Tuesday, March 6, 2012

Securing Your (Mobile) Email: Thunderbird, GnuPG, Enigmail, AGP, Gmail and K9mail

While teaching my CISSP students the other day, we got to talking about cryptography. This lead to a discussion about implementing PGP on your personal email and how you could accomplish this.

In the past, I have used Thunderbird and the Enigmail plugin to help implement PGP on my personal email and, through this discussion with my students, I realized I’d dropped the capability almost as quick as I’d picked it up.

Why? Mostly because the only person I was trading encrypted emails with was my friend Mike in Chicago and I think we might have done that a grand total of once. So, it wasn’t a pressing technology at all. And when I wiped out my Ubuntu for Windows 7 (*gasp*!) I forgot to backup my encryption keys and promptly decided not to bother with it again.

But nowadays, I’m interfacing with many more people and the need for cryptography on my personal e-mail is growing. So, I thought I’d give a quick write up on using Enigmail with Thunderbird.

However, one thing I’ve always wanted to do was implement the same ability on my Android phone. I’ve got a Droid X (first generation) and, since I’ve still got another year on my contract with it, I like to keep myself from getting bored with such an antiquated phone.

So, this past week, I decided to re-implement Enigmail on Thunderbird. And when I was done with that, I wanted to find out how to USE THE SAME KEYS on my mobile device to encrypt email.

Since this is a “plug-it-all-together” kind of implementation, I thought I’d share with all of you. I’ll give you fair warning, though, there are quite a few (but easy) steps to this, so the write up could be long.

Thunderbird & Enigmail

I’m not going to write a tutorial on how to install Thunderbird. Grab it off Mozilla’s site and install it, if you don’t use it already. It’s a great e-mail client and it’s free. There’s nothing better than not paying a license to read your mail.

Once it’s installed and configured for your e-mail account (mine’s a gmail account), then you’re going to want to download and install Enigmail. Enigmail is an extension for Thunderbird that allows you to write and receive encrypted email. It does this by communicating with GnuPG, an open-source implementation of the OpenPGP standard.

So, the first thing we’re going to need to install is GnuPG for Windows (or GPG4Win, as it’s known). If you’re a linux user, you can download and install GnuPG as a package in your distribution. A little googling and you’ll find it. For those that are Windows users, follow the instructions below.


So, for Windows users, download GPG4Win from www.gpg4win.org.

Since we’re savvy security folks, we’re going to check the file’s hash, since the developers were so kind to include it on our web site.

For this task, I use hashtab, a Windows Explorer extension found at http://implbits.com/HashTab/HashTabWindows.aspx

It’s a match, let’s install it. Installation is very straight-forward, so just remember the path that you installed it into in case Enigmail can’t find the executables later. Enigmail sometimes has problems finding GnuPG.

Installing Enigmail

Prior to installing Enigmail, your Thunderbird menu bars will look something like this:

When we’ve installed Enigmail, we’ll have another menu item, called “OpenPGP”. We’ll show that in a few.

The first thing we want to do is download Enigmail from their web site: http://enigmail.mozdev.org/home/index.php.html

Once you’ve downloaded it, open up Thunderbird and click on the “Tools” menu and select “Add-Ons”.

You will be presented with the screen below. Click on the gear-shaped icon as shown in the detail below and select “Install Add-on From File …”

Browse to where you downloaded Enigmail (it’s a file with a .xpi extension and it’s usually named something like “enigmail-X.X.X-sm+tb-windows.xpi”) and Enigmail will install.

Once you’ve installed, it however, you will need to set up Enigmail. It’s also possible Thunderbird will need to restart after Enigmail’s install, so feel free to do that now.

