Introduction

This guide will help you set up encrypted email on Windows. For encryption on Mac OS X, click here. The Access Now Helpline is at your service if you have any questions.

Encrypted Email Set-up for Windows

Last updated: Aug 2016
Please consider this date when evaluating the accuracy and security of the following guide.
Before Beginning
In order to better protect the data on your computer, we highly recommend enabling device encryption before starting this guide. If your computer runs Windows Pro, enable BitLocker encryption. If you have the standard version of Windows, use DiskCryptor.

Download and Install Gpg4Win

  1. Go to https://www.gpg4win.org/ and click the green Download GPG4Win button.

  2. Select downloads and click the GPG4win .exe file

  3. Click Yes when you see the popup asking if you “…want to allow the following program to make changes to this computer?”

  4. Select your preferred Installer Language from the dropdown. Click OK.

  5. The Gpg4win Setup wizard will appear.

Download and Install Thunderbird

  1. Please visit Thunderbird’s website to download this email application.

  2. Click the green Download Thunderbird button.

  1. Save File

  2. Click the download arrow in the top right of your browser. Click the Thunderbird .exe file in your recent downloads.

  1. Choose to Run the file and allow the program to make changes to the computer by clicking Yes.
  1. Complete the Thunderbird Installation Wizard
Note:
Thunderbird will be set as your default mail application. If you do not wish for this to be the case, uncheck Use Thunderbird as my default mail application at the bottom.
Note:
A popup will ask if you would like a New Email address to use Thunderbird. This guide assumes you already have an email account. If this is true, Select I think I’ll configure my account later to continue following this guide.

Download and Install Enigmail

Enigmail is an encryption/decryption add-on for Thunderbird.

  1. Open Thunderbird and click the three-bar menu button at the top, on the right.

  2. Click Add-ons.

  1. Type “Enigmail” in the search field on the right. The first result should read “Enigmail”, click install.
  1. When prompted, restart Thunderbird to let the Add-on finalize its installation

  2. When the Enigmail Setup Wizard starts, click Configure Enigmail later then Next >. We will change Enigmail’s settings later in this guide.

Show the Thunderbird Menu Bar

This step will be useful for the rest of this guide.

  1. In Thunderbird, click the three-bar menu button, then Options then check Menu Bar.

Link Thunderbird to Your Existing Email

  1. Show the Thunderbird Menu Bar.

  2. Look at the Menu Bar to the top left. Click File, then click New, then Existing Mail Account.

  1. Fill out your complete name, your email address and your password. It’s important to fill out your First and Last name if you want the receiver to recognize you.
  1. Click Continue.

Upgrade Security Settings for Thunderbird

  1. Open Thunderbird and click the three-bar menu button at the top, on the right.

  2. Click Options, then Account Settings.

  1. Click OpenPgp Security on the left. Everything should be checked. Make sure “Use specific OpenPGP key ID” is selected, with your public key below it. Click OK.

Create a Private and Public Key: Your Key Pair

  1. In the Thunderbird Menu Bar, click Enigmail then choose Key Management.
  1. A window should appear. Check Display All Keys by Default to the right of the Search box.
  1. Select Generate from the menu at the top, and choose New Key Pair.
  1. Choose a secure passphrase (password) for your keys. It should be long, include special characters, capital letters and numbers. You must remember this passphrase. You may leave the “Comment” section blank.
  1. Click on the Advanced tab next to Key Expiry, and confirm the key size is 4096.
  1. Click Generate Key and confirm.

  2. You will also be asked to generate a revocation certificate. Please do so by clicking Generate Certificate, and save it in a secure location (like an encrypted USB stick that you keep for exclusive, personal use).

Find out more in the following section.

Generate a Revocation Certificate

This step will allow you to discontinue use of your key securely at any time. It is very important to create a revocation certificate for future use. Revoking your key will prevent people from encrypting to the revoked key, and signals to the keyservers that the key is no longer valid.

If you did not create a revocation certificate in the section above, please do so now.

  1. Go to the Thunderbird Menu Bar. Click Enigmail, and choose Key Management.
  1. Find the key that you would like to generate a revocation certificate for, and right click on it.

  2. Select Generate and Save a Revocation Certificate from the menu.

  1. Choose a secure location to save your revocation certificate. An encrypted USB stick that you do not lend out and is kept for exclusive, personal use is a good choice.

  2. Type in your passphrase and click OK.

  3. You will be notified the revocation key was successfully generated. Click OK.

Store Your Key Pair Somewhere Safe

This is important if you want to use encryption on another computer, or your hard drive is wiped.

  1. Right click your key in Key Management and choose Export Keys to File.
  1. Choose explicitly to Export Secret Keys.

  1. Choose where you would like the keys to be saved.
Note:
Your keys are the most important component of the encryption system, and their security should be top priority. Only export to a secure place, like an encrypted USB stick you use exclusively and do not lend out.
  1. Click Save. You should see a keys were successfully saved message.

Publish Your Public Key

Others must import your public key to encrypt messages to you. To let others find your public key, you may upload your public key to a key server or attach the key in an email. Public keys uploaded to key servers are searchable by the email used or PGP Key ID.

  1. Go to Thunderbird’s Menu Bar. Click Enigmail, then Key Management.
  1. Right click on your key and choose: Upload Public Keys to Keyserver.
  1. Click OK on the default option: whatever keyserver you choose will be mirrored on the other servers.

Send Your First Encrypted Email

Download Your Receiver’s Public Key

  1. From Thunderbird’s Menu Bar select Enigmail, then Key Management.
  1. In Enigmail’s menu bar select Keyserver then Search for Keys.
  1. Search for a key by typing the email of the receiver or the ID of the PGP key.
  1. Select the key from the import window and click OK.
  1. A message will appear saying that the key has been imported. Click OK.

Once the public key of the receiver is downloaded, you may send them an encrypted email.

Send the Email

  1. In Thunderbird’s window, click Write on the top left.
  1. Confirm the Lock and Pencil are highlighted in the top left of the opened window. This shows the email is encrypted and signed. If it is not, review Thunderbird’s security settings before continuing.

  1. Type the receiver’s email address in To, write the Subject and your email message. Click Send when complete.
Security Note:
The Subject of the email is never encrypted. Do not write private information in the subject line under any circumstances.
  1. After clicking Send, you must fill out your Passphrase and click OK.

Add Your PGP ID to Your Email Signature

  1. In Thunderbird’s Menu Bar, click Tools then Account Settings.

  2. Find your PGP key under OpenPGP Security in the column menu on the left and copy it.

  1. Click your email in the left column menu.

  2. Paste your key under Signature text.


This guide was brought to you by Access Now. If you have any questions or problems, please contact the Access Now Helpline. Our Tech team will be happy to help.

Share – Copy and redistribute the material in any medium or format.

Adapt – Remix, transform, and build upon the material.

Noncommercial – You may not use the material for commercial purposes.