Encrypting Your Thunderbird Mailbox

This is a two-part howto about encrypting data for Thunderbird. The first part is about Enigmail, a way to encrypt your email messages. The second is about encrypting your entire email storage on your computer.

There are a couple different ways to encrypt email. The industry standard way is via S/MIME, and the way preferred by security folks (seems to be) OpenPGP-based encryption.

The difference between the two is that S/MIME uses a centralized authentication system similar to HTTPS. There is a Certificate Authority that hands out Certificates (certs). You can see these certs in the Preferences->Advanced->Certificates->View Certificates dialog.

The idea behind this system is that it relieves the end user (you) of having to manage most of the security infrastructure. When you get a signed, encrypted message, it shows up as "OK", and you can decrypt it.

Think of this type of certification as "like the Department of Motor Vehicles". It licenses cars and drivers, handing out certificates. When you see someone's license, it means something. It's one of the less forgable identifiers we carry.

Enigmail

OpenPGP is a slightly different beast. You need to manage your own certification process - meaning that you maintain a local database of keys (which are basically the same as certificates, for our purposes). You will swap keys with people, and use these keys to send and receive encrypted email.

The technology is similar, but the key sharing mechanism is more explicit and visible to you.

To use OpenPGP with Thunderbird, you use the Enigmail add-on.

Enigmail requires that you install Gnu Privacy Guard (GPG). The encryption is performed by GPG, while Enigmail provides the user interface.

To start using Enigmail, you look under the menu Enigmail -> Key Management. Then you use the menu Generate -> New Key Pair...

Set the Account to your main account, and then click Generate Key. Wait a few minutes while it's created.

Next, you need to upload the keys to the server. In Enigmail -> Preferences, there's a Keyservers tab. Make sure the following server is in the keyservers list:

pool.sks-keyservers.net

Then, when the server's set, right-click on your key in the Key Management window, and select "Upload Public Key to Server". This publishes the public key to the world.

Public and Private Keys

You publish the public key because the encryption system uses two keys: a private key, and a public key. Messages encrypted with the public key can be decrypted with the private key. Messages signed with the private key can be verified with the public key.

When you encrypt a message to someone, Enigmail takes their public key, and then use that to encrypt the message. The recipient';s Enigmail then decrypts it with their private key.

Enigmail also "signs" the message to verify the sender and also verify that the message hasn't been altered.

Enigmail works, but it's hard to find others with whom to exchange mail.

Encrypting Your Mailbox

This is a whole other mess. Generally, people worry about moving email onto the internet, and having it sniffed or spied upon by someone else. They ignore that most email breaches are carried out by taking over someone's PC and then reading the mail that's stored on the PC.

The solution(s) are to encrypt the storage volume.

If you have a laptop, you should be using encrypted disks.

If you are on a desktop, you can settle for using TrueCrypt to make encrypted volumes that appear to be external disks.

Move your .thunderbird directory to this encrypted volume, and then symlink ~/.thunderbird to that directory on the encrypted volume.

You will now need to run TrueCrypt to mount the volume. It's a hassle, but it's safe. Not only does the encrypted .thunderbird contain your mails, it contains the information to log into your email accounts.

POP3 and Inbox Zero

If you are like me, you use IMAP to get your mail. You can then have all your mail in one server, and access it from multiple devices.

The big problem with that is that the email's sitting on a server. If the server is compromised, you're screwed.

It would be great if everyone used OpenPGP, but hardly anyone does. So you're never going to have a ton of encrypted email on the server. Most will be plaintext and readable.

I have no fix for this. What I do is occasionally use POP3 to download my email, and delete it from the server.