You have generated your own key pair and have imported other people's public keys, so you are now able to exchange secure emails with them. But first, you must ensure that your account is correctly set up to use Enigmail capabilities.
- 1 Account settings
- 2 Signature and verification
- 3 Encryption and decryption
Open the account manager:
Postbox: choose Tools → Options, then click on Accounts.
Interlink: choose Edit → Account Settings.
Then click on OpenPGP Security within your account.
If you have multiple identities enabled, you can (and should) set these OpenPGP options for each identity. You will do this by selecting Manage Identities and then the identity you want to edit, which after the Enigmail installation will have a new OpenPGP Security tab with the same options as above.
When configuring the OpenPGP options for your email account, first make sure the option Enable OpenPGP support (Enigmail) for this identity is checked. This is necessary in order to send signed or encrypted email on behalf of this account, and to configure Enigmail. Leaving it unchecked does not disable signature verification or decryption, which are account-independent.
You need to let Enigmail know which key to use with this account. By choosing Use email address of this identity to identify OpenPGP key, Enigmail will automatically select the key pair which lists amongst its User IDs the email address associated with this account. Do not select this option if you have more than one key pair with the same User ID. The recommended and failsafe method is to explicitly specify a key pair by choosing Use specific OpenPGP key ID (0x1234ABCD). Click on Select Key... and select the desired key pair.
You can then set some default options when composing a message from this email account:
- Encrypt messages by default: always tries to encrypt your messages.
- Sign messages by default: always tries to sign your messages.
Starting with these defaults, the Per-Recipient Rules will be processed. If you're a new user there will be no Per-Recipient Rules yet.
You can also specify two settings that take effect after the defaults and the Per-Recipient Rules have been applied:
- Sign non-encrypted messages enables signing automatically if encryption is not active at the same time.
- Sign encrypted messages enables signing automatically if encryption is active at the same time.
These will be the default options, unless modified manually. If you change the identity while composing a message, signing/encryption will be activated or deactivated according to the above options for the chosen identity, unless you have modified the signing or encryption status manually.
Enabling the option Encrypt draft messages on saving will make sure that your email provider can't read your draft messages. If you store your draft messages locally, you can safely disable that option.
Finally, Attach my public key to messages automatically attaches your public key to any message you send.
You can click on the Autocrypt tab to set some advanced options.
Autocrypt is a standard that facilitates the exchange of keys between correspondents.
- Enable Autocrypt: enables the Autocrypt feature for the selected account. Every message you send will carry an Autocrypt header containing your public key, and Enigmail will read such headers in incoming messages and remember the keys it finds there.
- Prefer encrypted mails from people you exchange email with: Autocrypt does not turn on encryption by default for keys found in Autocrypt headers. This is so that you don't get a bad experience if you also read your emails via webmail or on a smartphone where you don't have your OpenPGP key. By enabling this option, you tell your correspondents (through the prefer-encrypt=mutual attribute of the header) that you prefer to receive encrypted emails from them; encryption is then enabled by default only when both sides have said so.
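The following is an added example, not Enigmail's own code, showing what a client does with the Autocrypt header described above: parse it, apply the validity rules (the addr attribute must match the From: address, unknown non-underscore attributes invalidate the header, two valid headers count as none), and derive the default encryption recommendation from both sides' prefer-encrypt setting. The messages and the keydata are constructed for the example; the keydata is a few placeholder bytes rather than a real key, and the recommendation logic leaves out key freshness.

```python
import base64
import binascii
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data. The keydata is NOT a real key: it is a few bytes
# whose first byte (0x99) looks like an OpenPGP public-key packet header,
# which is all the sanity check below inspects.
FAKE_KEYDATA = base64.b64encode(b"\x99\x00\x03\x04\x00\x00").decode()


def build_message(sender, autocrypt_headers):
    """Assemble a minimal RFC 822 message with the given Autocrypt header(s)."""
    lines = [f"From: {sender}", "To: Bob <bob@example.org>", "Subject: hi"]
    lines += [f"Autocrypt: {value}" for value in autocrypt_headers]
    return "\n".join(lines) + "\n\nHello\n"


SAMPLE_MSG = build_message(
    "Alice <alice@example.org>",
    [f"addr=alice@example.org; prefer-encrypt=mutual; keydata={FAKE_KEYDATA}"],
)
# Two valid headers: Autocrypt treats the message as having no valid header.
DUPLICATE_MSG = build_message(
    "Alice <alice@example.org>",
    [f"addr=alice@example.org; keydata={FAKE_KEYDATA}"] * 2,
)
# addr does not match From: the header must be ignored.
MISMATCH_MSG = build_message(
    "Mallory <mallory@example.org>",
    [f"addr=alice@example.org; keydata={FAKE_KEYDATA}"],
)

KNOWN_ATTRS = ("addr", "prefer-encrypt", "keydata")


def _parse_attributes(value):
    """Split 'name=value; name=value' into a dict, or return None if invalid.

    Attribute names beginning with '_' are non-critical and skipped; any
    other unknown attribute makes the whole header invalid.
    """
    attrs = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        if not sep:
            return None
        name = name.strip().lower()
        if name.startswith("_"):
            continue
        if name not in KNOWN_ATTRS:
            return None
        attrs[name] = val.strip()
    return attrs


def parse_autocrypt(raw_message):
    """Return the peer's Autocrypt state from one message, or None.

    Checks applied: addr must match the From: address, keydata must be
    base64 that starts like an OpenPGP public-key packet, and exactly one
    valid Autocrypt header may be present.
    """
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    valid = []
    for value in msg.get_all("Autocrypt", []):
        attrs = _parse_attributes(value)
        if not attrs or "addr" not in attrs or "keydata" not in attrs:
            continue
        if attrs["addr"].lower() != from_addr.lower():
            continue
        try:
            keydata = base64.b64decode("".join(attrs["keydata"].split()), validate=True)
        except (binascii.Error, ValueError):
            continue
        # Old-format public-key packet headers (tag 6) are 0x98..0x9B; new-format is 0xC6.
        if not keydata or keydata[0] not in (0x98, 0x99, 0x9A, 0x9B, 0xC6):
            continue
        prefer = "mutual" if attrs.get("prefer-encrypt", "").lower() == "mutual" else "nopreference"
        valid.append({"addr": attrs["addr"].lower(), "prefer_encrypt": prefer, "keydata": keydata})
    return valid[0] if len(valid) == 1 else None


def recommendation(peer, i_prefer_mutual):
    """Simplified Autocrypt recommendation for a message to this peer.

    'disable'   - no usable key, encryption cannot be offered
    'available' - key known, but encryption stays off unless the user turns it on
    'encrypt'   - both sides advertised prefer-encrypt=mutual, so encrypt by default
    (Key freshness and the 'discourage' state are left out for brevity.)
    """
    if peer is None:
        return "disable"
    if i_prefer_mutual and peer["prefer_encrypt"] == "mutual":
        return "encrypt"
    return "available"
```

The point to take away is the last function: a key found in a header only makes encryption *available*; it is switched on by default only when the peer's header and your own setting both say mutual, which is exactly what the "Prefer encrypted mails" option controls.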
Signature and verification
Signing a message
You are now ready to write your first digitally signed email message. From Thunderbird, click on the Write button as you normally would do. You will notice that the Write window now contains an additional toolbar, with the icons of a pen (for signing the message) and a lock (for encrypting the message).
You can select the same options from the Enigmail menu. As you already know by now, you can send a message signed, encrypted, or both encrypted and signed. The pen icon and/or the lock icon light up to signal that the relevant option is on.
If you're opening a fresh Write window, the icons reflect the defaults for your account. As soon as you enter the recipients, Enigmail processes the Per-Recipient Rules and checks key availability in the background, then refreshes the icons with the result.
The icons can also be modified manually: you can click directly on the pen and the lock icons to respectively toggle signature and encryption. They will contain an exclamation mark to remind you that you changed the state manually.
The possible icon states are:
Signing (the icon may be enabled/disabled according to defaults and rules, but also manually):
Encryption (the icon may be enabled/disabled according to defaults and rules, but also manually):
You can move the mouse pointer over the icons to show a tooltip explaining the current icon states.
The following image shows the composition of a signed message:
Activate signing by either activating the pen icon in the Enigmail Toolbar or by selecting Enigmail → Sign Message.
Then, click Send. The message will be signed with the key specified in the Account Settings for the account you're currently using, and which is shown in the From: drop-down menu.
You may be asked for your passphrase, which is necessary for all operations involving your private key, such as signing messages, decrypting messages, and revoking or modifying properties of your key pair. It is also possible to cache your passphrase for a chosen number of minutes so you won't have to type it every time: this can be set from Enigmail → Preferences → Basic → Passphrase settings.
Verifying a signed message
Now, if your mail client is set up so that a copy of outgoing emails is automatically saved in the Sent folder, it is possible to have a look at how the signed message looks:
In this Message window, the pen icon on the right side of the message header bar indicates that the message is signed. A green icon indicates that the sender's key is valid. By clicking on the pen icon, you can get more information about the sender's key, i.e. the key that was used to sign. This information is the User ID (the identity of the signer, i.e. their name and email address) and the Key ID. You will also find the date and time of the signature. You can expand or shrink the status bar by clicking on the expand gadget on the top left.
On Interlink, there is a status bar. The green color of the bar indicates that the sender's key is valid. In fact, in this case the sender's key is my own key, which has ultimate validity in my own Enigmail environment. Accordingly, a picture of a pen is shown in the status line at the bottom and a sealed envelope is shown near the headers. You can have more details about the signing key (in this case, the fingerprint of the signing key) by selecting Details → Enigmail Security Info... or simply by clicking on the picture of the sealed envelope. Details → Copy Enigmail Security Info copies the security information to the Clipboard instead.
Now let's have a look at a signed message I received from Ludwig, assuming I have his public key:
The orange pen icon tells you that the signature could not be fully verified. By clicking on the icon, you will find the reason. Typical reasons for an orange pen are:
- the signature itself checks out, but the key is not valid (untrusted, expired or revoked), so nothing ties it to the person you believe sent the message, or
- the signature is not valid, i.e. the message was altered after the signature was created.
On Interlink you can use the Details menu you to operate directly on the sender's key:
- View Key properties shows all key details
- View OpenPGP PhotoID allows you to see the PhotoID, if any
- Sign Sender's Key... allows you to sign the sender's key
- Set Owner Trust of Sender's Key... allows you to set the Owner Trust for a sender's key.
These are shortcuts; you can do the same operations from Key Management as well.
What if I didn't have Ludwig's public key? In this case, the message displayed after clicking on the pen icon would look like this:
The message is signed, but the signature cannot be verified.
A bad signature means the text no longer matches what was signed; an unverifiable signature (no key available) means nothing can be said either way. In both cases you are advised to treat the contents with caution. A good practice is to ask the sender, by encrypted mail, to confirm what they sent.
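Enigmail arrives at the green/orange/unverifiable states above by running gpg and reading its machine-readable status lines. The following is an added example (not Enigmail's code) that maps those status lines onto the same states, so you can see which gpg keywords distinguish "good signature from a key I have not validated" from "message was altered" and from "no key to verify with". The status samples are constructed with a dummy key ID; the treatment of marginal validity as "not validated" is a choice made in this example.

```python
import re

_STATUS_RE = re.compile(r"^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$")

# Constructed samples of what `gpg --status-fd` prints (dummy key ID and
# user ID). Real output carries more lines, which the parser ignores.
GOOD_TRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Ludwig Example <ludwig@example.org>
[GNUPG:] VALIDSIG 1111222233334444555566660123456789ABCDEF 2019-05-01 1556712345 0 4 0 1 10 00 1111222233334444555566660123456789ABCDEF
[GNUPG:] TRUST_FULLY 0 pgp
"""
GOOD_UNTRUSTED = GOOD_TRUSTED.replace("TRUST_FULLY", "TRUST_UNDEFINED")
GOOD_EXPIRED_KEY = GOOD_TRUSTED.replace("GOODSIG", "EXPKEYSIG")
BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Ludwig Example <ludwig@example.org>
"""
NO_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1556712345 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""


def classify_signature(status_output):
    """Map gpg status lines onto the verification states Enigmail displays.

    Returns (state, key_id, reason):
      'valid'      good signature, key has full or ultimate validity (green pen)
      'untrusted'  good signature, but the key is not validated, expired or revoked (orange pen)
      'bad'        signature does not match the message text (orange pen)
      'unverified' signed, but the signing key is not available (cannot verify)
      'unsigned'   no signature found
    Marginal validity is treated as 'not validated' here; that is a choice of
    this example rather than a statement about every Enigmail configuration.
    """
    sig = key_id = reason = trust = None
    for line in status_output.splitlines():
        m = _STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword == "GOODSIG":
            sig, key_id = "good", args[0]
        elif keyword == "EXPKEYSIG":
            sig, key_id, reason = "good", args[0], "signing key has expired"
        elif keyword == "REVKEYSIG":
            sig, key_id, reason = "good", args[0], "signing key was revoked"
        elif keyword == "EXPSIG":
            sig, key_id, reason = "good", args[0], "signature has expired"
        elif keyword == "BADSIG":
            sig, key_id = "bad", args[0]
        elif keyword == "ERRSIG":
            # sixth field is gpg's return code; 9 means the public key is missing
            key_id = args[0]
            sig = "nokey" if len(args) > 5 and args[5] == "9" else "error"
        elif keyword == "NO_PUBKEY":
            sig, key_id = "nokey", args[0]
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):]

    if sig is None:
        return "unsigned", None, None
    if sig == "bad":
        return "bad", key_id, "message content does not match the signature"
    if sig == "nokey":
        return "unverified", key_id, "public key not on keyring"
    if sig == "error":
        return "unverified", key_id, "gpg could not process the signature"
    if reason is not None:
        return "untrusted", key_id, reason
    if trust in ("FULLY", "ULTIMATE"):
        return "valid", key_id, None
    return "untrusted", key_id, f"key validity is {trust or 'unknown'}"
```

Note that GOODSIG and BADSIG are decided purely by the cryptography, while the TRUST_* line is decided by your own keyring (owner trust and key signatures). A GOODSIG with TRUST_UNDEFINED is the common "orange pen" case: the maths is fine, but you have not yet established that the key belongs to the sender.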
Retrieving the key that signed the message
A nice feature of Enigmail is that it can automatically import the public key needed to verify a message. If you receive a message for which you don't have the sender's public key, simply click on the Import Public Key button, and Enigmail will offer to download from a keyserver the key that was used for signing:
Just click Ok and Enigmail will do that for you. The imported key will be added to your public keyring. Keep in mind that keyservers do not check who uploads a key: a key fetched this way only tells you that some key with that ID exists, and the signature will still show as untrusted until you have confirmed the key's fingerprint with the sender over another channel and signed it.
More often, you will receive someone's public key as an ASC file attached to the email message. In this case, importing the public key is just as easy: you only have to right-click on the attachment and choose Import OpenPGP Key.
Someone might also send you their public key embedded in the message text. In this case, copy the key (the part between PGP headers), open the Enigmail Key Management, and select Edit → Import Keys from Clipboard.
Column for encryption state in the message list
In the message list, you can display an additional column, Enigmail, that shows whether a message was correctly signed and/or encrypted:
- if a message is signed, the icon for a signed message is displayed;
- if a message is encrypted, the icon for an encrypted message is displayed;
- if a message is both signed and encrypted, both icons are displayed.
Encryption and decryption
Now comes the interesting part: exchanging encrypted messages.
Encrypting a message
To encrypt a message, select the option Encrypt Message before sending, and make sure the lock icon in the Enigmail toolbar is lit. It is common practice to also sign a message you're encrypting.
To send an encrypted message to someone, you need their public key. If you have it, the key is selected automatically: Enigmail searches your keyring for a public key with a user ID matching the recipient's address. (Note: if you have Per-Recipient Rules, these are looked up first.) Matching on the address says nothing about whether the key really belongs to that person; that is what key validity (checking the fingerprint and signing the key) is for.
This is done for each recipient. Recipient addresses are all those specified in the mail headers To:, Cc:, and Bcc:.
Additionally, the message is also automatically encrypted with your own public key, to allow you to read (from the Sent folder) the messages you sent.
As you see, this is pretty straightforward. But what happens if Enigmail is unable to select a public key for a recipient, for instance because you don't have it? In this case, Enigmail pops up the Key Selection window to ask you to select the key(s) by hand:
In the figure, I was trying to send an encrypted email to firstname.lastname@example.org, which let's imagine is set as an alias and forwards all mails to email@example.com. In this case, I would select John Random Hacker's public key, as shown in the figure, and click Send. The message would then be sent to firstname.lastname@example.org encrypted with John Random Hacker's public key. If I had to send mail to email@example.com often, it would be worth creating a per-recipient rule that says "Encrypt all mail that is sent to the address firstname.lastname@example.org with the public key associated with address email@example.com". This can be done directly from the Key Selection window by clicking the Create per-recipient rule(s) button. Alternatively, if John Random Hacker intends to use his alias address often, he should add the user ID firstname.lastname@example.org to his public key, and redistribute the updated public key.
As you have learnt, a message can be encrypted with more than one public key. In fact, it is usually encrypted with at least two: the recipient's and your own, so that you can read a copy of the message. You are able to read the encrypted messages you send only because Enigmail, by default, encrypts every outgoing message with the sender's public key too. If it did not, the message would look like gibberish to you, even though you wrote it.
To be more precise, OpenPGP uses hybrid encryption. First it generates a random session key and encrypts the message body with it using a symmetric cipher; then, for each intended recipient, it encrypts the session key with that recipient's public key and prepends the result (a "public-key encrypted session key" packet) to the encrypted body. Each of these packets carries the key ID of the public key it was encrypted to, but not the user ID; the user ID is something the reader looks up on their own keyring. All recipients receive the same OpenPGP block. As a consequence, it is not possible to send a single message to multiple recipients that is encrypted for some of them and unencrypted for the others: the message goes out either encrypted or unencrypted for the whole recipient list.
That being said, you should not send encrypted messages to Bcc: recipients, because from the key IDs in the OpenPGP block every recipient (and anyone who sees the message in transit) can tell which keys, and hence which people, the message was encrypted to, defeating the purpose of the Bcc: field. Enigmail can work around this by hiding the Bcc: recipients' key IDs in the block, but as a side effect users of some other products (e.g. PGP Corp.) may no longer be able to decrypt the message.
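To make the two preceding paragraphs concrete, here is an added example (not Enigmail's or GnuPG's code) that builds a toy OpenPGP message with one session-key packet per recipient and then reads the recipient key IDs back out of it, which is what anyone holding the ciphertext can do without any private key. The packet bytes are constructed (the "encrypted session key" and the payload are filler, not real ciphertext), but the packet headers follow RFC 4880, and the all-zero key ID is the wildcard that gpg's --hidden-recipient / --throw-keyids options write to hide a recipient.

```python
import struct


def _packet(tag, body, old_format=False):
    """Wrap body in an OpenPGP packet header (RFC 4880 section 4.2)."""
    if old_format:
        # old-format CTB: 1 0 tttt ll, with ll=1 meaning a two-octet length
        return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
    # new-format CTB: 1 1 tttttt; a one-octet length covers bodies under 192 bytes
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body


def pkesk(key_id_hex, algo=1, old_format=False):
    """Build a version 3 Public-Key Encrypted Session Key packet (tag 1).

    Body: version, 8-octet key ID, public-key algorithm, then the encrypted
    session key as an MPI. The MPI here is a constructed 16-bit dummy.
    """
    body = b"\x03" + bytes.fromhex(key_id_hex) + bytes([algo]) + b"\x00\x10\xAB\xCD"
    return _packet(1, body, old_format)


def seipd(ciphertext):
    """Build a Sym. Encrypted Integrity Protected Data packet (tag 18), version 1."""
    return _packet(18, b"\x01" + ciphertext)


# Constructed message: encrypted to two recipients plus the sender's own key
# (which is what Enigmail does so the Sent copy stays readable). The
# payload bytes are filler, not real cipher output.
SAMPLE_MESSAGE = (
    pkesk("AAAAAAAAAAAAAAAA")                      # recipient 1
    + pkesk("BBBBBBBBBBBBBBBB", old_format=True)   # recipient 2
    + pkesk("CCCCCCCCCCCCCCCC")                    # the sender
    + seipd(b"\x13\x37" * 8)
)
# Same message with recipient 2 hidden: the key ID field is all zeros.
HIDDEN_MESSAGE = (
    pkesk("AAAAAAAAAAAAAAAA")
    + pkesk("0000000000000000")
    + pkesk("CCCCCCCCCCCCCCCC")
    + seipd(b"\x13\x37" * 8)
)


def _read_packet(buf, pos):
    """Decode one packet header at buf[pos]; return (tag, body, next_pos)."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                                   # new-format header
        tag = ctb & 0x3F
        first = buf[pos + 1]
        if first < 192:
            length, hdr_len = first, 2
        elif first < 224:
            length, hdr_len = ((first - 192) << 8) + buf[pos + 2] + 192, 3
        elif first == 255:
            length, hdr_len = struct.unpack(">I", buf[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial body lengths not handled in this example")
    else:                                            # old-format header
        tag = (ctb >> 2) & 0x0F
        ltype = ctb & 0x03
        if ltype == 0:
            length, hdr_len = buf[pos + 1], 2
        elif ltype == 1:
            length, hdr_len = struct.unpack(">H", buf[pos + 1:pos + 3])[0], 3
        elif ltype == 2:
            length, hdr_len = struct.unpack(">I", buf[pos + 1:pos + 5])[0], 5
        else:
            raise ValueError("indeterminate length not handled in this example")
    start = pos + hdr_len
    return tag, buf[start:start + length], start + length


def recipients_of(message):
    """Return [(key_id or 'hidden', pk_algorithm), ...] for every PKESK packet.

    No private key is needed: this is what a mail server, or any one of the
    recipients, can learn about the others from the encrypted block alone.
    """
    out = []
    pos = 0
    while pos < len(message):
        tag, body, pos = _read_packet(message, pos)
        if tag == 1:
            if body[0] != 3:
                raise ValueError("only v3 PKESK packets are handled in this example")
            key_id = body[1:9].hex().upper()
            out.append(("hidden" if key_id == "0" * 16 else key_id, body[9]))
        elif tag in (9, 18):
            break   # reached the encrypted payload; no more recipients follow
    return out
```

Run recipients_of on SAMPLE_MESSAGE and the three key IDs come back in the clear, which is the Bcc: problem in one line; on HIDDEN_MESSAGE the second entry is the wildcard, and a decrypting client then has to try each of its private keys in turn, which is why some implementations stumble on it.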
Decrypting an encrypted message
This is a message that John Random Hacker sent encrypted to me:
The lock in the header bar indicates that the message was correctly decrypted. On Interlink, there is an additional grey Enigmail status bar saying "Decrypted message".
The previous message was encrypted but not signed. Here's how a message that is both signed and encrypted appears to you:
In addition to the lock icon, there is now also a pen icon.
On Interlink the Enigmail status bar is green and the text says: "Decrypted message: Good signature". This means that the signature verifies correctly.
Permanent decryption of messages
You can either manually store decrypted messages, or you can set up filter rules that will automatically decrypt incoming mails and save them in unencrypted form. Be aware of what this means: a permanently decrypted message is stored in the clear, so if the target folder lives on an IMAP server, the plaintext is now on that server too, and the protection you gained by encrypting in transit is gone at rest.
To manually decrypt one or several messages, right click on the selected messages, and use the menu option Decrypt to folder. Then choose the folder where to save the decrypted message.
To set up filter rules that work automatically on received or sent mails, click on the menu Tools → Message Filters ... . The following window will open:
Click on New to create a new message filter:
In Filter name you can freely choose a name so that you can distinguish it from other filters.
You can leave the Apply filter when: as it is set by default.
In the next section of the dialog you enter the conditions under which the filter shall trigger. Here you need only one condition: that "From, To, Cc or BCC" contains your email address. This applies the filter to every mail you receive at that address.
Up to now, this is like setting up a Thunderbird standard message filter.
Enigmail provides for two action types, which can be selected using the drop-down menus under Perform these actions: Decrypt permanently (Enigmail) or Create decrypted Copy (Enigmail).
The first option decrypts the message and moves it in the folder selected using the drop-down menu on the right side. Clicking Ok, Enigmail shows a warning:
This is because if there is any failure during decryption (e.g. messages that are encrypted in odd ways such as S/MIME and OpenPGP combined), the message will be lost or corrupted. It is therefore better to select Create decrypted Copy (Enigmail) and test the behaviour for some days or weeks. If anything goes wrong, you still have the original message and can decrypt it manually. If it works flawlessly, you can later change it to Decrypt permanently (Enigmail).
Encryption and mail headers
One important point concerns the security of mail headers. Headers sit outside the PGP/MIME part, so they are neither encrypted nor covered by the signature; this includes the Subject header. There is, however, a draft standard (Protected Headers for Cryptographic E-mail, earlier known as "Memory Hole") that copies the subject into the encrypted part and replaces the clear-text subject with "...". Once you read (and decrypt) the message, the original subject is put back in place. Any header not protected this way, including the recipient list, remains visible to your mail provider and to anyone on the path.
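As an added illustration of the header-protection scheme just described (example code, not Enigmail's implementation): the function below takes an ordinary message, moves the Subject and a few other headers into an inner text part tagged `protected-headers="v1"`, and puts "..." in the envelope; its counterpart copies the protected headers back after decryption. The encryption of the inner part is deliberately outside this example, and the choice of which headers to protect is this example's own; the draft allows any.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Headers copied into the protected part. Subject is the one users notice;
# From/To/Date let a reader spot a re-addressed or replayed message after
# decryption. (Chosen for this example; the draft permits any header.)
PROTECTED = ("Subject", "From", "To", "Cc", "Date")


def split_for_protection(msg):
    """Return (outer, inner) for an unencrypted, single-part EmailMessage.

    outer: the envelope that goes on the wire, with Subject replaced by "..."
    inner: a text/plain part tagged protected-headers="v1" that carries the
           real headers; this is the plaintext you would hand to encryption.
    """
    inner = EmailMessage()
    for name in PROTECTED:
        if name in msg:
            inner[name] = msg[name]
    inner.set_content(msg.get_content())
    inner.set_param("protected-headers", "v1")

    outer = EmailMessage()
    for name, value in msg.items():
        if name.lower() != "subject":
            outer[name] = value
    outer["Subject"] = "..."
    return outer, inner


def restore_headers(outer, decrypted_inner):
    """After decryption, copy protected headers from the inner part (given as
    bytes) back into the message shown to the user."""
    inner = BytesParser(policy=policy.default).parsebytes(decrypted_inner)
    if inner.get_param("protected-headers") != "v1":
        return outer            # nothing was protected; keep the envelope as is
    for name in PROTECTED:
        if name in inner:
            del outer[name]
            outer[name] = inner[name]
    return outer


def demo():
    """Constructed round trip: protect, (pretend to encrypt and decrypt), restore."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.org>"
    msg["To"] = "Bob <bob@example.org>"
    msg["Subject"] = "Quarterly numbers (confidential)"
    msg.set_content("The figures are attached.\n")

    outer, inner = split_for_protection(msg)
    wire_subject = str(outer["Subject"])          # what the mail server sees
    restored = restore_headers(outer, inner.as_bytes())
    return (
        wire_subject,
        inner.get_content_type(),
        inner.get_param("protected-headers"),
        str(restored["Subject"]),                  # what the reader sees after decryption
    )
```

Only the inner part is encrypted and signed, so only the headers copied into it gain confidentiality and integrity; the envelope's From:, To: and Date: stay readable and unauthenticated on the wire even with this scheme.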
Practice with Edward, the friendly OpenPGP email robot
If you want to do some signature and encryption tests yourself, then you'll find a very patient correspondent in Edward, "The Friendly OpenPGP Email Robot". Edward can be contacted at
I sent a simple cleartext mail (unsigned, unencrypted) to Edward, and here's how he replied to it:
Edward tells me that there was no public key attached to my message, so he doesn't know what to do with it. Let's try to encrypt an email to Edward instead:
I enabled encryption and signing by clicking on the lock icon. Additionally, I need to provide Edward with my own key, otherwise Edward can't send me an encrypted email. I do this by using the function Attach My Public Key from the Enigmail menu:
Now I hit the Send button. Enigmail does not yet have Edward's public key. Encryption is therefore not possible, and Enigmail asks me what to do now.
I click on the button Download Missing Keys. This brings up a dialog we have seen earlier. After clicking on OK, Enigmail finds the following key:
Click on OK to import the key into your keyring. Enigmail confirms the import of the key:
Now we're almost ready to send the message. Click on the button Refresh Key List to update the list of displayed keys, and you'll see that Edward's key is now available. Select it, then hit the Send button.
If I now look in my Sent folder there is my message, automatically decrypted as I open it.
The next figure shows my own message, correctly decrypted:
A short time later, I receive Edward's reply: