protonmail, making sure emails stay encrypted when they enter and leave your computer. This is handled by the so-called Bridge application, available to paid users only. Download Protonmail Bridge for macOS. Once the installer is downloaded, it should start by itself and mount a new volume containing the Protonmail application. If not, open the downloaded Protonmail Bridge .dmg file and drag the Protonmail icon on top of the Application folder. For easy access, open the Applications folder and drag the Protonmail Bridge icon to your dock.
Configure Protonmail Bridge on macOS¶
Open the freshly installed Protonmail Bridge application and follow the setup wizard:
Steps | Description |
---|---|
1 | Log into your Protonmail account. |
2 | Click on your account name and then the Mailbox configuration button. |
3 | A window with the title Protonmail Bridge Mailbox Configuration should pop up. It displays IMAP and SMTP settings, including a password, needed later on to configure Thunderbird. |
Configure Thunderbird on macOS¶
Now launch Thunderbird, navigate to Menu ‣ New ‣ Existing Email Account and follow the setup wizard:
Setting | Description |
---|---|
Your name | Enter the name you want others to see. |
Email address | Enter your Protonmail email address. |
Password | Copy and paste the password from the Protonmail Bridge Mailbox Configuration window (do not enter your Protonmail password, it won't work). |
Remember password | Check the Remember Password box to avoid re-entering the password each time you fire up Thunderbird. |
Manual config | Click on the Manual config button, and fill out the IMAP and SMTP settings provided in the Protonmail Bridge Mailbox Configuration window (for Authentication, select Normal password). |
Re-test | Click on the Re-test button to verify your connection settings. |
Advanced config | Click on the Advanced config button. A new window appears. Just click on the OK button, do not modify any settings in this window. |
Add Security Exception | Click on the Confirm Security Exception button in the pop-up window. This confirms that your computer (127.0.0.1) can run the Bridge app. You might have to confirm a second security exception later on, once you send your first email. |
Show me the step-by-step guide for ElectronMail on Ubuntu Linux (no paid account needed)
Instructions | Description |
---|---|
Download ElectronMail | Download the latest ElectronMail .deb package. The file should be named something like electron-mail-X-XX-X-linux-amd64.deb. For the purpose of this tutorial, let's suppose the file was downloaded to the folder /home/gofoss/Downloads. Make sure to adjust these file paths according to your own setup. Now open the terminal with the Ctrl+Alt+T shortcut or click on the Applications button on the top left and search for Terminal. Finally, run the following two commands, one after the other: cd /home/gofoss/Downloads and then sudo dpkg -i electron-mail-X-XX-X-linux-amd64.deb |
Create a master password | Open ElectronMail and provide a strong, unique master password to protect your emails. |
Login | Provide your Protonmail credentials, including two-factor authentication if activated. |
Domain | Choose a domain from the list. There is even an Onion option to use Tor. Then click on Close. |
Show me the step-by-step guide for Thunderbird on Ubuntu Linux (paid accounts only)
Install Thunderbird on Linux¶
If you run a Linux distribution such as Ubuntu, open the terminal with the shortcut CTRL + ALT + T, or click on the Applications button on the top left and search for Terminal. Run the following command to install Thunderbird:
sudo apt install thunderbird
Install Protonmail Bridge on Linux¶
Thunderbird integrates nicely with Protonmail, making sure emails stay encrypted when they enter and leave your computer. This is handled by the so-called Bridge application, available to paid users only. Download Protonmail Bridge for Linux. The file should be called something similar to protonmail-bridge_X.X.X-X_amd64.deb. Let's assume it has been downloaded to the folder /home/gofoss/Downloads. Open the terminal with the shortcut CTRL + ALT + T, or click on the Applications button on the top left and search for Terminal. Then run the following commands (don't forget to adjust the filename and download folder path accordingly):
sudo apt install gdebi
cd /home/gofoss/Downloads
sudo gdebi protonmail-bridge_X.X.X-X_amd64.deb
Configure Protonmail Bridge on Linux¶
Open the Bridge application with the terminal command protonmail-bridge, or click on the Applications button on the top left and search for ProtonMail Bridge. Follow the setup wizard:
Steps | Description |
---|---|
1 | Log into your Protonmail account. |
2 | Click on your account name and then the Mailbox configuration button. |
3 | A window with the title Protonmail Bridge Mailbox Configuration should pop up. It displays the Protonmail server settings, including IMAP, SMTP and a password needed later on to configure Thunderbird. |
Configure Thunderbird on Linux¶
Now launch Thunderbird, navigate to Menu ‣ New ‣ Existing Email Account and follow the setup wizard:
Setting | Description |
---|---|
Your name | Enter the name you want others to see. |
Email address | Enter your Protonmail email address. |
Password | Copy and paste the password from the Protonmail Bridge Mailbox Configuration window (do not enter your Protonmail password, it won't work). |
Remember password | Check the Remember Password box to avoid re-entering the password each time you fire up Thunderbird. |
Manual config | Click on the Manual config button, and fill out the IMAP and SMTP settings provided in the Protonmail Bridge Mailbox Configuration window (for Authentication, select Normal password). |
Re-test | Click on the Re-test button to verify your connection settings. |
Advanced config | Click on the Advanced config button. A new window appears. Just click on the OK button, do not modify any settings in this window. |
Add Security Exception | Click on the Confirm Security Exception button in the pop-up window. This confirms that your computer (127.0.0.1) can run the Bridge app. You might have to confirm a second security exception later on, once you send your first email. |
Tutanota review¶
Tutanota is a freemium hosted secure email service, registered in Germany. Everything is end-to-end encrypted. Tutanota uses its own encryption standard, and does not support PGP. While Tutanota's apps are open source, the server-side is not.
At the time of writing, the basic account offered 1 GB storage for free. For approximately 1 to 6 EUR/month, you get access to more users and storage, as well as a plethora of features: custom domains, unlimited search, multiple calendars, inbox rules, whitelabel, calendar sharing, etc. Email imports and anonymous payment are currently not supported.
Tutanota clients¶
Besides webmail access on the Tutanota login page, Tutanota offers mobile apps for Android and iOS. For desktop environments, Tutanota developed its own dedicated client. More detailed instructions below.
Show me the step-by-step guide for Android
Simply download the Tutanota app from Google's Play Store or Aurora Store. Tutanota is also available on F-Droid. Alternatively, visit Tutanota's download page or Github repository to download and install the .apk file. The app contains 0 trackers and requires 9 permissions. By comparison: for Gmail it's 1 tracker and 55 permissions; for Outlook it's 13 trackers and 49 permissions; and for Hotmail it's 4 trackers and 31 permissions.
Show me the step-by-step guide for iOS
Simply download the Tutanota app from the App Store.
Show me the step-by-step guide for Windows
Simply download the installer, then click on the Run button and follow the installation wizard.
Show me the step-by-step guide for macOS
Simply download the installer, which should open by itself and mount a new volume containing the Tutanota application. If not, open the downloaded Tutanota .dmg file and drag the appearing Tutanota icon on top of the Application folder. For easy access, open the Applications folder and drag the Tutanota icon to your dock.
Show me the step-by-step guide for Linux (Ubuntu)
Simply download the installer, which should be called something like tutanota-desktop-linux.AppImage. Let's assume it was downloaded to the folder /home/gofoss/Downloads. Open the terminal with the CTRL + ALT + T shortcut, or click on the Applications button on the top left and search for Terminal. Then run the following commands (don't forget to adjust the filename and download folder path accordingly):
cd /home/gofoss/Downloads
chmod +x tutanota-desktop-linux.AppImage
Show me how to pin Tutanota to the Ubuntu dock
It's not straightforward, but Tutanota's launcher can be added to Ubuntu's application menu and pinned to the dock. Open the terminal with the CTRL + ALT + T shortcut, or click on the Applications button on the top left and search for Terminal. Run the following command:
sudo gedit /usr/share/applications/tutanota.desktop
Paste the following content into the newly created file. Make sure to point the Exec path towards the folder containing the downloaded AppImage:
#!/usr/bin/env xdg-open
[Desktop Entry]
Version=1.0
Type=Application
Terminal=false
Exec=/home/gofoss/Downloads/tutanota-desktop-linux.AppImage
Name=Tutanota
Make the file executable:
sudo chmod +x /usr/share/applications/tutanota.desktop
Log off and back into your Ubuntu session. You should now be able to launch Tutanota from the application menu, and pin it to the dock.
Other providers¶
Info | Description |
---|---|
Website | disroot.org |
Pricing | Basic account is free (1 GB storage); extra storage for 0.15 EUR per GB per month. |
Features | Platform providing online services based on principles of freedom, privacy, federation and decentralization. Located in the Netherlands. Accepts bitcoin and faircoin. Full disk encryption & email encryption. Mobile app. |
Anti-features | Can potentially decrypt user data, as emails are reportedly stored in plain text. |
Info | Description |
---|---|
Website | mailbox.org |
Pricing | 1 EUR/month, 2 GB storage. |
Features | German open source email provider, with servers located in Berlin. Offers security features such as encryption at rest, PGP, DANE, SPF and DKIM, as well as two-factor authentication, full text search, calendars, address books and task lists, CalDAV and CardDAV synchronisation. |
Anti-features | No mobile client, need for third party clients. |
Info | Description |
---|---|
Website | posteo.de |
Pricing | 1 EUR/month, 2 GB storage. |
Features | German open source email provider, self-financed, encryption at rest, two-factor authentication, calendars and address books, CalDAV and CardDAV synchronisation. |
Anti-features | No spam folder, no trial or free version. |
Info | Description |
---|---|
Website | kolabnow.com |
Pricing | 5 USD/month, 2 GB storage. |
Features | Swiss open source email provider, text search and tagging, filters, address books, calendars, CalDAV and CardDAV synchronisation. |
Anti-features | No built-in end-to-end encryption, no encryption at rest. |
Transitioning towards encrypted emails¶
The transition to a new email account can take some time, similar to changing messaging apps. You'll probably want to keep your old accounts alive for a while to make sure you don't miss out on anything. Just forward any incoming message to the new account. For more instructions on how to forward emails, refer to the documentation pages of Gmail, Outlook, iCloud, Yahoo and so on.
Use the transition period to scan your old email accounts for any active subscriptions and update your new personal email address!
Don't forget to communicate the new email address to your personal and professional contacts, bank, insurance, tax office, and so on. You might also want to set up an auto-reply message on your old account to keep folks informed about the change of address.
Over time, fewer and fewer emails will land in your old inbox. Eventually, it will become inactive. That's when you should consider terminating your old email account.
How to use PGP Encryption for Emails¶
Don't know anyone using Protonmail or Tutanota? Or simply don't like those service providers? Encrypt your emails the old-fashioned way, with OpenPGP! This encryption protocol is free, open source and compatible with a large variety of clients. In the section below, we'll explain how to set up OpenPGP on your phone or computer, how to use a PGP key generator, how to backup your PGP keys, and how to encrypt and decode your emails.
Show me the step-by-step guide for Android
Install K-9 Mail & OpenKeychain¶
Step | Description |
---|---|
K-9 Mail | K-9 Mail is one of several Android email clients which supports OpenPGP. Simply install it from the Play Store or F-Droid. |
OpenKeychain | OpenKeychain is a free and open source app which integrates with K-9 Mail to provide end-to-end encryption capabilities. Simply install it from the Play Store or F-Droid. |
Manage PGP keys with OpenKeychain¶
What is a PGP key? To be able to send or read encrypted emails, you need a unique key pair for your email address:
- Public key: people use your public key to encrypt emails they send to you. You can share your public key with anyone.
- Private key: it's used to decode encrypted emails other people send to you. Keep your private key to yourself, never share it with anyone, and don't keep an unprotected private key file!
Step | Description |
---|---|
Import existing PGP keys | • If there is already a key pair for your email address, don't generate a new one • Launch OpenKeychain • Tap on Menu ‣ Manage my keys ‣ Import key from file • If required, enter the backup code and/or key password |
Generate new PGP keys | • If no key pair exists for your email address, create a new one • Launch OpenKeychain • Tap on Menu ‣ Manage my keys ‣ Create my key • Associate a name & email address • Tap on Menu ‣ Change key configuration • Provide a strong, unique password • Uncheck Publish on keyservers • Tap on Create key |
Back up PGP key pair | • If you lose your keys, you lose access to all your emails • If you just created a new key pair, make sure to store a backup • Launch OpenKeychain • Tap on your key • Select Menu ‣ Backup key • Provide the key password • Save the 45-character backup code, it's required to restore the keys! • Also save the backup file to your phone's storage or better, somewhere safe |
Share public keys | Before you can exchange encrypted emails with your contacts, you need to share your respective public keys with each other. Below some common methods to share public keys. Send your public key to your contacts: • Launch OpenKeychain • Tap on your key • Tap on the Share symbol & send your key • Your contacts can import your key with their preferred app Upload your public key to a keyserver: • Launch OpenKeychain • Tap on your key • Tap on Menu ‣ Advanced ‣ Share ‣ Publish on keyserver • Your contacts can now download the PGP public key from the PGP keyservers • Optionally, add the download link & key fingerprint to your email signature Import your contact's public keys: • Ask your contacts to send you their public key by email, messenger, etc. • Launch OpenKeychain • Tap on Menu ‣ Manage my keys ‣ Import key from file Import your contact's public keys from a keyserver: • Launch OpenKeychain • Tap on + ‣ Key search • Search for your contact's email address, name or fingerprint • Tap on Import |
Encrypt emails with K-9 Mail¶
Step | Description |
---|---|
Set up account & encryption | • Open the K-9 Mail app • Add your account: provide your email address & password • Configure IMAP/POP3/SMTP settings, if not detected automatically • Select Menu ‣ Settings ‣ Account ‣ End-to-end-encryption ‣ Enable OpenPGP support • Select Menu ‣ Settings ‣ Account ‣ End-to-end-encryption ‣ Configure end-to-end key • Select your key |
Encrypt emails | • Open the K-9 Mail app • From the Inbox view, tap on the Pen icon • Compose your message & enter your contact's email address • If you previously imported the public key(s) of your contact(s), a Padlock icon should show on the top of the composition screen • When you tap on it, it should turn green, indicating that encryption is enabled • Tap on Send Caution: the email subject is transmitted unencrypted! |
Decode emails | • K-9 Mail/OpenKeychain automatically decodes messages which have been encrypted using your public key • This requires the password of your private key • A Padlock symbol should show on the top of the decoded message |
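The caution above, like the Protonmail encryption table earlier on this page, comes down to one point: OpenPGP protects the message body and attachments, not the subject line or the sender/recipient addresses. The following Python script is an added example, not part of the original guide; it parses two constructed messages (addresses, subject and payload are made up) and lists what a relaying mail server can read in each.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers a relaying mail server sees in clear text; OpenPGP does not cover them.
VISIBLE_HEADERS = ("From", "To", "Cc", "Subject", "Date")

# Constructed sample 1: a PGP/MIME (RFC 3156) message. The armored block is a
# placeholder, not real ciphertext.
ENCRYPTED = """\
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Cc: carol@example.com
Subject: Salary negotiation
Date: Mon, 02 May 2022 09:15:00 +0200
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCByZWFsIGNpcGhlcnRleHQ=
-----END PGP MESSAGE-----

--b1--
"""

# Constructed sample 2: the same conversation sent without OpenPGP (TLS only).
PLAIN = """\
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Salary negotiation
Date: Mon, 02 May 2022 09:20:00 +0200
Content-Type: text/plain; charset="utf-8"

I can go as low as 52k.
"""


def body_protection(msg):
    """Return 'pgp-mime', 'pgp-inline' or 'none' for a parsed message."""
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return "pgp-mime"
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if b"-----BEGIN PGP MESSAGE-----" in payload:
            return "pgp-inline"
    return "none"


def exposed_metadata(raw):
    """List what a mail server relaying `raw` can read without any key."""
    msg = message_from_string(raw)
    protection = body_protection(msg)
    exposed = {}
    for name in VISIBLE_HEADERS:
        values = msg.get_all(name)
        if values:
            exposed[name] = ", ".join(values)
    pairs = getaddresses(
        msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", []))
    readable_body = None
    if protection == "none":
        # Without OpenPGP the body is protected in transit by TLS at best,
        # so every server handling the message can read it.
        texts = [part.get_payload(decode=True).decode("utf-8", "replace")
                 for part in msg.walk()
                 if part.get_content_type() == "text/plain"]
        readable_body = "\n".join(texts).strip()
    return {
        "protection": protection,
        "exposed": exposed,
        "correspondents": sorted({addr for _, addr in pairs if addr}),
        "readable_body": readable_body,
    }


if __name__ == "__main__":
    for label, raw in (("OpenPGP", ENCRYPTED), ("no OpenPGP", PLAIN)):
        result = exposed_metadata(raw)
        print(f"[{label}] body protection: {result['protection']}")
        for name, value in result["exposed"].items():
            print(f"  visible {name}: {value}")
        print(f"  readable body: {result['readable_body']!r}")
```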
Try it out!¶
Edward is a program developed by the Free Software Foundation to test email encryption. Here is how it works:
- First, you share your public key with Edward
- Edward uses your public key to send you an encrypted email
- Only you are able to decode this email, using your private key
- Next, you retrieve Edward's public key to send an encrypted and signed email
- Edward is the only one able to decode your message, using its private key
- Edward will reply, confirming that your previous email was both encrypted and signed
Step | Description |
---|---|
Send public key to Edward | • Launch OpenKeychain • Tap on your key • Tap on the Share symbol • Select K-9 Mail & compose an email to edward-en@fsf.org • Add a subject and a short message • Tap on Menu & make sure encryption is Disabled • Hit Send |
Decode Edward's message | • Open K-9 Mail & wait for Edward to reply • Edward's email answer should be encrypted using your public key • Enter your private key's password to decode the mail • Make sure an orange Padlock symbol shows on the top of the message |
Import Edward's public key | • Tap on the orange Padlock symbol • Tap on Search key • Tap on Import • The Padlock symbol should have turned green |
Send Edward encrypted & signed email | • Tap on Reply • Compose a short response to edward-en@fsf.org • Tap on Menu & make sure encryption is Enabled • Hit Send |
Decode Edward's message | • Wait for Edward to reply • Make sure the green Padlock symbol still shows • Edward's message should confirm that it could decode your message and verify your signature |
Show me the step-by-step guide for Windows, macOS & Linux (Ubuntu)
Install Thunderbird 78 (or newer)¶
OS | Description |
---|---|
Windows | Navigate to Thunderbird's download page and click on the Free Download button. Once the installer is downloaded, click on the Run button and follow the installation wizard. |
macOS | Navigate to Thunderbird's download page and click on the Free Download button. Once the installer is downloaded, it should open by itself and mount a new volume containing the Thunderbird application. If not, open the downloaded Thunderbird .dmg file and drag the appearing Thunderbird icon on top of the Application folder. For easy access, open the Applications folder and drag the Thunderbird icon to your dock. |
Linux (Ubuntu) | If you run a Linux distribution such as Ubuntu, open the terminal with the shortcut CTRL + ALT + T, or click on the Applications button on the top left and search for Terminal. Run the following command to install Thunderbird: sudo apt install thunderbird |
Configure Thunderbird¶
Launch Thunderbird, navigate to Menu ‣ New ‣ Existing Mail Account
and follow the setup wizard:
Setting | Description |
---|---|
Name | Enter the name you want others to see. |
Email address | Enter your email address. |
Password | Enter your email password. |
Remember password | Check the Remember Password box to avoid re-entering the password each time you fire up Thunderbird. |
Automatic vs. manual configuration | Once you've filled in your credentials, hit the Continue button. Thunderbird will try to automatically configure IMAP/POP3/SMTP settings. If that's unsuccessful, configure those settings manually (refer to your email provider). |
Manage PGP keys with Thunderbird¶
Public key vs private key – to be able to send or read encrypted emails, you need a unique key pair for your email address:
- Public key: people use your public key to encrypt emails they send to you. You can share your public key with anyone.
- Private key: it's used to decode encrypted emails other people send to you. Keep your private key to yourself, never share it with anyone. Make sure your private key files are not accessible to others!
Step | Description |
---|---|
Import existing PGP keys | Import backup key: • If there is already a key pair for your email address, don't generate a new one • Launch Thunderbird • Go to Menu ‣ Account Settings ‣ End-To-End Encryption ‣ Add Key • Select Import an existing OpenPGP Key & hit Continue • Click on Select File to Import & navigate to the key file • If required, enter the backup code and/or key password Import encrypted backup key: • Some backups are encrypted (e.g. OpenKeychain) • They can't be directly imported into Thunderbird • Open a terminal • Decrypt PGP file: gpg --decrypt backup_YYYY-MM-DD.sec.pgp | gpg --import • If required, enter the backup code and/or key password • Display the list of keys: gpg --list-keys • Note down the UID of the key to import • Store the key in the right format (replace UID accordingly): gpg --export-secret-keys UID > decrypted_backup_key.asc • If required, enter the key password • Launch Thunderbird • Go to Menu ‣ Account Settings ‣ End-To-End Encryption ‣ Add Key • Select Import an existing OpenPGP Key & hit Continue • Click on Select File to Import & navigate to the .asc file • If required, enter the password for opening PGP file |
Generate PGP key | • If no key pair exists for your email address, create a new one • Launch Thunderbird • Go to Menu ‣ Account Settings ‣ End-To-End Encryption ‣ Add Key • Select Create a new OpenPGP Key & hit Continue • Select the relevant email address • Set expiration time between 1-3 years (can be extended at any time) • Choose Key type: RSA & Key size: 4096 • Click on Generate key ‣ Confirm |
Back up PGP key pair | • If you lose your keys, you lose access to all your emails • If you just created a new key pair, make sure to store a backup Back up the private key: • Launch Thunderbird • Go to Menu ‣ Tools ‣ OpenPGP Key Manager • Click on the relevant key • Select File ‣ Backup Secret Key(s) To File • Provide a strong, unique backup code • Keep the backup code somewhere safe, it's required to restore the private key! • Save the .asc backup file of your private key to your computer's storage or better, somewhere safe Export the public key: • Launch Thunderbird • Go to Menu ‣ Tools ‣ OpenPGP Key Manager • Right-click on the relevant key • Select Export Key(s) To File • Save the .asc backup file of your public key to your computer's storage or better, somewhere safe |
Share public keys | Before you can exchange encrypted emails with your contacts, you need to share your respective public keys with each other. Below some common methods to share public keys. Send your public key to your contacts: • Launch Thunderbird • Go to Menu ‣ Tools ‣ OpenPGP Key Manager • Right-click on the relevant key • Select Send Public Key(s) By Email • Your contacts can import your key with their preferred app Upload your public key to a keyserver: • Launch Thunderbird • Go to Menu ‣ Tools ‣ OpenPGP Key Manager • Right-click on the relevant key • Select Export Key(s) To File • Browse to the OpenPGP Key Repository • Select the exported public key file & click on Upload • Your contacts can now download the public key from the keyserver • Optionally, add the download link & key fingerprint to your email signature Import your contact's public keys: • Ask your contacts to send you their public key by email, messenger, etc. • Launch Thunderbird • If you received a public key in an email, click on the OpenPGP button to import it • If you downloaded a public key file to your computer, go to Menu ‣ Tools ‣ OpenPGP Key Manager and click on File ‣ Import Public Key(s) From File Import your contact's public keys from a keyserver: • Launch Thunderbird • Go to Menu ‣ Tools ‣ OpenPGP Key Manager • Click on Keyserver • Search for your contact's email address, name or fingerprint • Click on OK |
Encrypt emails with Thunderbird¶
Step | Description |
---|---|
Set up encryption | • Launch Thunderbird • Go to Menu ‣ Account Settings ‣ End-To-End Encryption • Make sure the right key is associated with your email address |
Encrypt emails | • Launch Thunderbird • From the Inbox view, click on the Write button • Compose your message & enter your contact's email address • Click on the drop-down icon next to the Security button • Select Require Encryption • An OpenPGP icon should be displayed in the window footer • Click on the Security button • If you previously imported the public key(s) of your contact(s), it should show OK next to your contact's email address • Click on Send when ready |
Decode emails | • Thunderbird automatically decodes messages which have been encrypted using your public key • This requires the password of your private key • An OpenPGP Padlock symbol with a green check mark should show on the top of the decoded message |
Try it out!¶
Edward is a program developed by the Free Software Foundation to test email encryption. Here is how it works:
- First, you share your public key with Edward
- Edward uses your public key to send you an encrypted email
- Only you are able to decode this email, using your private key
- Next, you ask Edward for its public key
- Use Edward's public key to send an encrypted and signed email
- Edward is the only one able to decode your message, using its private key
- Edward will reply, confirming that your previous email was both encrypted and signed
Step | Description |
---|---|
Send public key to Edward | • Launch Thunderbird • Go to Menu ‣ Tools ‣ OpenPGP Key Manager • Right-click on the relevant key • Select Send Public Key(s) By Email • Address the email to edward-en@fsf.org • Add a subject and a short message • Click on the drop-down icon next to the Security button • Make sure Do Not Encrypt is selected • Hit Send |
Decode Edward's message | • Wait for Edward to reply • Edward's email answer should be encrypted using your public key • Make sure an OpenPGP Padlock symbol with a green check mark shows on the top of the message |
Import Edward's public key | • In Edward's reply, click on the email address edward-en@fsf.org • Select Discover OpenPGP Key • Select Accepted (unverified) • Click OK |
Send Edward encrypted & signed email | • Click on Reply • Compose a short response to edward-en@fsf.org • Click on the drop-down icon next to the PGP Security button • Make sure Require Encryption is selected • Click on the Security button • It should show OK next to Edward's email address • Hit Send |
Decode Edward's message | • Wait for Edward to reply • Make sure the OpenPGP Padlock symbol with the green check mark still shows • Edward's message should confirm that it could decode your message and verify your signature |
Support¶
For further details or questions, refer to:
- Protonmail's support or Thunderbird's documentation. Also feel free to ask the Protonmail or Thunderbird communities for help.