Thunderbird:OpenPGP:Smartcards

From MozillaWiki
Jump to: navigation, search

Thunderbird's OpenPGP feature contains experimental support for using the secret key on a smartcard using GnuPG. Decryption and Signing works with the 78.1 release, when enabled and configured according to these instructions.

How to use Thunderbird 78 with smartcards

Thunderbird 78 does NOT use GnuPG by default. Instead, it uses the RNP library. The RNP library does NOT yet support the use of smartcards for secret keys.

This means, in the default configuration, Thundbird does not support smartcards. However, using smartcards is possible using an optional, advanced configuration mechanism.

If you'd like to use a smartcard with Thunderbird 78, you must perform several manual configuration steps.

Install GnuPG and GPGME

You need to download and install GnuPG yourself. In addition, you must ensure the GPGME C library is installed in a corresponding version. You must ensure that Thunderbird 78 can find GPGME in the system library search path.

Install your smartcard

You're responsible for installing all software that is required to use your Smartcard. You must use the appropriate tools to prepare your smartcard for use, for example, the card must contain an appropriate key pair. You must make note of the primary key ID of the smartcard's key that you'd like to use. It has 16 characters. It is the same as the last 16 characters of your primary key's fingerprint.

Allow the use of external GnuPG

Use the Thunderbird config editor (found at the bottom of preferences/options), and search for mail.openpgp.allow_external_gnupg. Switch the value to true.

Enabling this preference will cause Thunderbird to attempt to decrypt a message using GnuPG, whenever RNP fails to decrypt a message with the secret keys that are available inside Thunderbird's key storage.

Enabling this preference is also required for the remaining settings described on this page.

Qubes split GPG configuration

The Qubes OS offers a mechanism to store your GPG keys in a separate VM. This is similar to using a smartcard, and Thunderbird 78 supports it.

In addition to the explanations above, you must set a preference that tells thunderbird that you want to use the GnuPG wrapper tool provided by Qubes OS.

Open the config editor, search for mail.openpgp.alternative_gpg_path. Set its value to /usr/bin/qubes-gpg-client-wrapper . Restart Thunderbird after this change.

Configure an email account to use an external GnuPG key

Open the Account Settings and open the End-to-End Encryption tab of the respective email account. Click the "Add Key" button. You'll be offered the choice "Use your external key through GnuPG". Select it and click Continue.

Now paste or type the ID of the secret key that you would like to use. Be careful to enter it correctly, because your input isn't verified. It should be exactly 16 characters, as explained further above. Confirm to save this key ID.

This key ID will be used to digitally sign messages with your account. It will also be used when you send an encrypted message, which will be encrypted for you, in addition to encrypting for the message recipients. For this to work, Thunderbird needs a copy of your public key. At this time, Thunderbird doesn't fetch the key from GnuPG, you must manually import it.

Use GnuPG to export a copy of your public key. Use Thunderbird's Tools menu to open OpenPGP Key Management. In that window, use the File menu to access the Import Public Key command. Open the file with your public key. After the import was successfull, you must open the key details, and you must mark your own key as "accepted".

Once this is done, you should be able to send an encrypted and signed email. You can try it by sending an email to yourself.

(For configurations that use an offline primary key: It may also work to configure the ID of a sub key that can be used for signing. Based on feedback, Thunderbird seems to be able to automatically find the related encryption sub key.)

Trying decryption

Try to open a message that can only be decrypted using the key from your external setup (e.g. from the smartcard of from the Qubes OS setup). You might be prompted by gpg-agent for your key's password, and then decryption should work, and the decrypted message contents should be shown.

Limitations of using GnugPG

This page describes the use of GnuPG to use a smartcard. However, please be aware that the optional use of GnuPG is strictly limited to secret key operations. Only decryption and digital signing are supported.

For all public key operations and their trust settings, Thunderbird 78 will always use the internal RNP library. GnuPG will not be used for encryption, and GnuPG will not be used for signature verification.

Although the intention is to support secret keys on smartcard, there's currently no strict limitation to this scenario. If a secret key is contained in a GnuPG keyring that's stored on the computer's disk, this setup should work, too.

Thunderbird 64 bit on Windows

You must perform a manual configuration to allow the 64-bit version of Thunderbird for Windows to find the 64-bit GPGME library. It's located in Gpg4Win's installation directory, in a bin_64 subdirectory.

Open the system control panel. Search for the system environment variable settings and open them. In the list of existing system variables, you'll find an existing variable named "Path". Select and edit it. Add a new entry that points to the bin_64 subdirectory.

For example, the standard installation directory for Gpg4Win is c:\Program Files (x86)\Gpg4Win

If this directory was used on your system, then add a new entry c:\Program Files (x86)\Gpg4Win\bin_64

If necessary, move the entry up, to a position before the existing Gpg4Win entry.

Thunderbird on macOS

There are several way to obtain GnuPG for macOS. You should obtain the gpg executable and the GPGME library from the same source, to ensure you have are using versions that are compatible with each other.

If you are using a smartcard that is protected with a PIN or a password, you must ensure that you have software installed that allows GnuPG to prompt you. When installing GnuPG from the Homebrew project, the default pinentry package is insufficient. You should install the pinentry-mac package, and you need to configure the GnuPG software to use it. In your home directory, edit file .gnupg/gpg-agent.conf and ensure it contains a statement to define your pinentry program: pinentry-program BREWPREFIX/bin/pinentry-mac

The above BREWPREFIX must not be used literally. Rather, you must replace it with the homebrew installation path used on your system. You may obtain it by executing the following command: brew --prefix