Securing E-Mail

Contents

Chapter 1 – Introduction and Overview
Chapter 2 – E-mail Programs
Chapter 3 – What is PGP?
Chapter 4 – Set Up Your Gmail Mailbox For IMAP
Chapter 5 – Set Up the E-mail Client On Your Computer
Chapter 6 – Install and Configure PGP with Thunderbird
Chapter 7 – Add Public PGP Keys to Thunderbird
Chapter 8 – Backup All Your Keys
Chapter 9 – Thunderbird and PGP Conclusion
Chapter 10 – Confirm it Works
Chapter 11 – Setting Up PGP On Another Computer With Thunderbird
Chapter 12 – Frequently Asked Questions (FAQ)

Chapter 1 – Introduction and Overview

If you are in the medical profession then you’re already familiar with the Health Insurance Portability and Accountability Act, otherwise referred to as HIPAA. Basically, it has nothing to do with health or insurance. The primary purpose of HIPAA is the protection of personal sensitive medical information that is stored, transferred or transmitted over electronic devices and pathways. Of course, this also includes patient medical information sent via e-mail. Data encryption is one of the most common and effective ways to prevent serious information breaches, such as unauthorized access to PHI. Encryption is such a powerful security measure that breaches of encrypted health information are not considered reportable security incidents unless the encryption key has also been taken. Granted, e-mail encryption is not mandated under HIPAA regulations. However, if a company does not utilize encryption as a security measure, then it must implement an equivalent method for the transfer of sensitive patient information from one entity to another.

Presently, many medical professionals utilize third-party websites that allow controlled, protected access to patient information that is uploaded to the third-party server. The uploaded data may or may not be encrypted. Most don’t encrypt the data, but instead allow controlled access to it. This leaves the patient’s medical information on a third-party computer that is vulnerable to illegal and unauthorized access by hackers, as well as to malicious software that may be on that computer. One method is where the providing MD creates a password-protected account on the third-party server, uploads the patient data and then sends a separate notification, either themselves or through the third-party server, to the intended recipient. That notification contains instructions for the intended recipient on how to access the uploaded patient data. Generally, this access will expire after a set period of time, from, say, one hour to one or more days.

This is all fine and dandy. But the “how to access” instructions sent to the recipient are themselves vulnerable to unauthorized third-party access. There’s also the possibility of those access instructions being inadvertently sent to an unintended recipient. This would be a direct violation of the HIPAA requirements. There needs to be a better way. Well, there is. Not only is this better way significantly more secure, it’s also more user friendly for both the sender and the recipient.

Sending information via e-mail has always been the most effective and efficient way of sharing data. But e-mail itself has never been a secure way of sending or receiving sensitive information, be it in the form of a text message or as an attachment to an e-mail message. Thanks to recent advances in encryption technology and the integration of this technology into e-mail, it’s now possible to use e-mail for sending and receiving sensitive information in a way that is so user friendly it’s practically seamless and unseen by either the sender or the intended recipient.

E-mail encryption can be automatic on the sender’s end the instant they click the send button, with automatic decryption on the recipient’s end as soon as they open the received e-mail. Additionally, the e-mail remains in its encrypted form for as long as it resides on your e-mail server, as well as on your computer. The message and any associated attachments are decrypted “on the fly”, meaning that the decrypted e-mail only exists on your viewable screen and not on your hard drive or remote mail server unless you take action to save it there in an unencrypted form. For some e-mail programs the initial setup for automatic encryption and decryption can be a bear. However, once it’s all set up and fine-tuned, you’re basically done. That’s what this document is intended to help you do: set it up and fine-tune it for your specific needs.

Chapter 2 – E-mail Programs

Many folks are using their web browser to access their e-mail. It could be Internet Explorer, Microsoft Edge, Chrome or even Firefox. There are multiple issues with using a web browser to send and receive e-mail, the major issue being that it’s just flat out not possible to afford any level of protection to sensitive data sent or received via e-mail. Because a web browser is designed and intended to be used for many things other than just surfing the web, it’s just not possible for a web browser interface to an e-mail account to provide the level of security required by HIPAA. The bottom line is, if you want to be HIPAA compliant you flat out have to stop using any web browser to send or receive e-mail that contains sensitive patient information. You really don’t have a choice if you want to be in full compliance with the law.

I highly encourage all medical professionals to use a third-party e-mail program that is designed and intended for the primary purpose of sending and receiving e-mail. This will give both the sender and recipient better control over the management of e-mail. A third-party e-mail program also allows the implementation of e-mail security protocols that will meet, and more commonly exceed, HIPAA requirements. Even the so-called built-in e-mail program included with Windows 10 is basically nothing more than a web browser, as it does use Microsoft Edge. The built-in e-mail of Windows 10 just can’t come anywhere close to meeting HIPAA requirements. Many third-party e-mail programs also include additional functionality you may find useful too, for example calendar scheduling and to-do lists.

The two most commonly used e-mail programs are Microsoft Outlook and Mozilla Thunderbird. Both also include the added functionality of calendar scheduling and to-do lists. Outlook comes as part of the Microsoft Office 2019 suite and is also included in the online Office 365 suite. Whichever one you use, the Outlook program gets installed on the local hard drive of your computer, and that’s what you want.

Mozilla Thunderbird is another highly popular e-mail program used by many. Not only is this program free, but it too comes with calendar scheduling as an added function. One can also elect to install many other add-ons that are available free of charge, such as to-do lists, reminders, and many more. Thunderbird is also considerably easier to set up, use and configure than Outlook is.

For both of these programs the added functionality of e-mail encryption is also available. For Outlook, it can be installed and configured as an add-on in such a way that, once installation and configuration are complete, it will handle all encryption and decryption of e-mail and attachments in the background automatically with no user intervention. The basic Mozilla Thunderbird program, on the other hand, comes with e-mail encryption built in by default. All you have to do is set it up.

The most common, as well as the most secure, e-mail encryption out there is called Pretty Good Privacy, or PGP for short. Best of all, it’s absolutely free. Setting up PGP, while not intuitive, is somewhat easy with proper guidance. But once you have it set up and configured the way you want, you’re done! It’s all hands off, with all the work done automatically in the background. The end user doesn’t notice anything different, really. But you do have the peace of mind of knowing that protected patient information sent via e-mail does in fact meet or exceed the HIPAA requirements for the protection of that information.

Chapter 3 - What is PGP?

PGP, which stands for Pretty Good Privacy, is a software program used to encrypt information on your computer, before it leaves your computer. It also does the opposite and will decrypt encrypted data after it has been downloaded to your computer. PGP uses a pair of keys: a private key and a public key.

The public key is used to encrypt information. That’s the only thing it can do. A public key cannot be used to decrypt and read information that has already been encrypted. The public key is shared with anyone and everyone that you wish to share information with via e-mail.

The private key is used to decrypt information which was encrypted with its corresponding public key. The private key is never shared with anyone. It remains only in the possession of the person who will be receiving information from others that was encrypted with the public key that corresponds to the private key.

For two parties to send encrypted e-mail back and forth, each party must have their own private key which each party will never share with another. Likewise, each party must have the public key that corresponds to the private key of the individual they wish to send sensitive information to.

The nice thing about the PGP program is that you can set up your e-mail program to automatically attach your public encryption key to every e-mail you send. That way, all of those you communicate with will have your public key available to them. Then they can use that public key to encrypt sensitive information they wish to e-mail to you.

When you receive an e-mail that has been encrypted with your public key, then your e-mail program uses your private key to decrypt that e-mail message the instant you open it for viewing. It’s all done in the background and from your perspective, nothing changed. You can read that e-mail the instant you open it.

The remainder of this document provides detailed instructions on obtaining, installing and configuring PGP to work with Thunderbird. I gave up on providing instructions for Microsoft Outlook because Microsoft can’t seem to leave things alone. Their constant changes with automatic updates keep “breaking” the PGP install instructions. I’m tired of trying to keep up.

So if you’re using Microsoft Outlook and are just too stubborn to change to something that’s not only easier and simpler, but also free, you can find the most current PGP installation instructions for Outlook at https://www.comparitech.com/blog/information-security/pgp-encryption-with-outlook/. If that website is not there or not up-to-date, then you can do a Google search for “OUTLOOK PGP INSTALL” and take your pick. Good luck. You’re gonna need it.

I myself highly recommend that you stop using Outlook for your business e-mail. Especially if you send and receive HIPAA protected information. The security vulnerabilities of Outlook seem to be constant. Every time Microsoft releases a patch to fix one problem, they seem to create two more. In this IT professional’s opinion, Outlook is probably the worst e-mail program out there.

The program that I recommend for my clients, and the one practically all of my clients have been using, is called Mozilla Thunderbird. This program is designed and intended specifically and explicitly for e-mail. That’s what it does. The installation and setup are so simple, easy and user friendly that it can be done by a 6-year-old without having to produce a self-induced thought in less than 2 minutes after it’s downloaded. Setup only requires that you provide three pieces of information: name, e-mail address and password. That’s it. Period. The program does the rest for you automatically.

Additionally, if you need added functionality that equals and exceeds that of Outlook, it’s available as a seamless add-on. For example, you can add reminders, calendar, to-do lists, alarms and many more. One advantage of this is that you only install the add-ons you want and use. So unlike Outlook, you don’t have a bunch of useless programs taking up space and resources, thus slowing your computer down.

In closing out this chapter on what PGP is, if you’ve been using a web browser to access your e-mail and now need to switch to a third-party program, be it Outlook, Thunderbird or some other, you may need to set up your mailbox to allow you to use that third-party program with it. For example, if you use a Google or Gmail account for e-mail, you’ll need to take some action from your web browser to enable e-mail access by another program. The next chapter walks you through setting up an existing e-mail account so that you can access it with Outlook, Thunderbird, or something else of your choosing.

Chapter 4 - Set Up Your Gmail Mailbox For IMAP

If your e-mail address is on the gmail.com domain, then before you can use any third-party e-mail program, you first have to set up your e-mail box to recognize and allow that program. This is absolutely necessary if you use a Gmail account. In this chapter we’ll go through setting up your Gmail address to work with either Outlook or Thunderbird.

I highly recommend that you create and set up a separate Gmail account that will be used for secure encrypted e-mail only, and that you provide this e-mail address only to those you will be exchanging sensitive information with. This will significantly reduce the possibility of sensitive information being sent to you unencrypted.

- Using the web browser of your choice (Edge, Internet Explorer or Firefox) go to www.gmail.com and log into your account and go straight to your inbox.

- In the upper right of the screen from your inbox, click on the gear icon, then click the See All Settings button. See below image.

In the settings menu, click on Forwarding and POP/IMAP as shown circled in the image below.

Now select the radio button next to Enable IMAP, as circled in red in the image below.

Then scroll to the bottom of that screen and click the Save Changes button.

That does it. You can log out of your Gmail account now and you’re ready to set up your third-party e-mail program to access your Gmail account.

Chapter 5 - Set Up the Mozilla Thunderbird E-mail Client on Your Computer

Go to www.thunderbird.net and click the Free Download button to download the program to your computer.

Double-click the downloaded file to start the installation process. Select all defaults while installing. When installation completes click the Finish button. Give it a minute and the program will automatically start and open, presenting a Setup an Existing Email Account popup as shown below.

Enter your name (or business name), email address and password for this e-mail account. You can also put a checkmark in the Remember Password box so that you don’t have to enter your password every time you want to send or receive e-mail. Then click the Continue button.

As shown in the below image, you can see where Thunderbird has found the settings for your mailbox. It’s important that the IMAP option is selected by default. If it’s not, then you did not set up your mailbox for IMAP access correctly, as covered in Chapter 4.

If you are not using Gmail and the program is unable to successfully configure things automatically for you, then you’ll need to contact your Internet service provider or e-mail provider. More than likely they have customized the incoming IMAP server and outgoing SMTP server, meaning you will have to manually configure those settings yourself. Your provider can give you the settings you need. Take note that for any AT&T e-mail address (@att.net, @bellsouth.net and others) Thunderbird will find the correct settings. However, your password will not work, because you are required to manually generate a secure password on the e-mail provider’s website. How this is done is not covered in this document.

Once the setup program configures itself, click the DONE button to confirm the e-mail password you entered is correct. If this is not a Google or Gmail address you’re setting up, skip the next two paragraphs. If this is a Google or Gmail address you’re setting up, you’ll get a popup Gmail or Google account login screen in a web browser window showing your e-mail address as shown below.

Click Next for the password entry screen as shown below.

Enter your password and click the Sign In button.

Now you get a screen telling you that Mozilla Thunderbird wants to access your Gmail or Google account as shown below.

Click the Allow button. This window closes and you’re presented with a popup from the Thunderbird program as shown below.

Leave all the defaults on the popup and click the Set As Default button.

That does it. Thunderbird is now set up as your e-mail client.

Note that if desired, you can set up Thunderbird to access multiple email accounts. I don’t know if there’s a limit on the number of e-mail accounts the program can handle. But I currently use it to access 10 e-mail accounts with no problem.

Confirm that you can both send and receive e-mail with Thunderbird now, by simply sending yourself an e-mail. If successfully sent you’ll see a copy of it in your Sent folder. Of course, it will appear in your inbox when you receive it.

Chapter 6 - Configure PGP with Thunderbird

PGP is built into the program and is referred to as End-to-End Encryption. In the Thunderbird program click the menu button followed by Account Settings, as shown below.

This opens an “Account Settings” tab as shown below. On the left click the “End-to-End Encryption” shown in dark blue in the below image. This displays the “End-to-End Encryption” screen you see below. Now click the “Add Key” button circled in red below.

Now you are presented the below. Ensure that “Create a new OpenPGP Key” is selected (circled in red below) and click the Continue button.

Now you’re presented with the below.

Referring to the above image, ensure that the correct e-mail address you will use for encryption is selected in the Identity pull-down menu.

By default, the key is set to expire in 3 years. You can change this as desired or elect the option “Key does not expire.” I suggest you use an established expiration time that doesn’t exceed 5 years.

In the “Advanced settings” section leave the Key type set to RSA. A minimum key size of 3072 is required. I suggest you change it to 4096 or higher. The bigger the key, the more difficult it is to break. The key size has no effect on the time it takes to encrypt or decrypt e-mail. So I suggest the highest key size possible.

Once everything is set, click the “Generate key” button at the bottom, shown in dark blue in the above image. You’ll be presented with the below confirmation dialog.

Click the “Confirm” button to start the key creation and generation process. This process will take anywhere from a few seconds to several minutes. The screen may look like it’s frozen and doing nothing. But rest assured it’s working. Once complete the above dialog will close and you’ll see the below.

Now scroll down so that you can see and access the three items circled in the image below.

Now select the option to “Require Encryption by default” and the option for “Add my digital signature by default” and then click the “OpenPGP Key Manager” button to open the key manager pictured below.

Now right-click on the key you created previously and select “Key Properties” as shown highlighted in blue in the above image. This produces the dialog below. Note that you absolutely positively MUST have the option circled in red selected, or you will not be able to send encrypted e-mail. Once you’ve confirmed this, click the OK button to close this dialog.

Now you can click the Close button to close the key manager window. Then click the Close (X) button on the Account Settings tab to exit account settings, and that does it. BUT THERE’S MORE! So you can’t send e-mail quite yet.

You need this account to automatically attach your public key to all outgoing e-mails sent from it, and you need to ensure that a signature block is attached to each e-mail sent. The signature block informs the recipient of an e-mail from this account about the requirement for encryption, along with guidance on how to meet that requirement. As it stands right now, this account is already set up to automatically attach your public encryption key to all outgoing e-mails. What remains is the signature block informing recipients of the requirement for encryption. Here’s an example of a recommended signature block, which can be tailored to your specific needs. “In accordance with HIPAA requirements all e-mail containing protected information and attachments sent from and received by this e-mail address are required to be encrypted using PGP. The public encryption key is attached for your use and convenience. Any unencrypted messages sent to this address will not be seen by the recipient. If you need assistance implementing PGP e-mail encryption please see burchfieldcs.dynu.net/Securing_Email.pdf or consult with your IT professional.”

To set this up, open Thunderbird and select the inbox folder of the account desired. Then click the menu button and select “Account Settings” as shown below.

You now have the below screen presented to you.

If you desire to include a clickable link in your signature, make sure the “Use HTML” box is checked as shown above. Then below that enter your text with any HTML formatting desired. As an example of a signature with a clickable link in it, you can use the below.

In accordance with HIPAA requirements all e-mail containing protected information and attachments sent from and received by this e-mail address are required to be encrypted using PGP. The public encryption key is attached for your use and convenience. Any unencrypted messages sent to this address will not be seen by the recipient. If you need assistance implementing PGP e-mail encryption please see burchfieldcs.dynu.net/Securing_Email.pdf or consult with your IT professional.

The <b> and </b> tags make all text between them BOLD. The <a href="..."> and </a> tags identify the document or page to link to, and the clickable text between them will appear in blue to the recipient.

Once you have everything entered as desired, you can click the Close(X) button on the Account Settings tab to close it, and that just about does it. Of course, when you start sending e-mail from this address, the default settings will not allow you to send unencrypted e-mail, because you don’t yet have the public key of any of your recipients. If you attempt to do so, you will see the following.

When you click the Close button you see:

Note the above informs you of the e-mail address you cannot send to, and shows a status of “no key available”. This will happen often when you are first getting started with Thunderbird’s e-mail encryption. To get around this in your open e-mail message, before you click the Send button, select Security, then “Do Not Encrypt” as shown below. Once done you can click the Send button and the e-mail will be sent unencrypted with your signature file and your public key attached. Just make sure this specific e-mail does not have any protected sensitive information in it before you send it unencrypted.

Chapter 7 – Add Public PGP Keys to Thunderbird

Before you can send encrypted e-mail you need the public encryption key of the intended recipient. Once you receive the key you need to add it to Thunderbird. How you do this depends on how you receive the key. It could be sent to you as an e-mail attachment, as a part of the body of an e-mail, or in a file supplied to you on a CD, USB drive or other electronic storage media. We’ll deal with receiving it as an e-mail attachment first, since that is the most common way public keys are shared.

By default, a file containing a public PGP key is a simple text file that can be opened and viewed with Notepad. This file can contain one or more public keys. The file must also have a filename extension of .asc. For example, a public key you receive as an attachment may have a filename of [email protected]. A file containing multiple keys may be named something like publicPGPkeys.asc.

Import Public PGP Key from E-Mail Attachment

With Thunderbird, when you receive an e-mail with an attached file with an .asc filename extension the program will “know” this is a public PGP key file. When you select the email to read it you will see in the upper right corner of the message an “OpenPGP” button with a blue lock on it, as circled in red below.

Click the OpenPGP button and it produces the drop-down menu above. Click the “Import” button. This presents the below dialog. Just click the OK button.

Now you get the “Success! Keys Imported” dialog as shown below. Click OK to close this box.

Click OK to close this box and you’re back to the message you imported the key from.

VERIFY THE PUBLIC KEY

At this point, you cannot send an encrypted e-mail to this recipient because you have not yet told the Thunderbird program that you have verified and certified this key. To verify the key so you can actually use it, do the following.

As shown in the image below, click the Menu button, then the Tools button.

This produces a new menu as shown below. Click OpenPGP Key Manager as indicated below.

This opens the OpenPGP Key Manager window as shown below. Right click on the key you need to verify and select Key Properties shown in blue in the below image.

This opens the Key Properties dialog for the selected key as shown below.

You must select one of the bottom two selections circled in red in order for this key to work. Once selected, click the OK button to close this Key Properties dialog.

Finally, click the OK button to close OpenPGP Key Manager and you’re done. You can now send encrypted e-mail to the verified recipient, and all encryption will be done automatically in the background when you click the Send button.

Import Public PGP Key from File

Sometimes someone may provide you their public key on a CD, USB thumb drive or some other sort of electronic media. The first thing you must do is copy that text file to your desktop. If the file only contains one key, it will usually have a filename of the e-mail address that key is for, with an .asc filename extension. For example, Users Name [email protected](0x5803195507DFDB13)-public.asc

If the file contains more than one public key, it will have a filename such as Exported-public-keys.asc

Regardless of the filename though, it must end with an .asc filename extension. Otherwise, you will not be able to import it. After saving the file to your desktop, open Thunderbird, click the Menu button and select Tools. Then select OpenPGP Key Manager, the same steps shown in the images in the VERIFY THE PUBLIC KEY section above.

Now you must verify the imported key before you can use it. Leave the OpenPGP Key Manager window open and follow the instructions in the VERIFY THE PUBLIC KEY section above to verify the key.
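To make concrete what this chapter says about .asc files (plain text, possibly holding several keys, carrying the 16-hex-digit key ID seen in exported filenames) and what Chapter 6 says about key size, here is an added Python reader for the armored OpenPGP format. It is not code from this guide or from Thunderbird; the two demo keys it builds are constructed in memory with made-up moduli and cannot encrypt anything, and the names and addresses in them are placeholders.

```python
"""Reader for OpenPGP ASCII-armored (.asc) files: armor lines, CRC-24, packet headers.
Added example, not Thunderbird's code. All key material is constructed in memory
(a made-up 512-bit modulus) and cannot encrypt anything."""
import base64
import hashlib
import re
import struct

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
ALGOS = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
GUIDE_MIN_RSA_BITS = 3072  # the minimum RSA key size this guide tells readers to use

def crc24(data: bytes) -> int:
    """Checksum carried on the armor's trailing '=XXXX' line (RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def mpi(value: int) -> bytes:
    """Multi-precision integer: 2-byte bit count, then the big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header (tag in bits 2-5) with a 2-byte length; 0x99 for a public key."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Version 4 public-key packet body (tag 6): version, creation time, algorithm 1 (RSA), n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def fingerprint(tag6_body: bytes) -> str:
    """v4 fingerprint: SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(tag6_body)) + tag6_body).hexdigest().upper()

def armor(payload: bytes, kind: str) -> str:
    """Text form of a .asc file: BEGIN line, blank line, base64 lines, '=CRC' line, END line."""
    b64 = base64.b64encode(payload).decode()
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    lines = [f"-----BEGIN PGP {kind}-----", ""] + [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(lines + ["=" + crc, f"-----END PGP {kind}-----", ""])

def read_header(payload: bytes, pos: int) -> tuple:
    """Decode an old- or new-format packet header; return (tag, body_length, body_start)."""
    ctb = payload[pos]
    if ctb & 0x40:  # new format: tag in the low 6 bits, 1-, 2- or 5-byte length field
        tag, first = ctb & 0x3F, payload[pos + 1]
        if first < 192:
            return tag, first, pos + 2
        if first < 224:
            return tag, ((first - 192) << 8) + payload[pos + 2] + 192, pos + 3
        if first == 255:
            return tag, int.from_bytes(payload[pos + 2:pos + 6], "big"), pos + 6
        raise ValueError("partial-body lengths are outside this example")
    size = {0: 1, 1: 2, 2: 4}.get(ctb & 0x03)  # old format: low 2 bits give the length-field size
    if size is None:
        raise ValueError("indeterminate-length packets are outside this example")
    return (ctb >> 2) & 0x0F, int.from_bytes(payload[pos + 1:pos + 1 + size], "big"), pos + 1 + size

def parse_asc(text: str) -> dict:
    """Dearmor a .asc file, verify its CRC-24, and list the keys and user IDs inside."""
    text = text.replace("\r\n", "\n")  # files saved by Windows editors use CRLF
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----\n(.*?)-----END PGP \1-----", text, re.S)
    if not m:
        raise ValueError("no BEGIN/END PGP lines: not an armored OpenPGP file")
    kind, lines = m.group(1), m.group(2).strip("\n").split("\n")
    if "PRIVATE" in kind:  # a backup of secret keys; never hand this to a contact
        raise ValueError("secret key block: it belongs in your backup, not in a contact's hands")
    if "" in lines:  # 'Version:' / 'Comment:' armor headers end at the first blank line
        lines = lines[lines.index("") + 1:]
    payload = base64.b64decode("".join(l for l in lines if l and not l.startswith("=")))
    crc_line = next((l for l in lines if l.startswith("=")), None)
    if crc_line and crc24(payload) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("CRC-24 mismatch: the file was corrupted or altered")
    info, pos = {"kind": kind, "keys": [], "user_ids": []}, 0
    while pos < len(payload):
        tag, length, pos = read_header(payload, pos)
        body, pos = payload[pos:pos + length], pos + length
        if tag == 6 and body[0] == 4:  # v4 public key: fingerprint, key ID, algorithm, size
            fp, algo = fingerprint(body), body[5]
            bits = int.from_bytes(body[6:8], "big") if algo == 1 else None  # RSA: bit length of n
            info["keys"].append({"fingerprint": fp, "key_id": "0x" + fp[-16:], "algorithm": ALGOS.get(algo, str(algo)),
                                 "bits": bits, "meets_guide_minimum": bits is not None and bits >= GUIDE_MIN_RSA_BITS})
        elif tag == 13:  # user ID packet: the "Name <address>" the key is issued for
            info["user_ids"].append(body.decode("utf-8", "replace"))
    return info

def build_demo_public_keys() -> str:
    """Constructed two-key .asc content, like the multi-key export files this guide describes."""
    pkts = b""
    for label, uid in ((b"demo-1", "Demo One <one@example.invalid>"), (b"demo-2", "Demo Two <two@example.invalid>")):
        n = int.from_bytes(hashlib.sha256(label).digest() * 2, "big") | (1 << 511) | 1  # odd 512-bit stand-in, NOT a real modulus
        pkts += packet(6, rsa_public_key_body(1_700_000_000, n, 65537)) + packet(13, uid.encode())
    return armor(pkts, "PUBLIC KEY BLOCK")
```

Running parse_asc on the demo file reports both keys as 512-bit RSA with meets_guide_minimum False, which is exactly the check worth making on a contact's key before trusting it; on a real 4096-bit export the same field comes back True.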

CHAPTER 8 – Backup All Your Keys

It is imperative to make a backup copy of all of your keys and store them in a safe place. This is extremely important for your private keys. If your Thunderbird installation becomes corrupt, compromised or otherwise unusable, without a backup of your private keys there will be no way for you to decrypt and read e-mail and attachments sent to you by others. Maintaining a backup copy of your keys is extremely important. The backup should be stored on either a CD, USB thumb drive or some other type of storage media that gets stored in a secure location away from all possible electrical and magnetic devices that could potentially erase or corrupt the backup. Storage should be in such a way that the backup copy is completely isolated from the Internet and all other networks so there is no possible way for it to be compromised. So here we will cover creating a backup copy of your private keys and public keys in a file on your desktop. Once done you can copy the backup file to whatever external storage device you desire for secure storage and safe keeping. I recommend you store the backup on a small USB thumb drive that you can lock in a safe, filing cabinet, or other secure location.

First, open Thunderbird and click the Menu button then select Tools as shown below.

After selecting Tools you’ll now see the below selections. Click on OpenPGP Key Manager as indicated below to open the OpenPGP Key Manager window.

Now you see the OpenPGP Key Manager window as below. Click on your private key to select it. If you have more than one private key you can back them all up in one file. Just hold down the Ctrl key and click on each private key to highlight it. Private keys are easy to identify because they are the ones displayed in a darker bold text than the public keys are.

Once you have your private key(s) highlighted and selected, select File and click Backup Secret Key(s) To File as shown above. The window shown below will open. Select Desktop on the left side, take note of the name that will be given to the saved file, then click the Save button. This opens a window that requires you to select and enter a password for this backup file. The secret keys require a password which you create. This password will be required for you to import the key(s) into another PGP installation later. Without this password there is flat out no way possible to import your secret key(s) into any other encryption program. So whatever you do, *DO* *NOT* *FORGET* *THIS* *PASSWORD*. If you forget it, then by intentional design there is no possible way to recover it. Since it could easily be years before you would need this backup, I always suggest you set the password to your e-mail address in reverse. For example, if the e-mail address of this secret key is [email protected], then set the password to moc.liamg@liameym.

After entering the password twice, click OK to complete the process and save the file to your desktop.

Repeat the above for saving a backup of all of your public keys. Instead of selecting/highlighting the private keys, hold down the Ctrl key as you click on each public key to highlight it. Then instead of selecting File – Backup Secret Key(s) To File, select Export Public Keys To File.

Once completed you will have two files on your desktop: one for your private key(s) that is password protected, and another for your public keys that is not password protected. Copy both of these files to a USB thumb drive or other external storage media, and remember to delete those files from your desktop once done. Then store your backup in a secure location. You might want to attach a sticker to it with a reminder of what the password is for your secret keys. Without that password, there is just flat out no way possible to restore your secret keys should the need arise.

Chapter 9 – Thunderbird & PGP Encryption Conclusion

From this point forward, every email that you send or reply to from the configured e-mail address will automatically have your public key attached to it. For those e-mail recipients that are familiar with PGP encryption and use it, they will know exactly what to do with it. For those that are not knowledgeable in this, they will more than likely just delete it.

However, you may have clients who know nothing about PGP, yet in order to be in compliance with HIPAA they need to be, and they need to implement and use it. Feel free to send them a copy of this document. Share it far and wide.

Chapter 10 – Confirm It Works.

Using Thunderbird, create a test e-mail and send it to yourself. After sending it you will see a copy of the e-mail in your inbox folder, and also in your Sent Mail folder. From Thunderbird you will be able to read them both.

Now use your browser program (Microsoft Edge, Internet Explorer or Firefox) to log into your e-mail account, and take note that, using your browser, the e-mail message you sent yourself is also in your inbox folder and your sent mail folder. However, you can’t read them. They’re nothing but gibberish and completely indecipherable.

If you elected the option to also hide and encrypt the subject line of your e-mail, then all you will see is the below in both your inbox folder and sent items folder.

If you double click the “encrypted.asc” button it will open a text file that contains nothing but gibberish. That’s your encrypted message. Good luck to anyone who hacks your Gmail account and tries to decipher it. They will not succeed.
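As an added check that is not part of the original guide: the Python below dearmors a saved copy of that encrypted.asc attachment and reports whether it really contains OpenPGP encrypted-data packets, and which key IDs the session key is addressed to, so you can confirm the copy sitting in Gmail is ciphertext rather than a cleartext message with an odd attachment name. The sample message is constructed inline with a made-up key ID; pass the text of the real file to inspect_armored_message instead.

```python
import base64

def _packet_header(data: bytes, i: int):
    """Decode the OpenPGP packet header at offset i (RFC 4880 sec. 4.2) -> (tag, header_size, body_length)."""
    ctb = data[i]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                                   # new-format header
        tag, n = ctb & 0x3F, data[i + 1]
        if n < 192:
            return tag, 2, n
        if n < 224:
            return tag, 3, ((n - 192) << 8) + data[i + 2] + 192
        if n == 255:
            return tag, 6, int.from_bytes(data[i + 2:i + 6], "big")
        raise ValueError("partial body lengths are not handled here")
    size = {0: 1, 1: 2, 2: 4}.get(ctb & 0x03)        # old-format header
    if size is None:
        raise ValueError("indeterminate packet length is not handled here")
    return (ctb >> 2) & 0x0F, 1 + size, int.from_bytes(data[i + 1:i + 1 + size], "big")

def inspect_armored_message(text: str) -> dict:
    """Dearmor a PGP MESSAGE block and report which packet kinds it carries."""
    lines = [ln.strip() for ln in text.splitlines()]
    start = lines.index("-----BEGIN PGP MESSAGE-----") + 1
    end = lines.index("-----END PGP MESSAGE-----")
    # Drop armor headers ("Version: ..."), blank lines and the optional "=XXXX" CRC line.
    b64 = [ln for ln in lines[start:end] if ln and ":" not in ln and not ln.startswith("=")]
    data = base64.b64decode("".join(b64))
    info = {"recipient_key_ids": [], "encrypted": False, "cleartext_literal": False}
    i = 0
    while i < len(data):
        tag, hdr, length = _packet_header(data, i)
        body = data[i + hdr:i + hdr + length]
        if tag == 1:            # Public-Key Encrypted Session Key: version, 8-byte key ID, ...
            info["recipient_key_ids"].append(body[1:9].hex().upper())
        elif tag in (9, 18):    # Symmetrically Encrypted (Integrity Protected) Data
            info["encrypted"] = True
        elif tag == 11:         # Literal Data at top level: the body was never encrypted
            info["cleartext_literal"] = True
        i += hdr + length
    return info

# Constructed sample, not a real Thunderbird export: a PKESK packet (new-format header 0xC1) for
# the made-up key ID 0123456789ABCDEF, then a SEIPD packet (0xD2) filled with placeholder bytes.
_pkesk = bytes([3]) + bytes.fromhex("0123456789ABCDEF") + bytes([1, 0x00, 0x08, 0xAB])
_seipd = bytes([1]) + b"\x00" * 40
_raw = bytes([0xC1, len(_pkesk)]) + _pkesk + bytes([0xD2, len(_seipd)]) + _seipd
SAMPLE_ENCRYPTED_ASC = ("-----BEGIN PGP MESSAGE-----\n\n" + base64.b64encode(_raw).decode()
                        + "\n-----END PGP MESSAGE-----\n")
```

If the result shows encrypted set to True and your own key ID among the recipients, the stored copy is genuine ciphertext; a cleartext_literal of True would mean the message was only signed, not encrypted.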

Chapter 11 – Setting Up PGP On Another Computer with Thunderbird

If you have a second computer (for example your computer at home, if you did the initial setup on the computer at the office), you first need to install Thunderbird on that computer using the instructions in Chapter 5. Once that’s done, return to this Chapter 11.

Next, using the instructions in Chapter 8, make a backup copy of your public and private keys and copy it to a USB thumb drive to take home with you. (You should already have done this so that you have a backup in case of an unforeseen catastrophe.)

Now open Thunderbird, select the Menu icon, then click Account Settings as shown below.

This opens an Account Settings tab as shown below.

Now click the Add Key button and it opens the below dialog. Select Import an Existing OpenPGP Key (circled in red), then click Continue.

Now click the Select File to Import button (not pictured) to open the import selection window (not pictured). Select Desktop on the right, then select the secret private key file to import and click Open. This presents the below dialog.

Ensure the checkbox for “Treat this key as a Personal Key” is selected, then click Continue. This opens the “Passphrase Required” dialog. Enter the password you created and used when you saved this secret key, then click OK.

Now you are presented the import confirmation dialog pictured below.

Just click the Continue button to close the dialog and you’re back to the Account Settings window as below.

Currently, no private key is selected to be used with this account as indicated by the radio button next to None being selected. Change it from None to your key as indicated above. Then click the OpenPGP Key Manager Button. This opens the OpenPGP Key Manager window as below.

Right-click on the private key you just imported and select Key Properties as shown above. This opens the Key Properties dialog shown below.

Confirm that “Yes, treat this key as a personal key” is selected, then click OK to close this dialog and return to the OpenPGP Key Manager window. In the OpenPGP Key Manager window select File and click Import Public Keys From File as shown in the image below.

In the “Import OpenPGP Key File” dialog (not pictured) select the file containing the public keys you backed up earlier, then click the Open button. This presents the below dialog listing all the public keys found in the file to be imported.

Click the OK button and you’ll see a “Success Keys Imported” dialog similar to the below. It shows each key imported along with the fingerprint of that key, in case you need to verify them visually.

Click the OK button to close this dialog and you’re returned to the OpenPGP Key Manager window below. At this point, none of the public keys will work because you need to tell Thunderbird that you have verified each individual key. To verify a key, right-click on it and from the drop-down menu that appears (pictured below) select Key Properties.

This opens the below Key Properties dialog.

By default, the “Not yet, maybe later” option is selected. For this key to work, you must select one of the two bottom options circled in red. Once done click the OK button to close this dialog and return to the OpenPGP Key Manager window.

You must do the above to verify each public key, one at a time. Otherwise, unverified keys will not work. Once you have verified all public keys you can close the OpenPGP Key Manager window by clicking the Close button on the bottom right of that window.

Now you’re back at the Account Settings tab (not pictured). Scroll down and under Default Settings for Sending Messages select the option for “Require Encryption by Default.”

Now click the Close(X) button on the Account Settings tab to exit account settings, and you’re all done. You are now able to send and receive encrypted e-mails with this Thunderbird installation.

Chapter 12 – Frequently Asked Questions (FAQ)

Q – I am unable to send any e-mails. I get a dialog box informing me that there’s a problem with the keys of the intended recipient. When I click the Close button on the popup I get another dialog titled “OpenPGP Message Security”. Then when I click OK on that dialog I’m returned to the e-mail I’m trying to send, and it doesn’t go anywhere.

A – Look at what it says in the security dialog under the Status column. If it says “No key available”, click OK to close that dialog. Then, at the top of the e-mail message you’re attempting to send, click Security and select “Do not encrypt”. Now click Send and your e-mail will be sent. Be aware, however, that the e-mail will not be encrypted. If the status is “No accepted key”, this indicates that you have a public key for this e-mail address but you have not yet verified the key as valid. Follow the instructions in Chapter 7 or Chapter 11 to verify the public key in Thunderbird. Then it will work.

Q – I’ve installed PGP on my computer and it’s working great. But I also have this mailbox set up on my iPhone. Will I be able to read and send encrypted mail on my iPhone?

A – No, not easily. Yes, if you don’t mind jumping through hoops. You can download a free PGP program for your iPhone from the Apple App Store and install it. But setting it up to work with your existing private keys is a lot of work. Then encrypting and decrypting e-mails is even more work on your part. I don’t recommend having your private key on any Apple device, be it iPhone or iPad, as these devices can be easily compromised when connected to public wifi. That puts your private key at risk.

Q – Is it possible to have PGP encryption on my Android device so I can send and receive encrypted e-mail that way too?

A – Yes. You can find quite a number of PGP programs on the Google Play store, and a number of them are free. But as stated above, it’s not user friendly and can put your private key at risk when connected to public wifi.

Q – Is using PGP on my iPhone, iPad or Android as easy as it is on my computers?

A – No. While it’s not hard, set up and configuration is time consuming, and both sending encrypted e-mail and decrypting received e-mail are multi-step processes: you must perform additional steps for each e-mail you wish to encrypt before you send it, and for each encrypted e-mail you receive before you can read it. I would not say it’s hard, but it’s not easy because of the extra steps you have to perform for every encrypted e-mail you deal with.

Q – What if I lose my secret key and don’t have a backup? Or worse yet, what if I can’t recall the password I set when I saved or backed up my secret key?

A – That makes you the same as an inclined plane wrapped helically around an axis. In other words, you’re screwed. It’s that simple. You’ll have to create a new set of keys, both secret and public, and then distribute the new public key to all those you deal with who need it.

Q – Is there a place on the Internet where I can post my public key so that others can get it without having to ask me for it?

A – Yes. In fact, there are quite a number of public key distribution servers on the Internet that you can upload your public key to. While the Thunderbird program uses https://keys.openpgp.org by default, I recommend using the PGP Global Directory at https://keyserver.pgp.com because the website address is one of the easiest to remember. When folks call or e-mail you asking for your public key, just refer them to the website.

Q – I have a rather large number of recipients in my address book. Is it possible to have Thunderbird scan my address book and look for public keys for all of those e-mail addresses?

A – With the newest version of Thunderbird (Version 78.5.0) this feature is not yet available. However, from what I’ve read on the Thunderbird blog website it’s planned and in the works for a future release.