How to encrypt your emails with PGP keys

by Moritz Zajonz 1 Comment
How to encrypt your emails with PGP keys

Important: This encryption tutorial is aimed at Linux-users. However, if you are using a Windows or macOS machine, the process is very similar. If you encounter any problems, feel free to contact us.

Secure online conversation is not a simple thing. There are various possibilities, depending on your needs. For journalists this might be protecting their sources. Offering a way for people to stay anonymous when they contact you might go a long way towards cultivating sources . We will guide you through the process with this tutorial, so, if you want to know how to send and receive emails securely, continue reading.

First things first

Some useful keywords for this tutorial include:
  • Encryption: the content of a file – in our case a message – is scrambled using a secret method, so that it is unreadable without knowing the specific key needed to turn it back into readable text
  • Encryption keys: your own public and private key, plus any public keys of other people that you imported
  • PGP / GPG: software that creates the encryption keys and manages them
  • OpenPGP: a free set of encryption standards that GPG is based on and is also compatible with PGP

There are some differences between the two computer programs. One is that they use different encryption algorithms, that is to say different methods of encryption. More importantly, PGP became proprietary some time after it was published. GPG was rewritten based on the OpenPGP algorithms to offer a free encryption program.

The email client

First, you will need the right email client. Mozilla Thunderbird is a good choice, because it is free and supports Linux as well as macOS and Windows. To be more specific, we will use an add-on for Thunderbird called “Enigmail”, but we will get to that in a minute. You can download Thunderbird here. The link is also listed in the ‘Downloads‘ section farther below.

How to set up accounts in Thunderbird:

If you have installed and set up Thunderbird, you can install the add-on we talked about. Just open Thunderbird, click on the menu-icon next to the search bar, select “Add-ons”, then search for “Enigmail” and install it. Thunderbird will ask you to let it restart itself, let it do that.

Now that we have our email client configured properly, we will continue with GPG, the key managing program.

The keys


list of available downloads for gnupg. the "modern" version is marked blue To check if you have already installed GPG type gpg --version in the terminal. If it doesn’t return something like
gpg (GnuPG) 2.1.15 you have to download the tarball marked in the picture on the right. Download and install it from here.

How to handle tar-balls:

Windows-users can find the equivalent program here. There are alternative implementations for macOS but we won’t cover those or the Windows version in this tutorial. We don’t believe they require much more effort than an ordinary installation though, so you could just try to get them working on your own. You can find a list of OpenPGP-compatible programs for various operating systems – including Android OS – linked in the Downloads section.

Creating the keys with Keybase

Next, you need to create a pair of keys. At journocode, we went for the easy way and used to create the key pair. The big benefit is that you can also use Keybase to register verified identities of yourself from various websites, for example Twitter, Facebook, Github or your own website. This overview is paired with your public key. This way, you can simply use a URL like “” in your email signature to submit others a link to your public key instead of the full, lengthy key in the signature.

That’s why we decided to use keybase. You don’t have to create an account, but it really makes things easier. If you don’t want to, you can skip ahead to the next step: “Importing the keys in Enigmail”.

If you create an account, the website will guide you through the process of creating the keys. Important: The passphrase you choose for your Keybase account will also be used to decrypt the messages you receive through your email client.

Tips for a secure password
To create a secure password, you should include the following characteristics:

EDIT: I had to revise this section, because security experts have shifted to a more promising approach for password security:

Password managers. It’s not that expensive (about 1 Euro/Dollar per month), easy to set up and easy to use. You will only have to remember one secure password for the manager itself and it will take care of all of your other passwords.

If you don’t want to spend money on this and/or want to go the extra mile on secure password storage, there’s a way as well: You can use free and open-source tools like KeePass or the free password manager from security company Spideroak, called “Encryptr“.

The reason for this approach is simple: People are lazy. If they are forced to change their passwords often or expected to remember 10 special digits and numbers for every one of their online accounts, people tend to go the easy way. Their answer to the first issue is that they just add a number to the password and increase it every time they are supposed to change it. For the latter, people often react by using only one or two passwords for all of their accounts.

Both practices are really dangerous. Especially the latter case, in which a hacker of one password database could easily get access to all accounts associated to your email address that use the same password.

If you’re now eager to try a password manager, here’s a list of some good ones:

There’s a lot of debate about which features make the best password managers. We won’t cover this here, because that’s not really the focus of this tutorial. The essence is: Using any of those managers is better than using none at all.

Some of the following advice holds still up, though. Parts which have been revised are crossed out.

  • UpPeRcAse & LowErCaSE LeTteRs
  • Num83r5
  • Spe-cia\_chara(ter$
  • minimum length of eight characters; every additional character makes it exponentially harder to crack

About these common tips: If you are fine with remembering special characters in your master password, you can use them of course. If not, a simpler password serves just as good, if it is long enough: at least 10 digits.

