If you would like Thunderbird to digitally sign and/or encrypt every email message sent, follow the steps below. Please note that this is not necessary to do; you may choose to sign and/or encrypt each message individually.
It all boils down to how private you want to keep the information in your emails (bear in mind that the webmail interfaces to Gmail and other email providers can't be used to encrypt and sign your email).
How to Encrypt and Digitally Sign a Thunderbird email
For example, a business using Gmail may wish to encrypt any intellectual property contained in their emails. In the event that their Gmail account has been compromised, the intruder will not be able to read any of these emails because the intruder does not have the private key. If they manage to steal the private key, they still need to know its passphrase in order to use that private key!
If someone digitally signs their outgoing email messages, then (as long as their private key remains private) there is no question about who sent the signed email. Digitally signing an email also allows the recipient to prove that the email has not been tampered with in any way.
You may decide that you only want to encrypt email when necessary (i.e. when it contains information that you would like to remain private in the event that your Gmail account or Yahoo mail account is compromised).
However, once you start using encrypted mail, you will not be able to read anything that has been encrypted without your private key. This means you may only be able to encrypt/decrypt email on specific devices (to put it another way, you may not be able to read all of your email on all of your devices).
Next, you'll need to configure whether or not you want to sign your outgoing emails. Some people find that signing all outgoing email is overkill (pick whatever suits your requirements). If you'd just like the option to sign them, select "No, I want to create per-recipient rules for emails that need to be signed" as shown below, then click "Next".
Now, you'll need to configure whether or not you want all outgoing email to be encrypted by default. Most people will just want the option to be able to encrypt an outgoing email, so if this suits your requirements pick "No, I will create per-recipient rules for those that sent me their public key" as shown in the screenshot below (should be selected by default), then click "Next".
Next you'll be asked if you want Thunderbird/Enigmail to tweak your email settings so that signing and encrypting run more smoothly on your machine. Most people will want to select "Yes" then click "Next" as shown below. (Note that you can take a look at what is being tweaked via the "Details" button. If desired, you may choose to skip some of the tweaks, or you can decline all of them by selecting "No, thanks".)
When you go to write an email, you'll see an "OpenPGP" button at the top. By clicking this you will open up a popup window where you can select "Sign Message" (this is shown below). Select that, then click OK. Now when you send your message, it will be digitally signed.
To send a signed and encrypted email, when writing the email click on the "OpenPGP" button to open the popup shown below. Select both "Sign Message" and "Encrypt Message", then click "OK". When you go to send an encrypted email for the first time, you'll get a popup like the one below asking whether the copy saved to the "Sent" folder should also be encrypted.
S/MIME certificates allow you to digitally sign and encrypt emails, so you can prove your emails actually came from you and not an imposter, and ensure that only your intended recipient can access the encrypted contents.
In this guide, you will learn how to install an S/MIME certificate in Thunderbird and digitally sign your messages. The last section features useful tips on where to buy the best email certificate for your email client.
When writing a new email, expand the Security drop-down menu and select the Digitally Sign This Message option. Please note that you must first receive a digitally signed email message from the recipient to be able to send them an encrypted message.
The best place to buy email certificates to encrypt and digitally sign your correspondence is from an official SSL reseller. Here, at SSL Dragon, we offer the best email certs on the market. Depending on your account (personal or business), you can choose from CPAC certificates issued by Sectigo or S/MIME products provided by DigiCert.
The ACS PKCS Middleware also allows a user to send/receive signed and/or encrypted e-mails using the ACOS5 card/CryptoMate token. Before using Thunderbird, first make sure that you have requested a certificate from a Certificate Authority. This certificate will be the one used for encrypting and signing e-mail.
When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A might be shown with the security status of message B.
Note: In order to encrypt mail, you must first have your recipient's email certificate in your certificate store. To obtain their certificate, you need to get your contact to send you a signed email. Upon receipt of the signed mail, their certificate will be automatically imported into your certificate store and you will be able to sign/encrypt mail to that person.
Some mailing lists reject digitally signed messages because the signature is treated as an attachment. If this happens, click the signed icon in your message; an x replaces the tick, indicating the message will be sent unsigned.
Plus, the label of that tick box is wrong. It is: "This certificate can identify email users." However, email users are very rarely directly identified by a CA certificate / certificate issuer. Instead, the issuer usually signs other certificates which in turn identify email users (or are also used as intermediate certificates). Therefore, that label should be reworded. The label of the other tick box in that dialog ("... can identify websites") is wrong in the same way.
I am glad that you found this little tidbit of information helpful -- like you, I spent a lot of time digging it out -- and I do agree with your comments. Thunderbird's behaviour when importing certificates seems rather illogical: I find it hard to imagine why someone would wish to import a certificate into an e-mail client if not in order to sign or encrypt/decrypt e-mail messages. I suppose there could be some reason for this behaviour that we don't know -- but at the very least, we may safely say that the error messages given when this problem occurs are more confusing than helpful. Let us hope for better things in the future. :)
reads my card objects just fine. I am able to find my certificates on the card in Thunderbird. I am also able to decrypt email that has previously been encrypted and sent to me using S/MIME. As a further point of data on this, the recipient of this message has an intermediate certificate that is not present in the trust store, so the signature is marked as invalid. Even when I add this certificate and modify the trust to trust email users, the signature is reported as invalid.
I frequently see issues with being unable to send signed messages. If I try to send myself a signed and encrypted message, when selecting security and then view certificates of recipients, my own certificate is marked as invalid, even though it is valid and expires at the end of 2024.
"Sending of the message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroup Account Settings, or the certificate has expired." (I found this info, but there is no info on Pure OS, just OpenSUSE: -digitally-signed-emails-with-thunderbird/) Does anybody know how to fix this problem? (I'm a Linux newbie...)
Enigmail actually does both, OpenPGP and S/MIME. So you'll have to make sure to choose OpenPGP encryption and signing, as your post above suggests this is what you're actually trying to do. This can be specified in your Account Settings, or on the fly via the Enigmail menu item in a compose window. You'll also need to specify which keypair shall be used for encryption and signing in your Account Settings.
Yes, I did, I installed Thunderbird and by doing so, I got a new key, but I also installed my old key and the keys I have from people I know. Could these two keys I have now create problems? I didn't know how to avoid creating a new one. I found out right now that I can sign and encrypt mails with very few people, but in most cases I get the error message...
Thank you for asking and trying to help me with this problem! I have a new laptop and I installed Thunderbird the same way I did before on my old computer, and I made the whole set-up for Enigmail as I did on my old computer. Probably, that's why I have two keys for the same e-mail address now. I then realized that I couldn't read the old encrypted messages anymore and remembered that I had saved the keys on a USB stick. I imported them and realized that my e-mail address had two different keys now, the old one and the new one. I thought I could simply delete the new one, but this caused problems, and I imported it again (had saved it before on the stick). I can reply to the old encrypted mails with encryption and signature, but I can't sign new mails. Do you know what might have happened based on this description? Thank you!!