Enigmail Setup

Once you’ve gotten Thunderbird restarted, it’s time to set up Enigmail. Setup is very easy, since there’s a wizard that walks you through it. However, we’ll go through the necessary steps below. It is also possible that Enigmail will not be able to find the GPG executables (because it’s looking for “gpg.exe” and GPG4Win provides you with a “gpg2.exe”), if this is the case and you are prompted to browse for your GnuPG files, simply browse to the directory where you installed GPG4Win and locate the “gpg2.exe” file.

If that’s all out of the way, let’s setup Enigmail.

Enigmail Setup Wizard

To launch the Setup Wizard for Enigmail, you should

Click the “OpenPGP” menu and select the “Setup Wizard”

On the first screen of the Setup Wizard, select “Yes, I would like the wizard to get me started”

On the second screen, choose which email account you’d like to create a key pair for. As I have several email accounts, Enigmail chose to ask me if I wanted to create key pairs for each of my accounts. Since I only want to do this for my fleec3@gmail.com account, I only checked off that one. You may not be presented with this choice if you have only one e-mail account.

On the next screen, you will be asked if you want to sign all of your outgoing e-mail by default. This is one of the best ways to get your public key out in the public (and that’s the intent of this exercise, isn’t it?) so, I chose “Yes, I want to sign all of my email”

On the next screen, you will be asked if your outgoing emails shall be encrypted by default. Since I don’t have in my possession a lot of my contacts’ public keys yet, I chose to answer “No, I will create per-recipient rules for those that sent me their public keys”

On the last screen of the Enigmail Setup Wizard, you will be asked if it is ok that Enigmail make some changes to Thunderbird for you. Those changes are:

“Disable loading IMAP parts on demand”
“Disable flowed text”
“View Message body as plain text”
“Use 8-bit encoding for message sending”
And lastly,
“Do not compose HTML Messages”

Personally, I don’t mind any of these changes, for the most part. However, I decided to uncheck “View message body as plain text” because most of the email I get is nicely created with HTML. So far, I haven’t seen too much of an issue with this setting remaining unchecked.

On the next screen, you will be prompted if you want to generate a new key pair or if you want to use an existing pair. If you’ve previously used another set of keys, this is where you could import them into Enigmail.

On the next screen, Enigmail will ask you for a passphrase to use when protecting your private key. It password-protects it and when you want to use your private key for decryption, it will prompt you for this passphrase. This means you’ll want to keep this passphrase handy (perhaps in Keepass?) or keep it something you’ll remember (and please, don’t make it “Password1”).

Enigmail will then generate the keys for you.

Here’s what the Setup Wizard will look like while it’s generating the keys …

Once key generation is completed, Enigmail will prompt you to generate a certificate you can use for revoking your key, when necessary. I recommend generating this certificate and leaving it somewhere you will remember.

Once you click “Generate Certificate”, it will prompt you where to save the Revocation Certificate. Please save it somewhere other than the GnuPG directory (the default location). It is something you should protect and leave somewhere secure.

Once you have completed the Setup Wizard, your e-mails from that account should have the “Sign Message” selection under “OpenPGP” checked off. If you have a public key from one of your e-mail contacts, then you should be able to Encrypt a message to that contact as well.

If your main goal was to install Enigmail on your computer/laptop to sign and encrypt mail in Thunderbird, you’re done!

For me, I wanted to go that extra step and use these same keys I generated for Thunderbird and use them to encrypt emails from my Android device. Luckily, there exists a way to do this.

Encrypted Email on Android OS

So, the very same way we used OpenPGP software on our Windows OS, we need to install the same kind of cryptography software on our Android OS. And the same way we used Thunderbird to send encrypted e-mails, we need to install an e-mail client on our Android OS that will allow us to use cryptography, as well.

Luckily, Android Privacy Guard (located here: http://thialfihar.org/projects/apg/ ) gives Android users the ability to implement GnuPG on their Android devices.

And, as luck would have it, an email client called k9mail (whose page is located here: http://code.google.com/p/k9mail/) has built-in integration for AGP. So, just like we used a plugin for Thunderbird to implement GnuPG, we can install k9mail and have it interface with AGP to provide us GnuPG functionality!


