Thunderbird:OpenPGP:Migration-From-Enigmail

11,868 bytes added, 20:12, 8 July 2020
Enigmail and Thunderbird 78 HOWTO.

This document is specifically for existing users of Enigmail, who want to start using Thunderbird 78 and its integrated OpenPGP functionality. If you have never used the Enigmail Add-on, you don't need this document to use OpenPGP with Thunderbird 78.

If you're reading this before OpenPGP has been declared a stable feature in Thunderbird 78.x (expected for the 78.2 release at the end of August 2020), please consider staying with Thunderbird 68 and Enigmail for a while longer, especially if you depend on the security of OpenPGP and are worried about correct behavior.

If you are willing to experiment, or if Thunderbird has already declared OpenPGP stable, please read on.

Due to required technology changes, you'll experience a lot of changes. We have tried to make the new OpenPGP functionality easier to understand and use, but on the other hand, some features might no longer work as before, or might be missing.

Let's go through the various areas in order.

If you're using an early release version of Thunderbird 78, e.g. 78.0 or 78.1, and you are willing to experiment, the OpenPGP functionality might still be disabled by default. Open the preferences, then the config editor, and change the preference named "mail.openpgp.enable" to the value "true". Then restart Thunderbird. This will enable the user interface for OpenPGP.

Thunderbird no longer uses the external GnuPG software. Previously, all your own keys and the keys of other people were managed by GnuPG, and Enigmail simply offered you to view, use and manage them. Now that Thunderbird uses a different technology, it's necessary to migrate your existing keys from GnuPG into Thunderbird's own storage (inside the Thunderbird profile directory). Because Thunderbird uses its own copy of the keys, it's not easily possible to share your keys between Thunderbird 78 and GnuPG.

The migration functionality isn't provided by Thunderbird itself. Rather, an update of the Enigmail Add-on for Thunderbird 78 will be available, which no longer provides the usual functionality, but instead helps you to perform a migration of your existing keys.

Once you are using Thunderbird 78, Enigmail should update, and should offer you to migrate your keys. It should configure your email accounts to use the same keys that you had previously.

Thunderbird doesn't use on-demand unlocking for your keys. Rather, the only way to password protect the use of your OpenPGP secret keys is to set up the global Master Password feature of Thunderbird, which you can find in Thunderbird's security preferences. To enable Thunderbird to use your existing secret keys, you must unlock them to import them. This may require you to enter your password twice. First, to confirm that GnuPG is allowed to export the secret key. Second, to allow Thunderbird to access the raw key and copy it into Thunderbird's configuration storage. This is handled as part of the migration process, offered by the updated Enigmail Add-on, which acts as a migration tool.

If you were using the ownertrust configuration for keys with GnuPG, this is handled differently in Thunderbird. The equivalent of marking a secret key as ownertrust ultimate is to use Thunderbird's OpenPGP key manager, open the key's details, and confirm that you accept it as a personal key. This flag will be set automatically by the migration. You might have to set it manually when importing a key using Thunderbird's key manager. Future import procedures will ask you to set that flag at import time.

Regarding the workflow to send encrypted emails: Enigmail had offered multiple modes of operation. If you had started to use Enigmail in recent years, you might have been using Enigmail's junior mode, which was operated behind the scenes by pEp software. If you have frequently seen red squares, yellow triangles and green shapes with Enigmail, then you were likely using that mode. Thunderbird 78 does not support the junior mode.

Thunderbird's new OpenPGP implementation is more similar to Enigmail's classic mode of operation, which was configured in recent Enigmail releases with the setting "Force using S/MIME and Enigmail". If you have already been using Enigmail for many years, and you already had OpenPGP keys in Enigmail at the time the junior mode was offered for the first time, you have probably been using Enigmail's classic mode. The remainder of this document will talk about this classic mode.

Enigmail had a lot of configuration choices to control the email encryption workflow.

Enigmail's "general preferences for sending" allowed a choice of "default" and "manual". The default settings allowed the opportunistic use of encryption, which could also be enabled manually using the "Automatically send encrypted" choice. Thunderbird 78 does not use an opportunistic mode. Rather, it uses a strict mode, where correspondent keys must be manually accepted before they are used. This is also related to Enigmail's preference controlling which keys are accepted for sending encrypted messages. Enigmail's default was "all usable keys". Thunderbird's new behavior is closer to Enigmail's alternative choice "only trusted keys".

In order to send an encrypted message, Thunderbird requires that you accept each correspondent's key once. However, it attempts to make that process straightforward. When trying to send an encrypted message, and you haven't yet used a correspondent's key, you will be guided to review the keys that you already have available, and review, accept, and optionally verify them. If keys are missing, you'll be given the choice to discover them online on a WKD server, or on the keys.openpgp.org keyserver.

The Enigmail migration will help you by marking as accepted those keys of your correspondents which you have previously certified (signed).

At this time Thunderbird does not support automatically accepting keys if they carry your signature. This functionality might be added at a later time. Also, the Web of Trust functionality is not supported. In other words, with Enigmail some keys of your correspondents might have been automatically accepted for use, if there was a chain of trust from your keys, along keys that you had signed, to the key you'd like to use. Instead, you are currently required to manually accept each recipient key that you'd like to use.

Enigmail offered to show you a prompt at the time you requested to send the message, telling you whether the message would be encrypted, signed, or neither. At this time, Thunderbird does not provide this prompt. You should look at the message settings prior to sending the message, which are shown in the status bar of the composer window. Or you can open the dropdown menu next to the security button. The shown options will tell you if encryption and signing are enabled. Currently, if encryption is enabled for a message, you cannot send the message unless you have valid keys available for each recipient (not revoked, not expired), and you have accepted at least one valid key for each recipient. The key availability for a message you are sending can be seen by clicking the security button, or by using the classic menu command "view message security info".

With Enigmail, if you attempted to send an encrypted message, but Enigmail couldn't automatically identify which key should be used to encrypt for a particular recipient, Enigmail would open a rather complex dialog, in which you could select the keys to use. Thunderbird does not offer such a dialog. Rather, you need to have a key for each recipient that contains the recipient's email address in one of the key's user IDs. Thunderbird does not support using alternative keys that contain no email address, or keys that don't contain a matching email address.
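The strict sending rule described above (a key per recipient, matched by a user ID carrying the exact address, unrevoked, unexpired, and accepted) as an added, constructed model in Python; this is not Thunderbird's or Enigmail's code, and the keyring, fingerprints and addresses are placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
# Constructed model (not Thunderbird's code) of the strict sending rule above:
# each recipient needs an unrevoked, unexpired key whose user IDs carry that
# exact address, and at least one such key must be accepted. Placeholder data.
@dataclass
class PublicKey:
    fingerprint: str
    user_ids: List[str]             # "Name <addr>" strings from the key
    expires: Optional[date] = None  # None: the key does not expire
    revoked: bool = False
    accepted: bool = False          # accepted in Thunderbird's key manager

def uid_emails(key):
    """Lower-cased address of each 'Name <addr>' user ID; IDs without one never match."""
    return [uid[uid.rindex("<") + 1:-1].lower()
            for uid in key.user_ids if "<" in uid and uid.endswith(">")]

def is_valid(key, today):
    return not key.revoked and (key.expires is None or key.expires >= today)

def resolve_recipient_keys(recipients, keyring, today):
    """Return ({recipient: fingerprint}, [problems]); encryption is only
    possible when the problem list is empty."""
    chosen, problems = {}, []
    for rcpt in recipients:
        matching = [k for k in keyring if rcpt.lower() in uid_emails(k)]
        valid = [k for k in matching if is_valid(k, today)]
        accepted = [k for k in valid if k.accepted]
        if not matching:
            problems.append(f"{rcpt}: no key carries this address in a user ID")
        elif not valid:
            problems.append(f"{rcpt}: only revoked or expired keys available")
        elif not accepted:
            problems.append(f"{rcpt}: key available but not yet accepted")
        else:
            chosen[rcpt] = accepted[0].fingerprint
    return chosen, problems

KEYRING = [  # constructed sample keyring
    PublicKey("AAAA1111", ["Alice <alice@example.org>"], accepted=True),
    PublicKey("BBBB2222", ["Bob <bob@example.org>"], date(2019, 1, 1), accepted=True),
    PublicKey("CCCC3333", ["Carol <carol@example.org>"]),
    PublicKey("DDDD4444", ["Dave (key without an address)"], accepted=True),
]

def can_encrypt(recipients, today=date(2020, 7, 8)):
    chosen, problems = resolve_recipient_keys(recipients, KEYRING, today)
    return not problems, chosen, problems
```

Dave's key illustrates the last sentence above: a key whose user IDs carry no address can never be selected, however trusted it is.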

Also, because Enigmail used GnuPG to encrypt, it was possible to use advanced configuration in a GnuPG configuration file, which controlled which keys would be used automatically based on recipient email addresses. At this time, Thunderbird does not offer an equivalent feature.

Enigmail offered a configuration mechanism named per-recipient-rules. Thunderbird does not support that feature at this time.

Today, if encryption is enabled for a message, digital signing will be enabled automatically, too. And if digital signing is used, the option to attach your own public key to the message is enabled automatically, too. You may manually disable these options for an individual message, if desired.

Previously, instead of sending your public key as an attachment, Enigmail had the ability to include your public key in a hidden email header according to the Autocrypt standard. This functionality currently isn't offered, but might be added in the future.

Because Thunderbird continues to support the S/MIME email security technology, you'll find a new choice in the menu, which allows you to control the encryption technology that you would like to use.

When receiving an email, Enigmail used a line of text above the message sender information to display the OpenPGP status of a message. This has been reworked to be similar to the way the status of S/MIME messages has been shown. Instead of a line of text, icons will be shown to visualize the state of the message.

A padlock in varying appearance is used to show the encryption status of a message you have received.
A stamped envelope icon in varying appearance is used to show the digital signature status of a message you have received.
You may click the icons to view a more detailed explanation.

The signature status of a message depends on the status you have granted to the signer's key. A signature is treated as valid if it is technically correct, if you have already imported the key, and if you have accepted to use the sender's key. You are given the choice to accept a correspondent's key without verification, if you prefer to avoid the more secure fingerprint verification. The digital signature status icon will be different after verifying a sender's key.

When telling Thunderbird that you have verified a correspondent's key, Thunderbird will remember this information separately from the key. The classic way of remembering it is by adding a key certification to your correspondent's key (signing their key). This is not yet supported, but will likely be added in a future version.

Enigmail offered a feature to define automatic message filters, which performed automatic actions based on the properties of an email, and could automatically decrypt a message and store the decrypted message locally. Thunderbird does not support that at this time; messages are kept encrypted, and will need to be decrypted each time you read them. As a consequence, at this time encrypted messages are not included in global searches and the message search index.

When receiving an email, Thunderbird will scan the message for attached keys. At this time, attachments of type application/pgp-keys and the Autocrypt header are automatically processed. Key updates for keys that you have previously imported, such as expiration extensions or revocations, will be imported automatically at the time of opening a message, without requiring manual confirmation.

Other keys, which haven't been imported previously, will be offered for import. If a new key for the sender's email address is seen, although you have previously accepted a different key, Thunderbird will show an extra warning.

Thunderbird will not automatically import keys transferred with the Autocrypt email header mechanism. Thunderbird will not automatically enable encryption with correspondents based on Autocrypt email headers. The user needs to confirm the offer to import the attached key in an email, and then manually accept the use of the key, and also manually enable encryption in messages that are sent.
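The incoming-key handling described in the last three paragraphs (scanning for application/pgp-keys attachments and the Autocrypt header, auto-importing only updates of already imported keys, warning when a different key is already accepted for the sender) as an added, constructed model using Python's standard email module; this is not Thunderbird's code, the sample message and fingerprints are constructed, and deriving a real fingerprint from key data would need an OpenPGP parser that is left out here.

```python
import email
from email import policy
# Constructed model (not Thunderbird's code) of the incoming-key handling
# described above. Deriving a fingerprint from keydata needs a real OpenPGP
# parser, which is left out; fingerprints here are placeholders.

def extract_key_offers(raw_message):
    """List (source, address, keydata) for every key a message carries:
    'autocrypt' from the Autocrypt header (addr= attribute), 'attachment'
    from application/pgp-keys parts, tied to the From address."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec.lower()
    offers = []
    for header in msg.get_all("Autocrypt", []):
        attrs = dict(item.strip().split("=", 1)
                     for item in header.split(";") if "=" in item)
        if "addr" in attrs and "keydata" in attrs:
            offers.append(("autocrypt", attrs["addr"].lower(), attrs["keydata"].encode()))
    for part in msg.walk():
        if part.get_content_type() == "application/pgp-keys":
            offers.append(("attachment", sender, part.get_payload(decode=True)))
    return offers

def decide_key_action(source, fingerprint, address, store):
    """store: fingerprint -> {'addresses': set, 'accepted': bool}.
    Updates of already imported keys arriving as attachments are applied
    without confirmation; everything else is only offered, with a warning if
    a different key is already accepted for the address. Keys from the
    Autocrypt header are never imported automatically (as the text above reads)."""
    if source == "attachment" and fingerprint in store:
        return "auto-import-update"
    conflict = any(fp != fingerprint and meta["accepted"] and address in meta["addresses"]
                   for fp, meta in store.items())
    return "offer-import-with-warning" if conflict else "offer-import"

SAMPLE = b"""From: Alice <alice@example.org>
Autocrypt: addr=alice@example.org; prefer-encrypt=mutual; keydata=UExBQ0VIT0xERVI=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/pgp-keys; name="alice.asc"

-----BEGIN PGP PUBLIC KEY BLOCK-----
(constructed placeholder, not a real key)
-----END PGP PUBLIC KEY BLOCK-----
--b1--
"""
```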