Using encrypted email


You don’t have to be an encryption expert to send and receive encrypted emails. In this guide, we’ll show you how to do just that.

If you are new to encryption, you might be interested in reading our guide on the basics of encryption. Otherwise, let’s jump right in!

Many email applications have support for encrypted messages, but we will focus on using Mozilla Thunderbird since it works on macOS, Linux, and Windows.

1. Install Thunderbird

You will need Thunderbird 78 or newer to follow this guide.

Windows and macOS
Download and install Thunderbird on your computer.

Ubuntu
Thunderbird is installed by default.

2. Set up your email account

The first time you open Thunderbird you will automatically be guided through the process of setting up your email account. In most cases, all you have to do is enter your existing email address and password and it will begin working.

Check that the outgoing (SMTP) server is not using port 25, which we block because of spam. Instead, it should be set to either port 465 with SSL/TLS or port 587 with STARTTLS.

3. Create your own key pair

  1. Click on the menu button (≡) > Account Settings.
  2. In the left-hand menu, click End-To-End Encryption.
  3. Click on Add Key…
  4. Make sure Create a new OpenPGP Key is selected, then click Continue.
  5. Select Key type: RSA and Key size: 4096.
  6. Click Generate key and wait for the new key pair to be generated.
  7. Once it’s complete, click Close.
  8. You are ready to encrypt emails!

At any time, you can manage your key or create a new one in the End-to-End Encryption settings.

4. Set Thunderbird to automatically sign messages and attach your public key

To automatically sign every email you send and attach your public key to it, follow these steps.

  1. In Thunderbird, click on the menu button (≡) > Account Settings > End-to-End Encryption.
  2. Check the box Add my digital signature by default.
  3. Under Advanced settings, make sure that Attach my public key when adding an OpenPGP digital signature is checked.

5. Import a contact’s public key

To send an encrypted message, you need not only your own key pair but also the recipient’s public key. Let’s import one.

Public keys received as email attachments

If someone sends you their public key as an email attachment, you can right-click on it and select "Import OpenPGP Key".

Discovering publicly available keys

Some people make their public keys searchable by email. To check this, open an email from someone and click on their email address. In the pop-up, click Discover OpenPGP Key.

Manually importing a public key

Some people publish their public keys on a website or a key server. Ours is available on our website so that anyone can send us an encrypted message. Here’s how to manually import our key into Thunderbird:

  1. Download Mullvad’s GPG key (it’s located in our website’s footer).
  2. In Thunderbird, click on the menu button (≡) > Account Settings > End-to-End Encryption.
  3. Click on the button OpenPGP Key Manager.
  4. In the new window, click on File > Import Public Key(s) From File.
  5. Select the downloaded file.
  6. Click Open, then OK.
  7. In the “Success!” pop-up, click OK.
  8. You will now see the corresponding email in the list of keys.
  9. In order to use the key, you need to verify that you accept and trust it.
  10. To do so, first double-click the key.
  11. In the Key Properties window, select one of the “Yes” options, then OK > Close.
  12. Now you’re ready to send encrypted messages to us!

6. Send and receive encrypted emails

Now comes the fun part: communicating secretly! Here’s how to email our support team and tell them how great they are.

  1. Open Thunderbird and compose a new email.
  2. Type support@mullvad.net in the To field.
  3. Click on the drop-down icon next to the Security button in the toolbar.
  4. Select Require Encryption. This will automatically attach your public key to the email and use Mullvad’s public key that you previously imported and verified. You can double-check this by clicking on the Security button. It should show an “ok” status next to Mullvad’s key.
  5. Finish composing the email and send it!

Congrats! Simply repeat sections 4 and 5 to correspond with anyone else using encryption.

7. Back up your key

Just as you have a spare key to your home, it’s important to have a backup of your key pair.

  1. In Thunderbird, click on the menu button (≡) > Account Settings.
  2. In the left-hand menu, click End-To-End Encryption.
  3. To the right of your personal key, click on the chevron symbol to view more information.
  4. Click More, then select Export Public Key To File.
  5. Save the file in a secure location.
  6. Click More again, but this time select Backup Secret Key To File.
  7. Save this file in a secure place too.

You can also upload the public key you exported to keys.openpgp.org so that other people can find it.

Next step

Continue with our guide about how to blog anonymously