Plus, you should not compose your password of:

  • personal information – easy to get from social media
  • consecutive keyboard combinations – ‘qwerty’ / ‘qwertz’,  ‘asdf’ or ‘12345’ can easily be cracked through a “dictionary” attack
    • the same goes for any geometric shapes typed on the keyboard – like a V for example: QAYSE
  • reused passwords – especially in the case of encryption, using a password that you are using anywhere else can make the whole effort worthless

At one point you will be asked to answer some questions like “What’s your favorite dinner?”. These help to randomize the function keybase uses to create your unique set of encryption keys. It’s normal that this process might take several minutes. Keybase will also ask you if you would like them to store the private key for you. You need to agree to that to follow this tutorial – Don’t worry, Keybase will store the key encrypted.

Importing the keys in Enigmail

Now we have gotten ourselves a pair of encryption keys: a public one to share and a private one to keep secret. We will now take those to set up Enigmail. In order to do so, open Thunderbird, click the menu button again, hover over “Enigmail” and then select “Setup Wizard” from the dropdown-menu. The wizard will ask if you want to continue using a standard, extended or manual configuration. If you didn’t create an account with keybase, check the box for the standard configuration and click continue. The setup will guide you through the process of creating your pair of keys.

If you decided to use keybase, select the extended configuration. In the next step you can choose to associate all of your email addresses from Thunderbird with the encryption keys or just some of them. Enigmail will then ask you for the public and private key files, ending with “.asc”.

Getting the public key

To get them, visit in your browser and go to your profile. There you will see a sequence of characters next to the symbol of a key. This character sequence is specific for your public key but much shorter. It is called a “fingerprint”. If you click at it, a popup will open with your public key as plain text. click in the field, hit “Ctrl+c” (to copy the content) and save it in a new text document on your computer. The file has to end with “.asc” to be noticed by Enigmail as an encryption key file. We would recommend to name this file “public_key.asc” or something alike and store it on your Desktop, so you can easily find it in Enigmail.

Getting the private key

To get the private key, you have to visit your keybase profile again and click on “edit” next to the public key fingerprint. This will present you with the option to export your private key from keybase. Type in the passphrase you set when you created your account, click “Export” and voilà! There is your private key. Notice that you cannot export the key using the “enter” key. You have to click the “Export”-button with your mouse. Next, you have to repeat the steps from before and create a file called “private_key.asc” or something similar.

Now that you have these files handy on your Desktop, you can select them in the setup wizard and continue. When asked if you want to create a key revocation certificate, you should select “yes” and save it to your computer. It is recommended that you store it safely on a CD or USB stick because with this certificate a person could revoke your public key. However, you can simply leave it on your computer, since that would not be a security risk but “just” a nuisance because you would have to create a new set of keys and explain your friends and colleagues what happened to the old one. After confirming this step with your keybase passphrase, you are finished! Well, almost.

Writing and receiving encrypted emails

Now, we can encrypt all of our email conversations. If you start a new message, you will see some new buttons above the “From:” field. These are the options of Enigmail:

Enigmail options icons: open lock for e-mail encryptionTo make the red message on the right side go away, you can click on the lock. This turns the encryption for the email your are currently writing on. However, this only makes sense if you have imported the public key of the person you are writing to.

Enigmail options icons: pencil for e-mail signingNext to that field is a pencil symbol. If you enable this, your message will be signed with your private key, which signals the recipient that you wrote and encrypted this email yourself.

Enigmail options icons: clamp for key attachmentWe recommend you attach your own public key, so the recipient can reply to you encrypted. If the recipient in return attaches their public key, you can import that using a simple button in Thunderbird and the conversation between the two of you is completely encrypted! Hooray!

No absolute encryption, but close

Some things cannot be encrypted: the email subject and the email addresses of the participating persons. So other people could still infer from your email logs with whom and when you wrote. Also, you should avoid making the subject too detailed. Nonetheless, the content of your message is safe from whoever wants to sniff through your stuff.

Have questions?

If you could not follow some steps or are stuck at a certain point, don’t hesitate to contact me via Twitter or email. This guide is not meant to be a complete round-up of every possible way of email encryption, there are more ways and further details to consider. Nonetheless, we believe that this will get you started and ready to communicate encryptedly.

If you have set everything up successfully, we would be happy to chat with you through encrypted emails! The public keys of most of us are on Just type in “journocode” and you should find the profiles of our members, or visit

Mozilla Thunderbird – this directs you to the English version. If you’d prefer Thunderbird in any other language, you can choose that below the ‘Free Download’ button.
OpenPGP-compatible software – Don’t get startled if sites like the one for gpg4win look kind of strange. The OpenPGP project is a reliable source, so I reckon these links are trustworthy.

Public key cryptography for non geeks – very good explanation of the mechanism
McAfee password security tips
Dictionary attack
– Wikipedia
Email server configuration for TU Dortmund Unimail – PDF

 {Credit for the awesome featured image goes to Phil Ninh}

Comment ( 1 )

  1. Replylilly
    nice post

Leave a reply

Your email address will not be published.

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>