Enigmail gpg2 windows

We cannot guarantee that the versions offered there are current. Note also that some of them apply security patches on top of the standard versions but keep the original version number. We announce the end-of-life date for a current stable version at the time a new stable version is released. We maintain old branches for at least two years. For GnuPG 2. For most other packages we don't maintain branches and thus there is no end-of-life; always use the latest version.

Remarks: Pinentry is a collection of passphrase entry dialogs which is required for almost all usages of GnuPG. GnuPG 1. This branch has no dependencies on the above listed libraries or the Pinentry. Optional: Show the Thunderbird Menu Bar. This step will be useful for the rest of this guide.

Add your existing email account to Thunderbird by navigating to Thunderbird's menu bar. Fill out your complete name, your email address and your password. Then uncheck "Remember password". But this is not mandatory: you can enter anything you would like to be addressed with. Please note that if you have enabled 2-factor authentication on your email account, you might have to enter an app-specific password here. This won't be necessary if you are using a Gmail account. Note: if you prefer Thunderbird to store your password, you should make sure that the password database is encrypted, so that nobody who has access to your computer can get to your email password.

To do this, you will need to set a strong master password, following these instructions. Click "Continue". Thunderbird will check that your email configuration is correct and will present you with two options for reading your incoming email: IMAP or POP3.

Leave "IMAP (remote folders)" selected if you want to access the same messages from multiple devices, leaving your email on the servers. If you prefer to use Thunderbird for all your email, and to download your email to a trusted secure device rather than keep it on servers you don't control, select the "POP3 (keep mail on your computer)" option. Please note that by choosing this option, the messages you have downloaded will no longer be accessible from other devices. Either one indicates that your connection to your email provider will have a basic layer of encryption.

If everything has worked fine, by clicking the "Done" button Thunderbird will connect to your email server and download your mailbox. This operation will happen in the background and might take some time, depending on the size of your inbox folder and speed of your internet connection. If you are using a Gmail account, you will be prompted to enter your password and 2-factor authentication code and to accept the connection to an email client.

Once your email account is connected to Thunderbird, you can start using PGP by creating a key pair, consisting of a private key, which you must store safely and never share with anyone, and a public key, which you can share publicly or with trusted people.

Enigmail's key manager window will appear. Select "Generate" from the top menu and click "New Key Pair". Choose a strong and unique passphrase for your key (if you don't know how to generate a strong password, please read this guide).

In a nutshell, your passphrase should be at least characters long and include special characters, capital letters and numbers. In the "Key expires in" box, you can leave the default 5 years option, or select a shorter time span. Don't choose a longer time span, and leave the "Key does not expire" option unchecked.
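An added example, not part of the original guide: a Python check of the expiry advice above, run over `gpg --list-keys --with-colons` output. The sample listing is constructed, and the five-year ceiling and the finding labels are assumptions chosen to match the guide's recommendation.

```python
# Added example: audit key expiry from `gpg --list-keys --with-colons` output.
# Assumes gpg's default colon format, where dates are seconds since the epoch.
import time

MAX_LIFETIME = (5 * 365 + 2) * 86400  # five years plus leap days, in seconds

# Constructed listing (not real keys).
# Field order: type:validity:bits:algo:keyid:created:expires:...
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAA1:1577836800:1735689600::u:::scESC::::::23::0:
uid:u::::1577836800::0000000000000000000000000000000000000001::Alice <alice@example.org>::::::::::0:
pub:u:4096:1:BBBBBBBBBBBBBBB2:1577836800:::u:::scESC::::::23::0:
pub:u:4096:1:CCCCCCCCCCCCCCC3:1577836800:1893456000::u:::scESC::::::23::0:
pub:r:4096:1:DDDDDDDDDDDDDDD4:1577836800:1735689600::-:::sc::::::23::0:
pub:e:4096:1:EEEEEEEEEEEEEEE5:1577836800:1640995200::-:::sc::::::23::0:
"""

def audit(listing, now=None):
    """Map each primary key ID to one finding about its expiry setting."""
    now = int(time.time()) if now is None else now
    findings = {}
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] != "pub" or len(f) < 7:
            continue  # only primary-key records carry the dates checked here
        validity, keyid, created, expires = f[1], f[4], f[5], f[6]
        if validity == "r":
            findings[keyid] = "revoked"
        elif not expires:
            findings[keyid] = "no-expiry"          # "Key does not expire"
        elif int(expires) <= now:
            findings[keyid] = "expired"
        elif int(expires) - int(created) > MAX_LIFETIME:
            findings[keyid] = "lifetime-too-long"  # longer than five years
        else:
            findings[keyid] = "ok"
    return findings

if __name__ == "__main__":
    # Fixed "now" (2023-11-14 UTC) so the sample gives the same result each run.
    for keyid, finding in audit(SAMPLE, now=1700000000).items():
        print(keyid, finding)
```
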

While Enigmail is generating your key pair, you will also be asked to generate a revocation certificate. Generating a revocation certificate is important and you should click on the "Generate Certificate" button in the prompt, and save the certificate in a secure location like an encrypted USB stick that you keep for exclusive, personal use.

This file is needed only to revoke your key pair in case you lose your private key or there are doubts about it being compromised.

The revocation certificate cannot be used to decrypt your PGP-encrypted communications. The revocation certificate will allow you to securely discontinue the usage of your key at any time. It is very important to create a revocation certificate for future use and store it in a secure place that only you or trusted people can access and that is separate from the device where you keep your key pair.

Revoking your key will prevent people from encrypting to the unused or compromised key, and signals to the keyservers that the key is no longer valid. If you did not create a revocation certificate while generating your key pair, you should do so now, following the steps below:

Go to the Thunderbird menu bar, click "Enigmail", then choose "Key Management". Choose a secure location to save your revocation certificate. An encrypted USB stick that you do not lend out and is kept for exclusive, personal use is a good choice. Make sure to keep the storage device where you have saved the certificate in a secure place. You will be notified that the revocation certificate has been successfully generated.

Click "Close". Backing up your key pair in a safe location is important to be sure you will not lose it even if your device is lost or your hard disk damaged, or if you want to encrypt your emails with the same key pair on another computer. Right-click your key in the Key Management window and choose "Export Keys to File" in the drop-down menu.

Note: The private key in your key pair is the most important component of the encryption system, and its security should be top priority. Only export your key pair to a secure place, like an encrypted USB stick that you use exclusively, store in a secure place, and do not lend out. You should see a message stating that "The keys were successfully saved". Your contacts will need to import your public key to encrypt messages to you.

To let others find your public key, you may upload your public key to a key server or attach the key in an email. Warning: If you don't want to disclose publicly that you're using encryption, for example because encryption is illegal in your country, you should avoid publishing your public key on the key servers.

In such cases it's a good idea to only send your public key by email or through other means to your trusted contacts you exchange encrypted emails with. Right-click your key and choose "Upload Public Keys to Keyserver" in the drop-down menu. This section explains how to configure Thunderbird's preferences to help defend your system against attacks that originate in emails.

Navigate to Thunderbird's menu bar, select "Tools", then "Account Settings". Click "OpenPGP Security" in the left-hand menu. All "Message Composition Default Options" should be checked, to encrypt messages and drafts and sign messages by default. Click "OK". If you are not reading and sending unencrypted email from a webmail interface, and are using Thunderbird for managing all your email, you might want to uncheck the "Encrypt messages by default" option, to make it easier to write unencrypted messages.

If you choose to uncheck this box, you should always make sure that the lock icon in your email form is highlighted as in the screenshot below when writing an encrypted email. If you followed our tutorial in Part 1 of this guide, then you will already have generated a key pair which you can select to use here.

For the purposes of this tutorial, however, we will generate a new key pair. To do this, select 'I want to create a new key pair for signing and encrypting my email'. Choose a secure passphrase, which is used to protect your private key (try to aim for one that is at least 20 characters long, using non-sequential words). You will use this to decrypt emails sent to you using your public key. If this ever becomes compromised you should immediately revoke the matching public key, and generate a new key pair and then publish it.

Wait while a key is generated. It is then a good idea to create a revocation certificate (just follow the Wizard). All keys generated using this method are secured with bit RSA encryption and expire after 5 years. Okay, so now you are set up and have a key pair. The next step is to share your public key or keys so that others can send encrypted emails to you. For you to send encrypted emails you require your recipients' public keys. Remember that your public key is designed to be public, and the more people who have access to it, the more people who can send you encrypted emails.

Write the email and select the recipient(s) as normal, then select 'Attach My Public Key' (the paperclip icon will turn yellow to show this is enabled). When you are ready, hit 'Send'.

Note that the red lettering in the 'To:' field alerts us to the fact that we do not have the public OpenPGP keys for this recipient. A better way to share your public key is via a keyserver (basically, a server that stores public OpenPGP keys, so that they can be accessed by anyone).

A big advantage to using a keyserver is that if for any reason you need to revoke your public key (for example, if your private key is compromised), this can be easily done just once by deleting the old key and uploading a new one to the key server rather than sending out new keys to all your contacts. This also makes it easy for anyone to send you secure email without having to ask you to send your public key to them first.

You can now include the name of your keyserver address and Key ID in your signature to advertise the fact that you have a public key available. When you receive an encrypted message that contains a public key, double-click on the attached.

Knowing the name of the keyserver is good, but Enigmail does a good job of finding keys anyway. You can also tell Enigmail to 'Find keys for all contacts'. An important final security step is to validate and sign a key pair, which should be done using a method other than email. Face-to-face is best, although encrypted VoIP is also a good option (remembering that telephone conversations cannot be considered secure in this age of blanket government surveillance).

Be very careful to make sure that you are talking to the right person!


