Since Tails 4.13 (November 2020), Thunderbird 78 replaces the Enigmail extension with built-in support for OpenPGP encryption.

If you used Enigmail before Tails 4.13, follow the instructions below to migrate from Enigmail to Thunderbird 78. Tails does not include Enigmail 2.2, the last version of the extension, which automates this migration.

See also the official OpenPGP in Thunderbird - HOWTO and FAQ.

Migrate your private key

Export your private key using Kleopatra

From the desktop:

  1. Choose Applications ▸ Accessories ▸ Kleopatra.

  2. Select the private key that you want to migrate to Thunderbird.

  3. Choose File ▸ Export Secret Keys… and save this private key to your Home directory.

  4. Close Kleopatra.

Import your private key in Thunderbird

In Thunderbird:

  1. Choose Menu ▸ Account Settings.

  2. In the left pane, identify the account that corresponds to the private key that you want to import and choose End-to-End Encryption.

  3. In the right pane, click the Add Key… button.

  4. In the Add a Personal OpenPGP Key dialog, choose Import an existing OpenPGP Key and click Continue.

  5. Click the Select File to Import… button and choose the private key that your exported from Kleopatra.

  6. In the next dialog, make sure that your private key is listed and that the option Treat this key as a Personal Key is selected.

  7. Click Continue, enter the passphrase for your private key (if any), and click Continue again.

    Your private key should now be listed in the End-to-End Encryption settings of your account.

  8. Select your private key to enable OpenPGP encryption for this account.

Set up a Primary Password

In Thunderbird 78, OpenPGP private keys are not protected by a passphrase. That's why we recommend that you set up a Primary Password.

With a Primary Password, your private key is encrypted in your Thunderbird profile and only unlocked while Thunderbird is running. If your Thunderbird profile is stored in your Persistent Storage, then your private key is encrypted twice: once by Thunderbird in your profile and a second time by the encryption of the Persistent Storage.

  1. Choose Menu ▸ Settings.

  2. Choose Privacy & Security.

  3. In the Passwords section, select the option Use a Primary Password.

  4. In the Change Primary Password dialog, enter your Primary Password and click Ok.

Migrate the public keys of your contacts

Export the public keys using Kleopatra

From the desktop:

  1. Choose Applications ▸ Accessories ▸ Kleopatra.

  2. Select the public keys that you want to migrate to Thunderbird.

    You can use Shift+click and Ctrl+click to select multiple keys.

  3. Choose File ▸ Export… and save these public keys to your Home directory.

  4. Close Kleopatra.

Import the public keys in Thunderbird

In Thunderbird:

  1. Choose Menu ▸ Tools ▸ OpenPGP Key Manager.

  2. In the OpenPGP Key Manager, choose File ▸ Import Public Key(s) From File.

  3. Choose the file containing the public keys that you exported from Kleopatra.

    If Thunderbird fails to import many public keys at once, split these public keys into several smaller files. Thunderbird can only import public key files of less than 5 MB.

Mark the public keys as accepted

By default, new public keys are not marked as "accepted" by Thunderbird and you cannot encrypt emails to "unaccepted" keys.

To mark a public key as accepted:

  1. Choose Menu ▸ Tools ▸ OpenPGP Key Manager.

  2. Double-click on the public key that you want to mark as accepted.

  3. In the Your Acceptance tab of the Key Properties dialog, select the option that applies to how much you verified the public key.

Turn off the GnuPG feature of your Persistent Storage

If you only use OpenPGP in Thunderbird, you can turn off the GnuPG feature of the Persistent Storage:

  1. Choose Applications ▸ Persistent Storage.

  2. Turn off the GnuPG feature.