
Send and Receive Public Keys


Add keys to your keyring and send your public key [25 mins]

Our task is to send and receive encrypted and signed email. To do this we will need to exchange public keys with the person we want to send emails to. Normally, to exchange public keys you will contact that person and ask them to send you their key via email, or you will download it from the Internet. Conversely, you can then send them your key via email or put it online for them to download.

Receiving public keys and adding them to your keyring

Downloading keys from the web

Many people put their public keys on the web so that it is possible for others to download their key. Later challenges will cover the use of key servers as another way of receiving and sending keys.  

To continue with this task you may want to use the following key and email to test your ability to send encrypted mail.

PGP key:  http://clearerchannel.org/keys/encryptedenigma.gpg
Associated email:  encryptedenigma@aktivix.org

To be able to send an encrypted email to this address you first need to add that key to your keyring in Thunderbird. To do this click on the link to the PGP key and download that file to your computer. 

Then, in the Thunderbird application go to OpenPGP > Key Management

In the Key Management window select File > Import Keys from File

Browse to the place where you saved the public key you downloaded and then select it and click on the Open button

You should then receive an alert message saying that The key(s) were successfully imported.

You should now be able to progress to sign and encrypt email.

Receiving keys by email

Let's say you are able to request and receive a public key from a friend by mail. The key will show up in Thunderbird as an attached file. Scroll down the message; below it you will find tabs with one or two file names. The extension of this public key file will be .asc, different from the extension of an attached PGP signature, which ends with .asc.sig.

Look at the example email in the next image, which is a received, signed PGP message containing an attached public key. We notice a yellow bar with a warning message: 'OpenPGP: Unverified signature, click on 'Details' button for more information'. Thunderbird warns us that the sender is not known yet, which is correct. This will change once we have accepted the public key.

What are all those strange characters doing in the mail message? Because Thunderbird does not recognize the signature as valid, it prints out the entire raw signature, just as it has received it. This is how digitally signed PGP messages will appear to those recipients who do not have your public key.

The most important thing in this example is to find the attached PGP public key. We mentioned it is a file that ends with .asc. In this example it's the first attachment on the left, inside the red circle. Double-clicking on this attachment makes Thunderbird recognize the key.

In the example image above, we should double-click on the attached .asc file to import the PGP public key.

After we have clicked on the attachment, the following pop-up will appear.

Thunderbird has recognized the PGP public key file. Click on 'Import' to add this key to your keyring. The following pop-up should appear. Thunderbird says the operation was successful. Click on 'OK' and you are done. You now have the ability to send this friend encrypted messages.

Sending public keys

There are multiple ways to distribute your public key to friends or colleagues. By far the simplest way is to attach the key to a mail. In order for your friend to be able to trust that the message actually came from you, you should inform them in person (if possible) and also require them to reply to your mail. This should at least prevent easy forgeries. You have to decide for yourself what level of validation is necessary. This is also true when receiving emails from third-parties containing public keys. Contact your correspondent through some means of communication other than e-mail. You can use a telephone, text messages, Voice over Internet Protocol (VoIP) or any other method, but you must be absolutely certain that you are really talking to the right person. As a result, telephone conversations and face-to-face meetings work best, if they are convenient and if they can be arranged safely.

Sending your public key is easy.

1. In Thunderbird, click on the icon.

2. Compose a mail to your friend or colleague and tell them you are sending them your PGP public key. If your friend does not know what that means, you may have to explain it to them and point them to this documentation.

3. Before actually sending the mail, click the OpenPGP > Attach My Public Key option on the menu bar of the mail compose window. A check mark will appear next to this option. See the example below.

4. Send your mail by clicking on the button.
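An added example, written for this page and not part of the course or of Thunderbird/Enigmail, that serves both halves of the task above: before importing a key you downloaded (binary .gpg) or received as an attachment (armored .asc), and before attaching your own, it reports what the file actually contains (public key, detached signature, revocation certificate, or a secret key that must never be sent) and computes the v4 key fingerprint that you can read to your correspondent over the phone or in person, as the text recommends. The packet parsing follows RFC 4880; the sample key blobs, the user ID and the "Version: constructed sample" armor header are constructed inline and are not real keys.

```python
"""Inspect an OpenPGP key file before importing or sending it (added example)."""
import base64
import hashlib
import re

TAG_NAMES = {2: "signature", 5: "secret key", 6: "public key", 7: "secret subkey",
             13: "user ID", 14: "public subkey", 17: "user attribute"}
SIG_KEY_REVOCATION = 0x20  # signature type of a key revocation (RFC 4880, 5.2.1)
ARMOR_RE = re.compile(rb"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END PGP \1-----", re.S)


def dearmor(data: bytes) -> bytes:
    """Return raw packet bytes; armored text is decoded, binary input is returned unchanged."""
    m = ARMOR_RE.search(data)
    if not m:
        return data  # no armor header: treat as a binary .gpg file
    body = m.group(2).replace(b"\r\n", b"\n")
    _headers, sep, b64 = body.partition(b"\n\n")  # armor headers end at the blank line
    if not sep:
        b64 = body
    lines = [ln.strip() for ln in b64.splitlines()]
    # The trailing "=xxxx" line is the CRC-24; it is skipped, not verified, here.
    return base64.b64decode(b"".join(ln for ln in lines if ln and not ln.startswith(b"=")))


def iter_packets(data: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers (RFC 4880, 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError(f"offset {i - 1}: not an OpenPGP packet header")
        if ctb & 0x40:  # new-format header
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old-format header: the low two bits give the length-type
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            length = int.from_bytes(data[i:i + (1 << ltype)], "big")
            i += 1 << ltype
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body


def signature_type(body: bytes) -> int:
    """Signature type octet: second octet of a v4 signature, third of a v3 signature."""
    return body[1] if body[0] == 4 else body[2]


def v4_fingerprint(pubkey_body: bytes) -> str:
    """SHA-1 over 0x99, the two-octet body length and the public key packet body (RFC 4880, 12.2)."""
    return hashlib.sha1(b"\x99" + len(pubkey_body).to_bytes(2, "big") + pubkey_body).hexdigest().upper()


def classify(data: bytes) -> dict:
    """Summarize what an OpenPGP file contains so you know what you are about to import or send."""
    packets = list(iter_packets(dearmor(data)))
    tags = [t for t, _ in packets]
    info = {"packets": [TAG_NAMES.get(t, f"tag {t}") for t in tags], "fingerprint": None}
    if 5 in tags or 7 in tags:
        info["kind"] = "secret key (must never be sent to anyone)"
    elif 6 in tags:
        info["kind"] = "public key"
        info["fingerprint"] = v4_fingerprint(next(b for t, b in packets if t == 6))
    elif tags and all(t == 2 for t in tags):
        sig_types = {signature_type(b) for _, b in packets}
        info["kind"] = "revocation certificate" if SIG_KEY_REVOCATION in sig_types else "detached signature"
    else:
        info["kind"] = "unrecognized"
    return info


# --- constructed sample data (placeholders, not real keys) --------------------
def _packet(tag: int, body: bytes) -> bytes:
    """New-format packet with a one-octet length (bodies shorter than 192 bytes)."""
    return bytes([0xC0 | tag, len(body)]) + body


def _armor(binary: bytes, kind: str) -> bytes:
    b64 = base64.b64encode(binary).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (f"-----BEGIN PGP {kind}-----\nVersion: constructed sample\n\n"
            f"{lines}\n=0000\n-----END PGP {kind}-----\n").encode()


# v4 public key body: version, placeholder creation time, RSA (1), tiny placeholder MPIs n and e
_PUBKEY_BODY = bytes([4]) + b"\x00" * 4 + bytes([1]) + b"\x00\x0d\x12\x34" + b"\x00\x11\x01\x00\x01"
SAMPLE_PUBLIC_KEY_ASC = _armor(_packet(6, _PUBKEY_BODY) + _packet(13, b"Test User <test@example.invalid>")
                               + _packet(2, bytes([4, 0x13]) + b"\x00" * 8), "PUBLIC KEY BLOCK")
SAMPLE_REVOCATION_GPG = _packet(2, bytes([4, SIG_KEY_REVOCATION]) + b"\x00" * 8)  # binary, like a .gpg file
SAMPLE_SECRET_KEY_GPG = _packet(5, _PUBKEY_BODY + b"\x00")
SAMPLE_OLD_FORMAT_GPG = bytes([0x98, len(_PUBKEY_BODY)]) + _PUBKEY_BODY  # old-format header, tag 6

if __name__ == "__main__":
    for name, blob in [("attached .asc", SAMPLE_PUBLIC_KEY_ASC), ("downloaded .gpg", SAMPLE_REVOCATION_GPG)]:
        print(name, classify(blob))
```

To check a real file, read it in binary mode and pass the bytes to classify(); a downloaded key that turns out to be a revocation certificate or a secret key should not be imported or forwarded. The fingerprint returned for a public key is what you compare with the sender over a channel other than e-mail, which is the validation step the text above describes.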


Task

  • Import someone else's public key. You can ask someone to send it via email, or download it from the web. You can use http://clearerchannel.org/keys/encryptedenigma.gpg for testing purposes.
  • Send your public key to someone you know uses PGP email encryption. You can send it to encryptedenigma@aktivix.org.

Task Discussion


  • Mohit Kumar said:

    Successfully sent my public PGP key to my friend for testing purposes. Waiting for his reply.

    on March 18, 2013, 8:02 a.m.
  • HDRedneck said:

    I'm having trouble with this one.

    So what if the majority of your e-mail folks are not encrypting. Can you just send that / these persons a public key to add?

    If they are not using PGP how do they open your encrypted e-mail?

    Sorry this might be a stupid question.  I'm trying to maximize the tools in the Thunder Bird program.

    on Feb. 20, 2013, 1:41 a.m.

    Link said:

    You encrypt to the recipient's public key.  The message is decrypted with the corresponding secret key.  If the recipient does not use PGP you would would not be able to send a viable encrypted email since the required key pair would not exist.  You certainly can send your public key to allow others to encrypt to you, but until the recipient generates a PGP keypair and provides you with a public key, you will not be able to encrypt to the recipient.  The short answer is all participants in an email exchange need to be using PGP to effectively encrypt and decrypt messages.

    on Feb. 20, 2013, 2:11 a.m. in reply to HDRedneck
  • Rodolfo Aguirre said:

    Hello, I tried to open the link; it does not open.

    PGP key:  http://clearerchannel.org/keys/encryptedenigma.gpg

    Besides, I also saw them on YouTube.

    It's easy.

    on Sept. 3, 2012, 10:02 p.m.

    Mick Fuzz said:

    Anyone else having this problem?

    It works fine for me.

    on Sept. 4, 2012, 3:30 a.m. in reply to Rodolfo Aguirre

    boneidol said:

    Your webserver is sending the incorrect MIME type for the PGP key:

    Content-Type: application/pdf

    when it should probably be

    Content-Type: text/plain

    on Sept. 4, 2012, 4:39 a.m. in reply to Mick Fuzz

    Mick Fuzz said:

    I've changed this. Thanks for the help.

    on Sept. 5, 2012, 7 a.m. in reply to boneidol
  • firewire2879 said:

    I'm having troubles with this assignment. I sent my message to someone at encryptedenigma and they said they received a revocation certificate, not my public key.

    on Aug. 21, 2012, 8:56 p.m.
  • firewire2879 said:

    ok I used encryptedenigma@aktivix.org to send my PGP public key. Many of my friends do not use encryption.

    What I learned about PGP "pretty good Privacy"

    When PGP uses a key for encryption or signing, it determines if, in PGP's opinion, the key can be trusted. If PGP does not trust the key, it will print a message warning you that the key is not to be trusted. You can tell PGP to use the key anyway. PGP determines trust on the basis of signatures from trusted keys. In the future, if you make it a habit to always use PGP in your emails, then you will not draw any attention to any sensitive information you may wish to send.

     

    on Aug. 21, 2012, 4:37 p.m.
  • ciderpunx said:

    OK, I got a bit stuck on this task when the encryptedenigma key turned out to belong to Mick Fuzz, and didn't mention the encryptedenigma@riseup email addy anywhere. Is that important? I wasn't sure whether I could email encryptedenigma with that key.

    on June 20, 2012, 2:25 p.m.
  • Gzikskud said:

    Do you want to cover some of the reasons why you may not want to load a public key... For say trust reasons?

    on June 19, 2012, 7:45 a.m.

    boneidol said:

    That's a good point.

    The course does not cover using keyservers, or signing keys.

    Receiving keys attached to emails and importing them without verifying a trust path leaves us vulnerable to some of the same attacks that we are trying to avoid by using gpg in the first place.

    Perhaps another section should be added on:

    1. Downloading/Uploading keys from/to keyservers

    2. Signing keys

    3. Verifying trust paths

    on June 19, 2012, 8:07 a.m. in reply to Gzikskud

    Mick Fuzz said:

    Hi there, great points - there is definitely space for this.

    We need to make sure we don't lose people who are new to these issues. I think we can do this by using example users with different stories. I'll give it some thought.

    on June 19, 2012, 10:52 a.m. in reply to boneidol
  • Gzikskud said:

    Typo under receiving emails.

    on June 19, 2012, 7:42 a.m.