
Thunderbird + OpenPGP: How to Send Encrypted Email Step by Step

Learn how to set up end-to-end encrypted email with Thunderbird and OpenPGP. Generate keys, exchange them, and encrypt every message you send.


Email was not designed with privacy in mind. Without encryption, your messages travel across servers in plaintext — readable by your provider, by anyone who intercepts the connection, and potentially by law enforcement with a subpoena. OpenPGP (the open standard based on Pretty Good Privacy) gives you genuine end-to-end encryption: only the intended recipient can decrypt what you send.

Since version 78, Mozilla Thunderbird ships with native OpenPGP support — no Enigmail plugin required. This guide walks through the full setup from installation to sending your first encrypted message.

Step 1: Install Thunderbird

Download Thunderbird from thunderbird.net and install it for your platform. It is available for Windows, macOS, and Linux. Most Linux distributions also package it:

# Debian/Ubuntu
sudo apt install thunderbird

# Fedora
sudo dnf install thunderbird

# Arch
sudo pacman -S thunderbird

Launch Thunderbird and connect your email account. The setup wizard handles most configurations automatically for major providers (Gmail, Outlook, Fastmail, Proton via IMAP bridge). For Gmail, you may need to enable “Allow less secure apps” or use an App Password if you have 2FA enabled — though for privacy, consider migrating to a provider like Proton Mail or Tutanota that does not harvest your data.

Step 2: Generate Your OpenPGP Key Pair

OpenPGP uses asymmetric cryptography: you have a public key (share it freely) and a private key (never share it). Messages encrypted with your public key can only be decrypted by your private key.

In Thunderbird:

  1. Open Tools → OpenPGP Key Manager
  2. Click Generate → New Key Pair
  3. Select your email account from the dropdown
  4. Set a strong passphrase — this protects your private key on disk
  5. Key type: ECC (Curve25519) is modern and recommended; RSA 4096 works too
  6. Set expiry: 2 years is a sensible default — you can extend it later

Click Generate Key. This may take a few seconds. Once complete, your key pair appears in the Key Manager.

Export Your Public Key

Right-click your key in the Key Manager and select Export Public Key(s) to File. Save the .asc file somewhere accessible — you will share this with contacts.

You can also copy your public key as ASCII-armored text:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEZxample...
-----END PGP PUBLIC KEY BLOCK-----

Post this on your website, email signature, or upload it to a keyserver like keys.openpgp.org.

Step 3: Upload Your Public Key to a Keyserver

Key servers let others find your public key without you manually sending it to them.

  1. In Key Manager, right-click your key
  2. Select Upload Public Key to Keyserver
  3. Thunderbird defaults to keys.openpgp.org — this server requires email verification before publishing, which prevents key spam

Alternatively, upload manually at keys.openpgp.org by pasting your exported .asc file.

Step 4: Import a Contact’s Public Key

To encrypt mail to someone, you need their public key. They can send it to you directly, or you can search for it.

Import from a file:

  1. Ask your contact to send you their .asc public key file
  2. In Key Manager: File → Import Public Key(s) from File
  3. Select their .asc file — their key now appears in your keyring

Search a keyserver:

  1. In Key Manager: Keyserver → Discover Keys Online
  2. Enter their email address
  3. If found, click Import

After importing, right-click the key and set Accepted trust level if you have verified the key belongs to them (ideally via a phone call or in-person fingerprint comparison).

Step 5: Verify Key Fingerprints

A key server can serve a key that carries your contact's name but was created by someone else. The only way to be sure a public key really belongs to your contact is to compare fingerprints through a separate channel.

A fingerprint looks like:

4A3B F291 8E2C 10D4 77F3  8849 BA91 22CE 1A8F 2B5E

Call your contact and read the fingerprint aloud, or meet in person. If it matches what Thunderbird shows, mark the key as Verified in Key Manager.
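A fingerprint is not an arbitrary label: it is the SHA-1 hash of the public-key packet inside the .asc file, which is why two keys with the same name but different key material always show different fingerprints. The following script is an added example, not Thunderbird's code and not part of the original guide. It uses only the Python standard library to strip the ASCII armor (checking the CRC-24 trailer), walk the OpenPGP packets, compute the v4 fingerprint, print it in the grouped form Thunderbird shows, and compare it against a fingerprint a contact read aloud. The key embedded in it is a constructed placeholder (a fake Curve25519 point with a made-up user ID), and the function names are this example's own.

```python
# Added example, not Thunderbird's or the article's own code. Standard library only:
# de-armor a public key, compute its v4 fingerprint (SHA-1 over the public-key
# packet, RFC 4880 12.2), show it as Thunderbird does, and compare it with what a
# contact read aloud.
import base64, hashlib, hmac, re

BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """Armor checksum: CRC-24 with polynomial 0x1864CFB and initial value 0xB704CE."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(raw: bytes) -> str:
    """Wrap raw packet bytes in the armor format shown in the article."""
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, ""] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + ["=" + crc, END])

def dearmor(text: str) -> bytes:
    """Strip armor, check the CRC-24 trailer, return the raw packet bytes."""
    lines = [line.rstrip() for line in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an armored public key block")
    body = lines[1:-1]
    if "" in body:                        # optional armor headers end at the first blank line
        body = body[body.index("") + 1:]
    raw = base64.b64decode("".join(line for line in body if not line.startswith("=")))
    for line in body:                     # "=" + base64(CRC-24) trailer
        if line.startswith("=") and crc24(raw) != int.from_bytes(base64.b64decode(line[1:]), "big"):
            raise ValueError("armor checksum mismatch: the key block is damaged")
    return raw

def packets(raw: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(raw):
        ctb, i = raw[i], i + 1
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        if ctb & 0x40:                    # new-format header
            tag, first, i = ctb & 0x3F, raw[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + raw[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(raw[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                             # old-format header (GnuPG exports use these)
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 3)
            if ctb & 3 == 3:
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(raw[i:i + n], "big"), i + n
        yield tag, raw[i:i + length]
        i += length

def fingerprint(raw: bytes) -> str:
    """40 hex digits: SHA-1 of 0x99, a two-byte length, and the public-key packet body."""
    for tag, body in packets(raw):
        if tag == 6 and body[0] == 4:     # tag 6 = public key; only v4 keys handled here
            return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
    raise ValueError("no v4 public-key packet found")

def display_fingerprint(fp: str) -> str:
    """Five groups of four, a double space, five more: the form Thunderbird shows."""
    groups = [fp[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])

def fingerprints_match(shown: str, spoken: str) -> bool:
    """Ignore spacing, colons and case; anything but exactly 40 hex digits never matches."""
    a = re.sub(r"[^0-9A-F]", "", shown.upper())
    b = re.sub(r"[^0-9A-F]", "", spoken.upper())
    return len(a) == 40 and hmac.compare_digest(a, b)

# Constructed sample: a v4 EdDSA (Curve25519) public-key packet plus a user-ID
# packet. The 32-byte point is a placeholder, not a real key.
SAMPLE_KEY_BODY = (
    b"\x04" + (1700000000).to_bytes(4, "big")      # version 4, creation time
    + b"\x16"                                       # algorithm 22 = EdDSA
    + b"\x09\x2b\x06\x01\x04\x01\xda\x47\x0f\x01"   # OID for Ed25519
    + (263).to_bytes(2, "big")                      # MPI bit count: 0x40 prefix + 32 bytes
    + b"\x40" + bytes(range(1, 33))
)
SAMPLE_USER_ID = b"Alice Example <alice@example.org>"
SAMPLE_RAW = bytes([0xC6, len(SAMPLE_KEY_BODY)]) + SAMPLE_KEY_BODY + bytes([0xCD, len(SAMPLE_USER_ID)]) + SAMPLE_USER_ID
SAMPLE_ARMORED = armor(SAMPLE_RAW)

if __name__ == "__main__":
    fp = fingerprint(dearmor(SAMPLE_ARMORED))
    print("Thunderbird shows :", display_fingerprint(fp))
    print("last digit wrong  :", fingerprints_match(fp, fp[:-1] + ("0" if fp[-1] != "0" else "1")))
    damaged = SAMPLE_ARMORED.splitlines()
    damaged[2] = "A" + damaged[2][1:]               # corrupt the first base64 character
    try:
        dearmor("\n".join(damaged))
    except ValueError as err:
        print("damaged .asc file :", err)
```

Two details matter in practice. The comparison strips spaces and colons and ignores case, because contacts read fingerprints aloud in all sorts of formats, but it refuses anything shorter than the full 40 digits: comparing only the last eight (the short key ID) is not enough, since short IDs can be deliberately collided. And the CRC-24 check catches a .asc file mangled in transit (a line wrapped by a mail client, say); it is an integrity check, not an authenticity check, which is exactly why the fingerprint call in Step 5 is still needed.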

Step 6: Send an Encrypted and Signed Email

Compose a new message to your contact who has a verified key.

In the compose window:

  • Click the Security menu (padlock icon in the toolbar)
  • Enable Encrypt This Message
  • Enable Digitally Sign This Message

Encryption ensures only the recipient can read the message. Signing proves it came from you (using your private key) and has not been tampered with.

When you click Send, Thunderbird will prompt for your key passphrase if it is not cached. The message is then encrypted before leaving your machine.

What the Recipient Sees

Your contact opens the email in their OpenPGP-capable client and sees a padlock icon indicating the message is encrypted and signed. They enter their own passphrase to decrypt. The decrypted content is displayed as normal text.

Step 7: Enable Per-Account Encryption Defaults

To always encrypt when a contact’s key is available:

  1. Tools → Account Settings
  2. Select your account → End-To-End Encryption
  3. Check Add my digital signature by default
  4. Check Encrypt messages by default (Thunderbird will only encrypt when a valid key is available)

Key Management Best Practices

Back up your private key. If you lose it, you cannot decrypt any messages sent to you.

Key Manager → Right-click your key → Export Secret Key(s) to File

Store this backup on an encrypted USB drive in a safe physical location. Never upload your private key anywhere.

Set a key expiry and renew it. An expired key signals to contacts that something may be wrong. Renew before expiry:

  1. Key Manager → right-click your key → Edit Key Expiry
  2. Extend by 1–2 years

Revoke a compromised key. If your private key is stolen:

  1. Key Manager → right-click → Revoke Key
  2. Upload the revocation certificate to the keyserver

This tells anyone who fetches your key that it should no longer be trusted.

Limitations to Understand

OpenPGP encrypts the message body and attachments, but not the subject line, sender, recipient, or metadata. Your email provider still sees who you are communicating with and when. For metadata-resistant communication, tools like SimpleX Chat or Session go further.

Also, both parties must use OpenPGP-capable software. Most webmail clients (Gmail, Outlook.com) do not support it natively — this is one more reason to use Thunderbird.

Quick Reference Table

Action                 Location in Thunderbird
---------------------  ------------------------------------------------
Generate key pair      Tools → OpenPGP Key Manager → Generate
Import contact key     Key Manager → File → Import
Search keyserver       Key Manager → Keyserver → Discover Keys Online
Encrypt a message      Compose → Security → Encrypt This Message
Sign a message         Compose → Security → Digitally Sign
Back up private key    Key Manager → Export Secret Key(s) to File

End-to-end encrypted email is one of the most powerful privacy tools available to ordinary users. With Thunderbird’s native OpenPGP support, the barrier to entry has never been lower. Set it up once, share your public key, and start communicating with confidence.