On your Android device, you can get AGP in the Android Market. Or you can go here: https://market.android.com/details?id=org.thialfihar.android.apg


On your Android device, you can get k9mail in the Android Market. Or you can go here: https://market.android.com/details?id=com.fsck.k9

Once you have both of those pieces of software installed, we can use Enigmail to export our public and private keys into AGP.

Enigmail Key Management
In Thunderbird, click the “OpenPGP” menu and select “Key Management”.

Then, the Key Management console will come up.

Now, it may look like you have no keys in Key Management, but you do. Check the checkbox next to “Display All Keys by Default” and you will now see the keys that were generated from our Enigmail Setup Wizard.

In order to export your keys to files, right click the identity you want to export and select “Export Keys to File”.

Enigmail asks if you want to include the Secret Key in your export file. Answer yes to this by click “Export Secret Keys”.

Your export file with both your Public and your Secret key will want to be exported to an ASCII file (.asc).
Hold onto this file because we’re going to copy it to our Android device momentarily.

Copy your public and secret key export file to your Android device

At this point, plug your Android device into your laptop, make sure your USB connection is set to “USB Mass Storage” and copy your export file(s) to your Android device. I highly suggest that you copy them to /mnt/sdcard/AGP, as AGP will be looking in there for .asc files by default.
If you’ve successfully copied your .asc files over to your Android device, you can unmount the USB mass storage, eject the USB device and you’re ready to rock.

Importing keys into AGP
From here on in, we’ll be working solely on the Android device.

To import keys into AGP, you’ll need to fire up AGP.

Next, hit the “Menu” button to bring up AGP’s menu.

Select the “Manage Public Keys” button.
AGP will give you a dialog to browse for the .asc files we’ve copied over. Hopefully, you’ve copied them to the SD card’s AGP directory (or made one and then copied the files in). Because AGP asks for that location by default. Save yourself some browsing around and just copy the files into the /mnt/sdcard/AGP folder.

If you use Android’s File Explorer to browse to the .asc files, you will most likely get returned to the dialog with this type of content:
Now, you may be asking “What is all THAT!?”
Don’t worry. The scientific answer is: “It’s all gobbledy-gook”. Seriously. We don’t need it all and I’m not going to use my Google-searching minutes finding out what it really is. So just do this: cut out everyting BEFORE “/mnt/sdcard…..”

So that it instead looks like this:
Go ahead. I’ll wait. Just click in there and make sure you keep the leading backslash (“/”) before mnt and hit the backspace button to remove everything before it.

Now click “OK” and AGP will import your public keys.
When it’s completed, you should see a screen like this:

At this point, you need to repeat this step as we have already done, but instead, this time, you’re going to perform these steps and select the “Manage Secret Keys” button, instead.

Setting Up K9Mail
Now, I set up k9mail to use my fleec3 gmail account. You may have another email provider. Know your Incoming and Outgoing server settings (you probably needed to find them in order to set up Thunderbird).

For those of you using google mail, your server settings will most likely be close to those below. K9mail has a wizard that will help you set up the account, but if you don’t get it set up at first, you can edit your account settings.

Incoming server settings (Under “Fetching Mail”):

Outgoing Server settings (Under “Sending Mail”):

Once you have your account set up, you can tell k9mail to use AGP to encrypt emails (Under “Cryptography”):

  1. Under the “OpenPGP Provider” option, select APG.
  2. Check the checkbox next to “Auto-sign”

That’s it. At this point, you can send and receive encrypted emails on your Android device or on your laptop/computer using Thunderbird. Either way, you’re using the very same keys.


I hope this walk-through helped you set up encrypted email both on your computer as well as on your mobile Android device. If you have any questions, feel free to ask either in the comments below or hit me up on Twitter.


