From Mageia wiki




Summary

Two popular technologies exist that add support for end-to-end encryption and digital signatures to email. Thunderbird has been offering built-in support for S/MIME and will continue to do so. The Enigmail Add-on for Thunderbird has made it possible to use the external GnuPG software for OpenPGP messaging. Thunderbird extends the Mozilla software platform that is primarily used for the Firefox browser. Enigmail requires the use of extension mechanisms, which are no longer available in newer versions of the Mozilla platform. The Thunderbird 68.x branch is the last version that supports Enigmail.

Starting with Thunderbird 78, Enigmail is no longer available and Thunderbird will no longer use the user's GnuPG keyring. Existing users of Mageia 7.1 with Thunderbird 68.12 and Enigmail should be aware of this before upgrading to Thunderbird 78.3.x.

Warning: A migration tool, based on Enigmail, is provided for our Mageia users to help them to migrate appropriately.

Upgrading path

Automatic and simple way

  1. Back up your user GnuPG keyring.
  2. Update to Thunderbird 78.3.1 and, in Rpmdrake, verify that Enigmail is also updated to 78.3.1.
  3. Run Thunderbird for the first time.
  4. Enigmail shows a page offering to import your previous configuration. NOTE: this will ask twice for the existing passphrase of your GnuPG keys: once for migrating from GnuPG and once for importing into Thunderbird.
  5. In the account preferences, verify that OpenPGP is correctly set for your mail.
  6. Add a Master Password for Thunderbird, as it will no longer ask you for a passphrase to use your OpenPGP keys. You really should add one to protect yourself.

Enjoy!

Manual and laborious way, just in case Enigmail can't properly do it

Export GnuPG key to file

  1. Back up your user keyring using Kleopatra on Plasma or Gnome-Keyring on GNOME.
  2. Using the UI, export your private email key to a file in your Desktop folder.
  3. Export each of your recipients' public keys to its own file (you will get as many files as you have recipients' public keys). Give each file a descriptive name to make the later import easier.
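
For users who prefer a terminal to Kleopatra, the export steps above can also be done with the gpg command line. The script below is an added example, not part of the original wiki page; the OUT_DIR location, the file-naming scheme and the script name are assumptions of this example.

```shell
#!/bin/sh
# Added example: command-line equivalent of the manual export steps.
# OUT_DIR and the file-naming scheme are assumptions of this example.
OUT_DIR="${OUT_DIR:-$HOME/Desktop/openpgp-export}"

# Read `gpg --with-colons` output on stdin; print "FINGERPRINT<TAB>first user ID"
# for each primary key (subkey fingerprints and extra user IDs are skipped).
list_primary_keys() {
    awk -F: '
        $1 == "pub" || $1 == "sec" { want_fpr = 1; want_uid = 0; next }
        $1 == "fpr" && want_fpr    { fpr = $10; want_fpr = 0; want_uid = 1; next }
        $1 == "uid" && want_uid    { printf "%s\t%s\n", fpr, $10; want_uid = 0 }
    '
}

# Build a safe, readable file name from a fingerprint and a user ID:
# the e-mail address (or the whole user ID) plus the last 8 fingerprint digits.
key_filename() {
    fpr=$1; uid=$2
    addr=$(printf '%s' "$uid" | sed -n 's/.*<\([^>]*\)>.*/\1/p')
    [ -n "$addr" ] || addr=$uid
    safe=$(printf '%s' "$addr" | tr -c 'A-Za-z0-9._@-' '_')
    short=$(printf '%s' "$fpr" | sed 's/.*\(........\)$/\1/')
    printf '%s_%s.asc\n' "$safe" "$short"
}

# Export every public key to its own file, then the given secret key.
export_keys() {
    own_key=$1
    umask 077                      # exported files readable by the owner only
    mkdir -p "$OUT_DIR"
    gpg --batch --list-keys --with-colons | list_primary_keys |
    while IFS="$(printf '\t')" read -r fpr uid; do
        gpg --batch --yes --armor --output "$OUT_DIR/pub_$(key_filename "$fpr" "$uid")" \
            --export "$fpr"
    done
    # gpg asks for the key passphrase here (via pinentry).
    gpg --armor --output "$OUT_DIR/SECRET_$own_key.asc" --export-secret-keys "$own_key"
}

# Run only when called as: sh export-keys.sh <your-key-fingerprint-or-email>
if [ -n "${1:-}" ]; then export_keys "$1"; fi
```

The secret-key file is as sensitive as the keyring itself, so keep it only as long as the import into Thunderbird takes.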

Import exported Keys to Thunderbird

  1. Import your GnuPG (public and private) key in Tools menu > OpenPGP Key Manager.
  2. Edit end-to-end encryption inside the account preferences and select your existing GnuPG key.
  3. Import all public GnuPG keys from existing recipients.
  4. To protect your keys, you may also define a master password in Thunderbird.

Don't forget to delete all files in your Desktop folder related to your GnuPG keys and your recipients' keys, as they are no longer necessary.

Rationale

As a replacement for Enigmail, the Thunderbird team has developed new integrated support for OpenPGP messaging. Patrick Brunschwig, who has been developing and maintaining the Enigmail Add-on for many years, has offered to assist them.

Objectives

The primary objective is to be able to send encrypted email, digitally sign email, decrypt received email, verify the correctness of digitally signed email, and to provide this functionality in a secure, compatible, interoperable, and user-friendly way. The Thunderbird team considers encryption and digital signatures as features that can be used either in combination or independently. When sending an email, users should be able to decide on their own which of the features they want to use, and when receiving emails, it should be possible to discover which of those protection mechanisms were used.

OpenPGP engine

Thunderbird is unable to bundle GnuPG software, because of incompatible licenses (MPL version 2.0 vs. GPL version 3+). Instead of relying on users to obtain and install external software like GnuPG or GPG4Win, we intend to identify and use an alternative, compatible library and distribute it as part of Thunderbird on all supported platforms.

GnuPG vs. RNP and key storage

Thunderbird no longer uses external GnuPG software. Previously, all your own keys and the keys of other people were managed by GnuPG, and Enigmail let you view, use, and manage them. Now that Thunderbird uses a different technology, it's necessary to perform a migration of your existing keys from GnuPG into Thunderbird's own storage (inside the Thunderbird profile directory). Thunderbird will use its own copy of the keys; sharing your keys between Thunderbird 78 and GnuPG currently isn't supported. (Exception: There is an optional mechanism to use GnuPG with smartcards. It's disabled by default and needs more testing.)

You must open Account Settings and the End-To-End Encryption tab, to verify the configuration.

Thunderbird doesn't use on-demand unlocking (key passwords) of your secret keys. Rather, the only way to password protect the use of your OpenPGP secret keys is to set up the global Master Password feature of Thunderbird, which you can find in Thunderbird's security preferences.

To enable Thunderbird to use your existing secret keys, you must unlock them to import them. This may require you to enter your password twice. First, to confirm that GnuPG is allowed to export the password. Second, to allow Thunderbird to access the raw key and copy it into Thunderbird's configuration storage. This is handled as part of the migration process, offered by the updated Enigmail Add-on, that acts as a migration tool.

If you were using the owner trust configuration for keys with GnuPG, this is handled differently in Thunderbird. The equivalent of marking a secret key as owner trust ultimate is to use Thunderbird's OpenPGP key manager, open its details, and confirm that you accept it as a personal key. This flag will be automatically set by the migration. You might have to manually set it when importing a key using Thunderbird's key manager. The stable Thunderbird release is expected to ask you to set that flag at import time.


Source:

Thunderbird Release Note (External site)

Upstream details and roadmap to OpenPGP functionality in Thunderbird 78 (External site)