Easy & Secure Thunderbird: PGP encryption with Tor Birdy for Linux

The following is a step-by-step guide for setting up Mozilla Thunderbird using PGP with the Enigmail add-on over the Tor anonymity network via the TorBirdy add-on.

This is more of a compilation of instructions based on manuals for installing and setting up Thunderbird, followed by installing and setting up the TorBirdy and Enigmail add-ons. It also includes additional configuration settings for best security and easiest access, as well as a few borrowed screenshots to help you through the process.

Requirements: Full disk or system encryption using Linux, otherwise the security of this procedure is not complete. An up to date version of Tor Browser, as well as a functional internet connection.

Tested on: Linux Mint 18.1 and Lubuntu 16.10/17.04.  This should otherwise work for all Debian-based systems, as well as those where Thunderbird is available. Instructions should work for Windows and OS X from steps 2-10, after Thunderbird installation. 


1. Install latest version of Thunderbird (for best usage and security)
2. Install TorBirdy Add-on for Thunderbird: Access emails via Tor
3. Install Enigmail Add-on for Thunderbird: PGP client for Thunderbird
4. Check TorBirdy is enabled in Thunderbird  – Very Important!
5. Setup User account in Thunderbird
6. Check User account is functioning properly
7. Setup User account PGP keys in Enigmail
8. Check PGP Key configuration in Thunderbird for User account
9. Test PGP Key is working to encrypt/decrypt messages
10. Import and sign keys in Key Management for good house keeping

1. Install latest version of Thunderbird (for best usage and security)

Note: Enter Terminal commands following the $ symbol.

From Tech Mint: Use CTRL + ALT + T from the desktop to open terminal and add the Thunderbird repository under Ubuntu and its derivatives.

$ sudo add-apt-repository ppa:ubuntu-mozilla-security/ppa

Next, update the system software packages using update command.

$ sudo apt-get update

Once you’ve updated the system, install it using the following command.

$ sudo apt-get install thunderbird

Important: For better security ignore any set up email option until TorBirdy is installed.

2. Install TorBirdy Add-on for Thunderbird: Access emails via Tor

In Thunderbird, open Add-ons from the Tools menu (top right, three horizontal lines). Click on either Plugins or Extensions, then search for TorBirdy, followed by clicking Install.

Ignore the Restart now option; this can be done in Step 3.

3. Install Enigmail Add-on for Thunderbird: PGP client for Thunderbird
Repeat Step 2, replacing TorBirdy with Enigmail. After downloading and installing, click Restart now. This will then activate both TorBirdy and Enigmail on restarting Thunderbird.

4. Check TorBirdy is enabled in Thunderbird  – Very Important!

A) Start Tor Browser (check the link if unfamiliar). This will allow TorBirdy to become active. Each time you want to access emails using Thunderbird, Tor Browser will need to be open, otherwise TorBirdy will not allow Thunderbird to use the connection (unless disabled).
B) Open Thunderbird, again for now ignoring setup account options.
C) Check TorBirdy is engaged. With the add-on successfully installed, it will be in the bottom right hand corner of the Thunderbird window. If active, in green, it will read: TorBirdy Enabled: Tor (this is the default).
D) If TorBirdy reads ‘TorBirdy Enabled: JonDo or Whonix’, left click on it and click on ‘Use Tor Onion Router’, which will then change the onion router to Tor.

5. Setup User account in Thunderbird

Now it’s safe to set up your user account…

A) Go to Thunderbird: Click on Menu -> Preferences -> Account Settings
B) In the bottom left-hand corner of the Account Settings window, click on the drop-down menu of Account Actions and go to ‘Add Mail Account…’
C) Enter the following information in Mail Account Setup:
Your name: ***Enter User name***
Email address: ***youremail@provider.net***
Password: ***Enter password of your user account***
(You can leave the option ticked of ‘Remember password’, since your operating system is encrypted, which will make for easier access.)
Protocol: IMAP – This means when moving, deleting, sending emails, etc, this will occur within the mail account itself, not just with your Thunderbird client.


D) Click Continue, TorBirdy will then tell you the following: TorBirdy has disabled Thunderbird’s auto-configuration wizard to protect your anonymity. If this is not the case, check step 4 again. Click OK

Ignore the Server Name example and add your own: imap.***your-email-provider.net***

E) Check Server Settings. In the menu table on the left of Account Settings for youremail@provider.net, go to Server Settings (if not already redirected). The default server settings should read as follows, if not, then correct:

Server Name: imap.***your-email-provider.net***
User Name: ***your user name***
Port: 993
Connection security: SSL/TLS
Authentication method: Normal Password

(Further options can be configured for your own preferences)

F) Check Outgoing Server. In the menu tab on the left of Account Settings, go to Outgoing Server. At the bottom, ‘Details of selected server:’ should read as follows; correct by clicking Edit…, if necessary:

Description: <not specified>
Server Name: smtp.espiv.net
Port: 465
User Name: ***your user name***
Authentication method: Normal password
Connection Security: SSL/TLS
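
The settings checked by eye in steps 4 and 5 are also stored in the profile's prefs.js, so they can be re-checked from a terminal after any add-on or Thunderbird update. The script below is an added example, not part of the original guide; the preference names, Tor Browser's SOCKS address 127.0.0.1:9150 and the sample file contents are assumptions that the guide itself does not state.

```shell
# Added example (not from the original guide): audit prefs.js against steps 4 and 5.
# Assumes Tor Browser's SOCKS listener on 127.0.0.1:9150 and that 3 means SSL/TLS.

pref_value() {  # pref_value FILE NAME -> value without quotes, empty if unset
    awk -v key="user_pref(\"$2\"," 'index($0, key) == 1 {
        v = substr($0, length(key) + 1); sub(/\);[ \t\r]*$/, "", v)
        gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/^"|"$/, "", v); out = v }
        END { print out }' "$1"
}

expect() {  # expect FILE PREF WANTED LABEL -> prints ok/FAIL, returns 1 on mismatch
    got=$(pref_value "$1" "$2")
    if [ "$got" = "$3" ]; then echo "ok    $4"; return 0; fi
    echo "FAIL  $4: $2 is '${got:-unset}', expected '$3'"; return 1
}

audit_prefs() { f=$1; rc=0  # audit_prefs FILE -> returns 0 only if every check passes
    # Step 4: all traffic, DNS lookups included, must go through the local Tor proxy.
    expect "$f" network.proxy.type 1 "manual proxy in use" || rc=1
    expect "$f" network.proxy.socks 127.0.0.1 "SOCKS host" || rc=1
    expect "$f" network.proxy.socks_port 9150 "SOCKS port" || rc=1
    expect "$f" network.proxy.socks_remote_dns true "DNS via proxy" || rc=1
    # Step 5 E/F: every IMAP account on 993 and every SMTP server on 465, both SSL/TLS.
    for id in $(sed -n 's/^user_pref("mail\.server\.\(server[0-9]*\)\.type", "imap");.*/\1/p' "$f"); do
        expect "$f" "mail.server.$id.port" 993 "$id IMAP port" || rc=1
        expect "$f" "mail.server.$id.socketType" 3 "$id connection security" || rc=1
    done
    for id in $(sed -n 's/^user_pref("mail\.smtpserver\.\(smtp[0-9]*\)\.hostname",.*/\1/p' "$f"); do
        expect "$f" "mail.smtpserver.$id.port" 465 "$id SMTP port" || rc=1
        expect "$f" "mail.smtpserver.$id.try_ssl" 3 "$id connection security" || rc=1
    done
    return $rc
}

write_sample() {  # constructed prefs.js excerpt, not taken from a real profile
    cat <<'EOF'
user_pref("mail.server.server1.type", "imap");
user_pref("mail.server.server1.port", 993);
user_pref("mail.server.server1.socketType", 3);
user_pref("mail.smtpserver.smtp1.hostname", "smtp.example.net");
user_pref("mail.smtpserver.smtp1.port", 465);
user_pref("mail.smtpserver.smtp1.try_ssl", 3);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.proxy.type", 1);
EOF
}
sample=$(mktemp); write_sample > "$sample"; audit_prefs "$sample"; rm -f "$sample"  # demo run
```

For a real profile, call audit_prefs on ~/.thunderbird/<profile>/prefs.js; a preference that Thunderbird has not written to the file is reported as unset.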

6. Check User account is functioning properly

Close Account Settings and click on youremail@provider.net in the left-hand column menu. This should begin downloading the message headers and opening the folders Inbox, Drafts, Sent, Junk, etc. This means you have successfully set up the account. It may, however, take a while to download messages, so continue on to the next step.

7. Setup User account PGP keys in Enigmail

To set up a new PGP key (to import your key file see below):


A) Click on Thunderbird Menu -> Enigmail -> Setup Wizard
B) Select ‘I prefer a Standard configuration…’ as settings will be changed later.
C) Followed by ‘I want to create a new key pair…’.
D) Check your user account is the Account / User ID listed
E) Enter a strong passphrase (at least 8 characters)

If you already use PGP, import your key from file:


A) Export your key pair using (for example) GnuPG (if not already saved somewhere, or importable via another PGP client)
B) Click on Thunderbird Menu -> Enigmail -> Key Management
C) Click on File -> Import Keys from File
D) Import Private and Public key files (they may need to be imported separately). A tab should open saying ‘SUCCESS! Keys imported’, with a green tick. In the Key Management window, youremail@provider.net should now be listed.

8. Check PGP Key configuration in Thunderbird for User account


A) Click on Thunderbird Menu -> Preferences -> Account Settings
B) In youremail@provider.net menu click on ‘OpenPGP Security’
C) Click/check ‘Enable OpenPGP Support (Enigmail) for this identity’
D) Check/Choose option ‘Use specific OpenPGP Key ID (0x********)’, click ‘Select Key…’, select ‘User PGP key description <youremail@provider.net>’, and click ‘Select Key…’. Or you can simply select the ‘Use email address of this identity…’ (as in the above screenshot) if you use only one PGP key for your email address.
E) Under Message Composition Default Options, tick these options:
– Encrypt messages by default and – Use PGP/MIME by default
(This will mean it will automatically encrypt messages to PGP keys you have imported to Key Management, for example replying to encrypted messages)
F) Tick ‘sign encrypted messages’ in ‘After application of defaults and rules:’
G) Option: Encrypt draft messages on saving. This is up to you, not really necessary.
H) At bottom, Click on ‘Enigmail Preferences…’, I recommend to configure as:
-> Manual encryption settings
Tick: Encrypt/sign replies to encrypted/signed messages
Automatically send encrypted: If Possible
To send encrypted, accept: All usable keys
Confirm before sending: Always
Click OK to confirm any changes.

9. Test PGP Key is working to encrypt/decrypt messages


A) Top left on Thunderbird main window, click Write
B) Send email to: youremail@provider.net
C) On Enigmail menu bar, click on the padlock (to encrypt) and the pencil (to sign), if not already highlighted by default (in gold).
D) Enter subject: test, Message: testing, click Send. A window should appear named Enigmail confirm, it should read:
Send  PGP/MIME SIGNED ENCRYPTED message to youremail@provider.net? Note: The message is encrypted for the following User ID’s / Keys: 0x***************)
Before clicking OK, highlight and copy (Ctrl + C) your PGP password, if it’s too long to remember for example. Saving the password on your encrypted system isn’t the worst idea either.
Click Send Message
E) When prompted for password, type/paste PGP password, tick ‘Save in Password Manager’ (as your operating system is encrypted) and click OK.
F) Go to Inbox, click on email received named test. It should then have a green bar across the top reading: ‘Enigmail Decrypted message’, with the message therefore reading: testing.
G) Go to Sent box, click on ‘test’ email, the same should appear. Congratulations: Your PGP is successfully working! If not, then go back to step 8 and check settings.
Note: It will likely read ‘UNTRUSTED’; this is because you cannot sign your own key. However, given it is your own key, you can ignore this warning.

FYI: Enigmail will automatically decrypt emails sent to you, you will only see the decrypted messages within it. With Enigmail configured as above, it will automatically select encryption/signing options when replying to encrypted emails, it will always confirm sending encrypted when this has happened, as well as confirm sending unencrypted messages.

10. Import and sign keys in Key Management for good house keeping


A) If you have a public key from another PGP user in your inbox or folders, go to this message and click ‘Import Key’ in the Enigmail options. In this example, the Enigmail menu at the top will be in peach (rather than green), reading: Decrypted message; Unverified signature. Click on the ‘Import Key’ button to import the key.
B) Go into Enigmail Key Management, right click on the user account and email of the previously imported key and select the option ‘Sign Key’. Key for signing: User account …, leave the default option of ‘I will not answer’, click OK. This will mean that you trust this key.
C) Now return to the message where you imported this public key. The Enigmail bar should now be green, as you have verified the public key.
D) Give yourself a pat on the back for successfully installing Thunderbird, TorBirdy and Enigmail, as well as configuring them, not to mention good house keeping by signing trusted keys.
E) Sit back and enjoy the easy and secure access to your emails, including automatic decrypting of emails and automated encrypting of emails.

Brought to you by:
Dragon vs Linux

Disclaimer: Since Thunderbird will download (using Tor) all emails and their attachments to your computer’s operating system, to do so without having your operating system or disk encrypted is considered completely insecure. For example, someone with access to your computer could access your emails if your PGP password is saved, or otherwise easily access unencrypted emails. Using the Thunderbird Master Password is not enough, as this does not encrypt the contents of the mail client. Stay safe!


Author: Dragon vs Linux

The Dragon is a newly found Linux fanatic. Beginning like any basic Linux user, after many years learning and fixing basic problems, the Dragon now writes manuals for Linux solutions and acts as an informal consultant to friends and businesses.

One thought on “Easy & Secure Thunderbird: PGP encryption with Tor Birdy for Linux”

  1. This is the right site for everyone who really wants to understand this topic.
    You realize so much it’s almost tough to argue with you (not that I actually will need to…HaHa).
    You certainly put a fresh spin on a subject that’s been written about for many
    years. Excellent stuff, just great!

