Thunderbird: Security

From OnnoWiki

Revision as of 06:30, 12 June 2017

Source: https://securityinabox.org/en/guide/thunderbird/linux/



Thunderbird, Enigmail and OpenPGP for Linux - Secure Email

Posted 10 August 2016

Table of Contents

   Required reading
   What you will get from this guide
   1. Introduction to Thunderbird
   2. Install and configure Thunderbird
   3. Improve Thunderbird's security and usability
   4. Sending and receiving encrypted messages
   FAQ

Mozilla Thunderbird is free and open source software that allows you to exchange and store email for multiple accounts with multiple service providers. Enigmail and GnuPG improve the security and privacy of your email correspondence by adding support for OpenPGP end-to-end encryption to Thunderbird. They also allow you to sign your messages digitally and verify the digital signatures of others.

Required reading

   Keep your online communication private
   Protect the sensitive files on your computer

   Project website
   Download Thunderbird
   GNUPG
   Enigmail
   Version: Thunderbird 38.8 (Enigmail 1.9.3)
   License: Free and Open Source Software
   System Requirements: GNU/Linux

What you will get from this guide

   The ability to manage multiple email accounts using a single tool
   The ability to read and compose messages while disconnected from the Internet
   The ability to send and receive encrypted email
   The ability to digitally sign your emails and authenticate signed email from others

1. Introduction to Thunderbird

Thunderbird is a free and open source, cross-platform email client for sending, receiving and storing email. An email client is an application that lets you download and manage your messages, from multiple accounts with multiple providers, without a browser.

GNU Privacy Guard (GPG) is free and open source software that can encrypt, decrypt and digitally sign messages and files. It also generates and manages the public and private keys needed to do so.

Enigmail is a Thunderbird add-on that gives you access to the encryption and authentication features provided by GnuPG, which must be installed for Enigmail to work.

1.0 Things you should know about Thunderbird before you start

You need at least one email account to use Thunderbird.

Like all email clients, Thunderbird keeps a copy of your messages on your computer. This includes the emails you send as well as those you receive. As a result, it is very important that you use full disk encryption if you intend to use Thunderbird.

Thunderbird cannot protect your device if you open a malicious attachment or click a malicious link. Do not open unsolicited attachments, and be careful when clicking links sent to you by email. Learn more from the Protect your device from Malware and Hackers guide.

1.1 Other tools like Thunderbird

Thunderbird is available for GNU/Linux, Microsoft Windows and Mac OS X. Securely managing multiple email accounts is a complex task, and we strongly recommend Thunderbird for this purpose. However, if you prefer to use an alternative, we recommend the following free and open source tools:

  • Claws Mail is available for GNU Linux and Microsoft Windows
  • Sylpheed is available for Mac OS X, GNU Linux and Microsoft Windows
  • K9 Mail and OpenKeychain are available for Android
  • Mailpile has a beta available for GNU/Linux and Microsoft Windows (and should be available for Mac OS X in the future)

The security advantages of Thunderbird are significant, particularly when compared to commercial alternatives like Microsoft Outlook.

2. Install and configure Thunderbird

Most Linux distributions come with Thunderbird installed by default. Some distributions come with a version called Icedove, which is the same software under a different name. If you're using Ubuntu, you can launch Thunderbird by opening Dash (typically by pressing the Windows key), searching for Thunderbird, and pressing Enter. If your distribution does not include Thunderbird by default, you can probably install from your Software Center. You can then configure Thunderbird and add your email account information as described below.

2.1 Add an email account to Thunderbird

To add an email account to Thunderbird, follow the steps below.

Step 1. Launch Thunderbird

If you have not yet added an email account, Thunderbird will display the Would you like a new email address? screen

Figure 1: Thunderbird offering to help you create a new email address

Step 2. Click [Skip this and use my existing email] to open the Mail Account Setup screen

Figure 2: The Mail Account Setup screen

Step 3. Type the name, email address and password that correspond to the account you wish to access using Thunderbird

Step 4. Uncheck the box next to Remember my password

Figure 3: Mail Account Setup details

Step 5. Click [Continue]. Thunderbird will check the configuration of the email service you have entered.

Figure 4: Thunderbird after verifying the configuration of an email service

You probably want to leave "IMAP (remote folders)" selected. IMAP stores the master copy of your email folders (including the Inbox, Drafts, Templates, Sent and Trash folders) on the server and makes a local copy on your device. This allows you to access the same messages from multiple devices while keeping your folders in sync. (POP, on the other hand, retrieves your messages from the server and stores them on the first device to which they are downloaded. This does not mean they are actually deleted from the server, but it does make it much more difficult to access your email from multiple devices.)

Important: Make sure that both the Incoming and Outgoing entries on the screen above show SSL (Secure Sockets Layer) or STARTTLS (Start Transport Layer Security). Either one indicates that your email provider encrypts the connection between Thunderbird and its mail servers, which protects your passphrase and messages in transit. This is separate from the end-to-end encryption of message content covered in section 4.

Step 6. Click [Done] to create your account and enter the main Thunderbird interface.

Figure 5: The main Thunderbird interface

Note: To add another email account, click File in the menu bar and select New > Existing Mail Account. This will activate Figure 2, above. Then, simply repeat Steps 3 through 6.

Each time you launch Thunderbird, you will be asked to enter the passphrase for each account you have added.

Figure 6: The Mail Server Password Required screen

Step 7. Type your passphrase

Figure 7: Entering a Mail Server Password

Step 8. Click [OK] to sign in to your account using Thunderbird

3. Improve Thunderbird's security and usability

This section explains how to configure Thunderbird's preferences to help defend your system against attacks that originate in emails. For more information, see Protect yourself from Malware & Hackers.

3.1 Disable HTML email

Thunderbird allows you to include colours, fonts, images and other formatting in the emails you write. It does this by sending messages that include HTML — the same technology used in webpages — rather than just basic text. It also has the ability to display HTML messages sent to you by others. Unfortunately, viewing HTML email can expose you to some of the attacks used to target web browsers. And writing HTML email sometimes prevents GnuPG encryption from working properly.

To display HTML email as plain text, follow the steps below:

Step 1. Click to display the Thunderbird menu

Step 2. Select View > Message Body As > Plain Text

Figure 1: Disabling the display of HTML email

To write email in plain text, follow the steps below:

Step 1. Click to display the Thunderbird menu

Step 2. Select Preferences > Account Settings

Figure 2: Thunderbird account settings

Step 3. Select Composition & Addressing under your email address

Figure 3: Thunderbird composition & addressing settings

Step 4. Uncheck the Compose messages in HTML box.

Figure 4: Disabling HTML message composition

Step 5. Click [OK]

3.2 Configuring Thunderbird's security preferences

To modify Thunderbird's security preferences, follow the steps below:

Step 1. Click to activate the Thunderbird menu bar

Step 2. Select Preferences > Preferences

Step 3. Click the Security tab

Figure 1: Thunderbird's security preferences screen

Step 4. Click the Passwords sub-tab

Figure 2: The Passwords tab

To view or remove email account passphrases stored on your computer, click [Saved Passwords]

Figure 3: The Saved Passwords window

To remove all of the passphrases saved by Thunderbird, click [Remove All]. You can also remove individual passphrases.

Important: We recommend that you protect your passphrases using a tool designed specifically for that purpose. See KeePassX for more information. However, if you do intend to allow Thunderbird to remember them for you, it is extremely important that you set a master password so that Thunderbird can encrypt your other passwords. In fact, even if you do not want Thunderbird to store your email account passphrases, you might still want to set a master password. Doing so will ensure that Thunderbird encrypts any passphrase you might accidentally ask it to save. If you do this, be sure to remember your master password or record it somewhere safe (like in a KeePassX database). And be aware that Thunderbird will ask you for that master password every time you restart the application.

Step 5. Check the Use a master password box to activate the following screen

Figure 4: Change Master Password window

Step 6. Type a strong passphrase into both fields

Step 7. Click [OK]

3.3 Configuring Thunderbird's privacy preferences

Cookies contain information that is sent to your browser by the websites you visit. When you return to those sites, you send the corresponding cookies back to them, along with your request for content. Cookies are used for a number of reasons. For example, websites that require you to sign in often use them to remember whether or not you have done so. But cookies can also be used to track your online activities.

Thunderbird accepts cookies primarily to support RSS feeds and newsgroups, not for email. We recommend that you disable support for cookies in Thunderbird. If this prevents you from using a feature of Thunderbird that you need, you can always go back and enable it.

You can tell Thunderbird not to accept cookies by following the steps below:

Step 1. Click to activate the Thunderbird menu bar

Step 2. Select Preferences > Preferences

Step 3. Click the Privacy tab

Figure 1: The Privacy tab

Step 4. Uncheck the following boxes:

   Allow remote content in messages box. (You can still enable remote content on a per-message basis)
   Remember web sites and links I've visited
   Accept cookies from sites

Step 5. Click [Close]

4. Sending and receiving encrypted messages

GNU Privacy Guard (GnuPG) is free cryptographic software that was developed by the GNU Project. This software is compliant with the OpenPGP standard and was designed to inter-operate with Pretty Good Privacy (PGP), another email encryption program that was initially designed and developed by Phil Zimmermann.

GnuPG relies on a form of public-key cryptography that requires each user to generate his or her own pair of keys. This key pair can be used to encrypt, decrypt and sign digital content such as email messages. It includes a private key and a public key:

   Your private key is extremely sensitive. Anyone who managed to obtain a copy of this key would be able to read encrypted content that was meant only for you. They could also sign messages so they appeared to have come from you. Your private key is, itself, encrypted to a passphrase that you will choose when generating your key pair. You should choose a strong passphrase and take care not to let anyone gain access to your private key. You will use your private key to decrypt messages sent to you by those who have a copy of your public key.
   Your public key is meant to be shared with others and can not be used to read an encrypted message or fake a signed one. Once you have a correspondent’s public key, you can begin sending her encrypted messages. Only she will be able to decrypt and read these messages because only she has access to the private key that matches the public key you are using to encrypt them. Similarly, in order for someone to send you encrypted email, they must obtain a copy of your public key. It is important to verify that the public key you are using to encrypt email actually does belong to the person with whom you are trying to communicate. If you or your correspondent are tricked into encrypting email with the wrong public key, your conversation will not be secure.

GnuPG and Enigmail also let you attach digital signatures to your messages. If you sign a message using your private key, any recipient with a copy of your public key can verify that it was sent by you and that its content was not tampered with. Similarly, if you have a correspondent's public key, you can verify his digital signatures.

4.1 Install Enigmail

Most Linux distributions come with GnuPG installed by default. However, you will need to install the Enigmail add-on for Thunderbird so that you can start using GnuPG for email encryption. You can do this by following the steps below:

Step 1. Click to display the Thunderbird menu

Step 2: Select Tools > Add-ons to display the Thunderbird Add-ons Manager

Step 3: Type “Enigmail” in the upper, right-hand corner and press Enter

Step 4: Click “Install” to download Enigmail

Step 5: Click the Restart now link to restart Thunderbird and finish installing Enigmail

Now that you have restarted Thunderbird, you should see “Enigmail” included in the menu bar.

4.2 Generate encryption keys and configure Enigmail

You can now configure one or more of your email accounts to use Enigmail and generate one or more encryption keypairs.

4.2.1 Generate encryption keys

You can configure Enigmail and generate a pair of encryption keys by following the steps below:

Step 1. Click to display the Thunderbird menu

Step 2. Select Enigmail > Setup Wizard

Figure 1: The Enigmail Setup Wizard

Step 3. Click [Next] to proceed with the standard configuration (as a beginner)

Figure 2: Creating a keypair

Step 4. Choose a strong passphrase and type it into the appropriate fields to generate a keypair

Note: This passphrase will protect your private key. Without it, you will be unable to sign or decrypt emails. As such, it is important that you choose a strong passphrase and that you remember it or record it securely. You can learn more from the Create and maintain strong passphrases guide.

Figure 3: Choosing a strong passphrase

Step 5. Click [Next] to generate your keypair.

Figure 4: Generating a GnuPG keypair

Enigmail will let you know when it is done creating your keypair.

Figure 5: Keypair generated

You should generate a revocation certificate so you can let others know when a particular key is no longer valid. This may happen if you:

   Stop using a keypair
   Lose a private key
   Forget the passphrase for a private key
   Believe a private key has been compromised or shared with others

It is particularly important that you generate a revocation certificate if you plan to upload your public key to a keyserver. There is no other way to "delete" a key once you have uploaded it, and you do not want old or compromised keys sitting around on a keyserver confusing people.

Step 6. Click [Create Revocation Certificate]

Figure 6: Choosing a location for your revocation certificate

Step 7. Navigate to the location where you would like to save your revocation certificate.

This certificate does not contain sensitive information and cannot be used to learn your private key, but someone could upload it to a keyserver and invalidate your current keypair, so you should put it somewhere safe.

Step 8. Click [Save] to enter the passphrase for your private key

Figure 7: Entering the passphrase for your private key to generate a revocation certificate

Step 9. Type your passphrase

Step 10. Click [Unlock] to generate your revocation certificate

Figure 8: Revocation certificate generated

Step 11. Click [OK] to return to the Enigmail Setup Wizard.

Figure 9: Completing Enigmail setup

Step 12. Click [Next] to continue.

Figure 10: Enigmail setup complete

Step 13. Click [Finish] to start using Enigmail.

4.2.2 Viewing and managing your key properties

Once you have generated your keypair, you can view and manage its properties by following the steps below:

Step 1. Click to display the Thunderbird menu

Step 2. Select Enigmail > Key Management

Figure 1: The Enigmail Key Management window

Step 3. Double-click the keypair that corresponds to your email account

Figure 2: The Key Properties window

These windows display, among other things, your public key ID and its fingerprint. For example, the public key ID for ekaterina@riseup.net is 0xFBB4EFFE, while the full fingerprint is 3B9F 54DD 571A 6F77 251D 92E7 E8B1 F5E6 FBB4 EFFE. This window also displays the expiration date of your keypair (20 June, 2021 in this case).

You must share your public key with others in order for them to send you encrypted email. You should also share your full fingerprint, through a different channel, so that your correspondents can verify that the public key you sent them really belongs to you. You should never share your private key, as anyone who has a copy of it can decrypt messages sent to you and sign messages so they appear to have come from you.

If you would like to change the passphrase that protects your private key, click [Select action...] and select Change Passphrase. You will be prompted for your current passphrase and asked to choose a new one. To revoke your key, click [Select action...] and select Revoke Key.

4.2.3 Configure Enigmail to work with your email account

To enable Enigmail for use with a specific email account, follow the steps below:

Step 1. Click to activate the Thunderbird Menu

Step 2. Select Preferences > Account settings

Figure 1: The Thunderbird menu

Step 3. Click OpenPGP Security under your email account on the left side of the Account Settings window.

Figure 2: OpenPGP Security settings

Step 4. Make sure the Enable OpenPGP Support (Enigmail) for this identity box is checked

Step 5. Make sure the Use specific OpenPGP Key ID box is checked and the appropriate Key ID is selected

Step 6. Make sure the Use PGP/MIME by default box is checked

Step 7. Check the Sign encrypted messages box

Figure 3: Configuring Enigmail to sign encrypted messages by default

Note: If you would like to configure Enigmail so that it will try to send encrypted email by default—even if you do not have a valid public key for the recipient—you can do so by checking the Encrypt messages by default box.

Step 8. Click [OK] to return to Thunderbird's main window

4.2.4 Generating additional encryption keys

It is common practice to add more than one email address to a given GnuPG keypair. In some cases, however, you may want to create different keypairs for different accounts. This is particularly important if you do not want others to know that both accounts belong to the same person.

You can generate a new keypair by following the steps below. These steps assume that you have already configured Thunderbird to work with a second email account (in this case, elenakaterina60@gmail.com).

Step 1. Click to activate the Thunderbird menu

Step 2. Select Enigmail > Key Management

Figure 1: The Enigmail Key Management screen

Step 3. Select Generate > New Key Pair from the Enigmail menu

Note: The Enigmail menu includes different options while the Key Management screen is active

Figure 2: The Generate OpenPGP Key screen

Step 4. Click the selected entry next to Account / User ID in order to choose a different account

Figure 3: Selecting an alternative email account for which to generate a GnuPG keypair

Step 5. Select the account for which you would like to generate a new GnuPG keypair

Figure 4: Choosing a passphrase for a new GnuPG keypair

Step 6. Choose a strong passphrase for your new keypair and type it into the Passphrase and Passphrase (repeat) boxes. You can learn more from the Create and maintain strong passphrases guide.

Step 7. Click [Generate key]

Figure 5: Confirming that you would like to generate a new keypair

Step 8. Click [Generate key]

When it is done, Enigmail will prompt you to generate a revocation certificate.

Figure 6: New keypair generated

Step 9. Click [Generate Certificate]

Figure 7: Choosing a location for your revocation certificate

Step 10. Navigate to the location where you would like to save your revocation certificate

Step 11. Click [Save]

Step 12. Type the passphrase for the private key you just created

Figure 8: Entering the passphrase for your secret key

Step 13. Click [Unlock]

Figure 9: Revocation certificate successfully created

Step 14. Click [OK] to return to the Key Management screen

Figure 10: Two keypairs visible in the Key Management window

Enigmail will automatically configure your email account to use this keypair. See the previous section for more information about how to change account-specific settings. (We recommend that you configure Enigmail to sign your encrypted email by default unless you have a specific reason not to.)

4.3 Exchanging public keys

Before you can start sending encrypted email to one another, you and your correspondents need to exchange public keys. You also need to confirm the validity of any key you receive by confirming that it really belongs to the person you believe sent it.

4.3.1 Sending your public key as an email attachment

To send a public key using Enigmail, follow the steps below. Your correspondents can send you their public keys in the same way.

Step 1. In Thunderbird, click [Write] to write an email.

Step 2. Compose your message

Figure 1: Composing a message in Thunderbird

Step 3: Click [Attach My Public Key]

Figure 2: Attaching your own public key to an email before sending it

The button (and the paperclip icon) should change color to indicate that your public key will be attached to this message before it is sent.

Step 4. Click [Send]

Figure 3: Thunderbird about to send an email with a public key attached

Thunderbird may prompt you for your email account passphrase. It will not ask for your GnuPG passphrase unless you chose to sign this email. (Just attaching your public key does not require "unlocking" your private key.)

Figure 4: Thunderbird asking for an email account passphrase

Step 5. Type your email passphrase and press Enter

4.3.2 Importing a public key attached to an email

Both you and your correspondent must follow the steps below to import one another's public keys.

An attached public key should be visible in the lower, left-hand corner of the email in which it was sent:

Figure 1: A public key attached to an email

Step 1. Right click the attachment

Figure 2: The context menu for a public key attached to an email

Step 2. Select Import OpenPGP Key

Figure 3: Confirming the import of a public key

Step 3. Click [Yes] to import the public key

Figure 4: Details of an imported public key, including its full fingerprint

Step 4. Click [OK]

Enigmail's Key Management screen should now show your correspondent's public key:

Step 5. Click to activate the Thunderbird menu

Step 6. Select Enigmail > Key Management.

Figure 5: A new public key displayed in Enigmail's Key Management screen

4.4 Validating and signing public keys

You should now verify that the key you have imported actually belongs to the person you believe sent it to you. You and your email correspondents should go through this process for each public key you receive. Once you verify the key, you must sign it. This is how you tell GnuPG and Enigmail that you consider it valid.

4.4.1 Validating someone else's public key

To validate your correspondent's public key, contact him using a means of communication that allows you to be absolutely certain that you are talking to the right person. In-person meetings are best, but voice and video conversations are acceptable if you are confident you can recognise his voice or appearance. You will be exchanging public key fingerprints, which do not need to be kept secret, so this conversation does not have to be confidential as long as you refrain from discussing sensitive topics.

Both you and your correspondent should verify the fingerprints of the public keys you have exchanged. A fingerprint is a unique series of numbers and letters that identifies a GnuPG key pair. You can use Enigmail's Key Management screen to determine:

   The fingerprint of the key pair you have generated
   The fingerprint of other people's public keys that you have imported

To view the fingerprint of a particular key pair, follow the steps below.

Step 1. Click to activate the Thunderbird menu

Step 2. Select Enigmail > Key Management

Figure 1: Enigmail's Key Management screen

Step 3: Double-click a key pair to open the Enigmail Key Properties window.

Figure 2: Enigmail's Key Properties screen

In the Key Properties window, you will be able to see the fingerprint of the selected key. For example, the fingerprint of ekaterina@riseup.net is 3B9F 54DD 571A 6F77 251D 92E7 E8B1 F5E6 FBB4 EFFE

Your correspondent should carry out these steps as well. To verify fingerprints:

   Read the fingerprint of your keypair to your correspondent
   Have him verify that the fingerprint he has for your public key matches what you just told him
   Have your correspondent read you the fingerprint for his keypair
   Verify that the fingerprint you have for his public key matches what he just told you

If the fingerprints don't match, exchange public keys again and repeat the process.

Note: Because key fingerprints are not themselves sensitive, you can easily write down the fingerprint that your correspondent reads off to you. Then, when you have more time, you can verify that it matches the fingerprint you have for his public key using Enigmail's Key Management screen. (This is also why some people print their GnuPG fingerprints on their business cards.)
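Reading ten groups of four characters over a call invites transcription slips, and the key ID Enigmail shows is only the tail of the fingerprint (0xFBB4EFFE is the last eight digits of 3B9F ... FBB4 EFFE), which is why the guide has you compare the whole fingerprint. The following Python is an added example, not part of the securityinabox guide: it normalises a fingerprint as spoken or written down, derives the key ID, and reports which groups differ so only those need re-reading.

```python
"""Compare OpenPGP key fingerprints read out over a call with those shown in
Enigmail's Key Properties window.

Added example, not part of the securityinabox guide. It normalises the
free-form way a fingerprint gets spoken or written down, derives the short
and long key IDs that GnuPG displays, and points at the first 4-character
group that differs so the mismatching block can be re-read.
"""
import re

# Fingerprint and key ID of the guide's example key (ekaterina@riseup.net).
GUIDE_FINGERPRINT = "3B9F 54DD 571A 6F77 251D 92E7 E8B1 F5E6 FBB4 EFFE"
GUIDE_KEY_ID = "0xFBB4EFFE"


def normalize_fingerprint(text: str) -> str:
    """Return a 40-character upper-case hex string, or raise ValueError.

    Accepts fingerprints with spaces, colons or a leading 0x, in any case,
    as people tend to transcribe them.
    """
    cleaned = re.sub(r"[\s:]", "", text.strip())
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    cleaned = cleaned.upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("OpenPGP v4 fingerprints are 40 hex characters")
    return cleaned


def key_id(fingerprint: str, long_form: bool = False) -> str:
    """Derive the key ID Enigmail shows: the last 8 (or 16) hex digits.

    Because the ID is just a suffix of the fingerprint, it identifies a key
    far less strongly than the full fingerprint does.
    """
    fp = normalize_fingerprint(fingerprint)
    return ("0x" + fp[-16:]) if long_form else ("0x" + fp[-8:])


def fingerprints_match(spoken: str, displayed: str) -> bool:
    """True only if every one of the 40 hex digits agrees."""
    return normalize_fingerprint(spoken) == normalize_fingerprint(displayed)


def mismatched_groups(spoken: str, displayed: str) -> list[int]:
    """Indices (0-9) of the 4-character groups that differ.

    Enigmail prints fingerprints in ten groups of four; returning group
    numbers lets you ask your correspondent to re-read just those groups.
    """
    a = normalize_fingerprint(spoken)
    b = normalize_fingerprint(displayed)
    return [i for i in range(10) if a[4 * i:4 * i + 4] != b[4 * i:4 * i + 4]]


if __name__ == "__main__":
    # Constructed transcriptions: the second has one wrong digit in group 7.
    heard = "3b9f 54dd 571a 6f77 251d 92e7 e8b1 f5e6 fbb4 effe"
    wrong = "3b9f 54dd 571a 6f77 251d 92e7 e8b7 f5e6 fbb4 effe"
    print(fingerprints_match(heard, GUIDE_FINGERPRINT))   # True
    print(key_id(GUIDE_FINGERPRINT) == GUIDE_KEY_ID)       # True
    print(mismatched_groups(wrong, GUIDE_FINGERPRINT))     # [6]
```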

4.4.2 Signing someone else's valid public key

Once you have verified a correspondent's key, you should sign it. This will tell Enigmail to remember that you consider this key valid.

Important: If you sign someone else's public key and then make your signed copy of their key available publicly, it exposes the fact that you know that person and that you likely exchange sensitive information with them. To prevent this from happening by accident, always check the Local signature box when signing a correspondent's public key.

You can sign a validated public key by following the steps below.

Step 1. Click to activate the Thunderbird menu

Step 2. Select Enigmail > Key Management

Figure 1: Enigmail's Key Management screen

Step 3. Right click the public key you want to sign

Step 4. Select Sign Key

Figure 2: Signing someone else's public key

Figure 3: Sign keys locally to avoid exposing your connection to their owners

Step 5. Make sure your keypair is selected next to Key for signing. If you have two keypairs, and you want to send this person encrypted email using both of them, you will have to sign their public key twice, once with each "identity."

Step 6. Click I have done very careful checking

Note: Other options (such as I have not checked at all) may not allow you to send encrypted email to the owner of this key. Furthermore, it may be difficult to change this setting later. As a result, we recommend that you always select I have done very careful checking when signing a correspondent's public key.

Step 7. Check the Local signature (cannot be exported) box

Important: Unless you are very confident with GnuPG – and know for a fact that the owner of this public key wants your signature of his key to be public – you should check the Local signature box.

Step 8. Click [OK]

Figure 4: Entering the passphrase to unlock your private key

Step 9. Type the passphrase for your private key when asked

Step 10. Click [Unlock] to sign this public key. Doing so will tell Enigmail that you have verified the identity of the key's owner, which will allow you to send him encrypted email.

4.5 Encrypting and decrypting email messages

GnuPG only protects the content of the messages and attachments you encrypt. The following information is never encrypted:

   The Subject line
   The sender's email address
   The Recipients' email addresses
   Any real names that might be associated with senders and recipients. (Elena S. Katerina <ekaterina@riseup.net>, for example.)

Furthermore, if you configure Enigmail to use Inline PGP instead of PGP/MIME, the filenames of attachments you send will remain unencrypted. So, choose your subject lines carefully, consider creating a GnuPG key for at least one email account that does not include your real name, and stick with PGP/MIME (which is enabled by default).

Finally, when you send encrypted email, rest assured that a copy — encrypted to your public key — will be placed in your Sent mail folder.
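The list above and the Inline PGP versus PGP/MIME distinction can be checked directly on a message: with PGP/MIME (RFC 3156) the attachments travel inside the single encrypted part, while with Inline PGP each attachment is its own MIME part whose filename sits in a cleartext header. The following Python is an added example, not part of the securityinabox guide; it runs the standard library's email parser over two constructed messages (placeholder ciphertext, no real GnuPG output) and reports what stays readable without the recipient's private key.

```python
"""Inspect which parts of an OpenPGP-protected email remain in the clear.

Added example, not part of the securityinabox guide. The two sample
messages below are constructed, and their "ciphertext" is a placeholder
string rather than real GnuPG output; only the MIME structure matters here.
"""
from email import message_from_string
from email.message import Message

# Headers the guide lists as never encrypted by GnuPG/Enigmail.
CLEARTEXT_HEADERS = ("From", "To", "Cc", "Subject", "Date")

# Constructed PGP/MIME (RFC 3156) message: the whole body, attachments and
# their filenames included, sit inside one encrypted octet-stream part.
PGP_MIME_SAMPLE = """\
From: Elena S. Katerina <ekaterina@riseup.net>
To: mansour@riseup.net
Subject: Meeting notes
Date: Mon, 06 Jun 2016 10:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

CONSTRUCTED-PLACEHOLDER-CIPHERTEXT
-----END PGP MESSAGE-----

--b1--
"""

# Constructed Inline PGP message: the body text is encrypted, but the
# attachment is a separate MIME part whose filename stays visible.
INLINE_PGP_SAMPLE = """\
From: Elena S. Katerina <ekaterina@riseup.net>
To: mansour@riseup.net
Subject: Meeting notes
Date: Mon, 06 Jun 2016 10:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP MESSAGE-----

CONSTRUCTED-PLACEHOLDER-CIPHERTEXT
-----END PGP MESSAGE-----

--b2
Content-Type: application/octet-stream; name="budget-2016.xlsx.pgp"
Content-Disposition: attachment; filename="budget-2016.xlsx.pgp"

CONSTRUCTED-PLACEHOLDER-CIPHERTEXT

--b2--
"""


def encryption_mode(msg: Message) -> str:
    """Return 'pgp-mime', 'inline-pgp' or 'none' for a parsed message."""
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return "pgp-mime"
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            if b"-----BEGIN PGP MESSAGE-----" in body:
                return "inline-pgp"
    return "none"


def exposed_filenames(msg: Message) -> list[str]:
    """Attachment filenames that a mail server or eavesdropper can read."""
    if encryption_mode(msg) == "pgp-mime":
        # RFC 3156 wraps every attachment inside the encrypted part, so the
        # only visible name is the container's own (e.g. encrypted.asc).
        return []
    return [part.get_filename() for part in msg.walk()
            if part.get_filename() and part.get_content_disposition() == "attachment"]


def cleartext_metadata(raw: str) -> dict:
    """Summarise what stays readable without the recipient's private key."""
    msg = message_from_string(raw)
    return {
        "mode": encryption_mode(msg),
        "headers": {h: msg[h] for h in CLEARTEXT_HEADERS if msg[h] is not None},
        "exposed_filenames": exposed_filenames(msg),
    }


if __name__ == "__main__":
    for label, raw in (("PGP/MIME", PGP_MIME_SAMPLE), ("Inline PGP", INLINE_PGP_SAMPLE)):
        print(label, cleartext_metadata(raw))
```

In both cases From, To, Subject and Date are returned unchanged, which is the point of the guide's list; only the Inline PGP message additionally leaks the attachment name.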

4.5.1 Sending encrypted email

Once you and your correspondent have successfully imported, validated and signed one another's public keys, you can begin exchanging encrypted messages. You can encrypt the content of an email message by following the steps below:

Step 1. In Thunderbird, click [Write] and begin writing an email to a recipient for whom you have a signed public key

Figure 1: Composing an encrypted email

Important: Both the padlock button (which indicates that your message will be encrypted) and the pencil button (which indicates that your message will be signed) should light up as soon as you enter an email address for which you have a valid, signed public key. You should also see "This message will be signed and encrypted" toward the upper, right-hand corner of the window. This is because:

   By default, Enigmail automatically encrypts email to correspondents for whom you have a valid public key
   We enabled Sign encrypted messages under Account Settings > OpenPGP Security in a previous section.

You can choose not to encrypt or sign a message by disabling the padlock or pencil buttons before clicking [Send]. (You can also configure Thunderbird to send unencrypted email by default. This option is under Manual encryption settings in the Sending tab of Enigmail's Preferences menu.)

Step 2. Finish writing your message

Step 3. Click [Send]

Figure 2: Entering your GnuPG passphrase

Step 4. Type your GnuPG passphrase if prompted

Step 5. Click [Unlock]

Figure 3: Entering your email account passphrase

Step 6. Type your email account passphrase if prompted

Step 7. Click [OK] to send your encrypted and signed message

4.5.2 Decrypting an email from someone else

When you click on an encrypted message, Enigmail will prompt you for the passphrase to your private key so it can decrypt the message.

Figure 1: Entering your GnuPG passphrase

Step 1. Type your passphrase

Step 2. Click [Unlock]

Figure 2: A decrypted message with a verified signature

Enigmail will display some information at the top of the message. In the figure above, for example, "Decrypted message; Good signature from mansour" tells you that:

   The message was encrypted using your public key (which can be done by anyone)
   You successfully decrypted it
   It was signed by someone with the private key that corresponds to the mansour@riseup.net public key that you have imported
   You have signed that mansour@riseup.net public key, hopefully after verifying that it belongs to the real Mansour.

FAQ

Q: How many email accounts can I set up on Thunderbird?

A: As many as you like! Thunderbird is an email manager and can easily handle 20 or more email accounts.

Q: Remind me one more time, which parts of an email message does Enigmail encrypt?

A: Enigmail only encrypts the content of messages. Subject lines will not be encrypted, nor will sender and recipient email addresses (or the names associated with those addresses). So, choose your subject lines carefully and consider creating a GnuPG key for at least one email account that does not include your real name.

Q: I still don't understand the purpose of digitally signing my messages.

A: A digital signature proves that you're the real sender of a particular message and that the message hasn't been tampered with on its way to your intended recipient. Think of it as the electronic equivalent of the wax seal on an envelope, which contains a very important letter.


