Sending encrypted emails using Thunderbird and PGP

More than 200 billion e-mails are sent worldwide every day. Although it is a very practical tool for exchanging information, it is also vulnerable and users can encounter problems such as interception, identity theft and monitoring. Yet there are easy ways to ensure your Internet activities remain confidential.

Use an email client, not webmail

One way of enhancing the confidentiality of your email is to use an application to send and receive email, such as Thunderbird.

One of the most important security factors when you send emails is the method you use to log into your email provider. Thunderbird allows you to control how you log in. Whenever possible, you should use an SSL (Secure Sockets Layer) or TLS (Transport Layer Security) connection. These protocols protect your email password from possible interception by any third-party software installed on your system or at any point between Thunderbird and your email server.

How to configure Thunderbird

Thunderbird is free software. You can download it free of charge from the Mozilla project website. Once you have installed it, you need to configure it to connect to your email provider. Don’t worry, Thunderbird does most of this by itself. 


When you launch Thunderbird for the first time, a wizard helps you configure the link between your account and the email client. If you already have an email address, when the assistant is launched choose “Skip this and use my existing email”. All you need to know is your email address, username and password. Enter these on the next page. Thunderbird retrieves the data from the mail server. The software automatically configures the most widely used email address such as Gmail, Yahoo, Hotmail. The screenshot below shows an example of a Gmail address.

However, if your address is not in the Thunderbird email database, you will have to configure your account manually. In that case you will need:

  • your email address
  • your username
  • your password
  • the name and the protocol of the receiving server (for example IMAP will be and POP will be
  • the name of the outgoing mail server (

You can find this information in the help pages of your email provider

To see for yourself whether Thunderbird uses SSL or TLS, go to Tools->Account settings>Server settings and check the section “Security settings”.

Using Thunderbird and the TSS or SSL protocol only protects the connection between your computer and the email server. They do not ensure the security of your exchanges with a third party. Your emails may be intercepted at various points between the server and the recipient’s computer. To remedy this, it is possible to encrypt one’s emails end-to-end by using the protocol PGP (pretty good privacy). 

How to encrypt email using PGP

Cryptography, from the Greek for “hidden writing”, is the main technique used to ensure effective confidentiality of electronic communications.

PGP is the protocol that we shall use to encrypt our emails end-to-end. Its use excludes any possibility of interception. Your emails are encrypted from start to finish and only the addressee is able to decrypt it. Note that the “subject” line and the other header fields of a PGP-encrypted email are not encrypted.

Beware: Encryption attracts attention.


Sending encrypted emails can sound the alarm for the authorities and may lead to unwanted attention. There is another way of sending email securely and anonymously: disposable email addressing.

In order to understand how to implement PGP in Thunderbird, it is important first of all to cast an eye over the principle of asymmetric encryption on which PGP is based.

Classic encryption

Ann and Michael want to exchange secret messages, so they agree on an encryption and decryption code and a key. Then they exchange messages using them. The snag with this method is that if a third person intercepts the messages in which Ann and Michael exchange their key, that person can see it and use it, perhaps to send bogus e-mails to Ann and Michael. So Ann and Michael have to exchange their key when nobody else can see it, by meeting in person, for example. 

Asymmetric encryption

The best way to fix the problem is to use “asymmetric” encryption. Two keys are needed
for this, one to encrypt, the other to decrypt. Details of the encrypting key (the “public
key”) can be exchanged without risk over the Internet because it can’t be used to decrypt messages. The decrypting key (the “secret key”) must never be communicated.

With asymmetric encryption, Ann has her own pair of keys (a public key that she gives out and a secret one that she keeps). Ann sends her key to Michael, who uses it to encrypt his messages to her. Only Ann, with her secret key, can then decrypt Michael’s messages. Michael, with his own pair of keys, in turn sends his public key to Ann, who can then reply to his messages in complete privacy.

But since the public key is exchanged over the Internet without special protection, it’s best to check its validity with its owner. Each key has a “fingerprint” (a short string of characters), which it’s easy to communicate in person or over the phone.

