Toolbox E-mail

Encrypt your communication with PGP

E-mail encryption is a two layer process. On the one hand e-mails can be sent from your mail client to the server through an encrypted connection, while they are still stored as plain text. On the other hand the messages themselves can be encrypted.

In this guide we provide solutions for both the first (transport-level encryption) and the second layer (end-to-end encryption).

Encrypt the communication between your mail program and the server

Especially when sending and receiving mails, always use the encrypted variant (with STARTTLS). As described in the e-mail guide there is an incoming and an outgoing mail server connection. You probably recall these settings:





This way your e-mail client tells the e-mail server that it wants to turn an existing insecure connection into a secure one, using TLS for example.

Encrypt e-mail messages between you and your communication partners with PGP

Apart from just making sure that the communication between your mail client and mail server is secured from a third party reading the content, you also need to take care that the content of your e-mail is hidden from spying eyes. On every step your e-mail takes from your device to the receiver, it is visible to all intermediate entities such as the routers, servers and internet service providers (ISPs); all of which are involved in delivering your message as they hand it over to the next one.

So, to be perfectly frank, also we at could read the content of your next email if we wanted to, but we don’t because we respect your privacy and receive enough mails on our own anyway! But, as you can prevent the postman from reading your letters by putting them into envelopes, you can use end-to-end encryption using PGP, which will encrypt the content —but not the senders or receivers address and metadata— so that only you and the one in possession of your key can decrypt it.

We know it sounds complicated, but luckily it is provided by Mozilla’s e-mail client Thunderbird out-of-the box and thanks to software assistants, called wizards, it is pretty easy to set up.

The easiest way to do this is to use the free program Thunderbird.

Setup OpenPGP in Thunderbird

Select Tools OpenPGP Key Manager to get a list of all previously imported keys.

To create a key pair of your own click on Generate New Key Pair, which starts the setup wizard, then follow the suggestions.

Create an OpenPGP Key

Read the instructions in the Generate OpenGPG Key dialog carefully. If you use an older version of Thunderbird you must pick a password in the next step. In the current version of Thunderbird (from 78) you will not need to pick a password, but instead the software creates a random one automatically and also stores it for you. Now your key will be generated.

The password that was automatically generated for you will be used for all OpenPGP secret keys managed by it. It is stored encrypted in your Thunderbird profile directory and you will not need to know it. But, you should use the built-in feature to set a Master Password, otherwise your OpenPGP keys in your profile directory can be easily decrypted. Go to Edit Preferences Privacy & Security to activate the Master Password.

Encrypt your emails

In order to send an encrypted e-mail, you first need the public key of the recipient. To do so, go to Tools OpenPGP Key Manager Keyserver Discover Keys Online. Here you can search for a key ID, or better, an e-mail address. If your recipient has also stored his or her key on the key server, nothing stands in the way of your encrypted communication.

Currently Thunderbird does not have the functionality to upload your own key to the OpenPGP key server, only searching and importing other keys are supported. But it is possible that this will be implemented in the future (see: dev-roadmap). But for now, in order to publish your key and make it easily found by others via the program’s interface: you can go to directly and upload your key.

For more information regarding the current status of OpenPGP and Thunderbird’s position on key sharing can be found here:

One more word about security

Your private key should especially be protected from unauthorized access. One possibility would be to save it on an encrypted partition (e.g. on a securely stored USB flash drive) or file and not keep it on your regular computer. If you have several computers, you can always copy your key (both private and public) to another computer.

If you lose the private key, you won’t be able to read any of your encrypted mails anymore!

In case you loose your secret key you can let others know, that they should not use it any more by revoking the key. Thunderbird makes that very easy for you. Simply go to Tools OpenPGP Key ManagerEdit Revoke Key. You can still use this key to decrypt messages after you revoked it.

If you create keys outside of your e-mail client you can also import the corresponding revocation certificates to Thunderbird’s OpenPGP manager via Tools OpenPGP Key Manager File Import Revocation(s) From File.

PGP Encryption in Webmail

You can also use PGP encryption in webmail. How to set up encryption in the Webmail Horde can be found on the Webmail description page.


If you are experiencing problems with receiving or sending emails in your email client (e.g. Thunderbird), please check the server settings again first, especially those of the outbox server. Here you can find the necessary information.

If problems still occur, this may be caused by installed antivirus programs or the firewall.
To check this, you can temporarily deactivate the antivirus program. If the sending process then works, the manufacturer can normally provide information on how to add exception rules for the email client.

The same procedure can be followed with the firewall. Here are the commands for the most common operating systems. If the firewall turns out to be the culprit, exception rules can be added to the firewall.

Ubuntu, Debian

sudo systemctl stop ufw

To see whether the firewall is active or not, use the following command.

sudo ufw status systemctl status firewalld

Fedora, CentOS

sudo systemctl stop firewalld

To see whether the firewall is active or not, use the following command.

sudo systemctl status firewalld

Windows: Official Windows Support

MacOS: Official Apple Support

If all e-mails have been deleted by mistake, a simple e-mail to is sufficient and we will restore your mail account.

Sorry, but we couldn't find any content for your search "".


Integrate online calendars with Thunderbird

Softwares Horde Nextcloud Thunderbird