Chapter 4f. Encrypted email with Icedove and Enigmail

Due to the complexity of the software in the past, one of the most underutilized forms of protection
for users is email encryption.  However, with the use of Icedove (the Debian Project's
email client) and Enigmail (a graphical front-end for using the GnuPG [“GPG”] encryption 
program), taking advantage of encrypted email is now much easier. This is not the same as online 
services that promise “encrypted email” in transit or storage such as Lavabit.  Those types of 
systems can still be broken by an attacker if the system cooperates.  Rather, the email encryption 
discussed here involves direct end-to-end encryption that can only be read by the intended recipient 
and, thus, is much more secure.

Be aware that e-mail is a very insecure system by design when it comes to privacy and anonymity
and, thus, must be used with great discipline and caution.  For example, even if you
encrypt all of the email that you send to a recipient, if they reply to your email and don't encrypt it, 
then they have just sent an email that contains their message, and likely a quote of the one you 
typed, which can be viewed by numerous different attackers. Furthermore, the names of email 
recipients and the subject line of your email cannot be encrypted and, thus, are always viewable to 
an attacker.  Additionally, there are a number of different types of metadata that can be harvested 
from email, depending on how it is used.  Therefore, please be careful if you use email to engage 
in sensitive communications. 

With that out of the way, let's proceed.

1. First, open a Konsole session. Double-click on the Konsole icon on your Desktop.

2. Next, change to your Downloads directory.  Type “cd Downloads” and press “enter.” 

3. Now, download “TorBirdy.” This is a plugin for Icedove created by the Tor Project to further
anonymize Icedove.
Type “wget https://www.torproject.org/dist/torbirdy/torbirdy-current.xpi” and press “enter.”

4. The following steps are optional but strongly recommended. Next, download the necessary
files to verify the integrity of the TorBirdy installer.
Type “wget https://www.torproject.org/dist/torbirdy/torbirdy-current.xpi.asc” and press
“enter.” If you wish to skip the verification procedure, proceed to step 7.

5. Now, download the GPG signature of Sukhbir Singh, one of the developers of TorBirdy.
Type “gpg --recv-key E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA” and press “enter.”

When you have imported the key, your screen should look like the screen shot below. 

6. Next, it is time to verify the integrity of TorBirdy. Type
“gpg -v torbirdy-current.xpi.asc” and press “enter.”

When the verification is done, your screen should look similar to the screen shot below. If
you see “gpg: Good signature from "Sukhbir Singh <azadi@riseup.net>"” on your
screen, then you have successfully verified the integrity of the program installer. The “key is
not certified” warning that appears after that line can be ignored. However, if you see “gpg:
BAD signature from "Sukhbir Singh <azadi@riseup.net>"” on your screen, delete
torbirdy-current.xpi and do not use it. This means the downloaded program has probably
been tampered with or got corrupted during the download process.  If you receive a warning
regarding a bad signature, either wait 10-15 minutes, or open up the “Arm – Tor Controller”
in the Whonix Gateway and type “n” to choose a new Tor circuit, and repeat the steps
starting from step 3.
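
The check in step 6 can also be made by a script instead of by reading the screen. The following is an added example, not part of the original guide: it reads the machine-readable output of gpg's `--status-fd` option and accepts the download only if a valid signature was made by the key whose fingerprint was fetched in step 5, because the name shown in a “Good signature” line can be put on any key. The function name `check_gpg_status` and the three sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Fingerprint of the TorBirdy signing key, as given in step 5 of the guide.
EXPECTED_FPR="E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA"

# check_gpg_status EXPECTED_FPR
# Reads "gpg --status-fd" lines on stdin. Returns 0 only when:
#   - a GOODSIG line is present,
#   - a VALIDSIG line names EXPECTED_FPR (signing key or primary key), and
#   - no BADSIG / ERRSIG / EXPKEYSIG / REVKEYSIG line is present.
check_gpg_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the fingerprint of the key that made the signature;
            # the last field is the primary key fingerprint when gpg reports it.
            if (toupper($3) == toupper(want) || toupper($NF) == toupper(want)) pinned = 1
        }
        END { if (good && pinned && !bad) exit 0; exit 1 }
    '
}

# Real use, run in the Downloads directory after steps 3 to 5:
#   gpg --status-fd 1 --verify torbirdy-current.xpi.asc torbirdy-current.xpi 2>/dev/null \
#       | check_gpg_status "$EXPECTED_FPR" && echo "signature OK"

# --- Constructed sample status output (dates and the second key are made up) ---
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B01C8B006DA77FAA Sukhbir Singh <azadi@riseup.net>
[GNUPG:] VALIDSIG E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA 2015-01-01 1420070400 0 4 0 1 8 00 E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA'

SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG B01C8B006DA77FAA Sukhbir Singh <azadi@riseup.net>'

# A valid signature, but made by a different key that carries the same name.
SAMPLE_WRONG_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Sukhbir Singh <azadi@riseup.net>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-01-01 1420070400 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

for name in GOOD BAD WRONG_KEY; do
    eval "sample=\$SAMPLE_$name"
    if printf '%s\n' "$sample" | check_gpg_status "$EXPECTED_FPR"; then
        echo "$name: accept"
    else
        echo "$name: reject, delete torbirdy-current.xpi"
    fi
done
```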

7. Now you are going to begin the process of modifying Torbirdy to allow for the importation
and exportation of GPG keys in Icedove. Without modifying Torbirdy, key management is
much more difficult in Icedove due to various errors. IMPORTANT NOTE: This 
modification is for Whonix only! If you do the same thing to Torbirdy for some reason 
in any other OS, you may damage your anonymity or privacy!

Type “7z x torbirdy-current.xpi components” and press “enter.”

8. The part of the file you will be editing is moved to the right by spaces.  Thus, it will be
easier to edit if you maximize your terminal window.  Click on the up-arrow in the upper
right side of your terminal window to maximize the terminal.

9. Next, type “nano components/torbirdy.js” and press “enter.”

10. Now, press “LEFT-CTRL+W” to open a search routine, type “--display-charset utf-8” and
press “enter.”

11. You will next see your cursor at a line that shows ' "--display-charset utf-8 " + ' as displayed
in the screen shot below.

Remove the “+” sign and place a “,” sign immediately following the quotation mark so it 
looks like the screen shot below. 

12. Next, move the cursor down 2 lines to the line that starts with “--keyserver-options” as
pictured below.

Type “//” so it appears before the quotation mark as pictured below.

13. Now, type “LEFT-CTRL+X” and type “Y” when asked if you want to save the modified
buffer.

When prompted for the file name to write, press “enter.”

14. Next, add the file you just edited to the torbirdy-current.xpi install package. 

Type “7z u torbirdy-current.xpi components/torbirdy.js” and press “enter.”

15. Remove the directory for the file you just modified. Type “rm -rf components” and press
“enter.”

16. Next, you can close your Konsole session. Type “exit” and press “enter.”

17. Now you need to create your new email account. Click on the Tor Browser icon located near
the K Start Button towards the lower left side of your screen to start Tor Browser.

18. First and foremost, there are multiple email providers that you have the option to choose
from. For the purposes of this tutorial, the example used will be vfemail.net. This is not to
be confused with an endorsement of vfemail.net as the best or most secure email
provider. However, at the time of this publication, vfemail.net is one of the few free
regularly available email providers offering POP3 email access through a .onion address in
the Tor Hidden Network that does not require additional verification details to register an
account. To learn more details regarding the features and offerings of vfemail.net, go to
https://344c6kbnjnljjzlz.onion/faq.php.

If used properly with GPG encryption, vfemail.net's Tor hidden service email service will 
provide you with strong anonymity and privacy. However, remember that this is a Tor 
Hidden Service which means you have no way of ever determining who is running it. 
Thus, if you do not use GPG to encrypt your e-mail, and the people who send you
e-mail do not encrypt it with GPG either, it can be easily read by the e-mail service
provider, random computers on the internet that relay a sent email message, or anyone 
who manages to gain access to your account! 

When Tor Browser opens, type “https://344c6kbnjnljjzlz.onion/register” in your location
bar to go to the vfemail.net Tor hidden service web page and press “enter.”

If you wish to use another email provider, go to its registration page, create your new 
account with them, use KeePassX to generate your password for it, and continue to step 24.

19. Next, the Tor Browser will warn you that the web page's “connection is untrusted.” This is
expected. The warning is due to the fact that the SSL certificate you received is from
vfemail.net, but the domain you are connecting to is 344c6kbnjnljjzlz.onion. Click on the 
text that says “I understand the risks” and then click on the “add exception” button that will 
appear beneath it. 

20. Next, a window prompting you to “add security exception” will appear. Click on the
“Confirm Security Exception” button.

21. The registration screen for vfemail will now load. As of this publication, JavaScript is
required for the registration process due to the CAPTCHA used to block bots. Thus, click on
the NoScript icon to the left of the browser location bar and select “temporarily allow 
https://344c6kbnjnljjzlz.onion.”

22. When the page reloads, you will need to create your email account name and password.
Open up KeePassX and create a password as instructed in Chapter 4b.

When finished creating your password in KeePassX, type fake information into the fields 
under “First Name” and “Last Name.”  Then, type the email name you wish to use in the 
field under “User Name.” Next, select “vfemail.net” in the pull down menu under “Domain 
name.” Then, copy the password you created in KeePassX and paste it into the fields under 
“Password” and “Confirm Password.” Finally, type the letters that appear in the CAPTCHA 
puzzle in the field under the “Type the letters you see above” heading and click on the 
“Register” button.

23. The next screen will confirm that you have created an account. The email address you
selected will be displayed on the page. Copy that address and paste it into the
“description” or “username” fields of KeePassX that are associated with your
password immediately. Then, save your KeePassX database. Then, click the X button to
close Tor Browser and continue to the next step.

 

24. For simplicity, now add a shortcut for Icedove to your desktop. Click on the K start button
and go to "Applications → Internet." Right-click on "Mail Client" and select "Add to
Desktop." A shortcut to "Icedove" will now be on your desktop.

25. After you add the icon to the Desktop, the Start Menu will still be open. Click on "Mail
Client" to open Icedove.

26. The first window that will appear on running Icedove for the first time will prompt you to
configure your email account. Type the alias that you wish to use in the field next to “Your
name.” This will appear next to your email address in emails you send to others. Then, type 
the vfemail.net email address you just created into the field next to “Email address.” Finally, 
uncheck “remember password” and click the “Continue” button. IMPORTANT NOTE: 
Never use Icedove to save your email account password. Icedove does not store 
passwords in an encrypted format. Thus, if your workstation is compromised in the 
future, an attacker may be able to gain access to your email account if they view 
Icedove's unencrypted password storage file. 

27. An outdated version of Torbirdy comes pre-installed with Whonix. You will remove it later.
This poses no problem at the moment. The next window that appears will inform you that
Torbirdy has blocked the automatic configuration process to protect your anonymity. Click 
on the “OK” button to continue.

28. In the next window, you need to configure Icedove to connect to the hidden server of
vfemail.net. The fields you need to change are highlighted in red. Type
“344c6kbnjnljjzlz.onion” in the field next to “Server Name.” Then, type your complete
email address into the field next to “User Name.” Additionally, unmark the box next to
“Leave messages on server.” Finally, mark the box next to “Empty Trash on Exit” and
continue to the next step.

29. Next, click on “Copies and Folders” in the left column. Each option you will need to change
is highlighted in red below. In the pull down menu next to “'Sent' Folder on,” select “Local
Folders.” Next, in the pull down menu next to “'Archives' Folder on,” select “Local 
Folders.” Additionally, in the pull down menu next to “'Drafts' Folder on,” select “Local 
Folders.” Now, in the pull down menu next to “'Templates' Folder on,” select “Local 
Folders.” Finally, mark the box next to “show confirmation dialog when messages are 
saved.” When finished, continue to the next step.
 

30. Next, click on “Local Folders” in the left column. Then, click on “Empty trash on exit.”
When finished, continue to the next step.

31. Now, click on “Outgoing Server (SMTP)” in the left column. Then, click on the “Edit”
button.

32. In the next window that appears, type “344c6kbnjnljjzlz.onion” in the field next to “Server
Name.” Then, click on the pulldown menu next to “Connection security” and select
“STARTTLS.” Next, type your complete email address into the field next to “User Name.” 
Finally, click on the “OK” button.

33. When you are returned to the “Account Settings” window, click on the “OK” button.

34. Icedove will now attempt to connect to 344c6kbnjnljjzlz.onion. Wait for the window
pictured below to appear.  When Icedove connects, the “Add Security Exception” window
will appear informing you that there is an issue with the SSL certificate. This is
expected. The warning is due to the fact that the SSL certificate you received is from 
vfemail.net, but the domain you are connecting to is 344c6kbnjnljjzlz.onion. Click on the 
“Confirm Security Exception” button. 

35. You will now be returned to the main Icedove window. An “Enigmail Setup Wizard”
window will also be running.  You can ignore this for now. When you reach the main
Icedove window, click on the icon that has the 3 horizontal bars towards the upper right 
corner. Then, click on “Preferences” and click the box next to “Menu Bar” so that a check 
mark appears in it.

36. A menu bar will now appear towards the top of the Icedove window.
Click on “Tools → Add-ons.”

37. The “Add-ons Manager” tab will now appear.  Click on “Extensions” and then click the
“Disable” button next to “TorBirdy.”

38. Now, click on the “X” button in the upper right corner of Icedove to close the main Icedove
window.

39. The Enigmail Setup Wizard will be running. “Start setup now” will be selected by default.
Click on the “Next” button.

40. On the next screen, click the circle next to “I prefer an extended configuration” and then
click the “Next” button.

41. Next, you will be prompted to create a GPG keypair or use an existing one. Click on the
circle next to “I want to create a new key pair for signing and encrypting my email” and then
click the “Next” button.

42. In the next window that appears, choose a strong passphrase and input it into the fields next
to “Passphrase” and “Passphrase (repeat).”  Create your passphrase using the same
methodology that you used for the passphrase to encrypt your hard drive in the beginning of
this tutorial. You will need your passphrase to sign messages with GPG or to decrypt
messages sent to you. With a strong passphrase, if your machine is ever compromised and
someone steals your GPG Secret Key, you will have an extra layer of protection to prevent
the attacker from being able to easily decrypt emails sent to you or to impersonate you by
signing emails with your GPG key.

When you have selected an appropriate passphrase and typed it into the “Passphrase” fields,
click on the “Next” button.

43. At this point, Enigmail will begin creating your new GPG key pair.  When it finishes, click
on the “Create Revocation Certificate” button.

44. You will now be prompted to enter the passphrase you created in step 42 for your GPG
secret key. Type your passphrase in the “Passphrase” field and click the “OK” button.

 

45. The next window will ask you where you want to store your GPG Revocation Certificate.
Click on “user” in the left column. Then, choose a filename other than the default for your
GPG Revocation Certificate. The default name uses spaces which can make a step later in 
this guide trickier for you. Finally, click the “Save” button.

46. Next, you will be informed that the GPG revocation certificate was successfully created.
Click the “OK” button.

47. You will now be returned to the “Key Creation” window.  Click the “Next” button.

48. The next window will inform you that Enigmail is now ready to use.  Click the “Finish”
button.

49. Note: The following steps are optional, but recommended. Before continuing with Icedove,
take the time to encrypt your revocation certificate. Your GPG revocation certificate can be
used to revoke your public encryption key that you have added to key servers even if you no 
longer have access to your GPG Secret Key or have forgotten your password. If an attacker 
gets their hands on your GPG revocation certificate, they can revoke your keys. Encrypting 
the GPG revocation certificate with a passphrase you can remember will protect you against 
an attacker using it to revoke your keys if they manage to steal your revocation key.  Open 
up a Konsole / Terminal session to get to a command prompt. Click the K start button and 
then click “Terminal.”

If you wish to skip encrypting your revocation key, continue from step 55.

50. At the command prompt, type
“gpg --cipher-algo AES256 --symmetric RevocationCertificateFileName” and press
“enter.”

Tip: If you included spaces in your file name, once you type the first few letters of it, you 
can complete the rest of the file name by pressing the “Tab” key. This can save you time 
when typing any file name from the command line.

51. You will be prompted to “Enter passphrase.” Choose a secure passphrase and enter it into
the passphrase field. Then, click the “OK” button. If you ever need to use your revocation
certificate, this is the passphrase you will use to decrypt it first. Do not forget this
passphrase! If need be, save it in KeePassX.

52. You will be asked to re-enter your passphrase. Type it again into the passphrase field and
click the “OK” button.

53. Eventually, you will be returned to the shell prompt. Type “ls *.gpg” and press “enter.” If
you see a file that has the same name as your revocation certificate ending with “.gpg,” you
have successfully encrypted your revocation certificate and can continue to the next step. If 
you don't see such a file, start again from step 50.

54. Now, securely delete your unencrypted revocation key. 

Type “shred -n 30 -uvz  RevocationCertificateFileName” and press enter. 

When the process completes, close the Terminal/Konsole window by clicking on the “x” in 
the upper right corner or typing “exit” and pressing enter. Then, go back to Icedove.

In the future, if you ever need to use your revocation key, decrypt it by typing
“gpg -o RevocationCertificateFilename.asc -d RevocationCertificateFilename.gpg”.

55. Next, open Icedove either through the K start menu or from the icon on your desktop.  When
Icedove opens, a “System Integration” window will appear.  Click on the “Skip Integration”
button.

56. Icedove will now attempt to automatically check for new email. Wait for a moment until you
are prompted for your password. When the window appears that asks you to enter your
password, click the “Cancel” button.

57. At the bottom of the Icedove window, you will be asked if you would “like to help improve
Icedove Mail/News by automatically reporting memory usage, performance and
responsiveness to Mozilla?” Click on the “No” button.

58. Next, you will install the latest version of Torbirdy that you modified earlier in this chapter.
Click on the gear icon towards the upper right side of the Icedove “Add-ons Manager”
window and click on “Install Add-on from file.”

59. In the next window that appears, click on “user” under “Places” towards the left side of the
window.  Then, double-click on Downloads.

At the next screen, click on “torbirdy-current.xpi” and then click on the “Open” button.

60. Next, a “Software Installation” window will appear.  After the brief timed delay finishes,
click the “Install Now” button.

61. When you are returned to the “Add-ons Manager” in Icedove, click on the “Enable” button
next to “Torbirdy.”

62. After you have enabled Torbirdy, click on the “Restart now” link that appears to restart
Icedove.

63. When Torbirdy restarts, click on the “x” in the tab entitled “Add-ons Manager” to close the
Add-ons Manager window.

64. You will now be returned to the main Icedove window. Click on “Edit → Preferences.”

65. In the window that appears, click on the “Advanced” tab. Unmark the box next to “Enable
Global Search and Indexer.” Then, click on the “Return Receipts” button.

66. In the next window that appears, mark the circle next to “Never send a return receipt.” Then,
click the “OK” button.

67. When you are returned to the “Icedove Preferences” window, click the “Privacy” button.
Then, uncheck the boxes next to “Remember websites and links I've visited” and “Accept
cookies from sites.”  Then, click the “close” button.

68. Next, you need to change some settings that were not addressed by the Enigmail Setup
Wizard. At the main Icedove window, click on “Edit → Account Settings.”

69. In the window that appears, click on “OpenPGP Security” in the left column. Then, mark the
boxes next to “Encrypt messages by default” and “Sign encrypted messages.” Next, unmark
the box next to “Use PGP/MIME by default.” Then, click the “Enigmail Preferences” 
button.

70. In the “Sending” tab of “Enigmail Preferences” window, click the circle next to “Manual
encryption settings.” Then click the circle next to “Always” under “Confirm before sending”
and click the OK button.

71. When returned to the “OpenPGP Options” window, click the “OK” button.

72. Next, quit Icedove by clicking on the “x” in the upper right corner.

 

73. Now, open Icedove either through the K start menu or from the icon on your desktop. When
Icedove opens, click on “Enigmail → Key management.”

74. In the Key Management window that appears, you will see your key in bold and the key you
imported for Sukhbir Singh if you chose to verify Torbirdy earlier.
Click on “Keyserver → Search for Keys.”

75. The next window that appears enables you to search for GPG keys hosted on public GPG
key servers.  You can search for GPG keys by e-mail address, a short key ID or an
individual's public GPG fingerprint. In this step you are going to search for the key belonging
to anonguide [at] vfemail.net by its public GPG fingerprint.
Type or paste “64222A88D25730910C47A904BD8083C5237F796B” in the field next to 
“Search for key” and click the “OK” button.

 

76. In the next window that appears, an entry for “anonguide [at] bitmessage.ch” with a Key ID of
“237F796B” should be displayed with a check mark next to it.  Click the “OK” button to
import the key.

77. The next window should inform you that the key for “anonguide [at] vfemail.net” was
successfully imported. It is not a problem that the e-mail address is different than the
“anonguide [at] bitmessage.ch” listed above when importing the key. Multiple e-mail 
addresses can be used with a GPG public key. “anonguide [at] bitmessage.ch” is simply an 
older e-mail address.  Click the “OK” button to continue.

78. Now, verify the integrity of the newly imported key for “anonguide [at] vfemail.net.”
Double-click on the key for “Anon Guide <anonguide [at] vfemail.net>” to open the “Key Properties”
window.

79. In the window that appears, note the fingerprint. It should be
“6422 2A88 D257 3091 0C47 A904 BD80 83C5 237F 796B”. The full fingerprint may not
display in the Key Properties window. You can scroll through it by clicking in the field next
to “Fingerprint” and using your arrow keys.

If the fingerprint is anything different, assume the public key for this tutorial that you
downloaded has been tampered with and do not use it. When you have confirmed the
fingerprint, click the “OK” button.

Note: It is always important to verify any GPG public key you have added to your keyring 
with a fingerprint provided to you by the person you wish to communicate with.  The reason 
for this is that anyone can add a GPG public key to a key server that claims to belong to a 
certain email account. If an attacker is monitoring an email account through surveillance, 
and you use an encryption key that they created to falsely correspond to the person you wish 
to communicate with, the attacker will be able to read your email.

80. Now, export your public key to a GPG key server. Right-click on the entry for your email
address and click on “Upload Public Keys to Keyserver.”

81. Click the “OK” button in the next window that appears to upload your public GPG key to
the keyserver.  A progress meter will then appear. If the upload is successful, you will not
receive any confirmation message. If you wish to check that your GPG public key was 
successfully uploaded to the keyserver, do a search for your own key the same way you 
searched for the key belonging to “anonguide [at] vfemail.net” in step 74. 

 

82. Now, let's prepare Icedove to inform people about your public GPG key through listing it in
your email signature.  Double-click on the key entry for your vfemail.net email address to
open the “Key Properties” window.

   

83. In the window that appears, click in the field next to “Fingerprint.” Then, “select all” of the
text in the field by typing either “LEFT-CTRL A” or doing a right-click and choosing
“select all.” Next, copy the text to your clipboard by typing “LEFT-CTRL C” or doing a 
right-click and choosing “copy.” When you have copied the text to your clipboard, click the 
“Close” button. You may close the “Key Management” window at this point if you wish.

84. From the main Icedove window, click on “Edit → Account Settings.”

85. Now you are going to create a signature that will be included in all of your outgoing mail
that will contain both your GPG public key ID and your GPG public key fingerprint. In the
next window that appears, click in the text field located underneath “Signature text.” Then 
paste the contents of your clipboard on to two separate lines in the text field.

On the first line, type “GPG Public Key:” before the fingerprint you just pasted.  Then, 
delete all but the last 16 characters of the fingerprint from this line. If you look at the 
example below, you'll notice that your fingerprint consists of 10 groups of 4 characters. 
Delete the first six groups. Then, delete the spaces in between the remaining groups of 
characters. Finally, type “0x” (that is the numeral zero) directly in front of the remaining 
characters. In the example below, that results in “0xE2A4440ABE1DE630.” The end result 
of what you create here is your GPG public key ID number. People can enter that into 
various GPG key servers to find your public key and send you encrypted messages.

On the second line, type “Fingerprint:” in front of the characters you pasted there. This will
help enable people who download your GPG public key to verify that it is the key you wish
them to use.   When you are finished, click the “OK” button.
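
Steps 79 and 85 both handle a key fingerprint by hand. As an added example (not part of the original guide), the shell script below performs the same comparison and the same key ID derivation, and refuses a partially displayed fingerprint instead of matching on the visible part. The function names are made up for this illustration, and the sample input is the fingerprint the guide gives for anonguide [at] vfemail.net.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Fingerprint printed in step 79 of the guide, used here as sample input.
GUIDE_FPR='6422 2A88 D257 3091 0C47 A904 BD80 83C5 237F 796B'

# normalize_fpr TEXT
# Strips whitespace, upper-cases, and requires exactly 40 hex digits.
# Prints the normalized fingerprint, or returns 1 if TEXT is not a full one.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F')
    case "$fpr" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# fpr_matches SHOWN EXPECTED
# 0 = identical, 1 = different, 2 = one of them is not a complete fingerprint
# (for example a fingerprint field that only shows part of the value).
fpr_matches() {
    a=$(normalize_fpr "$1") || return 2
    b=$(normalize_fpr "$2") || return 2
    [ "$a" = "$b" ]
}

# long_key_id FINGERPRINT
# Step 85 by machine: keep the last 16 hex digits and put "0x" in front.
long_key_id() {
    f=$(normalize_fpr "$1") || return 1
    printf '0x%s\n' "$(printf '%s\n' "$f" | cut -c25-40)"
}

# signature_block FINGERPRINT
# Prints the two signature lines described in step 85.
signature_block() {
    f=$(normalize_fpr "$1") || return 1
    grouped=$(printf '%s\n' "$f" | sed 's/..../& /g; s/ $//')
    printf 'GPG Public Key: %s\nFingerprint: %s\n' "$(long_key_id "$f")" "$grouped"
}

# Step 79: compare what the Key Properties window shows with the published value.
shown='64222a88d25730910c47a904bd8083c5237f796b'   # constructed: pasted without spaces
if fpr_matches "$shown" "$GUIDE_FPR"; then
    echo "fingerprint matches"
else
    echo "fingerprint differs or is incomplete: do not use this key"
fi

# Step 85: substitute your own fingerprint for GUIDE_FPR.
signature_block "$GUIDE_FPR"
```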

86. Now you will be instructed on sending out your first test email to anonguide [at] vfemail.net.
Click on the “Write” button located in the upper left region of the window.

87. A new window will open for you to compose an email message. In the “To” field, type
“anonguide [at] vfemail.net”. Then, type “key test” in the “Subject” field. Then, type
whatever you wish into the message body.  You do not need to go into great detail.  The 
point of this email is to test your encryption key and get you familiar with a common 
encrypted email exchange.  

Notice the padlock and pencil icons located towards the upper-left side of the window next 
to the “Enigmail:” header. These icons should be marked as active by a gray square around 
them with the padlock closed, which means your message will be signed and encrypted (if 
you have a corresponding public key). To the far right of these icons, a status message also 
informs you that the message will be signed and encrypted. 

Note: The Subject field is NEVER ENCRYPTED, even when you encrypt your message 
and attachments. Thus, be wary of any information you put in a subject field. 

When you are ready to send the message, click the “Send” button.

88. You will next be prompted to enter your GPG passphrase. This will enable you to sign the
message you are sending to us. When you sign a message, this provides a mechanism which
allows the recipient of an email to be confident that you actually wrote the email and not an 
impostor.  Type your passphrase and click the “OK” button.

89. If you take too long to enter your GPG passphrase, the window imaged below may appear.
Do not worry about that. Finish typing your GPG passphrase and, when you get to the
“Warning: Unresponsive Script” window, click the “Continue” button. Your email will now 
be encrypted.


90. After you've typed in your passphrase, a confirmation window will appear asking if you 
wish to send a signed and encrypted email to anonguide [at] vfemail.net. Note the body of your 
email message under that window.  If you see “-----BEGIN PGP MESSAGE-----” and a 
series of random characters, that shows your email has been encrypted and you can click the 
“Send Message” button. However, if you still see the original text of your message, it is 
not encrypted and you should click the “Cancel” button.


91. Since this is your first time sending an email, another “Add Security Exception” window 
will next appear.  This is expected. The warning is due to the fact that the SSL certificate 
you received is from vfemail.net, but the domain you are connecting to is 
344c6kbnjnljjzlz.onion. Click on the “Confirm Security Exception” button. You won't have 
to do this again in the future.


92. As a result of the issue with the SSL certificate in the last step, the sending of your message 
will fail.  Select the Icedove “Write: key test” window from your task bar. 

Then, click the “OK” button in the “Send Message Error” window that appears.

Then, when you are returned to your email composition window, click on the “Send” button 
again. 

Finally, you'll again be prompted to confirm that you want to send a signed and encrypted e-
mail. Click the “Send Message” button.


93. Next, you will be prompted to enter the password for your vfemail.net account. This will 
happen each time you start Icedove and send an email for the first time since your password 
is not stored by the program. However, once you have entered the password, Icedove will 
remember it for the session.  The same process applies to receiving email. When asked to 
enter your password, copy it from KeePassX, paste it into the password field and click the 
“OK” button.

Note: Do not use Icedove's Password Manager to store your password. Icedove does not 
encrypt stored passwords by default. Thus, if an attacker compromises your machine and 
manages to access your Icedove folder, they will gain the password to your email account if 
you have stored it in Icedove.

94. You will now be returned to the main Icedove window. If you notice a new “Sent” folder in 
your Local Folders on the left side of the window, your email to anonguide [at] vfemail.net 
was sent.


95. In some instances, you may wish to send an email to an address for which you have no GPG 
public key in your keyring. When you reach a new mail composition window like you did in 
step 87, you have the option of sending your GPG public key to the recipient as an 
attachment.  If you wish to do that, click on the “Attach My Public Key” button before you 
send the email.

Once you have composed the message and clicked the “Send” button, a window will appear 
explaining that no valid GPG public key could be found for the email recipient. Unmark the 
boxes next to “Send encrypted” and “Send signed.” Then, click the “Send” button to send 
the unencrypted message. 

Note: Remember that this email is unencrypted.  Thus, it is possible that, if someone 
intercepts your email at some point, it could be read. Be wary of what information you 
share in an unencrypted email.

The remainder of this chapter will discuss downloading and reading email.


96. In the near future, you will want to check your mail to see if you got a response from us or if 
anyone has sent you email messages. From the main Icedove window, click on the “Get 
Mail” icon to check for any new email messages on the server and download them.

97. Next, you will be prompted to enter your password for your email account.  Once you have 
entered the password, Icedove will remember it for the session.  When asked to enter your 
password, copy it from KeePassX, paste it into the password field and click the “OK” 
button.

 

98. When you receive new emails, a counter will appear next to “Inbox” in the left column. 
Click on “Inbox” to go to the list of new emails. Then, click on the email that you wish to 
read.


99. If the message you received was encrypted with your public key, you will need to type your 
GPG passphrase to decrypt it. If a window like the one in the image below appears, type 
your GPG passphrase and click the “OK” button.

100. The email will next display in the lower portion of your Icedove window. From 
here, you have the option of replying, forwarding, deleting, etc. If you are reading the 
message sent to you by anonguide [at] vfemail.net, your encryption configuration is working.


Congratulations. You have reached the end of the Icedove and Enigmail email tutorial. It 
should be emphasized that this is not meant to be an all-inclusive tutorial on the safest way to 
use GPG/PGP encryption. There are a number of other resources on the Internet, or people you 
can talk to, that can provide more tips that may be better for the perceived threat model you want to 
address. However, you now have a strong starting point that has laid down the basic fundamentals 
of using encryption over email.  Remember the following tips regarding email:

Do not contact people you know in real life at non-anonymous email addresses 
with the email account you created here. Do your best to keep your real world 
identity separate from your online identity in Whonix.

Be wary of what you share about yourself in email! Just because your email is 
encrypted doesn't protect you if the person you are communicating with stores your 
emails in an unencrypted format. Nor does it protect you from someone receiving 
messages from you who desires to use the information you provide to exploit you.

Never include sensitive information in an email subject, EVEN IF THE EMAIL 
IS ENCRYPTED! Subject headers in email are never encrypted, despite the fact 
that the rest of the message is.

If you send email to a recipient without encryption, assume it can be read by 
anyone!

Whenever you have the option to use a Tor hidden service, a domain name with a 
.onion extension, use it! If you can confirm it is controlled by the service you wish to 
use, it will give you greater protections.
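
The check from step 90 and the subject-line tip above can also be run on a saved copy of a message. The script below is an added example, not part of the original guide: it reports whether the whole body is a single armored PGP message and which headers remain readable. The sample messages, addresses and the function names audit and body_is_encrypted are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample of an inline-PGP email; the addresses are examples and
# the armored payload is placeholder base64, not real ciphertext.
SAMPLE_ENCRYPTED = """\
From: sender@example.org
To: recipient@example.org
Subject: key test
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1

Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=
=AAAA
-----END PGP MESSAGE-----
"""
# Same constructed message with the body left as readable text.
SAMPLE_PLAINTEXT = SAMPLE_ENCRYPTED.split("\n\n", 1)[0] + "\n\nThis is my test message.\n"

# A whole ASCII-armored block: BEGIN line, optional armor headers, a blank
# line, base64 data lines (incl. the "=XXXX" checksum), END line, nothing else.
ARMOR = re.compile(
    r"\s*-----BEGIN PGP MESSAGE-----\r?\n"
    r"(?:[A-Za-z]+: [^\r\n]*\r?\n)*\r?\n"
    r"(?:[A-Za-z0-9+/=]+\r?\n)+"
    r"-----END PGP MESSAGE-----\s*")

def body_is_encrypted(msg):
    """True only if every leaf part is one complete armored PGP message."""
    if msg.get_content_type() == "multipart/encrypted":  # PGP/MIME, RFC 3156
        return True
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    texts = [p.get_payload(decode=True).decode("utf-8", "replace") for p in leaves]
    return bool(texts) and all(ARMOR.fullmatch(t) for t in texts)

def audit(raw):
    """Report whether the body is encrypted and which headers stay readable."""
    msg = message_from_string(raw)
    exposed = {h: msg[h] for h in ("From", "To", "Cc", "Subject") if msg[h]}
    return {"encrypted": body_is_encrypted(msg), "cleartext_headers": exposed}

if __name__ == "__main__":
    for name, raw in (("encrypted", SAMPLE_ENCRYPTED), ("plaintext", SAMPLE_PLAINTEXT)):
        print(name, audit(raw))
```

A body that mixes readable text with an armored block, such as a reply that quotes the original in the clear, is reported as not encrypted.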

Click here to continue to Chapter 4g.