Confirm
563
edits
Changes
Improve text based on suggestions from Berna
== GnuPG vs. RNP and key storage ==
Thunderbird no longer uses the external GnuPG software. Previously, all your own keys and the keys of other people were managed by GnuPG, and Enigmail offered you to view, use and manage them. Now that Thunderbird uses a different technology, it's necessary to perform a migration of your existing keys, to migrate them from GnuPG into Thunderbird's own storage (inside the Thunderbird profile directory). Thunderbird will uses its own copy of the keys, sharing your keys between Thunderbird 78 and GnuPG currently isn't supported. (TODO: explain the smartcard situation.)
The migration functionality isn't provided by Thunderbird. Rather, an update for the Enigmail Add-on and Thunderbird 78 will be available, which no longer provides the usual functionality, but rather will help you to perform a migration of your existing keys.
Once you are using Thunderbird 78, Enigmail should will update, and should will offer you to migrate your keys. Note that this will work, even if OpenPGP is not yet stable. The migration process should will attempt to configure your email accounts to use the same keys that you had used previously. After the migration has completed, you should open Account Settings and the End-To-End Encryption tab, to verify the configuration.
Thunderbird doesn't use on-demand unlocking (key passwords) for of your secret keys. Rather, the only way to password protect the use of your OpenPGP secret keys is to set up the global Master Password feature of Thunderbird, which you can find in Thunderbird's security preferences.
To enable Thunderbird to use your existing secret keys, you must unlock them to import them. This may require you to enter your password twice. First, to confirm that GnuPG is allowed to export the password. Second, to allow Thunderbird to access the raw key and copy it into Thunderbird's configuration storage. This is handled as part of the migration process, offered by the updated Enigmail Add-on, that acts as a migration tool.
== Other changes ==
Previously, instead of sending your public key as an attachement, Enigmail had the ability functionality to include your public key in a hidden email header according to the Autocrypt standard. This functionality currently isn't offered, but might be added in the future.
Because Thunderbird continues to support the S/MIME email security technology, you'll find a new choice in the security or options menu, which allows you to control the encryption technology that you would like to use.
When receiving an email, the display the OpenPGP security status of a message, Enigmail used a line of text above the message sender information. This has been reworked changed to be similar work similarly to the existing mechanism that shows showing the status of S/MIME messages. Instead of a line of text, icons will be shown to visualize the state of the message.
A padlock in varying appearances is used to show the encryption status of a message you have received.
When telling Thunderbird that you have verified a correspondent's key, Thunderbird will remember this information separately from the key. The classic way of remembering it is by adding a key certification to your correspondent's key (signing their key). This is not yet supported, but will likely added in the future version.
Enigmail offered a feature to define automatic message filters, that performed automatic actions based on the properties of an email, and could automatically decrypt a message, and store a decrypted message locally. Thunderbird does not support that this functionality at this time, the messages are kept encrypted, and will need to be decrypted each time you are reading them. As a consequence, at this time encrypted messages are not included in global searches and the message search index.
When receiving an email, Thunderbird will scan the message for attached keys. At this timeCurrently, attachments of type application/pgp-keys and the autocrypt header are automatically processed. Key updates, for keys that you have previously imported, such as expiration extensions or revocations for keys, will be automatically imported at the time of opening a message, without the requirement for manual confirmation. (Feature expected for 78.1.)
Other keys, which haven't been imported previously, will be offered for import. If a new key for the sender's email address is seen, although you have previously accepted a different key, Thunderbird will show an extra warning (new feature expected for 78.1).
Thunderbird will not automatically import keys transferred with the Autocrypt email header mechanism. Thunderbird will not automatically enable encryption with correspondents based on Autocrypt email headers. The user needs to confirm the offer to import the attached key in an email, and then manually accept the use of the key, and also manually enable encryption in messages that are sent.
