How to send and receive encrypted emails in Windows

Why use encrypted email?

It’s simple: the government is reading your emails. Edward Snowden’s revelations make this a plain truth. If you are not an American citizen it’s a little bit worse, because at least two governments are reading your emails: yours, and the American government.

There are many plugins/addons/guides out there that claim to “encrypt” your email, so that “nobody can read it”. Most of those are nonsense. There is currently only one well-known way of encrypting emails so that only the intended recipient will read them. That isĀ the OpenPGP protocol. So if you’re not using the commercial PGP product, the free GnuPG product, or another well-known product that follows the OpenPGP protocol, your emails can still be read by the government.

But if you’ve been following the news you will wonder “Hang on – if OpenPGP is secure, why did a bunch of prominent Internet security experts like the Silent Circle board decide to shut down their Silent Mail service (which used OpenPGP)?” The answer is that OpenPGP is based on cryptographic keys. And Silent Mail tried to manage your keys for you, which made Silent Circle vulnerable to the law – as the law in most countries states that government agencies can force companies to disclose such secrets.

Therefore, the problem was key concentration. If Silent Circle holds all the keys, the FBI slaps them with a few subpoenas and grabs all of our secret keys. Heck, Silent Circle can not even tell us about it – by law!

So, OpenPGP is still considered trustworthy as a technology – what doesn’t work is concentrating key management, because by law the government can grab all secret keys, which will allow them to read all encrypted emails we’ve sent using those keys.

But what if we just manage our own keys? The government would not legally compel all of its citizens – directly, on a one-by-one basis – to give up their secrets. That would be much less politically palatable than a program like PRISM, where they just suck out the data from our service providers (Google, Yahoo!, Microsoft, Apple etc).

Using OpenPGP and managing our own keys, then, is the best we can do right now. Let me show you how.

Note: This tutorial will focus on making using encrypted emails as easy as possible. We will propose settings that are optimised for convenience, not security. If you are a journalist, an activist, a politician or anyone who needs a setup as secure as possible, let me know in the comments and I will propose more secure but inevitably slightly less convenient settings.

Setting up encrypted email

For this example, I will use a free Gmail account and setup access from my Windows 7 computer. Note that this method is not Gmail specific. It will work for any email account out there.

Get GnuPG

Installing GnuPG will allow your email program to encrypt your emails.

  1. Download Gpg4win from
  2. Run the gpg4win-(version).exe installer to install the software, ensuring that GPA is selected for installation as well:
    00 - ensure GPA is installed

Get Thunderbird

Thunderbird is the email application we will use to send and receive emails. We can’t just use GMail’s webpage for encrypted emails – it will become cumbersome in the long run.

  1. Download Thunderbird from
  2. Run “Thunderbird Setup (version).exe” to install Thunderbird on your computer.

Connect Thunderbird with your email account

As soon as setup is finished and Thunderbird launches, you are asked whether you’d like a new email address. Let’s skip this for now and go with your existing email address.

02 TB first run - new mail address

(For this example I will use the Gmail account

Fill in your name, email address and Gmail password.

03 TB account details

Thunderbird checks for the settings of your email provider

04 looking up ISP DB

…and, in the case of a well-known service as Gmail, finds the right settings:

05 found ISP DB

If everything works and the dialog disapears with no errors, great. If not, verify that whichever access method you choose (POP or IMAP), is supported and enabled for your account. For our example (Gmail), follow these instructions to enable IMAP.

If you see the following window, with your email account on the top left, you have configured Thunderbird correctly. Congratulations!

06 TB first run page

Get the encryption addon (EnigMail)

Click on the “menu” icon on the top right and then “Addons“.

07 getting to addons

Search for “enigmail” and install the addon.

08 finding enigmail

Click on “Restart Now” – this will only restart Thunderbird, not your computer.

10 thunderbird restart required

After Thunderbird has restarted, close the Add Ons tab – you’re done with this.

11 after addons installation and restart need to close tab

Create your encryption keys

Go to Options -> OpenPGP -> Setup Wizard

12 openpgp menu enigmail setup wizard

Go through the wizard, adjusting only the following settings:

In the “Signing” step of the wizard choose “No, I want to create per-recipient rules for emails that need to be signed“.

14 - do not sign by default

In the “No OpenPGP Key Found” step of the wizard choose “I want to create a new key pair for signing and encrypting my email

17 create new keypair

In the “Create Key” step, choose the passphrase that will be required to read or send encrypted emails.

Note: Choose something that is easy to type and not too long. (remember, we’re optimising for usability here)

Good passphrase: “This is my favourite song!”

Bad passphrase: 9x$Z4;Fq (why?)

