Thunderbird:OpenPGP:Smartcards: Difference between revisions

From MozillaWiki

Revision as of 15:40, 19 July 2020

Support for smartcards using GnuPG is an experimental part of Thunderbird's OpenPGP feature. Decryption works with the 78.0 release. Signing will be added soon; the addition is tracked in Bug 1603782.

How to use Thunderbird 78 with smartcards

Thunderbird 78 does NOT use GnuPG by default. Instead, it uses the RNP library. The RNP library does NOT yet support the use of smartcards for secret keys.

This means that, in the default configuration, Thunderbird does not support smartcards. However, using smartcards is possible through an optional, advanced configuration mechanism.

If you'd like to use a smartcard with Thunderbird 78, you must perform several manual configuration steps.

Install GnuPG and GPGME

You need to download and install GnuPG yourself. In addition, you must ensure that the GPGME C library is installed in a corresponding version, and that Thunderbird 78 can find the GPGME library in the system library search path.

Install your smartcard

You're responsible for installing all software that is required to use your smartcard. You must use the appropriate tools to prepare your smartcard for use; for example, the card must contain an appropriate key pair. Make a note of the primary key ID of the smartcard key that you'd like to use. It has 16 characters and is the same as the last 16 characters of your primary key's fingerprint.

Allow the use of external GnuPG

Quit Thunderbird. Find the profile directory in which Thunderbird stores its settings. Inside that directory is a file named prefs.js, which you must open in a text editor. Search for a line containing mail.openpgp.allow_external_gnupg. If it is present, ensure its value is true.

Then find the identity number of the email account that you'd like to change to use the smartcard. Search for "useremail". You might find an entry like mail.identity.id1.useremail that shows your email address. In this scenario, "id1" is the detail we need.

Search for the openpgp_key_id entry. For example, if your id is id1, search for mail.identity.id1.openpgp_key_id and set it to the 16-character key ID value.

Then search for the is_gnupg_key_id setting. For example, if your id is id1, search for mail.identity.id1.is_gnupg_key_id and set the value to true.

Your configuration entries should look like this (with your own identity id and key ID values):

user_pref("mail.openpgp.allow_external_gnupg", true);
user_pref("mail.identity.id1.openpgp_key_id", "0123456789ABCDEF");
user_pref("mail.identity.id1.is_gnupg_key_id", true);

Qubes split GPG configuration

Qubes OS offers a mechanism to store your GPG keys in a separate VM. This is similar to using a smartcard, and Thunderbird 78 supports it.

One additional configuration entry is required.

When editing the prefs.js file, search for an entry that contains alternative_gpg_path. Your configuration should look like this:

user_pref("mail.openpgp.alternative_gpg_path", "/usr/bin/qubes-gpg-client-wrapper");
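As an added example (not part of this wiki page or of Thunderbird's own code), the following Python helper performs the prefs.js edits described in the previous two sections: it derives the 16-character key ID from a fingerprint, finds the identity whose useremail matches your address, sets the three entries, and optionally adds the Qubes alternative_gpg_path entry. It assumes that appending a user_pref line that is not yet present is acceptable while Thunderbird is quit, and it works on constructed sample prefs.js content rather than a real profile.

```python
import re

# Constructed sample prefs.js content (not taken from a real profile).
SAMPLE_PREFS = """\
user_pref("mail.identity.id1.useremail", "alice@example.org");
user_pref("mail.identity.id2.useremail", "bob@example.org");
user_pref("mail.openpgp.allow_external_gnupg", false);
"""


def key_id_from_fingerprint(fingerprint):
    """Return the 16-character key ID: the last 16 hex digits of a 40-digit (v4) fingerprint."""
    fpr = re.sub(r"\s+", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a 40-hex-digit OpenPGP fingerprint")
    return fpr[-16:]


def find_identity(prefs, email):
    """Return the identity id (e.g. 'id1') whose useremail entry matches email."""
    pat = re.compile(r'user_pref\("mail\.identity\.(id\d+)\.useremail",\s*"([^"]*)"\);')
    for m in pat.finditer(prefs):
        if m.group(2).lower() == email.lower():
            return m.group(1)
    raise LookupError("no identity with useremail " + email)


def set_pref(prefs, name, value):
    """Replace the user_pref line for name, or append one if absent (assumption: appending is fine)."""
    if isinstance(value, bool):
        literal = "true" if value else "false"
    else:
        literal = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    line = 'user_pref("%s", %s);' % (name, literal)
    pat = re.compile(r'^user_pref\("' + re.escape(name) + r'",\s*[^;]*\);[ \t]*$', re.M)
    if pat.search(prefs):
        return pat.sub(lambda _: line, prefs, count=1)  # lambda avoids backslash expansion
    if prefs and not prefs.endswith("\n"):
        prefs += "\n"
    return prefs + line + "\n"


def configure_smartcard(prefs, email, key_id, gpg_path=None):
    """Apply the page's three entries to the identity matching email; add the Qubes wrapper path if given."""
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", key_id):
        raise ValueError("key ID must be exactly 16 hex characters")
    ident = find_identity(prefs, email)
    prefs = set_pref(prefs, "mail.openpgp.allow_external_gnupg", True)
    prefs = set_pref(prefs, "mail.identity.%s.openpgp_key_id" % ident, key_id.upper())
    prefs = set_pref(prefs, "mail.identity.%s.is_gnupg_key_id" % ident, True)
    if gpg_path:
        prefs = set_pref(prefs, "mail.openpgp.alternative_gpg_path", gpg_path)
    return prefs
```

Running configure_smartcard twice on the same content yields identical output, so it is safe to re-run after correcting a key ID.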

Trying decryption

The above configuration should already be sufficient to decrypt a message. Try to open a message that can only be decrypted using your smartcard. Depending on your setup, gpg-agent may prompt you for your key's password; decryption should then succeed and the decrypted message contents should be shown.

Preparing signing and encryption

When sending an email, Thunderbird always encrypts to your configured personal key as well. At this time, Thunderbird doesn't fetch that key from GnuPG, so you must import it manually.

Use GnuPG to export a copy of your public key. Use Thunderbird's Tools menu to open OpenPGP Key Management. In that window, use the File menu to access the Import Public Key command and open the file containing your public key. After the import has succeeded, open the key details and mark your own key as "accepted".

Once this is done, you should be able to send an encrypted and signed email. You can try it by sending an email to yourself.

Limitations of using GnuPG

This page describes using GnuPG to access a smartcard. However, please be aware that the optional use of GnuPG is strictly limited to secret key operations: only decryption and digital signing are supported.

For all public key operations and their trust settings, Thunderbird 78 will always use the internal RNP library. GnuPG will not be used for encryption, and GnuPG will not be used for signature verification.