Thunderbird:OpenPGP:Migration-From-Enigmail

Changes from Enigmail to Thunderbird 78

This document is intended specifically for existing users of Enigmail, who want to start using Thunderbird 78 and its integrated OpenPGP functionality.

If you have never used the Enigmail Add-on, then you can skip this document.

Due to required technology changes, you'll experience a lot of changes. We have tried to make the new OpenPGP functionality easier to understand and use, but on the other hand, some features will work differently than before, or might be missing.

Before you update to Thunderbird 78, you should read this whole document, to understand the changes that you will see.

Experimental in 78.0, but stable in the near future

If you're reading this before OpenPGP has been declared a stable feature in Thunderbird 78.x (expected for the 78.2 release at the end of August 2020), then please consider staying with Thunderbird 68 and Enigmail for a while longer, especially if you depend on the security of OpenPGP and are worried about correct behavior.

If you're using an early release version of Thunderbird 78, the OpenPGP functionality is still disabled by default.

If you would like to test while OpenPGP support is still experimental, you may open Thunderbird preferences, and use the config editor to change the preference with the name "mail.openpgp.enable" to the value "true". Then restart Thunderbird. This will enable the user interface for OpenPGP.

GnuPG vs. RNP and key storage

Thunderbird no longer uses the external GnuPG software. Previously, all your own keys and the keys of other people were managed by GnuPG, and Enigmail offered you to view, use and manage them. Now that Thunderbird uses a different technology, it's necessary to perform a migration of your existing keys from GnuPG into Thunderbird's own storage (inside the Thunderbird profile directory). Thunderbird uses its own copy of the keys; sharing your keys between Thunderbird 78 and GnuPG currently isn't supported. (Exception: There is an optional mechanism to use GnuPG with smartcards. It's disabled by default and needs more testing.)

The migration functionality isn't provided by Thunderbird itself. Rather, an update of the Enigmail Add-on for Thunderbird 78 will be available, which no longer provides the usual functionality, but instead helps you to perform a migration of your existing keys.

Once you are using Thunderbird 78, Enigmail will update and will offer you to migrate your keys. Note that this will work, even if OpenPGP is not yet stable. The migration process will attempt to configure your email accounts to use the same keys that you had used previously. After the migration has completed, you should open Account Settings and the End-To-End Encryption tab, to verify the configuration.

Thunderbird doesn't use on-demand unlocking (key passwords) of your secret keys. Rather, the only way to password protect the use of your OpenPGP secret keys is to set up the global Master Password feature of Thunderbird, which you can find in Thunderbird's security preferences.

To enable Thunderbird to use your existing secret keys, you must unlock them to import them. This may require you to enter your password twice. First, to confirm that GnuPG is allowed to export the secret key. Second, to allow Thunderbird to access the raw key and copy it into Thunderbird's configuration storage. This is handled as part of the migration process, offered by the updated Enigmail Add-on, which acts as a migration tool.

If you were using the ownertrust configuration for keys with GnuPG, this is handled differently in Thunderbird. The equivalent of marking a secret key as ownertrust ultimate is to use Thunderbird's OpenPGP key manager, open the key's details, and confirm that you accept it as a personal key. This flag will be set automatically by the migration. You might have to set it manually when importing a key using Thunderbird's key manager. The stable Thunderbird release is expected to ask you to set that flag at import time.

Classic Mode vs. Junior Mode

Enigmail had offered multiple modes of operation. If you had started to use Enigmail in recent years, you might have been using Enigmail's Junior Mode, which was operated behind the scenes by pEp software. If you have frequently seen red squares, yellow triangles and green shields with Enigmail, then you were likely using that mode.

Thunderbird 78 does not support the Junior Mode. (However, the aforementioned Enigmail migration Add-on is said to offer you the option to install newer pEp Software for Thunderbird. Note that Mozilla and Thunderbird are not affiliated with pEp.)

Thunderbird's new OpenPGP implementation is more similar to Enigmail's classic mode of operation, which was configured in recent Enigmail releases with the setting "Force using S/MIME and Enigmail". If you have already been using Enigmail for many years, and you already had OpenPGP keys in Enigmail at the time the junior mode was offered for the first time, you have probably been using Enigmail's classic mode, and might have never seen Enigmail's alternative junior mode.

The remainder of this document will not talk about junior mode, but rather will only discuss differences between Enigmail's classic mode and Thunderbird 78.

The workflow of sending encrypted email

Enigmail had a lot of configuration choices to control the email encryption workflow.

Enigmail's "general preferences for sending" allowed a choice of "default" and "manual". The default settings allowed the opportunistic use of encryption, which could also be enabled manually using the "Automatically send encrypted" choice. Thunderbird 78 does not use an opportunistic mode. Rather, it uses a strict mode, where correspondents' keys must be manually accepted before they are used. This is also related to the Enigmail preference that controls which keys are accepted for sending encrypted messages. Enigmail's default was "all usable keys". Thunderbird's new behavior is closer to Enigmail's alternative choice "only trusted keys".

In order to send an encrypted message, Thunderbird requires that you accept each correspondent's key once. However, it attempts to make that process straightforward. When trying to send an encrypted message, and you haven't yet used a correspondent's key, you will be guided to review the keys that you already have available, and review, accept, and optionally verify them. If keys are missing, you'll be given the choice to discover them online on a WKD server, or on the keys.openpgp.org keyserver.

The Enigmail migration will help you by marking as accepted those keys of your correspondents that you have previously certified (signed).

At this time Thunderbird does not support automatically accepting keys if they carry your signature. This functionality might be added at a later time. Also, the Web of Trust functionality is not supported. In other words, with Enigmail and GnuPG some keys of your correspondents might have been automatically accepted for use, if there was a path of trust from your keys, along a path of keys that you had signed, eventually pointing to the key you'd like to use. This indirect trust isn't offered in Thunderbird. Instead, you are currently required to manually accept each recipient key that you'd like to use.

Enigmail offered to show you a prompt at the time you request to send the message, telling you whether the message will be encrypted, signed or neither, and offering you to confirm or cancel the sending of the message. At this time, Thunderbird does not provide this prompt. You should look at the message's security settings prior to sending it; they are shown in the status bar of the composer window. Or you can open the dropdown menu next to the security button. The shown options will tell you if encryption and signing are enabled. Currently, if encryption is enabled for a message, you cannot send the message unless you have valid keys available for each recipient (not revoked, not expired), and you have accepted at least one valid key for each recipient email address. The key availability for a message you are sending can be seen by clicking the security button, or by using the classic menu command "view message security info".

With Enigmail, if you attempted to send an encrypted message, but Enigmail couldn't automatically identify which key should be used to encrypt for a particular recipient, Enigmail would open a rather complex dialog, in which you could manually select the keys to use. Thunderbird will not do this. Rather, you need to have a key for each recipient that contains the recipient's email address in one of the key's user IDs. Thunderbird does not support using alternative keys that contain no email address, nor the use of keys that don't contain a matching email address.
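The two requirements above (a recipient key must be neither revoked nor expired, and one of its user IDs must carry the recipient's email address) can be checked against your GnuPG keyring before migrating. The following is an added example, not part of the Thunderbird or Enigmail documentation: it parses the machine-readable `gpg --list-keys --with-colons` format (field 1 is the record type, field 2 the validity, field 5 the key ID, field 10 the user ID) and lists keys Thunderbird 78 would refuse to encrypt to. The keyring listing embedded below is constructed sample data; on a real system replace it with the command's output.

```shell
#!/bin/sh
# Pre-migration check for correspondent keys. Constructed sample of
# `gpg --list-keys --with-colons` output: one usable key (Alice), one
# expired key (Bob), one key whose user ID has no email address (Carol),
# and one revoked key (Dave). Key IDs and uid hashes are placeholders.
SAMPLE_KEYS='pub:u:3072:1:AAAAAAAAAAAAAAAA:1590000000:1700000000::u:::scESC::::::23::0:
uid:u::::1590000000::HASH1::Alice Example <alice@example.org>::::::::::0:
pub:e:3072:1:BBBBBBBBBBBBBBBB:1500000000:1560000000::-:::scESC::::::23::0:
uid:e::::1500000000::HASH2::Bob Example <bob@example.org>::::::::::0:
pub:-:3072:1:CCCCCCCCCCCCCCCC:1590000000:0::-:::scESC::::::23::0:
uid:-::::1590000000::HASH3::Carol Nomail::::::::::0:
pub:r:3072:1:DDDDDDDDDDDDDDDD:1590000000:0::-:::scESC::::::23::0:
uid:r::::1590000000::HASH4::Dave Example <dave@example.org>::::::::::0:'

# check_keys LISTING: prints "<keyid> <reason>" for every key Thunderbird 78
# cannot use for encryption. No output means every key in the listing is usable.
# Validity field: "r" = revoked, "e" = expired (GnuPG colon-format semantics).
check_keys() {
  printf '%s\n' "$1" | awk -F: '
    function flush() {
      if (kid == "") return
      if (val == "r") print kid " revoked"
      else if (val == "e") print kid " expired"
      else if (!hasmail) print kid " no-email-uid"
    }
    # A "pub" record starts a new key; report the previous one first.
    $1 == "pub" { flush(); kid = $5; val = $2; hasmail = 0 }
    # Any uid of the form "Name <user@host>" satisfies the email requirement.
    $1 == "uid" && $10 ~ /<[^<>@]+@[^<>@]+>/ { hasmail = 1 }
    END { flush() }'
}

check_keys "$SAMPLE_KEYS"
```

To run it against your own keyring, pass `"$(gpg --list-keys --with-colons)"` to check_keys instead of the sample string.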

Also, because Enigmail used GnuPG to encrypt, it was possible to use advanced configuration in a GnuPG configuration file, which controlled which keys would be used automatically based on recipient email addresses. At this time, Thunderbird does not offer an equivalent feature.

Enigmail offered a configuration mechanism named per-recipient-rules. Thunderbird does not support that feature at this time, and will ignore the previous configuration.

Today, if you enable encryption for a message, then digital signing will be automatically enabled, too. And if digital signing is used, the option to attach your own public key to the message is automatically enabled, too. You may manually disable these options for an individual message, if desired.

Other changes

Previously, instead of sending your public key as an attachment, Enigmail had the functionality to include your public key in a hidden email header according to the Autocrypt standard. This functionality currently isn't offered, but might be added in the future.

Because Thunderbird continues to support the S/MIME email security technology, you'll find a new choice in the security or options menu, which allows you to control the encryption technology that you would like to use.

When receiving an email, to display the OpenPGP security status of a message, Enigmail used a line of text above the message sender information. This has been changed to work similarly to showing the status of S/MIME messages. Instead of a line of text, icons will be shown to visualize the state of the message.

A padlock in varying appearances is used to show the encryption status of a message you have received. A stamped envelope icon in varying appearances is used to show the digital signature status of a message you have received. You may click the icons to view a more detailed explanation.

The signature status of a message depends on the status you have granted to the signer's key, whether you have accepted it or not. A signature is treated as valid, if it is technically correct, if you have already imported the key, and if you have accepted to use the sender's key. You have the choice to simply accept a correspondent's key without further verification, which will not confirm that you are using the correct key, but at least you will be able to distinguish the use of known keys from the use of keys that you haven't yet accepted. If you prefer, you may perform the more secure fingerprint verification, and mark a key as verified. The digital signature status icon will be different after marking a sender's key as verified.

When telling Thunderbird that you have verified a correspondent's key, Thunderbird will remember this information separately from the key. The classic way of remembering it is by adding a key certification to your correspondent's key (signing their key). This is not yet supported, but will likely be added in a future version.

Enigmail offered a feature to define automatic message filters, which performed automatic actions based on the properties of an email, and could automatically decrypt a message and store the decrypted message locally. Thunderbird does not support this functionality at this time; messages are kept encrypted, and will need to be decrypted each time you read them. As a consequence, encrypted messages are not included in global searches and the message search index.

When receiving an email, Thunderbird will scan the message for attached keys. Currently, attachments of type application/pgp-keys and the autocrypt header are automatically processed. Key updates, for keys that you have previously imported, such as expiration extensions or revocations for keys, will be automatically imported at the time of opening a message, without the requirement for manual confirmation. (Feature expected for 78.1.)

Other keys, which haven't been imported previously, will be offered for import. If a new key for the sender's email address is seen, although you have previously accepted a different key, Thunderbird will show an extra warning (new feature expected for 78.1).

Thunderbird will not automatically import keys transferred with the Autocrypt email header mechanism. Thunderbird will not automatically enable encryption with correspondents based on Autocrypt email headers. The user needs to confirm the offer to import the attached key in an email, and then manually accept the use of the key, and also manually enable encryption in messages that are sent.