  1. there are various security issues regarding the market version of k9. fixes and enhancements are in the development versions starting at 4.102. get the latest 4.1 version at http://code.google.com/p/k9mail/downloads/list.

    also, I don't trust anything on the sdcard because it's readable by all sorts of apps I don't really trust (unlike what I install on my linux desktop). I acquired root on my phone and pasted the key, though I don't remember the process I used. I believe I created the keys in apg and then imported them into gnupg.

    1. Ashley:

      Awesome advice! Thanks so much for the pointers. I had no idea there were enhancements in the development versions that work out better for security folks and I thank you for showing us that it's out there.

      I really appreciate it.

  2. Keep up the great blog man. Great write-ups and screenshots, explanations are pretty clear too. Definitely more useful than the shit Krebs regurgitates (and then wins blogging "awards").

    1. Thanks so much for the kind words! I've got to tell you, I've found some interesting items on Krebs' site (I like his continuous posts on ATM skimmers a lot!). But I have to admit, (drops voice to a whisper) it's cool to have someone say my blog is more useful. :) Thanks again!

  3. Great article! One thing to note if you use Astro you will need to add the .asc file extension before you can import your keys using Galaxy Nexus, ICS.

    1. Thanks for the pointer! I've yet to move my older-than-dirt DX1 to ICS (mostly because CM9 isn't too far along yet) and didn't know about that little tip. Thank you very much!

  4. Awesome post. I do have a question regarding updates. Do I need to reinstall everything after Thunderbird updates, or do they sync properly afterwards? Mine seems to be having problems right now, but it may just be version incompatibility.

    Nannie Salyards

  5. I do all this, but when I try to send some e-mail from K9, on the "Select recipients" screen where I pick from the public keys, I see the public key of the recipient, but it's grayed out and I can't select it. Whether I tap OK or Cancel, it goes back to the unsent message and says "Send aborted".

    BTW, you may want to do a search and replace in your article. Search for "AGP" and replace it with "APG". :)

    1. Same problem here with the grayed out recipients. Any solution yet?

  6. You might want to think twice about using K-9 Mail for anything, let alone "secure" communication, as it stores passwords to email accounts, and non-PGP-encrypted mail, in plaintext on the Android device.


    1. Great article please check my blog for anything you need

  7. nonetheless is just not help to make every sence whatsoever preaching about that mather.
    Clash of Clans Hack

  8. The above article is very nice and interesting also. Thanks.
    clash of clans free gems generator

  9. get free cheats at here for online without any download for 2015.

  10. I have seen any guys looking for boom beach latest hack and none getting any sucess. If you wish to lead this game and become ultimate champinion then visit our website and use our hack tool

  11. Found the unlimited hacking tools of dragon city from the given site dragon city hack at zero cost.

  12. Your post is very well.To get monster warlord hack for free of cost than visit our site on us. monster warlord cheat

  13. Do you want to make hay day farming easier? If yes then i have a suggestion for you. Just follow the given link and install the hay day hack tool and make your hay day farming more easier.

  14. Valuable information. Lucky me I found your website by accident, and I am shocked why this accident did not happened earlier! I bookmarked it. visit my blog Simpsons Tapped Out Hack

  15. This is really great stuff for an article, this Photography topic is very interesting.
    club penguin membership codes

  16. I really wana thank you for providing such informative and qualitative material so often.
    itunes codes generator

  17. Writing only comments will close the discussion straight away. And will restrict the benefits from this information.
    throne rush hack

  18. try this for free marvel games with tips and unlimited tricks to hack.. use this and win marvel contest of champions hack tool

  19. itunes codes and free itune gift cards for free... check this out free itunes gift cards

  20. i like this post inspiring and full thank you guys
    coc hack tool online

  21. I like this post this is an awesome post thank you for posting this and i want to be apart of your site

  22. Thanks for sharing information.
    online recharge
    Existing customers can avail the tariff benefit of ALL LOCAL CALLS at 25P/min for 3 months on Special Tariff voucher (STV)priced at Rs 38 only in Haryana.