18 assign passphrase

When the wizard completes, you will be prompted to generate a revocation certificate. This is a good idea – it’s like an insurance policy for when you lose your key:

20 generate revocation cert prompt

Save this file on your Desktop for now – you can decide where to store it permanently (away from your computer! – e.g. on a CDROM or a USB stick you keep in a safe place) later.

21 save rev cert somewhere safe

Your passphrase is needed to generate the revocation certificate:

22 - need passphrase

… at which point you are done!

Congratulations, you have created cryptographic keys and setup your email program to use them!

Sending email

You can only exchange encrypted emails with people who also use OpenPGP. Before you can send people encrypted email, you need to make your public key available to the world, otherwise your recipients will not be able to read your emails.

Publishing your public key

Open Thunderbird and click on its “options” button. Then OpenPGP -> Key Management.

01 - key management

Tick “Display All Keys by Default”:

02 display all keys

Now click on your name (John Doe) to select your keys and go to Keyserver -> Upload Public Keys

03 upload public keys

In the next prompt just click OK:

04 upload to pool

Congratulations – you have published your public keys on the keyservers. Now anyone using OpenPGP can send you encrypted and signed email, and people can read the encrypted emails you send them!

Sending your first encrypted email

Let’s email our friend Bob. He also has a Gmail account and his Gmail address is

To start composing a new message in Thunderbird you click the “Write” button:

05 hit write button

This brings up a new email window, where you can address and type your message.

07 - composed new message to recipient

Notice the pen and the key icons in the lower right corner? They are greyed-out, i.e. inactive, i.e. you are currently not signing (pen) or encrypting (key) your message.

Let’s click on the key icon to enable message encryption – the icon becomes colourful (gold), which means encryption has been activated:

08 - message marked to be encrypted

Let’s attempt to send this message – click the “Send” button. You have just asked Thunderbird to encrypt this message for Bob ( – but Thunderbird hasn’t got Bob’s public key! And this is how public key encryption works – you need to have people’s public keys before you can encrypt stuff for them – and only them – to read. Therefore, Thunderbird complains that your recipient has not been found (in your OpenPGP keyring):

09 recipients not found

Click “Download missing keys” to look for Bob’s key on the keyservers – dedicated computers that host people’s keys.

10 import public key from keyserver

Just hit OK to allow Thunderbird to look for Bob’s public key online.

And lo! Bob’s public key is there. Just tick it and click OK to import Bob’s key on your keyring. You only need to do this once.

11 found public keys

If all went well, Thunderbird lets you know the import was successful:

12 import success

Great, now you have Bob’s key. You have a new greyed-out line with Bob’s email address. Tick the box of that line and click on “Create per-recipient rule(s)“.

13 got key

Here you will tell Thunderbird to always use this key to sign and encrypt your emails to Bob.

Click on “Select Key(s)…“:

14 create recipoient rule

…and make sure the line with Bob’s address is selected before clicking OK:

15 select key (preselected) for rule

Now tell Thunderbird to always sign and encrypt your messages to Bob by changing these fields to “Always“:


Clicking “OK” closes this window and immediately prompts you for your passphrase, as you’re just about to cryptographically sign a message to somebody – that requires access to your secret key, which can only be accessed with the passphrase you setup earlier:

17 prompted for passphrase

As soon as you hit “OK” with that passphrase – oh my! Look at all this gibberish – that’s encrypted text, otherwise called “ciphertext”. This is what the spooks will now see. This is what Google will store. This is what Bob will see as well, but because he has the right private key, he will be able to decrypt this ciphertext into your plaintext email message.

See, it doesn’t matter that Google and the spooks can still read your email, because now it looks like gibberish, and it can only be decrypted and read by your intended recipients (in this case, Bob). You can use this method to communicate in private with anyone in the world, as long as they use OpenPGP too.


Congratulations! You have just sent you first cryptographically signed and encrypted message, using the most robust encryption technology known to mankind: OpenPGP.

Sending your second, third… 1000’th email

Things are much simpler now that you’ve done all the hard work in advance. All you need to do is compose an email to Bob. Thunderbird will automatically sign and encrypt your message with the right key, so that only Bob can read it. Pretty slick.

18 second email - pre-selected encrypt + sign

Notice the blue “+” next to the pen and the key? That means your message to Bob will be automatically

  • signed – so that Bob knows the message came from you and it has not been altered in any way) and
  • encrypted – so that no one else but Bob can read its contents.

Enjoy your private chats with Bob!

Receiving email

Receiving OpenPGP encrypted email is not a problem – you just need to provide your passphrase and you will be able to read the message.