Encrypted Email Set-up for Mac

This guide will help you set up encrypted email on Mac OS X. For encryption on Windows, click here. The Access Now Helpline is at your service if you have any questions.

Last updated: July 2015

Please consider this date when evaluating the accuracy and security of the following guide.

Before Beginning

In order to better protect the data on your computer, we highly recommend using device encryption. To do so, enable Mac’s FileVault before starting this guide.

Download and Install GPGTools

  1. Download GPG Suite, the encryption manager by clicking Download GPG Suite.

  1. Click Save File, and then click the download arrow in the top right of your browser. Click the GPG Suite .dmg file in your recent downloads.
  1. Click Install. In the installation wizard, click Continue, then Install.

Download and Install Thunderbird

  1. Please visit Thunderbird’s website to downloand this email application.

  2. Click the green Download Thunderbird button.

  1. When prompted, select Save File.

  2. Click the download arrow in the top right of your browser. Click the Thunderbird .dmg file in your recent downloads.

  1. When prompted, Drag the Thunderbird icon into your Applications folder.

Download and Install Enigmail

Enigmail is an encryption/decryption add-on for Thunderbird.

  1. Open Thunderbird and click the three-bar menu button on the far right.
  1. Click Add-ons.

  1. Type “Enigmail” in the search field on the right. The first result should read “Enigmail”, click install.

  1. When prompted, restart Thunderbird to let the Add-on finalize its installation

Link Thunderbird to Your Existing Email

  1. Add your existing email account to Thunderbird by navigating to Thunderbird’s menu bar. Click File, then click New, then Existing Mail Account.
  1. Fill out your complete name, your email address and your password. It’s important to fill out your First and Last name if you want the receiver to recognize you.
  1. Click Continue.

Create a Private and Public Key: Your Key Pair

  1. Go to the Thunderbird menu bar. Click Enigmail then choose Key Management.
  1. A window should appear. Check Display All Keys by Default to the right of the Search box.
  1. Go to Generate and choose New Key Pair.
  1. Choose a secure passphrase (password) for your keys. It should be long, include special characters, capital letters and numbers. You must remember this passphrase. You may leave the “Comment” section blank.
  1. Click on the Advanced tab next to Key Expiry, and confirm the key size is 4096.
  1. Click Generate Key and confirm.
You will also be asked to generate a revocation certificate. Please do so by clicking Generate Certificate, and save it in a secure location (like a usb stick that you keep for exclusive, personal use).

Find out more in the following section.

Generate a Revocation Certificate

This step will allow you to discontinue use of your key securely at any time. It is very important to create a revocation certificate for future use. Revoking your key will prevent people from encrypting to the revoked key, and signals to the keyservers that the key is no longer valid.

If you did not create a revocation certificate in the section above, please do so now.

  1. Go to the Thunderbird Menu Bar. Find Enigmail, click, and choose Key Management.
  1. Find the key that you would like to generate a revocation certificate for, and right click on it.

  2. Select Generate and Save a Revocation Certificate from the menu.

  1. Choose a secure location to save your revocation certificate. A USB stick that you do not lend out and is kept for exclusive, personal use is a good choice.
  1. Type in your passphrase, and click OK.

  2. You will be notified the revocation key was successfully generated. Click OK.

Store Your Key Pair Somewhere Safe

This is important if you want to use encryption on another computer, or your hard drive is wiped.

  1. Right click your key in Key Management and choose Export Keys to File.
  1. Choose explicitly to Export Secret Key.

  1. Choose where you would like the keys to be saved.
Your keys are the most important component of the encryption system, and their security should be top priority. Only export to a secure place, like a USB stick that you use exclusively and do not lend out.
  1. Click Save. You should see a “keys were successfully saved” message.

Publish Your Public Key

Others must import your public key to encrypt messages to you. To let others find your public key, you may upload your public key to a key server. Public keys are searchable by the email used or PGP Key ID.

  1. Go to Thunderbird’s menu bar. Click Enigmail, then Key Management.
  1. Right click on your key and choose: Upload Public Keys to Keyserver.
  1. Click OK. Whatever keyserver you choose will be mirrored on the other servers, so choose any one.

Update Thunderbird’s Settings

Before you start encrypting your email, it is important to tweak some setting in Thunderbird, by following the steps below.

OpenPGP Security

  1. Navigate to Thunderbird’s menu bar, select “Tools”, then “Account Settings”.

  2. Click “OpenPgp Security” in the left-hand menu. All “Message Composition Default Options” should be checked, to encrypt messages and drafts and sign messages by default. Make sure “Use specific OpenPGP key ID” is selected, with your public key ID below it. Also make sure that “Prefer Enigmail (OpenPGP)” is checked. Click “OK”.


Autocrypt is part of the default configuration of Enigmail.

Autocrypt aims at making encryption easier, but if it isn’t properly configured, it may disable encryption automatically for some email address.

To set up Autocrypt properly, it is important to change some settings by following these instructions:

  1. Navigate to Thunderbird’s menu bar, select “Tools”, then “Account Settings”.

  2. Click “OpenPgp Security” in the left-hand menu and select the Autocrypt tab (to the right of “Message Composition”). Check the following options:

    • Enable Autocrypt
    • Prefer encrypted emails from the people you exchange email with

Enigmail Preferences

  1. Go to Enigmail → Preferences, and verify your passphrase is remembered for at least 30 and not more than 60 minutes of inactivity.

  2. Click the “Display Expert Settings and Menus” button in the Preferences window, and select the “Sending” tab.

    • in the “General Preferences for Sending” section, check the “Manually configure encryption settings” option.
    • In the “Confirm before sending” section, check “Always”.

    new screenshot needed

  3. Go to the “Key Selection” tab and disable the “By Per-Recipient-Rules” option

Subject Encryption

Enigmail can also encrypt the subject of your message (please note that other metadata will still be visible).

If the subject is encrypted, then the visible subject is replaced with a dummy text like “Encrypted Message”. It is a good practice to encrypt your subject by default, but please note that when writing to you should disable this feature.

In order to disable this, go to Enigmail → Preferences → Advanced, then uncheck the “Encrypt subject by default” option. Please, remember to do this every time you send encrypted emails to

Add Your PGP ID to Your Email Signature

  1. Navigate to Thunderbird’s menu bar, select Tools, then Account Settings.

  2. Find your PGP key under OpenPGP Security and copy it.

  1. Look under Signature text. Type your public key (found under OpenPGP Security) into your signature.

Send Your First Encrypted Email

Download Your Receiver’s Public Key

  1. Go to Thunderbird’s Menu Bar. Select Enigmail, then Key Management. Look to the menu bar again, and select Key Server then Search for Keys.
  1. Search for a key by typing the email of the receiver or the ID of the PGP key|
  1. Select the key from the import window and click OK.

A message will appear saying that the key has been imported.

Once the public key of the receiver is downloaded, you may send them an encrypted email.

Send the Email

  1. In Thunderbird’s window, click Write on the top left.

  1. Confirm the Lock is locked and the Pencil is highlighted. This shows the email is encrypted and signed. If it is not review Thunderbird’s security settings before continuing.

  1. Type the receiver’s email address in To, write the Subject and your email message. Click send when complete.
Security Note:
The Subject of the email is never encrypted. Do not write private information in the subject line under any circumstances.
  1. After clicking Send, you must fill out your Passphrase and click OK.

This guide was brought to you by Access Now. If you have any questions or problems, please contact the Access Now Helpline. Our Tech team will be happy to help.

Share – Copy and redistribute the material in any medium or format.

Adapt – Remix, transform, and build upon the material.

Noncommercial – You may not use the material for commercial purposes.