There are many reasons why you'd want to set up secure (encrypted and signed) email communications, especially given recent freedom of speech, privacy, and censorship issues in Western cultures. It is useful, and now, thanks to Mozilla Thunderbird, it's also very easy to configure and use.
Requirements
- Mozilla Firefox 3.6 or later
- Mozilla Thunderbird 3.1 or later
- An IMAP/POP3 & SMTP email account
- A friend with the same setup (for testing)
Note: This approach avoids the need to maintain your own certificate store.
Get a Free S/MIME Certificate
- You can get a free email encryption certificate from InstantSSL. Using Mozilla Firefox, go to http://www.instantssl.com/ssl-certificate-products/free-email-certificate.html and follow the on-screen directions. Each person who wants email encryption needs to get their own certificate.
- InstantSSL sends you an email with a link to retrieve the certificate. Make sure you open that link using Firefox, since the private key was generated in Firefox's certificate store when you requested the certificate.
- Firefox will download and store the certificate.
Export the Certificate to Thunderbird
- In Firefox, go to "Tools" -> "Options". Click "Advanced" then "Encryption"
- Click on "View Certificates"
- Make sure you are on the "Your Certificates" tab.
- Look for "The USERTRUST Network".
- Click on the certificate located underneath the heading above
- If there is more than one, you can verify the correct certificate by clicking "View" and, in the "Details" tab, selecting the "Subject" field under the entry named "...'s The USERTRUST Network ID". It should show the email address associated with the certificate. Click "Close" to return to the previous screen.
- Once you have selected the correct certificate, click on the "Backup" button and save the certificate to your computer (or a secure central location) using the default settings.
- You will be prompted to enter a password. This is only used during the backup/export and restore/import process.
- Once saved, click OK three times to close the certificates dialog and the Firefox options window.
- Go to Thunderbird
- Go to "Tools" -> "Options". Click "Advanced" then "Encryption"
- Click on "View Certificates"
- Make sure you are on the "Your Certificates" tab.
- Click "Import"
- Locate the certificate file you saved.
- Enter the password you provided then click OK
- Close out of the certificates and options window.
Setup your Email Account to Use the Certificate
- Now that the certificate is installed in Thunderbird, we can assign it to an email account.
- Click on "Tools" -> "Account Settings".
- Locate the email account you would like to setup encryption for, then click "Security" underneath it.
- Under "Digital Signing" click "Select...".
- Locate the certificate you just imported using the drop-down list, then click OK.
- If there is more than one, look at the "Issued to" field. The email address must match the account's address.
- Click YES on the pop-up message (it asks whether to use the same certificate for encryption).
- Place a check mark in the box "Digitally sign messages (by default)"
- Make sure "Never" is selected under "Default Encryption settings" (more on this later)
- Click OK to save and close the account settings.
Test Message Signing
Since this involves two people, have a friend repeat the steps above. Then continue with the steps below.
- Compose a new message and enter the recipient's email address.
- Ensure that the message will be digitally signed by checking that "Digitally Sign This Message" is ticked under "Options" (it should be, since signing is now on by default).
- Enter a subject and content.
- Send the message.
- Open the message on the recipient's computer.
- The message should have a white envelope icon with a wax seal on it.
- Click "Reply" and send the reply.
- Open the reply on the original sender's computer. It too should show the same icon.
The above "handshake" procedure MUST be done (for each recipient) before you use the encrypted email option shown below. In other words, both parties must exchange a digitally signed email at least once. A signed message carries the sender's certificate, so this ensures that sender and recipient each have the other's public key.
Now, Test Encryption
- Compose a new message and enter the recipient's email address.
- Click on "Options", then place a check mark next to "Encrypt This Message", and also ensure that "Digitally Sign This Message" is enabled (it should be). Alternatively, click the down-pointing arrow on the toolbar icon labeled "Security".
- Enter a subject and content.
- Send the message.
- Open the message on the recipient's computer.
- The message will now have both the wax-sealed envelope icon and a padlock icon. The padlock icon signifies that the message is encrypted.
- If you were to look at the message's source, it will show the message body as gibberish.
All replies to this message will be encrypted by default. If you try to send an encrypted message to a recipient with whom you have not done the "handshake", Thunderbird will pop up an error, because it has no certificate (public key) for that recipient to encrypt to.
This is why we did not enable encryption by default.
Message encryption only requires that both parties have each other's public keys. So long as this is true, the encryption will work across any email client that supports S/MIME. The above example had both parties using Thunderbird, but the same results can be achieved if the recipient were using Mac Mail or Outlook.
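The seal and padlock icons reflect the outer MIME structure of the message, which is the same for every S/MIME-capable client. The following Python script (an added example, not part of the original post) classifies a raw message as signed, encrypted, or neither from that structure alone, using only the standard library; the two sample messages and their base64 bodies are constructed placeholders, not real PKCS#7 data.

```python
import email
from email import policy

# Constructed sample messages (not real mail). The base64 bodies are dummy
# placeholders standing in for the PKCS#7 blobs Thunderbird would produce.
SIGNED_MSG = b"""From: alice@example.com
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig"

--sig
Content-Type: text/plain

hello bob
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFAAAA
--sig--
"""

ENCRYPTED_MSG = b"""From: bob@example.com
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggEuMIIBKgIBADASMA0xCzAJBgNVBAYTAlVTAAAA
"""

def classify_smime(raw: bytes) -> dict:
    """Classify a raw message from its outer MIME type, as the seal/padlock icons do."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    result = {"signed": False, "encrypted": False, "readable_body": True}
    if ctype == "multipart/signed":
        # Clear-signed: the text part stays readable; the signature (with the
        # sender's certificate) rides alongside it, which is what the handshake relies on.
        result["signed"] = msg.get_param("protocol") == "application/pkcs7-signature"
    elif ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = msg.get_param("smime-type")
        if smime_type == "enveloped-data":
            # Encrypted: the body is ciphertext (the "gibberish" seen in the
            # source), and any inner signature is only visible after decryption.
            result["encrypted"] = True
            result["readable_body"] = False
        elif smime_type == "signed-data":
            # Opaque-signed: the content itself is wrapped inside the CMS blob.
            result["signed"] = True
            result["readable_body"] = False
    return result
```

Note that a message that was signed and then encrypted classifies only as encrypted here; Thunderbird shows the seal as well because it inspects the inner signed message after decrypting.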