Thunderbird: Set Up End-to-End Encryption
Summary
This article provides a step-by-step guide to integrating S/MIME and OpenPGP into Thunderbird, enabling secure email communication through end-to-end encryption and digital signatures. It explains the processes for setting up both encryption methods, including certificate creation for S/MIME and key pair generation for OpenPGP.
Requirements
- 2 Virtual Machines: Ubuntu 22.04.5 LTS
- 2 email accounts for Thunderbird
S/MIME in Thunderbird
Step 1: Creating a Self-Signed Certificate (own CA)
- Generate the CA private key:
openssl genrsa -des3 -out ca.key 4096
- Create a self-signed certificate for the CA:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
- Send ca.crt (the certificate only, never ca.key) to both clients
Step 2: Creating a Certificate for Client1, Signed by Your Own CA
- Generate the private key for Client1:
openssl genrsa -des3 -out cert.key 4096
- Create a Certificate Signing Request (CSR) for Client1:
openssl req -new -key cert.key -out cert.csr
- Sign the CSR with your CA to generate Client1's certificate:
openssl x509 -req -days 365 -in cert.csr -CA ca.crt -CAkey ca.key -out cert.crt
- Export the certificate and private key to a PKCS#12 file:
openssl pkcs12 -export -in cert.crt -inkey cert.key -name "Alice Smith" -out cert.p12
- Send cert.crt to Client2
Step 3: Creating a Certificate for Client2, Signed by Your Own CA
- Generate the private key for Client2:
openssl genrsa -des3 -out cert.key 4096
- Create a Certificate Signing Request (CSR) for Client2:
openssl req -new -key cert.key -out cert.csr
- Sign the CSR with your CA to generate Client2's certificate:
openssl x509 -req -days 365 -in cert.csr -CA ca.crt -CAkey ca.key -out cert.crt
- Export the certificate and private key to a PKCS#12 file:
openssl pkcs12 -export -in cert.crt -inkey cert.key -name "Bob Builder" -out cert.p12
- Send cert.crt to Client1
Configuration in Thunderbird
- Open Thunderbird and navigate to:
Settings > Privacy & Security > Certificates > Manage Certificates
- Import the certificates as follows:
  - On Client1:
    - Import the Step 1 certificate (ca.crt) under Authorities.
    - Import the Step 2 certificate (your own, cert.p12) under Your Certificates.
    - Import the Step 3 certificate (from Client2, cert.crt) under People.
  - On Client2:
    - Import the Step 1 certificate (ca.crt) under Authorities.
    - Import the Step 3 certificate (your own, cert.p12) under Your Certificates.
    - Import the Step 2 certificate (from Client1, cert.crt) under People.
By completing these steps, S/MIME will be successfully integrated into Thunderbird, enabling secure email communication with encryption and digital signatures between the two clients.
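Before importing anything into Thunderbird, the output of Steps 1 to 3 can be checked from the shell: chain, e-mail address in the certificate, and a sign/encrypt round trip. The script below is an added example, not part of the original guide. It assumes constructed names and addresses (alice, bob, example.test, lab.cnf), unencrypted lab keys, and explicit S/MIME extensions that the interactive commands above do not set.

```shell
#!/bin/sh
# Added example. Lab-only: keys are unencrypted (-nodes) so it runs unattended;
# the guide's own commands protect them with -des3. Names are constructed.

issue() {  # issue NAME EMAIL -> NAME.key, NAME.csr, NAME.crt signed by ca.key
  # S/MIME extensions: the mail address as SAN plus signing/encryption usage.
  printf 'subjectAltName=email:%s\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\n' "$2" > "$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -config lab.cnf \
    -subj "/CN=$1/emailAddress=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
  openssl x509 -req -days 365 -in "$1.csr" -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

smime_selftest() {  # prints the recovered plaintext; non-zero status on any failure
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    # Minimal config so the run does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > lab.cnf
    openssl req -x509 -new -newkey rsa:2048 -nodes -config lab.cnf -extensions v3_ca \
      -subj "/CN=Lab Mail CA" -days 365 -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    issue alice alice@example.test || exit 1
    issue bob bob@example.test || exit 1

    # Check 1: both client certificates chain to the CA and pass the S/MIME purpose check.
    openssl verify -CAfile ca.crt -purpose smimesign alice.crt bob.crt >/dev/null || exit 1
    # Check 2: each certificate carries the address of the mail account it will be used with.
    openssl x509 -in alice.crt -noout -email | grep -qx 'alice@example.test' || exit 1
    openssl x509 -in bob.crt -noout -email | grep -qx 'bob@example.test' || exit 1

    # Check 3: Alice signs and encrypts to Bob; Bob decrypts and verifies against the CA.
    printf 'hello bob\n' > msg.txt
    openssl smime -sign -text -in msg.txt -signer alice.crt -inkey alice.key -out signed.eml &&
    openssl smime -encrypt -aes256 -in signed.eml -out enc.eml bob.crt &&
    openssl smime -decrypt -in enc.eml -recip bob.crt -inkey bob.key -out dec.eml &&
    openssl smime -verify -text -in dec.eml -CAfile ca.crt -out plain.txt 2>/dev/null &&
    tr -d '\r' < plain.txt   # OpenSSL emits canonical CRLF line endings
  )
  rc=$?
  rm -rf "$dir"
  return "$rc"
}
```

Source the file and call smime_selftest; the same three checks can be run by hand against the real ca.crt and cert.crt files before they are imported.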
Integration of OpenPGP in Thunderbird
OpenPGP enables end-to-end encryption in Thunderbird, ensuring secure communication through encrypted emails and digital signatures. The following steps outline the process for setting up OpenPGP in Thunderbird, creating key pairs, and exchanging public keys.
Step 1: Enable OpenPGP in Thunderbird
- Open Thunderbird.
- Navigate to Account Settings and select End-to-End Encryption.
- Click Add Key to create a new OpenPGP key pair.
- Optionally, set an expiration date for the key or leave it as "Never Expires."
- Choose a key type.
- Click Generate Key. Thunderbird will create the key pair and associate it with your email account.
Step 2: Exporting Your Public Key
- Navigate to Account Settings and select End-to-End Encryption.
- Open the OpenPGP Key Manager.
- Locate your newly created key in the list.
- Right-click your key and select one of these options to share your public key:
  - Copy Public Key
  - Export Public Key To File
  - Send Public Key By Email
Step 3: Importing Public Keys from Contacts
- When you receive a contact's public key, import it according to how it arrived:
  - Via message: open the OpenPGP Key Manager in Thunderbird, save the copied public key into a `.asc` file, and import it via the OpenPGP Key Manager.
  - Via file: open the OpenPGP Key Manager in Thunderbird, click File > Import Keys from File, then select the `.asc` file you received.
  - Via email: double-click the `.asc` file in the email, and Thunderbird will prompt you to import the key.
By following these steps, you can successfully integrate OpenPGP into Thunderbird, enabling secure email communication with encryption and digital signatures.