Thunderbird:OpenPGP:Smartcards

From MozillaWiki
Revision as of 21:08, 25 July 2020 by Kaie (talk | contribs) (add link to bug 1655284)

Thunderbird's OpenPGP feature contains experimental support for using a secret key stored on a smartcard, by way of GnuPG. Decryption and signing work with the 78.1 release, when enabled and configured according to these instructions.

How to use Thunderbird 78 with smartcards

Thunderbird 78 does NOT use GnuPG by default. Instead, it uses the RNP library. The RNP library does NOT yet support the use of smartcards for secret keys.

This means that, in the default configuration, Thunderbird does not support smartcards. However, using smartcards is possible through an optional, advanced configuration mechanism.

If you'd like to use a smartcard with Thunderbird 78, you must perform several manual configuration steps.

Install GnuPG and GPGME

You need to download and install GnuPG yourself. In addition, you must ensure the GPGME C library is installed in a version matching your GnuPG installation, and that Thunderbird 78 can find the GPGME library in the system library search path.

Install your smartcard

You're responsible for installing all software required to use your smartcard. Use the appropriate tools to prepare the card for use; for example, the card must contain an appropriate key pair. Make a note of the primary key ID of the smartcard key you'd like to use. This is the long key ID: 16 hexadecimal characters, identical to the last 16 characters of your primary key's fingerprint (not the 8-character short key ID).

Allow the use of external GnuPG

Use the Thunderbird config editor (found at the bottom of preferences/options), and search for mail.openpgp.allow_external_gnupg. Switch the value to true.

Qubes split GPG configuration

The Qubes OS offers a mechanism to store your GPG keys in a separate VM. This is similar to using a smartcard, and Thunderbird 78 supports it.

In addition to the explanations above, you must set a preference that tells thunderbird that you want to use the GnuPG wrapper tool provided by Qubes OS.

Open the config editor, search for mail.openpgp.alternative_gpg_path. Set its value to /usr/bin/qubes-gpg-client-wrapper. Restart Thunderbird after this change.

Configure an email account to use an external GnuPG key

Open the Account Settings and open the End-to-End Encryption tab of the respective email account. Click the "Add Key" button. You'll be offered the choice "Use your external key through GnuPG". Select it and click Continue.

Now paste or type the secret key ID that you would like to use. Be careful to enter it correctly, because your input isn't verified: Thunderbird does not check that a key with this ID exists in GnuPG. It should be exactly 16 hexadecimal characters, as explained further above. Confirm to save this key ID.

This key ID will be used to digitally sign messages sent from your account. It will also be used when you send an encrypted message, which is encrypted to your own key in addition to the keys of the message recipients, so that you can read it later. For this to work, Thunderbird needs a copy of your public key. At this time, Thunderbird doesn't fetch the key from GnuPG; you must import it manually.

Use GnuPG to export a copy of your public key. Use Thunderbird's Tools menu to open OpenPGP Key Management. In that window, use the File menu to access the Import Public Key command and open the file containing your public key. After the import was successful, open the key details and mark your own key as "accepted".

Once this is done, you should be able to send an encrypted and signed email. You can try it by sending an email to yourself.
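The two error-prone steps above are the key ID you paste into the dialog (unverified by Thunderbird) and the export of the matching public key. The following POSIX shell helper is an added example, not part of Thunderbird or of this wiki page: it derives the 16-character long key ID from a fingerprint as printed by gpg, rejects short (8-character) IDs and full fingerprints, and wraps the real gpg commands for listing and exporting the key. The sample fingerprint is constructed for illustration and does not belong to any real key; the function names are the example's own.

```shell
#!/bin/sh
# Added helper script, not part of Thunderbird or of this wiki page.
# Thunderbird does not validate the key ID pasted into the
# "Use your external key through GnuPG" dialog, so derive it from the
# fingerprint instead of typing it, and check it before saving.

# Remove the spaces gpg prints between fingerprint groups and upper-case the hex.
normalize_hex() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Long (16 hex character) key ID = last 16 hex characters of a v4 fingerprint.
# Prints the ID on success; prints an error and returns 1 otherwise.
keyid_from_fingerprint() {
    fpr=$(normalize_hex "$1")
    case "$fpr" in
        *[!0-9A-F]*) echo "not a hex fingerprint: $1" >&2; return 1 ;;
    esac
    if [ "${#fpr}" -ne 40 ]; then
        echo "expected a 40 hex character v4 fingerprint, got ${#fpr} characters" >&2
        return 1
    fi
    # Strip everything except the last 16 characters.
    printf '%s\n' "${fpr#"${fpr%????????????????}"}"
}

# Return 0 if the value is exactly 16 hex characters, the form Thunderbird expects.
# An 8 character short key ID or a full 40 character fingerprint is rejected.
is_valid_keyid() {
    id=$(normalize_hex "$1")
    [ "${#id}" -eq 16 ] || return 1
    case "$id" in
        *[!0-9A-F]*) return 1 ;;
    esac
    return 0
}

# Return 0 if the key ID you are about to paste belongs to the given fingerprint
# (for example the fingerprint that gpg --card-status prints for the card's key).
keyid_matches_fingerprint() {
    want=$(normalize_hex "$1")
    have=$(keyid_from_fingerprint "$2") || return 1
    [ "$want" = "$have" ]
}

# Real gpg invocations for the steps on this page. Run this by hand once the
# card is set up; it is not called automatically in this script.
export_public_key_for_thunderbird() {
    keyid=$1
    is_valid_keyid "$keyid" || { echo "invalid key ID: $keyid" >&2; return 1; }
    # Show which secret keys gpg can reach and confirm the fingerprint.
    gpg --list-secret-keys --keyid-format long --fingerprint "$keyid"
    # Thunderbird does not fetch the public key from GnuPG: export it to a file
    # and import it via OpenPGP Key Management > File > Import Public Key.
    gpg --armor --export "$keyid" > "thunderbird-pubkey-$keyid.asc"
    echo "wrote thunderbird-pubkey-$keyid.asc"
}

# Constructed sample fingerprint (not a real key) to show the derivation.
SAMPLE_FPR='1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678'
keyid_from_fingerprint "$SAMPLE_FPR"   # 9ABCDEF012345678
```

Use keyid_matches_fingerprint with the fingerprint shown by gpg --card-status (or by the Qubes split GPG backend) before pasting the ID into the account dialog; with the Qubes wrapper configured, the same gpg commands go through qubes-gpg-client-wrapper.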

Note that 78.1 has a display bug in the interactive configuration; see bug 1655284.

Trying decryption

Try to open a message that can only be decrypted using the key from your external setup (e.g. from the smartcard or from the Qubes OS setup). You might be prompted by gpg-agent for your smartcard PIN or key passphrase; then decryption should work, and the decrypted message contents should be shown.

Limitations of using GnuPG

This page describes using GnuPG to access a smartcard. However, please be aware that the optional use of GnuPG is strictly limited to secret key operations: only decryption and digital signing are supported.

For all public key operations and their trust settings, Thunderbird 78 will always use the internal RNP library. GnuPG will not be used for encryption to recipients, and GnuPG will not be used for signature verification, so the trust settings in your GnuPG keyring are not consulted.