E-mail encryption is a two-layer process. On the one hand, e-mails can be sent from your mail client to the server through an encrypted connection, while they are still stored as plain text. On the other hand, the messages themselves can be encrypted.
In this guide we provide solutions for both the first (transport-level encryption) and the second layer (end-to-end encryption).
Encrypt the communication between your mail program and the server
Especially when sending and receiving mails, always use the encrypted variant (with STARTTLS). As described in the e-mail guide there is an incoming and an outgoing mail server connection. You probably recall these settings:
This way your e-mail client tells the e-mail server that it wants to turn an existing insecure connection into a secure one, using TLS for example.
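The upgrade described above, sketched for the outgoing (SMTP) connection as an added example that is not part of the original guide: the client reads the server's capability list and only continues if STARTTLS is offered. The replies and the host name mail.example.org are constructed, and the function names are hypothetical.

```python
import smtplib
import ssl

# Constructed EHLO replies (RFC 5321 multi-line form: "250-" continues,
# "250 " ends). The host name is a placeholder.
EHLO_WITH_TLS = "250-mail.example.org\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_WITHOUT_TLS = "250-mail.example.org\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"


def parse_ehlo(reply):
    """Return the upper-cased extension keywords advertised in an EHLO reply."""
    lines = [line for line in reply.split("\r\n") if line]
    if not lines:
        raise ValueError("empty EHLO reply")
    keywords = set()
    for index, line in enumerate(lines):
        last = index == len(lines) - 1
        # Every line starts with 250; only the final one uses a space separator.
        if line[:3] != "250" or line[3:4] != (" " if last else "-"):
            raise ValueError("malformed EHLO line: %r" % line)
        if index > 0 and line[4:].strip():  # line 0 is the server greeting
            keywords.add(line[4:].split()[0].upper())
    return keywords


def next_command(ehlo_reply, tls_active=False):
    """What a client that insists on encryption sends after EHLO."""
    if tls_active:
        return "AUTH"      # safe to send credentials now
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        return "STARTTLS"  # ask to upgrade the plain connection to TLS
    return "QUIT"          # never fall back to sending the password in clear


def open_submission(host, port=587):
    """Same policy with the standard library against a real server (not called here)."""
    client = smtplib.SMTP(host, port, timeout=30)
    client.ehlo()
    # Raises SMTPNotSupportedError if STARTTLS is not offered, and
    # ssl.SSLCertVerificationError if the certificate does not match the host.
    client.starttls(context=ssl.create_default_context())
    client.ehlo()          # capabilities must be re-read inside the TLS session
    return client
```

In a mail program the equivalent is choosing STARTTLS as a fixed connection security setting rather than an "if available" option.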
Encrypt e-mail messages between you and your communication partners with PGP
Apart from making sure that the communication between your mail client and mail server is protected from third parties reading the content, you also need to make sure that the content of your e-mail is hidden from prying eyes. At every step your e-mail takes from your device to the receiver, it is visible to all intermediate entities such as routers, servers and internet service providers (ISPs), all of which are involved in delivering your message as they hand it over to the next one.
So, to be perfectly frank, we at servus.at could also read the content of your next e-mail if we wanted to, but we don’t, because we respect your privacy and receive enough mails of our own anyway! But just as you can prevent the postman from reading your letters by putting them into envelopes, you can use end-to-end encryption with PGP, which will encrypt the content (but not the sender’s or receiver’s address and metadata) so that only you and the one in possession of your key can decrypt it.
We know it sounds complicated, but luckily it is provided by Mozilla’s e-mail client Thunderbird out of the box, and thanks to software assistants, called wizards, it is pretty easy to set up.
The easiest way to do this is to use the free program Thunderbird.
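What the envelope comparison above means for a message in transit, as an added example that is not part of the original guide: it parses a PGP/MIME message (RFC 3156 layout) and separates what every relaying server can read from what is encrypted. The message, its addresses and the armored block are constructed placeholders, and relay_view is a hypothetical helper name.

```python
from email import message_from_string

# Constructed PGP/MIME message. Addresses are placeholders and the armored
# block is a dummy, not real ciphertext.
RAW = """\
From: alice@example.org
To: bob@example.net
Subject: Meeting on Friday
Date: Mon, 01 Jan 2024 10:00:00 +0000
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--b1--
"""


def relay_view(raw):
    """Split a message into what relaying servers can read and what they cannot."""
    msg = message_from_string(raw)
    # The outer headers travel unencrypted, whatever happens to the body.
    readable = dict(msg.items())
    is_pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                   and msg.get_param("protocol") == "application/pgp-encrypted")
    body_encrypted = False
    if is_pgp_mime:
        parts = msg.get_payload()  # control part + encrypted data part
        body_encrypted = (len(parts) == 2
                          and parts[1].get_content_type() == "application/octet-stream"
                          and "-----BEGIN PGP MESSAGE-----" in parts[1].get_payload())
    return {"readable_headers": readable, "body_encrypted": body_encrypted}
```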
Set up OpenPGP in Thunderbird
Select Tools > OpenPGP Key Manager to get a list of all previously imported keys.
To create a key pair of your own, click on Generate > New Key Pair, which starts the setup wizard, then follow the suggestions.
Create an OpenPGP Key
Read the instructions in the Generate OpenPGP Key dialog carefully. If you use an older version of Thunderbird, you must pick a password in the next step. In the current version of Thunderbird (from 78) you will not need to pick a password; instead the software creates a random one automatically and also stores it for you. Now your key will be generated.
The password that was automatically generated for you will be used for all OpenPGP secret keys managed by Thunderbird. It is stored encrypted in your Thunderbird profile directory and you will not need to know it. However, you should use the built-in feature to set a Master Password; otherwise the OpenPGP keys in your profile directory can be easily decrypted. Go to
Encrypt your emails
In order to send an encrypted e-mail, you first need the public key of the recipient. To get it, go to Tools > OpenPGP Key Manager > Keyserver > Discover Keys Online. Here you can search for a key ID or, better, an e-mail address. If your recipient has also stored his or her key on the key server, nothing stands in the way of your encrypted communication.
Currently Thunderbird does not have the functionality to upload your own key to the OpenPGP key server; only searching for and importing other keys is supported. It is possible that this will be implemented in the future (see: dev-roadmap). For now, in order to publish your key so that others can easily find it via the program’s interface, you can go to https://keys.openpgp.org/ directly and upload your key.
More information regarding the current status of OpenPGP and Thunderbird’s position on key sharing can be found here: https://wiki.mozilla.org/Thunderbird:OpenPGP:2020#Key_sharing
One more word about security
Your private key should especially be protected from unauthorized access. One possibility would be to save it on an encrypted partition (e.g. on a securely stored USB flash drive) or file and not keep it on your regular computer. If you have several computers, you can always copy your key (both private and public) to another computer.
- To do so, first open the key manager window from Tools > OpenPGP Key Manager.
- Then, to export your public key, mark your key and with the right mouse button select Export Keys to File.
- To back up your private key, go to File > Backup Secret Key(s) to File and then copy them to e.g. a USB flash drive.
- On the other computer open the e-mail client again and import your key via Tools > OpenPGP Key Manager > File > Import Secret Key(s) From File. And don’t forget to delete the private key from the USB flash drive after the successful import.
If you lose the private key, you won’t be able to read any of your encrypted mails anymore!
In case you lose your secret key, you can let others know that they should not use it any more by revoking the key. Thunderbird makes that very easy for you. Simply go to
If you create keys outside of your e-mail client you can also import the corresponding revocation certificates to Thunderbird’s OpenPGP manager via
PGP Encryption in Webmail
You can also use PGP encryption in webmail. How to set up encryption in the Webmail Horde can be found on the Webmail description page.
If all e-mails have been deleted by mistake, a simple e-mail to email@example.com is sufficient and we will restore your mail account.