Thunderbird:OpenPGP:Migration-From-Enigmail

789 bytes added, 20:39, 8 July 2020
self-review, typo fixes and clarifications
Enigmail and Thunderbird 78 HOWTO.
This document is intended specifically for existing users of Enigmail who want to start using Thunderbird 78 and its integrated OpenPGP functionality. If you have never used the Enigmail Add-on, then you don't need this document to use OpenPGP with Thunderbird 78.
If you're reading this before OpenPGP has been declared a stable feature in Thunderbird 78.x (expected for the 78.2 release at the end of August 2020), then please consider staying with Thunderbird 68 and Enigmail for a while longer, especially if you depend on the security of OpenPGP and are worried about correct behavior.
If you are willing to experiment, or if the Thunderbird project has already declared OpenPGP as stable, then please read on.
Due to required technology changes, you'll experience a lot of changes. We have tried to make the new OpenPGP functionality easier to understand and use, but on the other hand, some features will work differently than before, or might be missing.
If you're using an early release version of Thunderbird 78, e.g. 78.0 or 78.1, and you are willing to experiment, the OpenPGP functionality might still be disabled by default. Use the TB preferences, config editor, and change the preference with the name "mail.openpgp.enable" to the value "true". Then restart Thunderbird. This will enable the user interface for OpenPGP.
Thunderbird 78 no longer uses the external GnuPG software. Previously, all your own keys and the keys of other people were managed by GnuPG, and Enigmail offered you to view, use and manage them. Now that Thunderbird uses a different technology, it's necessary to perform a migration of your existing keys, to migrate them from GnuPG into Thunderbird's own storage (inside the Thunderbird profile directory). Thunderbird will use its own copy of the keys; sharing your keys between Thunderbird 78 and GnuPG currently isn't supported. (TODO: explain the smartcard situation.)
The migration functionality isn't provided by Thunderbird. Rather, an update for the Enigmail Add-on, compatible with Thunderbird 78, will be available; it no longer provides the usual functionality, but instead helps you to perform a migration of your existing keys.
Once you are using Thunderbird 78, Enigmail should update, and should offer you to migrate your existing keys. It should configure your email accounts to use the same keys that you had used previously.
Thunderbird doesn't use on-demand unlocking (key passwords) for your keys. Rather, the only way to password protect the use of your OpenPGP secret keys is to set up the global Master Password feature of Thunderbird, which you can find in Thunderbird's security preferences.
To enable Thunderbird to use your existing secret keys, you must unlock them to import them. This may require you to enter your password twice. First, to confirm that GnuPG is allowed to export the secret key. Second, to allow Thunderbird to access the raw key and copy it into Thunderbird's configuration storage. This is handled as part of the migration process, offered by the updated Enigmail Add-on, which acts as a migration tool.
If you were using the ownertrust configuration for keys with GnuPG, this is handled differently in TB. The equivalent of marking a secret key as ownertrust ultimate is to use Thunderbird's OpenPGP key manager, open its details, and confirm that you accept it as a personal key. This flag will be automatically set by the migration. You might have to manually set it when importing a key using Thunderbird's key manager. The stable Thunderbird release is expected to ask you to set that flag at import time.
Regarding the workflow to send encrypted emails: Enigmail had offered multiple modes of operation. If you had started to use Enigmail in recent years, you might have been using Enigmail's junior mode, which was operated behind the scenes by pEp software. If you have frequently seen red squares, yellow triangles and green shapes with Enigmail, then you were likely using that mode. Thunderbird 78 does not support the junior mode.
Thunderbird's new OpenPGP implementation is more similar to Enigmail's classic mode of operation, which was configured in recent Enigmail releases with the setting "Force using S/MIME and Enigmail". If you have already been using Enigmail for many years, and you already had OpenPGP keys in Enigmail at the time the junior mode was offered for the first time, you have probably been using Enigmail's classic mode, and might have never seen Enigmail's alternative junior mode. The remainder of this document will not talk about this junior mode, but rather will only discuss Enigmail's classic mode.
Enigmail had a lot of configuration choices to control the email encryption workflow.
Enigmail's "general preferences for sending" allowed a choice of "default" and "manual". The default settings allowed the opportunistic use of encryption, which could also manually be enabled using the "Automatically send encrypted" choice. Thunderbird 78 does not use an opportunistic mode. Rather, it uses a strict mode, where correspondent keys must be manually accepted before they are used. This is also related to Enigmail's preference that controls which keys are accepted for sending encrypted messages. Enigmail's default was "all usable keys". Thunderbird's new behavior is closer to Enigmail's alternative choice "only trusted keys".
In order to send an encrypted message, Thunderbird requires that you accept each correspondent's key once. However, it attempts to make that process straightforward. When trying to send an encrypted message, and you haven't yet used a correspondent's key, you will be guided to review the keys that you already have available, and review, accept, and optionally verify them. If keys are missing, you'll be given the choice to discover them online on a WKD server, or on the keys.openpgp.org keyserver.
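The paragraph above mentions key discovery via WKD. The following is an added example, not Thunderbird or Enigmail code, showing where a client looks when it discovers a key through the Web Key Directory: it derives the "advanced" and "direct" lookup URLs for an address following the draft-koch-openpgp-webkey-service scheme (lowercased local part, SHA-1, z-base-32). The address and domain are constructed; SHA-1 serves only as a file-naming function here, not as a security primitive. Fetching is deliberately left out, and a key obtained this way still needs the manual acceptance described above before Thunderbird will encrypt to it.

```python
"""Added example (not Thunderbird or Enigmail code): derive the Web Key
Directory (WKD) lookup URLs for an email address, following the
draft-koch-openpgp-webkey-service scheme. Only the URL derivation is shown;
no network access is performed and nothing is imported or accepted."""
import hashlib
from typing import Dict
from urllib.parse import quote

# z-base-32 alphabet used by the WKD hash encoding
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, most significant bit first,
    no padding characters."""
    bits = 0
    nbits = 0
    out = []
    for byte in data:
        bits = ((bits << 8) | byte) & 0xFFFF  # keep only the bits still needed
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(bits >> nbits) & 31])
    if nbits:  # left-align the remaining bits into one final character
        out.append(ZBASE32_ALPHABET[(bits << (5 - nbits)) & 31])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """WKD hashes the lowercased local part with SHA-1 and z-base-32 encodes
    the 160-bit digest, giving a fixed 32-character directory entry name."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> Dict[str, str]:
    """Return the 'advanced' and 'direct' method URLs a client would try,
    in that order of preference. Raises ValueError for a malformed address."""
    if address.count("@") != 1:
        raise ValueError("expected exactly one @ in the address")
    local_part, domain = address.split("@")
    domain = domain.lower()
    name = wkd_hash(local_part)
    # The l= parameter carries the original (not lowercased) local part.
    query = "?l=" + quote(local_part, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{name}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{name}{query}",
    }


if __name__ == "__main__":
    # Constructed address; example.org is a reserved documentation domain.
    for method, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{method}: {url}")
```

A client tries the advanced URL first and falls back to the direct one; both are served over HTTPS, so the transport protects integrity of the download, but it says nothing about whether the key belongs to the person you mean, which is why the page's fingerprint verification step remains relevant.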
The Enigmail migration will help you by marking as accepted those keys of your correspondents which you have previously certified (signed).
At this time Thunderbird does not support automatically accepting keys if they carry your signature. This functionality might be added at a later time. Also, the Web of Trust functionality is not supported. In other words, with Enigmail and OpenPGP some keys of your correspondents might have been automatically accepted for use, if there was a path of trust from your keys, along a path of keys that you had signed, eventually pointing to the key you'd like to use. This indirect trust isn't offered in Thunderbird. Instead, you are currently required to manually accept each recipient key that you'd like to use.
Enigmail offered to show you a prompt at the time you request to send the message, telling you whether the message will be encrypted, signed or neither, and offering you to confirm or cancel sending the message. At this time, Thunderbird does not provide this prompt. You should look at the message settings prior to sending the message, which are shown in the status bar of the composer window. Or you can open the dropdown menu next to the security button. The shown options will tell you if encryption and signing are enabled. Currently, if encryption is enabled for a message, you cannot send the message unless you have valid keys available for each recipient (not revoked, not expired), and you have accepted at least one valid key for each email address. The key availability for a message you are sending can be seen by clicking the security button, or by using the classic menu command "view message security info".
With Enigmail, if you attempted to send an encrypted message, but Enigmail couldn't automatically identify which key should be used to encrypt for a particular recipient, Enigmail would open a rather complex dialog in which you could manually select the keys to use. Thunderbird will not. Rather, you need to have keys for each recipient that contain the recipient's email address in one of the key's user IDs. Thunderbird does not support using alternative keys that contain no email address, nor the use of keys that don't contain a matching email address.
Also, because Enigmail used GnuPG to encrypt, it was possible to use advanced configuration in a GnuPG configuration file that controlled which keys would be automatically used based on recipient email addresses. At this time, Thunderbird does not offer an equivalent feature.
Enigmail offered a configuration mechanism named per-recipient-rules. Thunderbird does not support that feature at this time, and will ignore the previous configuration.
Today, if encryption is enabled for a message, then digital signing will be automatically enabled, too. And if digital signing is used, the option to attach your own public key to the message is automatically enabled, too. You may manually disable these options for an individual message, if desired.
Previously, instead of sending your public key as an attachment, Enigmail had the ability to include your public key in a hidden email header according to the Autocrypt standard. This functionality currently isn't offered, but might be added in the future.
Because Thunderbird continues to support the S/MIME email security technology, you'll find a new choice in the security or options menu, which allows you to control the encryption technology that you would like to use.
When receiving an email, to display the OpenPGP security status of a message, Enigmail had used a line of text above the message sender information. This has been reworked to be similar to the way the status of S/MIME messages is shown. Instead of a line of text, icons will be shown to visualize the state of the message.
A padlock in varying appearances is used to show the encryption status of a message you have received. A stamped envelope icon in varying appearances is used to show the digital signature status of a message you have received.
You may click the icons to view a more detailed explanation.
The signature status of a message depends on the status you have granted to the signer's key, i.e. whether you have accepted it or not. A signature is treated as valid if it is technically correct, if you have already imported the key, and if you have accepted to use the sender's key. You have the choice to simply accept a correspondent's key without further verification, which will not confirm that you are using the correct key, but at least you will be able to distinguish the use of known keys from the use of keys that you haven't yet accepted. If you prefer, you may perform the more secure fingerprint verification, and mark a key as verified. The digital signature status icon will be different after marking a sender's key as verified.
When telling Thunderbird that you have verified a correspondent's key, Thunderbird will remember this information separately from the key. The classic way of remembering it is by adding a key certification to your correspondent's key (signing their key). This is not yet supported, but will likely be added in a future version.
Enigmail offered a feature to define automatic message filters that performed automatic actions based on the properties of an email, and could automatically decrypt a message and store the decrypted message locally. Thunderbird does not support that at this time; the messages are kept encrypted, and will need to be decrypted each time you read them. As a consequence, at this time encrypted messages are not included in global searches and the message search index.
When receiving an email, Thunderbird will scan the message for attached keys. At this time, attachments of type application/pgp-keys and the Autocrypt header are automatically processed. Key updates for keys that you have previously imported, such as expiration extensions or revocations, will be automatically imported at the time of opening a message, without the requirement for manual confirmation. (Feature expected for 78.1.)
Other keys, which haven't been imported previously, will be offered for import. If a new key for the sender's email address is seen, although you have previously accepted a different key, Thunderbird will show an extra warning (new feature expected for 78.1).
Thunderbird will not automatically import keys transferred with the Autocrypt email header mechanism. Thunderbird will not automatically enable encryption with correspondents based on Autocrypt email headers. The user needs to confirm the offer to import the attached key in an email, and then manually accept the use of the key, and also manually enable encryption in messages that are sent.
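To make concrete what the inbound scan described above has to look at, here is an added example, not Thunderbird or Enigmail code, that parses a message for the two carriers the page names: application/pgp-keys attachments and the Autocrypt header. It reports what it finds and checks that the Autocrypt addr matches the From address, but imports and accepts nothing, matching the manual confirmation the page describes. The message, addresses and key material are constructed placeholders, not real keys.

```python
"""Added example (not Thunderbird or Enigmail code): scan an email for
OpenPGP key material the way a mail client's inbound check does, looking at
application/pgp-keys attachments and Autocrypt headers. It only reports what
it finds; nothing is imported or accepted."""
import base64
import binascii
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed sample: fictional addresses, and the key material is a
# placeholder blob rather than a real OpenPGP key.
SAMPLE_KEYDATA = base64.b64encode(b"placeholder OpenPGP packet bytes").decode()
SAMPLE_MESSAGE = f"""\
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: hello
Autocrypt: addr=alice@example.org; prefer-encrypt=mutual; keydata={SAMPLE_KEYDATA}
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Bob, my key is attached.
--b1
Content-Type: application/pgp-keys; name="alice.asc"
Content-Disposition: attachment; filename="alice.asc"

-----BEGIN PGP PUBLIC KEY BLOCK-----
(placeholder armored key lines)
-----END PGP PUBLIC KEY BLOCK-----
--b1--
"""


def parse_autocrypt(header_value: str) -> Optional[Dict[str, object]]:
    """Split an Autocrypt header into its attributes and decode keydata.
    Returns None for a malformed header (missing addr/keydata, bad base64),
    so a broken header is ignored rather than acted on."""
    attrs: Dict[str, object] = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)  # base64 padding may contain '='
        attrs[name.strip().lower()] = value.strip()
    if "addr" not in attrs or "keydata" not in attrs:
        return None
    # Header folding may have inserted whitespace into the base64 blob.
    compact = "".join(str(attrs["keydata"]).split())
    try:
        attrs["keydata_bytes"] = base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None
    attrs["addr"] = str(attrs["addr"]).lower()
    return attrs


def find_key_material(raw_message: str) -> Dict[str, object]:
    """Return the sender, every well-formed Autocrypt header, and every
    application/pgp-keys attachment found in the message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    autocrypt: List[Dict[str, object]] = []
    for value in msg.get_all("Autocrypt", []):
        parsed = parse_autocrypt(value)
        # Autocrypt requires addr to match the From address; flag a mismatch
        # so such a header is never mistaken for the sender's own key.
        if parsed is not None:
            parsed["matches_from"] = parsed["addr"] == sender
            autocrypt.append(parsed)
    attachments: List[Dict[str, object]] = []
    for part in msg.walk():
        if part.get_content_type() == "application/pgp-keys":
            attachments.append({
                "filename": part.get_filename(),
                "data": part.get_payload(decode=True),
            })
    return {"from": sender, "autocrypt": autocrypt, "attached_keys": attachments}


if __name__ == "__main__":
    found = find_key_material(SAMPLE_MESSAGE)
    print(f"From: {found['from']}")
    for entry in found["autocrypt"]:
        print(f"Autocrypt key for {entry['addr']} (matches From: {entry['matches_from']}), "
              f"{len(entry['keydata_bytes'])} bytes of keydata")
    for att in found["attached_keys"]:
        print(f"Attached key file {att['filename']}, {len(att['data'])} bytes")
```

The output of such a scan is an offer to the user, not a trust decision: whether the key belongs to the sender, and whether it should replace a key you already accepted for that address, is exactly the judgement the page says remains manual.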