Using encrypted email

This guide explains how to use encrypted email in Thunderbird.

If you want to know more about encryption then see our guide about the basics of encryption.

What this guide covers

• Install Thunderbird
• Set up your email account
• Create your own key pair
• Set Thunderbird to automatically sign messages and attach your public key
• Import a contact’s public key
• Send and receive encrypted emails
• Back up your keys

1. Install Thunderbird

You will need Thunderbird 115 or newer to follow this guide. Make sure to install the latest version available.

Windows and macOS
Download and install Thunderbird on your computer.

Ubuntu
Thunderbird is installed by default.

2. Set up your email account

The first time you open Thunderbird you will automatically be guided through the process of setting up your email account. In most cases, all you have to do is enter your existing email address and password and it will begin working.

You might want to check that the outgoing server is not using port 25 which we block because of spam. Instead it should be set to either port 465 with SSL/TLS or port 587 with STARTTLS.

3. Create your own key pair

1. Click on the menu button (≡) > Account Settings.
2. In the left-hand menu, click End-To-End Encryption.
3. Click on Add Key…
4. Make sure Create a new OpenPGP Key is selected, then click Continue.
5. Select Key type: RSA and Key size: 4096.
6. Click Generate key and then Confirm. Wait for the new key pair to be generated.
7. You are now ready to encrypt emails!

At any time, you can manage your key or create a new one in the End-to-End Encryption settings.

4. Set Thunderbird to automatically sign messages and attach your public key

To automatically sign every email sent and to automatically attach your public key follow the steps.

1. In Thunderbird, click on menu button (≡) > Account Settings > End-to-End Encryption.

2. Check the box Sign unencrypted messages.

3. Under Advanced settings make sure that Attach my public key when adding an OpenPGP digital signature is checked.

5. Import a contact’s public key

To send an encrypted message, you need not only your own key pair but also the recipient’s public key. Let’s import one.

Public keys received as email attachments

If someone sends you their public key as an email attachment, you can right click on it and select "Import OpenPGP Key".

Discovering publicly available keys

Some people make their public keys searchable by email. To check this, open an email from someone and click on their email address. In the pop-up, click Discover OpenPGP Key.

Manually importing a public key

Some people publish their public keys on a website or a key server. Ours is available on our website so that anyone can send us an encrypted message. Here’s how to manually import our key into Thunderbird:

1. Download Mullvad’s GPG key (it’s located in our website’s footer).
   The fingerprint of the key is:
   291F CE63 2170 E5D9 005F 1556 3A91 DB0E 8DA8 01C4
2. In Thunderbird, click on menu button (≡) > Account Settings > End-to-End Encryption.
3. Click on the button OpenPGP Key Manager.
4. In the new window, click on File > Import Public Key(s) From File.
5. Select the downloaded file and click on Open.
6. Select Accepted (unverified) and then click on Import.
7. In the “Success!” pop-up, click OK.
8. You will now see the corresponding email in the list of keys.

6. Send and receive encrypted emails

Now comes the fun part: communicating secretly! Here’s how to email our support team and tell them how great they are.

1. Open Thunderbird and compose a new email.
2. Type support@mullvadvpn.net in the To field.
3. Click on the Encrypt button in the toolbar to enable encryption. To have it enabled by default you can select "Enable encryption for new messages" in Account Settings > End-To-End Encryption.
4. Click on the drop-down icon next to the Attach button and make sure that My OpenPGP Public Key is checked (so you can get an encrypted reply).
5. Finish composing the email and send it.

Congrats! Repeat sections 5-6 to correspond with anyone else using encryption.

7. Back up your keys

Just as you have a spare key to your home, it’s important to have a backup of your key pair.

1. In Thunderbird, click on menu button (≡) > Account Settings.
2. In the left-hand menu, click End-To-End Encryption.
3. To the right of your personal key, click on the chevron symbol to view more information.
4. Click More, then select Export Public Key To File and save the file.
5. Click More again, but this time select Backup Secret Key To File. Save it to a secure location.

You can also upload your public key that you exported to keys.openpgp.org so other people can find it.