These pages are intended to be referenced by customers of Nanoman's Company. Visitors are welcome to reference these pages, but our support for you may be limited.
OpenPGP is a free (gratis) open standard that can be used to protect the integrity and/or secrecy of data (computer files, email messages, et cetera). Many computer programs and devices support the OpenPGP standard, and an example of one such program is the email client Mozilla Thunderbird.
This page is intended to introduce OpenPGP concepts to people who have never used it, and to describe how to use it in Mozilla Thunderbird. The instructions on this page were written for Thunderbird version 78.6.0, so these might need to be updated for later versions, but the fundamental concepts shouldn't change.
Thunderbird's developers have written an article that explains OpenPGP's concepts and how to use these in Thunderbird, but most of their article's content doesn't apply to our customers, so we created this page to better serve our customers. People who aren't customers of ours are welcome to reference this page, but our support for you may be limited.
Sending an email message is as risky as sending a postcard. Anybody can send a message that appears to come from your email address, and anybody can read and/or modify any message that you send if they can access anything that's used to relay it from you to your recipients.
Here are some examples of the many things that are usually used to relay email messages from a sender to a recipient:
By design, email is inherently insecure, but cryptography can help protect the integrity and/or secrecy of email messages. Most modern email providers use TLS to protect messages as they travel from a sender's computer to their outgoing email server, and/or from an incoming email server to their recipient's computer, but for messages being relayed through or between email servers, security is often non-existent or questionable.
To protect the integrity and/or secrecy of email messages from the sender's computer to the recipient's computer, you need an end-to-end encryption system. There are many systems that you could use, but the one we trust the most is OpenPGP.
OpenPGP has four primary functions for processing data (files, email messages, et cetera):
To process data, OpenPGP uses cryptographic keys. These keys are like passwords, but they can be used in ways that passwords can't, and they're significantly longer and more complex than typical passwords. A password can be easily written onto a piece of paper for storage, whereas correctly writing down a cryptographic key would be extremely difficult, so these keys are usually stored as computer files.
OpenPGP uses public-key cryptography (also known as asymmetric cryptography). Public-key cryptography requires two types of keys:
Everybody who uses OpenPGP is expected to have their own unique private key and public key, which together are known as a key pair. If you/we/somebody used our Mozilla Thunderbird guide for configuring your email account on your computer, then you should already have your key pair, and this key pair should be stored in Thunderbird's OpenPGP Key Manager.
Every public key has a "fingerprint" that can be used to uniquely distinguish it from other public keys relatively easily. A typical public key contains the equivalent of many hundreds of random letters and numbers, so these keys are too complex for humans to compare reliably or efficiently, whereas a fingerprint contains only forty hexadecimal digits (the numbers 0 to 9 and the letters A to F), so most humans can compare these fingerprints with little difficulty. OpenPGP fingerprints are usually displayed as ten sets of four hexadecimal digits like this: 0123 4567 89AB CDEF FEDC BA98 7654 3210 0246 8ACE.
Before someone can verify your messages or send you encrypted messages, you'll need to send them a copy of your public key:
Before you can verify someone's messages or send them encrypted messages, you'll need to import a copy of their public key:
Another way to exchange public keys is to use Thunderbird's OpenPGP Key Manager, which you can find under Thunderbird's "Tools" menu. To export a copy of a public key into a file so that you can share it however you wish (email, USB drive, SFTP, et cetera), you'd select the key from the list in Thunderbird's OpenPGP Key Manager, go to "File" menu -> "Export Public Key(s) To File", and then save the file to wherever you want it. To import a copy of a public key from a file using Thunderbird's OpenPGP Key Manager, you'd go to "File" menu -> "Import Public Key(s) From File", and then select the file that you want to import.
OpenPGP public key files usually have the filename extension ".asc", ".gpg", or ".pgp". When you're using Thunderbird's OpenPGP Key Manager to try to import a public key from a file, if you don't see a public key file in the "Import OpenPGP Key File" window because it has a different filename extension, then you can change the "Select which types of files are shown" option from "GnuPG Files" to "All Files", and then you should see the file that you were trying to import.
Without exchanging public keys, you can sign messages, and you can encrypt messages to yourself, but there's not much else that you can do. Without a copy of your public key, other people won't be able to verify your messages, and they won't be able to send you encrypted messages. Without a copy of someone's public key, you won't be able to verify their messages, and you won't be able to send them encrypted messages.
People who have exchanged public keys can sign, verify, encrypt, and decrypt email messages to/from each other, but these keys might not belong to the alleged owners. Email messages can be forged and/or altered undesirably, so if these keys were exchanged using an insecure and/or questionable method like email, then the keys and/or messages that each person received might have come from somebody else.
To test the authenticity of a public key, the public key's owner should provide its "fingerprint" to their correspondents using a mutually trusted method. Meeting in person is usually considered ideal, but there are other popular methods, such as posting the public keys' fingerprints to one or more mutually trusted HTTPS websites. Everybody has their own opinions about which communication methods they'd consider trustworthy, so how a public key's fingerprint should be provided is ultimately the decision of the key's owner and their correspondents.
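The fingerprint comparison described above (and the forty-hex-digit layout described earlier) is easy to get wrong by hand: spacing, colons and letter case differ between what a website prints and what the Key Manager shows. As an added example that is not part of this page or of Thunderbird, the Python below normalizes fingerprints before comparing them and also shows where a v4 fingerprint comes from: it is the SHA-1 hash of the public-key packet (RFC 4880 section 12.2), so it is bound to the key material itself. The RSA modulus and creation time used in the demo are constructed values, not a real key.

```python
import hashlib
import hmac
import re
import struct

HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(text: str) -> str:
    """Strip spaces/colons and upper-case the digits so a fingerprint copied from
    a web page, a business card or the Key Manager can be compared reliably."""
    cleaned = re.sub(r"[\s:]", "", text).upper()
    if cleaned.startswith("0X"):          # some tools print a 0x prefix
        cleaned = cleaned[2:]
    if not HEX40.match(cleaned):
        raise ValueError("not a 40-hex-digit OpenPGP v4 fingerprint: %r" % text)
    return cleaned


def is_valid_fingerprint(text: str) -> bool:
    """True when the text normalizes to exactly forty hexadecimal digits."""
    try:
        normalize_fingerprint(text)
        return True
    except ValueError:
        return False


def format_fingerprint(text: str) -> str:
    """Render as ten groups of four hex digits, the layout Thunderbird displays."""
    fp = normalize_fingerprint(text)
    return " ".join(fp[i:i + 4] for i in range(0, 40, 4))


def fingerprints_match(shown: str, trusted: str) -> bool:
    """Compare the fingerprint shown in the Key Manager with the one obtained
    through a trusted channel. A typo in either raises ValueError rather than
    silently returning False."""
    return hmac.compare_digest(normalize_fingerprint(shown),
                               normalize_fingerprint(trusted))


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_fingerprint_rsa(n: int, e: int, created: int) -> str:
    """OpenPGP v4 fingerprint of an RSA public key (RFC 4880 12.2): SHA-1 over
    0x99, a 2-byte body length, and the public-key packet body, which is
    version (4), creation time, algorithm id (1 = RSA), MPI n, MPI e."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


# Constructed demo key material (NOT a real key; far too small to be secure).
DEMO_N = 0xC4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E2BE2BE8FA60150B9046965837C3E7D151B7DE237EBB957C20663898250703B3F
DEMO_E = 65537
DEMO_CREATED = 1609459200  # 2021-01-01T00:00:00Z, constructed

if __name__ == "__main__":
    page_fp = "0123 4567 89AB CDEF FEDC BA98 7654 3210 0246 8ACE"
    print(fingerprints_match(page_fp, "0123456789abcdeffedcba987654321002468ace"))
    print(format_fingerprint(v4_fingerprint_rsa(DEMO_N, DEMO_E, DEMO_CREATED)))
```

`hmac.compare_digest` is used so that comparison time does not depend on where the first differing digit is; for a fingerprint check done by a human this hardly matters, but it is the habit to keep when the same routine is later used in an automated path.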
Assuming you/we/somebody used our Mozilla Thunderbird guide to configure your email account on your computer, you can find your public key's fingerprint in Thunderbird's OpenPGP Key Manager:
After somebody provides you with their public key's fingerprint using a mutually trusted alternative method, you'd authenticate it using Thunderbird's OpenPGP Key Manager:
You can use OpenPGP without authenticating public keys, but this might prevent you from trusting that your correspondents are actually who they claim to be, and people who receive messages allegedly from you might not trust that these actually came from you. For correspondence regarding something unimportant like a recreational game, you might not care about protecting the integrity and/or secrecy of your messages, but for important and/or confidential matters like medical records or lawyer-client discourse, you might feel otherwise.
Please note that OpenPGP wasn't designed to protect email headers. OpenPGP can protect the integrity and/or secrecy of an email message and any attachments, but a message's "From", "To", "Subject", and other header lines could be seen and/or modified while the message is in transit from the sender to the recipient. Thunderbird can use a non-standard method to encrypt a message's "Subject" line, but this isn't part of the OpenPGP standard, so you should never put any secret information into a message's "Subject" line because other email clients might reveal it in their replies.
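To make the header caveat concrete, here is an added example (not from this page or from Thunderbird) that builds a PGP/MIME envelope of the shape defined in RFC 3156 using Python's standard email library and then lists what a relay can read. The ciphertext is a constructed placeholder rather than real OpenPGP output, and the addresses and subject are invented. The `header_leaks` check at the end is one way to catch a sensitive phrase that was typed into the Subject line before the message leaves the client.

```python
from email import encoders
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Constructed placeholder standing in for a real ASCII-armored OpenPGP message.
FAKE_ARMORED = ("-----BEGIN PGP MESSAGE-----\n\n"
                "(constructed placeholder, not real ciphertext)\n"
                "-----END PGP MESSAGE-----\n")


def build_pgp_mime(sender: str, to: str, subject: str, armored: str) -> MIMEMultipart:
    """Assemble a multipart/encrypted message as RFC 3156 describes: a control
    part 'application/pgp-encrypted' holding 'Version: 1', then an
    'application/octet-stream' part holding the armored ciphertext."""
    msg = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject          # stays outside the encrypted part
    control = MIMEApplication("Version: 1\n", "pgp-encrypted", encoders.encode_7or8bit)
    payload = MIMEApplication(armored, "octet-stream", encoders.encode_7or8bit,
                              name="encrypted.asc")
    msg.attach(control)
    msg.attach(payload)
    return msg


def cleartext_headers(msg) -> dict:
    """Every top-level header is readable and modifiable by any relay in transit."""
    return {name: str(value) for name, value in msg.items()}


def body_is_opaque(msg) -> bool:
    """True when the body consists only of the control part and an armored block,
    i.e. no plaintext part is riding along beside the ciphertext."""
    if msg.get_content_type() != "multipart/encrypted":
        return False
    parts = msg.get_payload()
    if len(parts) != 2:
        return False
    control, payload = parts
    if control.get_content_type() != "application/pgp-encrypted":
        return False
    data = payload.get_payload(decode=True)
    return data.startswith(b"-----BEGIN PGP MESSAGE-----")


def header_leaks(msg, secrets) -> list:
    """Names of cleartext headers whose value contains any of the given phrases;
    a non-empty result means something sensitive would travel unprotected."""
    lowered = [s.lower() for s in secrets]
    return [name for name, value in msg.items()
            if any(s in str(value).lower() for s in lowered)]


if __name__ == "__main__":
    m = build_pgp_mime("bob@example.com", "alice@example.com",
                       "Lab results for patient 1234", FAKE_ARMORED)
    print(cleartext_headers(m))
    print("body opaque:", body_is_opaque(m))
    print("leaking headers:", header_leaks(m, ["patient 1234"]))
```

Run against the constructed message, `cleartext_headers` returns the Subject verbatim while `body_is_opaque` reports that the body itself carries only the armored block, which is exactly the split the paragraph above describes.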
Assuming you/we/somebody used our Mozilla Thunderbird guide to configure your email account on your computer, here's how to use OpenPGP's four primary functions in Thunderbird: