GPG with Thunderbird and GMail (in browser with Mailvelope)

So, PGP gets a lot of criticism for being hard to use and easy to mess up. In fact, it’s recently become popular to advocate centralized encryption services (at the control of one company e.g. WhatsApp, Signal, Telegram) that don’t allow the user to use their own keys.

Personally, I think that this attitude is short sighted and defeatist. Instead of working to make strong personal encryption user friendly, people have given up, and started attacking PGP as being “too hard”.

Personally, I think that deferring to third party companies is a crutch and the best way to fix the “PGP is too hard” issue is to “make PGP easier” rather than throw away the baby with the bath water.

In that spirit, I’m going to be talking about how to setup GPG keys and send encrypted mail between two mail accounts. One of the accounts is a GMail account and will be using the Mailvelope browser plugin to encrypt mail “in the browser. The other account is an IMAP account and will be using the Thunderbird email client with the Enigmail plugin.

Generating GPG keys for the two email addresses (and a revocation key)

So, for the purposes of this article, I’m going to be using the OS X GPG Keychain tool to generate an encryption key for two email addresses, one an … address and one using a custom domain (

We’ll be using the GMail email address from the browser and the “” address from the Thunderbird email client (connecting to server using IMAP).

To generate the keys, open up GPG Keychain and click on the “New” button and enter some details as below:

After hitting the “Generate Key” button, there’s a screenshot talking about generating entropy for the keys (which can take some time) and then finally you should see the “success” message for each key generation and the option to publish the keys publicly (NOTE: for the purposes of this tutorial, I’m only going to be publishing the “…” key as the GMail address probably belongs to someone else).

Next we can generate some revocation certificates (in case our keys get stolen/lost or when we want to rotate them):

Save the revocation certificate somewhere you won’t lose it (e.g. USB drive, write it to a “single write” CD etc…)

Installing Thunderbird and Enigmail and adding the keys

Thunderbird Mail client can be downloaded and installed from here and the Enigmail plugin (for use with Thunderbird) can be downloaded and installed by going to the Enigmail website.

The key can be added by going to the “Enigmail” menu option, selecting “Key Management” and then the “Import from file” option in the menu:

For our purposes, we’re going to be adding in the “…” private key to Enigmail and the public key for the GMail account. This is very important. We’re simulating two parties talking across the internet without knowing each others’ private keys and therefore we need to make sure that Enigmail only has the private key for one of the accounts and the public key for the other.

Installing Mailvelope and adding the keys

Mailvelope can be downloaded and installed from it’s website here. It’s a browser plugin for Firefox and Chrome and allows you to encrypt data “in the browser”.

NOTE: I haven’t researched how secure this is from things like other plugins (e.g. Google’s Wide Vine plugin) but you’d hope that the browser sandbox model is strong enough to at least protect plugin data from other plugins

Next, click on the “Mailvelope” icon in the browser bar (Firefox shown) and select the “Keyring” option:

Then click on the “Import keys” section on the left and import the key files we’ve generated previously:

Again, make sure to only import the private key for the GMail account and the public key for the “…” account.

Sending an encrypted email between the two accounts

Now that the keys are setup, we’re going to send an email from Thunderbird/Enigmail (encrypted with our “…” key) to GMail/Mailvelope and then reply with an encrypted response (encrypted with our GMail key).

Click “Write” in Thunderbird, type your Subject and message and make sure that the Enigmail encryption icons show that it’s going to encrypt the message:

When you hit the “Send” button, you’ll be prompted as to whether you’d like to encrypt the Subject line:

For this, click the “Leave subject unprotected” button as Mailvelope currently doesn’t support this functionality. Send the message and make sure it is sent without errors.

NOTE: Currently there is no simple, foolproof way to send group email (CC, BCC, multiple recipients etc…)

Receiving, decrypting and replying to the email message

So, now we can log into our GMail account through the web interface as per normal and (assuming the mail has come through, we should see it in our Inbox.

Clicking on the message, you’ll be presented with an “overlay” over the encrypted message, with an envelope icon and your mouse pointer will be a key:

Click on the envelope with a padlock on it, enter the private key password (if prompted) and Voila! You should now see the message sent from Thunderbird.

Hit the “Reply” button and then select the Mailvelope icon:

This will pop up a secure Mailvelope browser window allowing you to write a response back.

Once you’ve written your response, hit “Send” and wait for it to arrive in the other mailbox. Once there, Enigmail should decrypt it and there you have it, secure communications.

What’s still hard about PGP?

  • No support for multiple recipients/BCC/CC.
  • Decryption in a mail thread doesn’t decrypt “in depth”.
  • Subject not encrypted (fix for this, but not universal)
  • Metadata is still in the open (who emailed who and when)
  • Not clear when sending whether you’re doing “encrypt” or “encrypt and sign” or “double encrypt and sign”.

What are the alternatives?

S/MIME. That’s about it really…

Third party services which “do” do end to end encryption


This took me ages to write, mostly due to the steps which I thought were relatively straight-forward, not being straight-forward at all (experience bias). However, I still hold that ultimately the best way to solve the problem of “software X is hard” is to write about it, improve it where you can and help others. Ultimately, time will likely show that you can’t really trust any company/organization, but that you can trust each other.



Signature Errors on Ubuntu repositories

On all of the Ubuntu installs I’ve ever had, I almost always eventually run into the following error when running the ‘apt-get update’ command or hitting the ‘Reload’ button in Synaptic.

W: GPG error: hardy-updates Release: The following signatures were invalid: BADSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key
W: You may want to run apt-get update to correct these problems

From what I understand the problem comes from apt downloading an incomplete/corrupt signature file, meaning that the signature then doesn’t match that of the packages. The fix at the moment is to simply delete the incomplete/corrupt signature file and download it again. To do this run the following command:

sudo rm /var/lib/apt/lists/partial/*

Afterwards running apt-get update doesn’t return the same error.