  23. Good day! Do you use Twitter? I’d like to follow you if that would be okay.
    I’m absolutely enjoying your blog and look forward to new posts. Gangstar Vegas Hack

  24. Thanks for this post, hackonadime! Usefull for securing my phone. free riot points generator

  25. nice blogs.
    videocon Data plan Post announcement of much awaited spectrum-sharing policy, Videocon Telecom plans to pool spectrum with other operators to provide 4G LTE services

  26. My web surfing seem complete.. thank you. Terrific feelings you have got here.. Enjoying the contribution.. thanks a lot My internet browsings seem full.. thank you.

  27. I'm getting excited about this kind of beneficial information of your stuff in the future term paper writing service

  28. My friend recommended this blog and he was totally right keep up the good work write essay for me

  29. is was a great and interesting article to read. I have really enjoyed all of this very cool information PHP Homework Help

  30. You are quite familiar with the craft of writing quality web content. People can learn much from your site. Students can opt for our services if they need to complete assignment on time and also give importance to quality.

    Assignment Help

  31. Get the help through Microsoft customer service of windows, office and outlook.

  32. Headaches Connected to Allergies and Sinus Problems. ... There are occasions where allergies or sinus problems can lead to a person to have headaches. ... Chronic rhinosinusitis is one of the most common problems experienced with allergic rhinitis and can occasionally lead to headaches. more info about sinus headache

  33. Backlinks are the nitrous of every successful SEO campaign. This new guide will teach how to build buy backlinks backlinks in 2017. Every strategy you will ...

  34. Great site and a great topic as well I really get amazed to read this. It’s really good. I like viewing web sites which comprehend the price of delivering the excellent useful resource free of charge. Assignment help | Assignment Expert | Marketing Assignment help | Law Assignment help

  35. amazing website of free online games.here you can play thousand of hilarious games.Unblocked games gives you real adventure of game world

  36. Norton setup activation
    Installing Norton setup is very easy. You can go to the setup file and double click on the same. It will run the installation process. Make sure that all the all the running programs are closed before running this installation.
    It is because other programs may affect Norton.com/setup installation. And there should not be other antivirus in your computer. Follow on screen instructions, put valid product key and agree terms and conditions for Norton. Click on Finish and you are done. Your product key is the confirmation mail that has been sent by the website from which you purchased the Norton product.

  37. I am highly impressed with your views on the Blog and also with your style of writing. You have indeed encouraged me to write no guarantor loans blog on regular basis at various blogging platforms. I will look for more blogs from you.

  38. I am highly impressed with your views on the Blog and also with your style of writing. You have indeed encouraged me to write no guarantor loans uk blog on regular basis at various blogging platforms. I will look for more blogs from you.

  39. Thanks a lot for another great information. This website has been my gateway to information.

  40. visit
    Absolutely wonderful post! I always love eating ice cream. What a perfect concept. Thank you

    thank you so much for this nice Post.
    I really enjoyed.

    Absolutely wonderful post! I always love eating ice cream. What a perfect concept. Thank you

  41. It's so good and so awesome.This is very interesting content!I am really impressed that there is so much information.
    visit us

  42. Absolutely wonderful post! I always love eating ice cream. What a perfect concept. Thank you

    visit here


  43. visit
    Thanks for sharing nice information with us.
    click here

  44. visit
    Thanks for sharing nice information with us.

  45. here
    i like your post and all you share with us is uptodate and quite informative. Thank you

    thank you so much for this nice Post.
    I really enjoyed.

  46. Really a great addition. I have read this marvelous post. Thanks for sharing information about it.
    visit us

  47. This is very cool.you made it look so easy
    Thanks for sharing!
    visit us

  48. visit
    Thanks for sharing nice information with us.

  49. here
    i like your post and all you share with us is uptodate and quite informative. Thank you