encrypted email with pgp keys & thunderbird

>> first posted: Nov 26, 2025
>> last updated: Nov 28, 2025

(1) install thunderbird by mozilla
  - i recommend using either your package manager or software center; not the webpage
  - after installing, open settings by pressing the hamburger menu in the top right
  - untick ‘When Thunderbird launches, show the Start Page in the message area’
  - change the default search engine to duckduckgo
  - tick ‘clear cache at shutdown’
  - at the very bottom of the settings page, click the button to open the ‘config editor’
  - put network.protocol-handler.external-default in the top search bar
  - click on the toggle button on the right to change the value to ‘false’
      this disables clicking links - removing the risk of misclicking malware links
      you /do/ want that, right? if not, probably don’t do this step.
      with this set, to open links in emails:
      right click on a link, choose ‘copy link location’, open the link in a browser
      have you considered using librewolf or mullvad?
  - if you are using a vpn or trusted dns provider already at the os level:
    set your ‘dns over https’ in thunderbird to ‘off’ to use your os level choice
  - if not, then choose ‘max protection’, choose custom, and put base.dns.mullvad.net
    or a different trusted dns which matches your preferences for speed vs. privacy
  - change any other settings you wish to make thunderbird work and feel the way you want

(2) connect an email provider to thunderbird
  - you want a provider which has imap/smtp support (most major ones do)
  - click on the hamburger menu in the top right of thunderbird’s menubar
  - choose ‘new account’ and then choose ‘email’
  - enter your username (or real name if you are like that) & your email, and hit continue
  - for most email services you should be able to click continue again
    if yours doesn’t auto-generate, you will need to find separate instructions (sorry)
  - enter your password for the email service you use
      with some providers (especially with 2fa) you will need to create an app password to use
      in that case you would make one on the provider side and then use it in thunderbird
      make sure this password is /extra/ robust (random, 32+ characters) since you are bypassing 2fa
  - do not select address books or calendars (unless you have other desires) and finish

(3) add a pgp key to thunderbird
  - right-click the account where it was added to the left (by default) and open settings
  - select the ‘end-to-end encryption’ section and click on ‘add key’
  - either import your private key if you have one or choose to create one
      regardless of your choice, make sure to backup your private key securely
      if you use bitwarden, you can upload it as an attachment
      you will have no way to access your encrypted emails without it
  - below where you clicked ‘add key’, select the key you added and also click publish
      you will receive an email from openpgp.org which contains a link
      if you click it, it will connect your email to your public key on the openpgp server
      this will allow anyone using clients with the capability (like thunderbird)
      to seamlessly email you without needing to look anything up or get anything from you
      it does however make your email more public, and also links the two on the openpgp server
      thunderbird expects you to link the two - it is more work if you don’t
  - enable ‘enable encryption for new messages’
      unless you don’t want trying to encrypt the message to be the default
  - i would recommend going under ‘spam settings’ and ticking ‘collected addresses’
  - match the other settings under ‘spam settings’ » ‘destination and retention’ to your needs

(4) snag the user.js file from the thunderbird user.js repo
    on linux it should be placed at ~/.thunderbird/[text-string].default-release/user.js
      be aware that this disables javascript (as it well should)
      you may need to reenter the ‘config editor’ mentioned in part (1) to briefly reenable it
      by changing ‘javascript.enabled’ to ‘true’ for long enough to authenticate a new account

(5) email others securely
  - if your chosen recipient is not sharing their email and key on openpgp.org
    and you have not emailed them securely before, you may need to go to the settings
    go to the ‘end-to-end encryption’ section & click ‘openpgp key manager’ & then click ‘file’
    choose ‘import public key(s) from file’ and then you should be able to email them as normal
      (thunderbird will be grumpy if their key does not include their email)
    you can confirm it is working if the lock next to ‘encrypt’ (near ‘send’) is not lined out
    if you try to email someone you don’t have a public key for there will be a large warning
    if you want to email anyway, you can simply click ‘do not encrypt’ on the warning banner

(6) be emailed securely
  - you know that email from openpgp.org with the link in it?
    if you clicked that, it’s easy - they just need your email, same as normal
  - your other option is to share your public key with anyone who wants to email you directly
    you can, of course, share the full text or file, but that can be unwieldy in some contexts
    it can be easier to share the long key-id (you should not use the eight character one)
    a 16 character code from (B) below is the long key-id & is often shared with ‘0x’ in front
    your id can also be found in the thunderbird encryption settings (e.g. 0x7F30636A354013AF)
    by making your long key-id available to everyone in the same places you make your
    email available (e.g. website, business card, sharpie on hand) they can email you securely
    assuming your unlinked key is on openpgp.org since they can use it to get the full key

if you have different thoughts/opinions, have questions, or just want to try it out
feel free to email me! my email and long key-id are on the /contact page at the top

[optional] generating and managing your pgp keys yourself

(A) generate your pgp key-pair in the terminal
  - gpg --full-generate-key (be aware: the command is ‘gpg’ not ‘pgp’)
      this command will likely just work for you; if not, it is probably because
      the command requires gnupg (which comes with most linux distros)
      if you lack it, you should look up instructions for installing it for your distro
  - choose ‘(1) RSA and RSA’
  - enter ‘4096’ (more secure with no real downside)
  - i would recommend ‘3y’
      note: you can extend the expiration later as long as you have the private key
      some would encourage short expirations in case your private key becomes compromised
      but consider, if they have your private key they can also just extend the expiration
  - if the date looks right, enter ‘y’
  - enter the username to associate with the key
      this field is required, but it can be a username, real name, or something else
  - enter the email address to be associated with the key
  - you can press enter to submit no comment
  - if everything looks correct, enter ‘o’
  - enter a password when prompted
      this password protects your key from being stolen off your disk and used
      i strongly recommend 32+ character random passwords everywhere using a password manager

(B) locate your newly generated pgp key-pair
  - list your keys with gpg --list-secret-keys --keyid-format=long
      find the 16 character long-id on the ‘ssb’ line for the key you generated
      for example: “ssb rsa4096/7F30636A354013AF 2025-11-27 [E] [expires: 2025-11-28]”
          note: the example is not a key in use on openpgp.org at the time of posting
  - run: gpg --armor --export-secret-keys [your long-id] > ~/Desktop/privatekey.asc
      you don’t need it for this guide but if you want your public key
      you can run --export instead of --export-secret-keys and name the file publickey.asc
      you /really/ don’t want to mix them up: public is for sharing - private is /very/ not
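as an added example (my own script, not part of the guide above), here is a small posix sh script that does the fiddly bits of (B) and (6) in one go: it pulls the 16 character long key-id out of a ‘gpg --list-secret-keys --keyid-format=long’ listing, refuses the 8 character short form, prints the ‘0x’ version you would put on a business card, and builds the two export commands so the public and private files can’t be confused. the listing it parses is a constructed sample (the ids are made up, not a key on openpgp.org); run it with ‘run’ as the first argument to use your real gpg output instead.

```shell
#!/bin/sh
# Constructed sample listing mirroring the format of `gpg --list-secret-keys
# --keyid-format=long`; the ids and fingerprint are made up, not a real key.
SAMPLE_LISTING='sec   rsa4096/1A2B3C4D5E6F7A8B 2025-11-27 [SC] [expires: 2028-11-26]
      0123456789ABCDEF0123456789ABCDEF1A2B3C4D
uid                 [ultimate] example user <user@example.org>
ssb   rsa4096/7F30636A354013AF 2025-11-27 [E] [expires: 2028-11-26]'

# long_id_from_listing LISTING TYPE -> the 16 hex chars after the slash on the
# first 'sec' or 'ssb' line (part (B) of the guide reads it off the 'ssb' line).
long_id_from_listing() {
  printf '%s\n' "$1" | awk -v want="$2" '$1 == want { split($2, p, "/"); print p[2]; exit }'
}

# is_long_keyid ID -> success only for a 16 hex-char id (optional 0x prefix);
# the 8 character short id is rejected on purpose, as part (6) advises.
is_long_keyid() {
  case "$1" in
    0x*) _id="${1#0x}" ;;
    *)   _id="$1" ;;
  esac
  [ "${#_id}" -eq 16 ] || return 1
  case "$_id" in
    *[!0-9A-Fa-f]*) return 1 ;;
  esac
  return 0
}

# shareable_keyid ID -> the form to publish next to your email: 0x + upper case.
shareable_keyid() {
  is_long_keyid "$1" || return 1
  printf '0x%s\n' "$(printf '%s' "${1#0x}" | tr 'a-f' 'A-F')"
}

# export_cmds ID OUTDIR -> prints the two export commands from part (B).
# Distinct file names keep public and private apart; the private export runs
# under umask 077 so the file is created owner-readable only.
export_cmds() {
  is_long_keyid "$1" || return 1
  printf 'gpg --armor --export %s > %s/publickey.asc\n' "$1" "$2"
  printf '(umask 077 && gpg --armor --export-secret-keys %s > %s/privatekey.asc)\n' "$1" "$2"
}

# With 'run' as the first argument, parse your real gpg output instead of the sample.
if [ "${1:-}" = "run" ]; then
  SAMPLE_LISTING=$(gpg --list-secret-keys --keyid-format=long)
fi
id=$(long_id_from_listing "$SAMPLE_LISTING" ssb)
echo "long key-id to share: $(shareable_keyid "$id")"
export_cmds "$id" "$HOME/Desktop"
```

the script only prints the export commands; copy and run them yourself once you have checked the id is the one you meant.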