An unverified key may be a false one issued by a third person with evil intent, making the encryption totally useless. The reliability of asymmetric encryption depends entirely on protecting the secret key and checking the public key of the other person. OpenPGP (Open Pretty Good Privacy) is the standard asymmetric encryption. The most popular software to generate and use a pair of keys and manage the public keys of its correspondents is GnuPG (GNU Privacy Guard), which can be used with email clients as well as Macs, Windows and Linux.

Using PGP with Thunderbird

How to install PGP on Windows

To be able to send encrypted emails, there are three things you need:

  1. Software that allows you to generate your secret key and the manage the public keys of your contacts: gpg4win
  2. An email client installed on your computer: Thunderbird 
  3. A plug-in that allows the encryption of emails: enigmail

After downloading and installing gpg4win, install the enigmail plug-in for Thunderbird.

  1. Got to the Thunderbird menu Tools->Add-ons, which opens the plug-ins window.
  2. Write “Enigmail” in the search window and click the search button.
  3. Click the “install” button.
  4. Once installation is completed, relaunch Thunderbird.

How to install PGP on Mac OS X

To install PGP on a Mac, all you need to do is download the suite of free and open source tools at GPGtools. These include all the necessary tools for using PGP on Mac OS X.

Generate a PGP key

To encrypt your emails using PGP, you need to generate a public key and a private key. This is done easily in Thunderbird by following the steps suggested by the PGP key wizard. To launch it, choose OpenPGP->Setup wizard.


Once the wizard has been launched, follow the instructions, choosing the default options:

Signing: “Yes, I want to sign all of my email” – you will authenticate all the emails you send using your private key.

Encryption: “No, I will create per-recipient rules or those that sent me their public key” – not all the emails you send will be encrypted, i.e. you decide whose messages you will encrypt.

Preferences: “Yes” – you authorize the wizard to make changes to the default formatting of you emails, which should be in plain text in order to be compatible with PGP.

Open PGP key not found: If you have no PGP key, this screen shows you how to generate one.

Creating a key: To prevent your secret key being used by anyone else, the wizard suggests you protect it with a password. Enter a password in both fields. Using fast words is good method of creating secure passwords.

Everything is ready. To launch the creation of your PGP key, click “next”.

Optional: You can create a revocation certificate. This will allow you to disable your key if you lose it. Keep it somewhere safe on your hard disk

Note: If the wizard ask for the path to the GnuPG application, this was installed at the same time as GPG4win and is on your disk in Program Files (x86) > GNU > GnuPG > gpg2.exe.

The creation of your PGP is complete and you can now sent encrypted emails, so long as you have the recipients’ public keys.

Sending an encrypted message

In Thunderbird, click the “write” button, which opens a message window. At the bottom right there are two symbols, a pencil and a key.

These allow you to sign or encrypt a message. Click on the key, which will turn yellow, and write your message. 

If you click on “send” and you have not retrieved the addressee’s public key, Thunderbird will suggest downloading if for you. In the screen below, click on 
“Download missing keys”.

A window appears showing a choice of servers that host public keys.

Thunderbird suggests standard directories of the most commonly used public keys. Choose one of the servers and click OK. If the addressee has published his key in one of the suggested directories, you should be able to retrieve it easily.

Click OK to download the key.


Once it is completed, the result is shown in a window. Close this window. The addressee’s key will now appear in the list offered by the application. Choose it and click OK.

If you have protected your own key with a password (which you should have done if you have generated a key following this tutorial), Thunderbird will ask you to enter your password to encrypt the message using your secret key. Enter the password and click OK.

The message has been sent.

There are other methods for importing addressees’ public keys. For example they could send it to you by email and provide you with the fingerprint. The fingerprint is a unique number that allows you to identify a public key. By verifying a key’s fingerprint you can ensure you are sending the message to the intended recipient.

For more information on using PGP and key management, see the Enigmail handbook.