Get e-mail encryption with the least hassle possible

Comments None

Tested on Windows 7. Confirmed by a friend to work on Linux as well (just download the same tools, but for linux).

1. Use Thunderbird, the e-mail program.
If you are using an earlier version than 24 or no Thunderbird at all,
download e.g. Version 24.6 from and install it.

Configure your e-mail account in Thunderbird.
If this does not work automatically, then details have to come from your e-mail provider.
 If they offer IMAP and POP, prefer IMAP.

Do not forget to test sending and receiving unencrypted e-mails with Thunderbird
  to make sure that you are ready for the next step.


2.Use GPA, the crypto program. (“Gnu Privacy Assistant”)

Download:   (also called the “GPG4win” package)

Install it and choose only GnuPG and GPA, when given the choice.

Start GPA (e.g. from Desktop or start menu),

  • Create your key:     Either GPA will ask you to, or otherwise select:
    menu bar – Keys – New key, but

  • enter NO passphrase. Confirm questions like “Really no passphrase?!”.

You actually created a pair of keys:

  • Public key: Your communication partners need this to crypt e-mails to you.
    How to share it is explained further below.
    It cannot be used to remove encryption, though. Thus you can give it to your worst enemy without harm.

  • Secret key: With this key only, the above mentioned encryption is removable,
    so that at least you can read the mails. Keep it to yourself.

  • Make sure you understand the difference.


3.Use Enigmail, the plugin for Thunderbird.

It connects GPA and Thunderbird.

Download at:
and save it somewhere. It is the last program I ask you to download :-)

Install it using Thunderbird:

  • Thunderbird – Menu Bar – Tools – Add-ons

  • in the upper right area:   click on the gear-wheel button

  • choose “Install Add-on From File…”

  • choose the “enigmail… .xpi“ file you just downloaded

  • restart Thunderbird

Now there is some configuration to be made.

Either Enigmail will ask you, or you configure them in the “OpenPGP” menu of the main Thunderbird window.

They could be named or placed a wee bit differently in your Version…

  • When asked, choose only one Identity, and choose the key you created with GPA earlier.
  • When asked, choose always sign messages. It does not hurt.
  • When asked, choose always encrypt messages. You can only encrypt if a receiver has created a key pair, anyway.
  • When asked, choose Encrypt message before saving and Do not ask me again
  • When asked, choose Encrypt/sign message as a whole.
  • When asked, choose Hide BCC recipients.

  • Prevent Enigmail from hiding settings from you:
    Thunderbird – Menu Bar – OpenPGP – Preferences - Button: Display Expert Settings

  • Prevent Enigmail from asking you before sending each mail:
    Thunderbird – Menu Bar – OpenPGP – Preferences – Key selection – “No Manual Key selection”
    (Will send unencrypted mails to recipients that have not given you a public key yet, without warning.)

  • Prevent Enigmail from adding its self-advertising banner to your mails:
    Thunderbird – Menu Bar – OpenPGP – Preferences - Advanced – Disable “Add Enigmail comment …”


4.Send your public key to people – then they can encrypt mails to you

  • Via e-mail: (recommended)
    • Thunderbird – Start writing an e-mail as usual -
      menu bar – OpenPGP – “Attach my public key”

    • Consider also sending a link to this tutorial
      if the person does not have a working setup already.

    • Ask for their public key,
      so that you can send crypted mails to them.

  • Via public key server: (recommended as an addition)

    GPA – Brief(key list) – select your key. Then: menu bar: Server – Send key

    by default is used, which is fine as far as I know.

5.Import their public key to be able to encrypt mails you send

  • Via e-mail:

    Assuming that the public key of another person is attached to an e-mail you received…

    Thunderbird – click on attachment to get the context menu, e.g. with right mouse button – Import public key…

  • Via public key server:

    Assuming that the public key was sent there by its owner already.

    GPA – menu bar – Server – Retrieve keys…


You are finished. But read on to understand more and get more out of your setup with ease.

