How-to: Encrypted Email on Mac OS X with Thunderbird, Enigmail and GPG

October 11, 2013

This document is intended to help people quickly get started encrypting their email on Mac OS X

Some background:

This tutorial will guide you through installing and configuring several pieces of software which can be used to protect the content of your email from interception by 3rd parties by using encryption.

During this tutorial you will generate a "key pair" for encrypting files. The key pair consists of two parts: the public key and the private key. The public key is used to encrypt plaintext or to verify a digital signature; whereas the private key is used to decrypt encrypted text or to create a digital signature. It is OK to give out your public key to others. Conversely, you should never give your private key to anyone unless you want them to be able to read your encrypted email or files. For further reading see the Wikipedia entry on public-key cryptography.

Mozilla Thunderbird is a free, open source, cross-platform email client developed by the Mozilla Foundation.

GNU Privacy Guard (GPG) is a free, open source cross-platform alternative to the "Pretty Good Privacy" (PGP) suite of cryptographic software. GPG can be used to encrypt many types of files but in this tutorial we will focus on its most common use which is for encrypting email.

Enigmail is a plug-in for Mozilla Thunderbird which adds support for encrypting and decrypting emails to make the process easier.

Important: Known Limitations:
- Encrypting your emails with GPG is a countermeasure against interception of the contents of the email by 3rd parties. However it does not solve the issue of meta-data. In other words, adversaries may still be able to figure out who you are emailing with, the subject line of your email and other information such as the frequency of your communications or the size of your encrypted messages.

- It is possible to encrypt email attachments ( files you attach to your email ) but you need to pay special attention to the informational dialog boxes to make sure that you are doing what you intend. Don't just click 'OK' a bunch of times.

Step 1: Download and install Mozilla Thunderbird

Go to and click the green button to begin downloading Thunderbird.

Once the download completes, the Thunderbird archive should be in your downloads folder, which is accessible from the task bar at the bottom of your screen. Click on the archive to open it.

A dialog box will open up saying something like "Opening Thunderbird 24.0.dmg". It will go through several stages: verifying, checking volumes, mounting. After a few seconds, a folder will open up containing the Thunderbird application. If you have ever installed a Mac OS X application this next step should be familiar to you. Simply drag the Thunderbird icon onto the Applications Folder icon that is also inside the folder. This will install the application on your system.

Step 2: Download and install GPGtools

In your web browser, go to Scroll down to where there is a button that says "Download GPG suite" and click on that button.

The file will download and once the download completes, the GPG suite archive should be in your downloads folder. Now you will follow similar actions as in the previous step: click on the archive to open it. After a few seconds, a folder will open up containing the GPG suite installer. This time however, instead of dragging the application to install it, you need to double click on the "Installer" application which looks like an open box. This will install the GPG suite on your computer.

Click "continue", then click "install". The programs will be installed. Once the installation is complete, you will be presented with a window titled "GPG Keychain Access".

Step 3: Generate your GPG key pair

In the GPG Keychain Access window, click on the triangle next to "Advanced Options" and change the key size to 4096 bits. The larger the key size, the longer it would take to 'brute force' the encrypted materials. With the increase in CPU power in recent years, it doesn't make sense to choose anything less than 4096 bits.

There is an ability to set an expiration date for your key. It makes sense to leave that set at the default, which is 4 years in the future. When you are satisfied with the settings, click 'Generate'.

A small window will pop up requesting that you set a passphrase to protect your key with. If your key ever falls into the hands of an adversary, this passphrase will be the only thing protecting your encrypted data from being unlocked. Therefore you should choose a long and complicated passphrase that will be difficult to guess. You will be prompted to enter your passphrase a second time.

During the generation of the key, the program asks you to generate some random activity by moving your mouse around, and by typing into another application. When the key generation is complete, you will be returned to the main screen of GPG Keychain Access and you will see two keys, one for the GPG Tools Team, and your key that you just generated.

Step 4: Obtaining the fingerprint of your key

If you hold down the 'control' key and then click on your key, a context menu will appear with a number of options. Select 'show info'.

In the show info screen you can see the 'fingerprint' of your key. This fingerprint is not secret. It is useful for other people to be able to verify your key's authenticity. Sometimes people print their GPG fingerprint on their business card, other times people publish it on their twitter profile or website or another public place.

Close the show info screen.

Step 5: Generating a revocation certificate and saving it in a safe place

Additionally, if you hold down the 'control key' again and then click on your key, when the context menu appears, you can choose the option 'Generate revoke certificate' which will create a file that will let you revoke your key from the public key servers, should you ever lose your key pair. You should place this revoke certificate on removable media ( a USB drive, burned onto a CD ) and then store it somewhere safe, perhaps at an off-site location such as a safety deposit box, hidden in a desk drawer or a closet.

Step 6: Uploading your key to the public key servers

If you want other people to be able to obtain your public key and send you encrypted emails without you having specifically sent your public key to them beforehand, then you should upload your key to the public key servers.

Step 7: Configuring Mozilla Thunderbird to work with your email account

Here is a link to Mozilla's instructions on how to set up Thunderbird to work with your email account.

Step 8: Install Enigmail plugin for Thunderbird

Once your email account is working in Thunderbird, the next step is to install Enigmail plugin. Enigmail adds integration with GPG into Thunderbird to make it easier to encrypt and decrypt emails and to import other people's public keys that you may receive in email.

In Thunderbird's menus, click on 'Tools' and then select 'Add-ons'. When you get to the Add-ons screen, in the search window in the upper right hand corner, type 'Enigmail' and hit return. The search function should bring up the option for you to install Enigmail. As of this writing, the latest version is 1.5.2. Click 'install' to install the plugin.

After installing you will get a notice saying 'Enigmail will be installed after you restart Thunderbird.' and giving you the option to restart now. Choose restart now. Thunderbird will restart.

Step 9: Configuring Enigmail

When Thunderbird has restarted, go back to the 'Tools' menu and select 'Add-ons'. When the Add-ons screen appears, select the 'Extensions' tab. You should see an entry for Enigmail. Hit the 'preferences' button. In the preferences screen, under 'Basic Settings' it may say 'cannot find GnuPG' if so, click the 'override with' button and type '/usr/local/bin/gpg' into the text entry box.

Hit 'OK' to close the preferences window. Then close the 'Add-ons manager tab'

Now, select the 'Tools' menu again and this time choose 'Account settings...' You should see your email account in the account settings window. Select 'OpenPGP Security' and then select the checkbox for 'Enable OpenPGP support (Enigmail) for this identity'