Email encryption remains one of the most effective ways to protect sensitive communications. PGP (Pretty Good Privacy), standardized today as OpenPGP and implemented by GnuPG and by Thunderbird itself, provides end-to-end encryption that ensures only the intended recipient can read your messages. This guide walks through configuring OpenPGP encryption in Thunderbird, from key generation to sending your first encrypted email.
Prerequisites
Before beginning, ensure you have:
- Thunderbird version 115 or later (Thunderbird Supernova)
- GnuPG installed on your system (gpg --version should return a version number). Thunderbird's built-in OpenPGP does not require it, but this guide uses it for key generation and for scripting
- An email account already configured in Thunderbird
On macOS, install GnuPG via Homebrew:
brew install gnupg
On Linux, use your package manager:
sudo apt-get install gnupg # Debian/Ubuntu
sudo dnf install gnupg2 # Fedora
Step 1: Generate Your PGP Key Pair
Open your terminal and generate a new PGP key pair using GnuPG:
gpg --full-generate-key
Select RSA and RSA (option 1; this is the default in GnuPG 2.2, while GnuPG 2.3 and later default to ECC/Curve25519, which is equally fine) as the key type. If you stay with RSA, choose a key size of 4096 bits. Set an expiration date; one year is a reasonable default that forces a regular review while maintaining usability, and an expiry can be extended later with --quick-set-expire, so it does not commit you to regenerating the key.
Enter your name and email address associated with your Thunderbird account. Choose a strong passphrase to protect your private key. The key generation process may take a few minutes as GnuPG generates random data.
Verify your keys were created:
gpg --list-secret-keys
You should see your secret key listed with your email address.
Step 2: Configure Thunderbird for OpenPGP
Launch Thunderbird and open Account Settings → End-to-End Encryption (the OpenPGP section). Thunderbird ships its own OpenPGP implementation with a separate keyring, so the key in GnuPG's keyring is not picked up automatically. Click Add Key → Import an existing OpenPGP Personal Key and select an ASCII-armored export of your secret key (the same --export-secret-keys command used for backups below). Thunderbird asks for the key's passphrase during import and afterwards protects the key with its primary password, so set one under Settings → Privacy & Security if you have not; without a primary password the imported key sits unprotected in the profile. Delete the export file once the import succeeds. (Add Key → Create a new OpenPGP Key lets Thunderbird generate a key itself if you skip GnuPG entirely.)
Select the imported key as the account's OpenPGP key. Repeat this for each email account that needs encryption; the same panel lets you choose whether new messages are encrypted and signed by default.
Step 3: Export and Share Your Public Key
To receive encrypted emails, others need your public key. Export it:
gpg --armor --export your.email@example.com > my_public_key.asc
This creates an ASCII-armored file you can attach to emails or upload to a keyserver. Thunderbird can also handle this automatically: in the compose window, open the Security menu and select Attach My Public Key (this attaches the key from Thunderbird's own keyring, so it must have been imported there first).
To import someone else’s public key:
gpg --import their_public_key.asc
Verify the key's fingerprint before trusting it, by comparing it with the owner over a channel the email path cannot tamper with (phone, in person, or a signed web page you already trust):
gpg --fingerprint their.email@example.com
In Thunderbird's own keyring, import the file via Tools → OpenPGP Key Manager → File → Import Public Key(s) From File, open the key, compare the fingerprint the same way, and only then set its acceptance to verified. Thunderbird does not read GnuPG's keyring or its trust database.
Step 4: Sending Encrypted Emails
Composing an encrypted email in Thunderbird is straightforward. In the compose window, click the Encrypt toggle (lock icon) in the toolbar, or choose Security → Require Encryption, to encrypt that specific message.
Thunderbird encrypts the email to the recipient's public key, which must be present in its keyring and accepted (at least as "not yet verified"). If you haven't imported their key, the Key Assistant prompts you to resolve this before sending, by importing a file or looking the address up on keys.openpgp.org.
Thunderbird reads legacy inline PGP messages but always sends PGP/MIME, which also protects attachments and, with Thunderbird's default protected headers, the subject line; no add-on is needed for either.
Step 5: Receiving and Decrypting Emails
When you receive an encrypted email, Thunderbird decrypts it with the secret key in its own keyring; if you set a primary password, you are prompted for it when the key is first used in the session (with external GnuPG, gpg-agent's pinentry asks for the passphrase instead). The decrypted content displays directly in the message pane.
For signed emails, Thunderbird verifies the signature with the sender's public key in its keyring and reports the result in the message header: a valid signature from a key you have accepted as verified is shown as good, a valid signature from a key you have not verified is shown as uncertain rather than good, and an invalid signature or a missing key is flagged as an error.
Key Management Best Practices
Effective key management requires ongoing attention:
Backup your keys — Export your secret key and store it securely:
gpg --armor --export-secret-keys your.email@example.com > backup_secret_key.asc
Store this backup on encrypted, offline media (an encrypted USB drive kept somewhere safe). A hardware token such as a YubiKey holds the private key itself rather than a file backup; if you move the key onto one with keytocard, keep the backup made beforehand, because the key cannot be read back out of the token.
Revoke compromised keys — Generate a revocation certificate immediately after creating keys (the command is interactive and asks for a reason):
gpg --gen-revoke your.email@example.com > revoke.asc
GnuPG 2.1 and later already save one at key creation under ~/.gnupg/openpgp-revocs.d/. Store the certificate offline: anyone holding it can revoke your key, and the revocation reaches others only once you import it into your keyring and publish the revoked key.
Regular rotation — When you create a replacement key, certify it with the old key so correspondents who trust the old one get continuity, and announce the change in a message signed by both:
gpg --default-key old.key@example.com --sign-key new.key@example.com
Extending the expiry of a sound key with --quick-set-expire is the lighter alternative to a full annual rotation.
Keyserver synchronization — Upload your public key to a keyserver for easier discovery (keys.openpgp.org sends a confirmation mail and lists your address only after you confirm it):
gpg --keyserver keys.openpgp.org --send-key your.keyid
Troubleshooting Common Issues
Thunderbird cannot find your key — Check Account Settings → End-to-End Encryption: the personal key must be listed there and selected for that account. Delete and re-import the key if necessary.
Decryption fails with “No secret key” — In Thunderbird's own keyring, open Tools → OpenPGP Key Manager and confirm your personal key is present, not expired, and the one the message was encrypted to (mail encrypted to an older key needs that key's secret part imported). With external GnuPG, check with gpg --list-secret-keys.
Recipients cannot decrypt — Confirm they have your current public key (compare fingerprints) and that their client supports PGP/MIME; tools that only understand inline PGP see Thunderbird's messages as attachments.
Missing passphrase prompt — Only relevant with external GnuPG: check that gpg-agent is running (gpg-connect-agent /bye starts it) and that a pinentry program is installed. With the built-in keyring, Thunderbird asks for the primary password instead, and asks nothing at all if none is set.
Advanced: Integrating with GnuPG Directly
For developers who prefer terminal-based workflows, Thunderbird can delegate secret-key operations to GnuPG instead of using its own keyring. Set the hidden preference mail.openpgp.allow_external_gnupg to true (Settings → General → Config Editor), then in Account Settings → End-to-End Encryption choose Add Key → Use your external key through GnuPG and enter the key ID. This requires the GPGME library to be installed, and correspondents' public keys still have to be imported into Thunderbird's own keyring; only your private key stays in GnuPG, which also makes smartcard-resident keys usable.
Keeping the key in GnuPG means scripts and Thunderbird share it:
echo "Secret message" | gpg --encrypt --recipient recipient@example.com --armor
Thunderbird's built-in OpenPGP (the default) remains the simpler path for most users: it handles PGP/MIME multipart messages and key acceptance itself, while the external-GnuPG mode mainly earns its keep when the secret key must live on a smartcard or be shared with other tools.
Advanced Key Management at Scale
For organizations managing multiple PGP keys:
# Create a key management infrastructure:
# certify-only primary key on an air-gapped device, working subkeys on
# internet-connected machines
# On the offline machine, create the primary key (RSA 4096, expires in 1 year).
# With --expert, option (8) "RSA (set your own capabilities)" lets you switch
# off Sign and Encrypt so the primary only certifies
gpg --expert --full-generate-key
# Export the public key (carry it to the online machines on removable media)
gpg --armor --export your.email@example.com > company_public_key.asc
# Create a revocation certificate (GnuPG 2.1+ also saves one under
# ~/.gnupg/openpgp-revocs.d/ at key creation); it never leaves the offline host
gpg --gen-revoke your.email@example.com > revocation.asc
# Add subkeys for different purposes (interactive: addkey asks type, size, expiry)
# Signing subkey
gpg --edit-key your.email@example.com
# Command: addkey → (4) RSA (sign only) → 4096 → expires 6m → save
# Encryption subkey
gpg --edit-key your.email@example.com
# Command: addkey → (6) RSA (encrypt only) → 4096 → expires 6m → save
# Export only the subkeys' secret parts; the primary is replaced by a stub
gpg --armor --export-secret-subkeys your.email@example.com > online_subkeys.asc
# On the online machine: import them and confirm the primary is listed as
# "sec#" (stub), meaning this host can sign and decrypt but not certify
gpg --import online_subkeys.asc
gpg --list-secret-keys
This separation means that if a signing subkey is compromised on an online machine, you revoke just that subkey from the offline primary and issue a new one; your identity, the certifications others have made on it, and the other subkeys stay intact.
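The same layout as an added, non-interactive example (this is not the guide's own command sequence, which walks through --edit-key by hand). Two throwaway GnuPG home directories stand in for the air-gapped host and the online host, so nothing under ~/.gnupg is touched; the key name and address are assumptions made for the demo:

```sh
#!/bin/sh
# Added example (not the guide's own commands): the offline-primary / online-subkey
# layout above, built non-interactively in two throwaway keyrings so the outcome
# can be checked. "offline" stands in for the air-gapped host. Key name and
# address are assumptions for the demo.
set -eu

# Run gpg non-interactively against a given keyring directory.
g() {
  home=$1; shift
  gpg --homedir "$home" --batch --quiet --no-tty --yes \
      --pinentry-mode loopback --passphrase '' "$@"
}

# Primary-key fingerprint for a user ID: the first "fpr" record in colon output.
fingerprint_of() {
  g "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

cleanup() {
  for d in "$offline" "$online"; do gpgconf --homedir "$d" --kill all >/dev/null 2>&1 || true; done
  rm -rf "$offline" "$online"
}

main() {
  offline=$(mktemp -d); online=$(mktemp -d)
  trap cleanup EXIT

  # Offline host: certify-only primary, then a signing and an encryption subkey
  # (the non-interactive form of --full-generate-key plus --edit-key/addkey).
  g "$offline" --quick-generate-key "Example Corp <signing@example.com>" rsa4096 cert 1y
  FPR=$(fingerprint_of "$offline" signing@example.com)
  g "$offline" --quick-add-key "$FPR" rsa4096 sign 6m
  g "$offline" --quick-add-key "$FPR" rsa4096 encr 6m

  # GnuPG 2.1+ writes a revocation certificate at key creation; it stays offline.
  if [ -f "$offline/openpgp-revocs.d/$FPR.rev" ]; then REVCERT=present; else REVCERT=missing; fi

  # Only the subkeys' secret parts travel to the online host; the primary goes as a stub.
  g "$offline" --armor --export-secret-subkeys "$FPR" > "$online/subkeys.asc"
  g "$online" --import "$online/subkeys.asc"

  # Online host: two secret subkeys, and the primary listed as "sec#" (secret part absent).
  ONLINE_SUBKEYS=$(g "$online" --with-colons --list-secret-keys | awk -F: '$1 == "ssb"' | wc -l | tr -d ' ')
  if g "$online" --list-secret-keys | grep -q '^sec#'; then PRIMARY=stub; else PRIMARY=FULL; fi

  # Day-to-day work succeeds with the subkey alone ...
  if printf 'release 1.2.3\n' | g "$online" --local-user "$FPR" --armor --sign >/dev/null; then SIGN=ok; else SIGN=failed; fi
  # ... but anything that needs the primary, such as minting another subkey, is refused.
  if g "$online" --quick-add-key "$FPR" rsa4096 auth 6m 2>/dev/null; then ADD_SUBKEY=allowed; else ADD_SUBKEY=refused; fi

  echo "revcert=$REVCERT online_subkeys=$ONLINE_SUBKEYS primary=$PRIMARY sign=$SIGN add_subkey=$ADD_SUBKEY"
}

if command -v gpg >/dev/null 2>&1; then main; else echo "gpg not found: install GnuPG first" >&2; fi
```

Run it with sh; it prints a one-line summary. In real use the export file crosses the air gap on removable media, and the check to keep is the sec# marker on the online host: if gpg -K there shows a plain sec, the full secret key was copied and the separation buys nothing.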
Using GnuPG in Bash Scripts
Automate encryption for sensitive information:
#!/bin/bash
# Automated encrypted backup script
set -euo pipefail
RECIPIENT="backup@company.com" # key able to restore; its secret half lives only on the restore host
BACKUP_DIR="/var/backups"
GPG_KEY_ID="0x1234ABCD" # Your signing key ID (placeholder)
OUT="$BACKUP_DIR/backup-$(date +%Y%m%d).tar.gz.asc"
# Create, sign and encrypt in one pass; no unencrypted archive touches disk
tar czf - /important/data | \
gpg --encrypt \
--recipient "$RECIPIENT" \
--sign --local-user "$GPG_KEY_ID" \
--armor \
> "$OUT"
# Upload to cloud storage
aws s3 cp "$OUT" s3://encrypted-backups/
# Verify backup integrity. The signature inside an encrypted message can only be
# checked while decrypting, which needs the recipient's secret key, so run this
# step on the restore host; gpg --verify alone reports no signature for encrypted data
gpg --decrypt "$OUT" > /dev/null
This ensures backups remain encrypted from creation through storage, and the signature lets the restore host detect a tampered or substituted archive.
Troubleshooting Advanced PGP Issues
Issue: “No public key” error when verifying signatures
# The sender's key isn't in your keyring: fetch it by key ID or, better, full fingerprint
gpg --keyserver keys.openpgp.org --recv-keys 0x1234ABCD
# Or search by address (keys.openpgp.org lists only addresses their owners have
# confirmed; legacy SKS servers such as pgp.mit.edu are unreliable and unverified)
gpg --keyserver keys.openpgp.org --search-keys their.email@example.com
# A key fetched from any server is unverified until you compare its fingerprint out of band
Issue: Signature shows “unknown trustworthiness”
# You imported their key, but nothing you trust vouches for it, so gpg reports the
# signature as good and the key as not certified
# Verify the fingerprint through an out-of-band channel (phone, in person)
gpg --fingerprint their.email@example.com
# Then certify the key: --lsign-key keeps the certification local to your keyring,
# --sign-key creates one you could publish
gpg --lsign-key their.email@example.com
# Owner trust is a separate setting: how far you trust this person to certify
# other people's keys. Reserve 5 (ultimate) for your own keys and use 4 (full)
# or 3 (marginal) for others, if at all
gpg --edit-key their.email@example.com
# Command: trust → 4 (full) → quit
# Thunderbird's own keyring ignores GnuPG's trust database: open the key in
# Tools → OpenPGP Key Manager and set its acceptance to verified instead
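The fingerprint check from Step 3 and this "unknown trustworthiness" fix, run end to end, as an added example that is not part of the original guide. It uses two throwaway GnuPG home directories to play both sides, so nothing under ~/.gnupg is touched; the names, addresses and the ed25519 choice are assumptions made for the demo:

```sh
#!/bin/sh
# Added example (not from the original guide): refuse an imported key unless its
# fingerprint matches the value confirmed out of band, then certify it locally and
# watch gpg's validity go from unknown to full. Two throwaway keyrings stand in for
# the two people. Names, addresses and the ed25519 choice are assumptions for the
# demo; the checks are identical for the guide's RSA 4096 keys.
set -eu

# Run gpg non-interactively against a given keyring directory.
g() {
  home=$1; shift
  gpg --homedir "$home" --batch --quiet --no-tty --yes \
      --pinentry-mode loopback --passphrase '' "$@"
}

# Primary-key fingerprint for a user ID: the first "fpr" record in colon output.
fingerprint_of() {
  g "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Validity field of the "pub" record after recomputing the trust database:
# "-"/"q" unknown, "m" marginal, "f" full, "u" ultimate, "e" expired, "r" revoked.
validity_of() {
  g "$1" --check-trustdb
  g "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "pub" { print $2; exit }'
}

# Compare the fingerprint read back over the phone (any spacing, any case) with
# the keyring copy. Returns 0 on match, 1 otherwise.
verify_fingerprint() {
  expected=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
  actual=$(fingerprint_of "$1" "$2")
  [ -n "$actual" ] && [ "$expected" = "$actual" ]
}

cleanup() {
  for d in "$alice" "$bob"; do gpgconf --homedir "$d" --kill all >/dev/null 2>&1 || true; done
  rm -rf "$alice" "$bob"
}

main() {
  alice=$(mktemp -d); bob=$(mktemp -d)
  trap cleanup EXIT

  # Each side owns a key; a key generated in a keyring is ultimately trusted there.
  g "$alice" --quick-generate-key "Alice <alice@example.com>" ed25519 cert 1y
  g "$bob"   --quick-generate-key "Bob <bob@example.com>"     ed25519 cert 1y

  # Alice sends her public key (attachment, keyserver, web page); Bob imports it.
  g "$alice" --armor --export alice@example.com > "$bob/alice.asc"
  g "$bob" --import "$bob/alice.asc"

  # What Alice reads from her own screen, grouped like gpg --fingerprint prints it.
  spoken=$(fingerprint_of "$alice" alice@example.com | sed 's/..../& /g')
  if verify_fingerprint "$bob" alice@example.com "$spoken"; then MATCH=ok; else MATCH=MISMATCH; fi

  # A single changed hex digit (a substituted key) must be rejected.
  if [ "$(printf '%s' "$spoken" | cut -c1)" = A ]; then alt=B; else alt=A; fi
  if verify_fingerprint "$bob" alice@example.com "$alt${spoken#?}"; then TAMPERED=ACCEPTED; else TAMPERED=rejected; fi

  # Only after the fingerprint check: a local certification (lsign is never
  # exported) is what lifts the key from unknown to fully valid. Owner trust is a
  # separate question and is left untouched here.
  BEFORE=$(validity_of "$bob" alice@example.com)
  g "$bob" --quick-lsign-key "$(fingerprint_of "$bob" alice@example.com)"
  AFTER=$(validity_of "$bob" alice@example.com)

  echo "fingerprint=$MATCH tampered=$TAMPERED validity_before=$BEFORE validity_after=$AFTER"
}

if command -v gpg >/dev/null 2>&1; then main; else echo "gpg not found: install GnuPG first" >&2; fi
```

Run it with sh; it prints one summary line. The point of verify_fingerprint is that it normalizes spacing and case before comparing, and that the comparison happens before the certification, never after. In Thunderbird's own keyring the equivalent of the lsign step is setting the key's acceptance to verified in the OpenPGP Key Manager.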
Issue: Thunderbird won’t use your key
# gpg-agent matters only when Thunderbird uses external GnuPG; make sure it is running
pgrep gpg-agent || gpg-connect-agent /bye
# Verify Thunderbird found your key:
# Account Settings → End-to-End Encryption (OpenPGP section)
# Should list your personal key next to the email address, and not as expired
Email Encryption Workflow
Optimal workflow for secure email communication:
- For new contacts: Exchange keys through secure channels first (Signal, in-person, video call)
- Verify fingerprints: When importing, always verify the fingerprint matches
- Use signed emails: Signing lets recipients verify authorship even when encryption is not possible, but a signature is also a durable, non-repudiable record, so sign deliberately rather than on every message by reflex
- Establish communication: Once key exchange is complete, enable encryption for sensitive topics
Integration with Other Email Clients
While this guide focuses on Thunderbird, other clients support PGP:
Apple Mail (macOS): No native OpenPGP support. GPG Suite from GPGTools adds it through its GPG Mail plugin (open-source, but current versions require a paid support plan).
Outlook: No native OpenPGP support (Out of the box Outlook only does S/MIME). Gpg4win's GpgOL plugin adds OpenPGP to Outlook on Windows, or use Thunderbird.
Gmail: The web interface has no OpenPGP support; browser extensions such as FlowCrypt and Mailvelope add it, with the caveat that your keys then live in the browser profile.
Mobile: Signal is a messenger, not email. For OpenPGP email on Android use K-9 Mail (the basis of Thunderbird for Android) together with the OpenKeychain app.
For maximum compatibility, Thunderbird remains the strongest open-source option with built-in PGP support.
Performance and Usability Trade-offs
PGP encryption provides strong security guarantees but at usability cost:
Advantages:
- Strong cryptographic guarantees
- Decentralized (no single point of failure)
- Open standards (can migrate to different tools)
- Web of trust: fingerprint verification and key certification build a trust network without a central authority
Disadvantages:
- Key management complexity
- Users who lose passphrases cannot recover messages
- Adoption friction (most users don’t use PGP)
- Metadata (sender, recipient, date) is not encrypted; the subject is protected only when both clients support OpenPGP protected headers, as Thunderbird does by default
For organizations, consider whether PGP is necessary or if simpler transport encryption (TLS) plus authentication might suffice.