  • Check whether encryption really worked: Strongly recommended!
    The receiver (only!) can verify this by two means:
    • Either check whether Thunderbird shows “Decrypted message
      above the received mail, on green or blue background.
    • Or select the received mail in the Thunderbrid main window, then:
        menu bar – View – Message Source
      now search for the text that should be encrypted:
        menu bar of source window – Edit – Find
      If you do not find the text, encryption works.
    • The sender of a mail cannot see whether encryption worked, with this setup. Because in his “Sent“ folder, his own public key is used. But the mail sent over the wire has to be crypted with the (public) key of the recipient!

  • Let GPA make a backup, when it asks for it.
    This crashed GPA on my computer but the backup was made,
    so nothing was lost.
  • Make sure that the public keys you send and receive are not replaced
    with another key claiming to be yours. Strongly Recommended!

    This is a very common procedure and is also called “verifying by fingerprint”.
    The following three steps are all it takes:

    1. Look at the fingerprint of your key: In the GPA Program select Brief(key list) – select your key

    The fingerprint is shown on the bottom of the window,
      below “Details“, in an extra line
      starting with “Fingerprint“.
      It looks like: 41B5 95D3 8E4E 1D5C DDD2 5087 2E38 5BA4 F67A 11FD

    2. Send this fingerprint of your key to the person that also received your public key.
    But send it by other means than e-mail to make sure it is not replaced on its way. Send it …

    • Via writing it on any webpage: OK
    • Via mobile text message: Good
    • Via reading it on the phone: Very Good
    • Via meeting in person and showing/giving the fingerprint: Perfect. No one may replace the fingerprint on its way.

    3. The recipient then compares this fingerprint
      with the fingerprint shown in her GPA: She should…
      start GPA
      select your(!) key
      compare the fingerprint at the bottom.

    Done. But you should also compare fingerprints for public keys you receive !

  • If you verified someone’s key by fingerprint,
    you may define the key as trusted. E.g. by:
    In the GPA Program select Brief(key list) – open context menu of the key by e.g. right clicking on it – Set Owner Trust

  • If you want to make an exception, you may prevent signing or encrypting one specific mail that you are writing, by this one step:
    In the Thunderbrid window opened for writing that mail, in the menu bar or button bar:
    Open “OpenPGP“ and then remove the check sign.
    This setting will not be remembered for other mails you’ll write.

  • The setup described on this page does NOT protect your secret key -
    anyone with access to your computer (or backup)
    can get your secret key and read all your e-mails and sign forged e-mails.

  • You can add a passphrase to your secret key to protect it.
    I do not recommend it; but this is how it’s done:
    In the GPA Program select Brief(key list) – select a key – menu bar – Keys – Edit secret key
    From then on you have to enter your passphrase
    when you want to read crypted mails or sign mails.
    (GnuPG remembers the passphrase for a few minutes.)

  • At some point in the future you may want to use your mail setup on a new(ly installed) device.
    No Problem:
    GPA – Brief(key list) – select your key. Then: menu bar: Keys – Export
    This creates a copy of your key pair. – Also Recommended as a backup!
    Take good care of the exported file.
    Later just import this file at the new place.

Good to Know:

  • All mails saved to your “Sent”-Folder from now on are encrypted,
    with your key,
    so that you can read them.
    Even all the sent mails which are not encrypted on their way to your recipients
    (e.g. due to missing key from them)
    are now encrypted in your Sent box
    and thus at least protected on your provider’s servers from any readers but you.
    That’s how it should be, anyway, right?!

  • Signing an e-mail guarantees that (1) you sent the mail
    (to be precise: that a person with your secret key signed the mail)
    and that (2) no bit in your mail was changed since the signing.
    (At least not between the signing markers,
    which sadly exclude e.g. the subject line).
    Only persons with you public key can verify the signature.

  • The administrative parts of your mail (the “Headers”) are not encrypted,
    e.g. the subject line, sender and receiver addresses.

  • More general download locations:
      (in case the links above do not work)


  • Both keys of your pair (public key and secret key)
    are connected by math.
    You cannot replace only one of them.
    Instead, if you ever need a new secret key,
    you also have to use the new public key
    that comes with it, and vice versa.

  • The fingerprint of my own key is 41B5 95D3 8E4E 1D5C DDD2 5087 2E38 5BA4 F67A 11FD
  • and my public key itself is also online here:

Categories ,


There are no comments on this article.

← Older Newer →