GNUPG Smartcard Email with Thunderbird
Another one of the many tasks involved in getting my Surface set up as my main mobile workstation is getting signed and encrypted email working correctly. I already have a Nitrokey Pro which I have configured to work as my SSH key, but I need to get Thunderbird talking to it to handle my email. The key is already set up and is visible with gpg --card-status, so I know that the OS can see it. Now the Nitrokey instructions suggest using Enigmail, but that extension was only supported up to Thunderbird 68, while my Fedora 33 install has version 78.8.1 available.
On one hand this is great because Thunderbird now ships with code to enable encrypted email, but on the other that library does not yet support the use of external private key sources like a smartcard or my Nitrokey. Following along with the instructions provided by Thunderbird, we first need to go into the config page and toggle the mail.openpgp.allow_external_gnupg flag to allow the use of an external GPG application.
What this enables in the End-to-End Encryption tab of Thunderbird’s account settings is the ability to specify a GPG key ID that the external application will use for signing. Below you’ll see the third radio button selected to start this configuration.
The form it presents asks for the last 16 characters of the key’s fingerprint, without any spaces or leading 0x, which act as the long key ID value. I got mine by using gpg --card-status and looking at the printed ID of my signing key.
With that added I tried sending a signed email and got a complaint that the
specified key was not in my keyring. After consulting some more documentation
I was able to extract my public key and sync it to my local keyring with the
following:
gpg --card-edit
> fetch
Everything looked great until I ran gpg --list-keys and saw that my key had expired last year when I hadn’t needed to send any encrypted email.
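As an added example (not part of the original post), here is a small shell script that does the three checks above without touching a real card: it derives the 16-character long key ID from the fingerprint line of gpg --card-status, verifies that ID is present in the keyring listing, and flags expired keys from gpg --list-keys --with-colons. Both sample outputs are constructed with a made-up fingerprint so the script runs offline; the function names are my own.

```bash
#!/bin/bash
# Added example, not from the original post. Sample outputs below are constructed.

# Constructed stand-in for the relevant lines of `gpg --card-status`.
CARD_STATUS='Signature key ....: 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567
      created ....: 2019-03-01 10:00:00
Encryption key....: FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98
      created ....: 2019-03-01 10:00:00'

# Long key ID = last 16 hex digits of the signing key fingerprint,
# with the display spaces (and any leading 0x) stripped, which is
# exactly what Thunderbird's external-GnuPG field expects.
long_key_id() {
  printf '%s\n' "$1" | awk -F': ' '/^Signature key/ {
    fpr = $2; gsub(/[ \t]/, "", fpr); sub(/^0x/, "", fpr)
    print substr(fpr, length(fpr) - 15) }'
}

# Constructed stand-in for `gpg --list-keys --with-colons`. In the pub record
# field 2 is validity ("e" = expired, "u" = ultimate), field 5 is the long
# key ID and field 7 is the expiration time as a Unix timestamp.
LIST_KEYS='pub:e:4096:1:89ABCDEF01234567:1551434400:1614506400::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:e::::1551434400::ABCD::Example User <user@example.invalid>::::::::::0:'

# Exit 0 if the given long key ID appears as a pub record in the listing.
# This is the check that fails with "key not in keyring" before `fetch`.
key_in_keyring() {
  printf '%s\n' "$2" | awk -F: -v id="$1" \
    '$1 == "pub" && $5 == id { found = 1 } END { exit !found }'
}

# Print the long key IDs of every pub record whose validity says expired.
expired_key_ids() {
  printf '%s\n' "$1" | awk -F: '$1 == "pub" && $2 == "e" { print $5 }'
}

id="$(long_key_id "$CARD_STATUS")"
echo "card signing key ID: $id"
key_in_keyring "$id" "$LIST_KEYS" && echo "present in keyring" || echo "NOT in keyring"
echo "expired keys: $(expired_key_ids "$LIST_KEYS")"
```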
An Aside - Fixing Expired and Untrusted Keys
As this article explains, extending the expiration date of a key is fairly simple as long as you know how to do it. Just use the command below to un-expire any keys you still need to be valid.
gpg --edit-key keyID
> expire
Similarly, since this was a new machine I needed to make sure that my personal keys were trusted by the system. Again, a fairly simple command gets the job done. I chose ultimate trust, although I will admit I’m not entirely certain of the exact meaning. It’s my personal key, the only copy of which exists on a hardware module I am in possession of, with a PIN only I know. As things go that is about as trusted as I think I can get.
gpg --edit-key keyID
> trust
Finishing Up
Now even with that, Thunderbird still wasn’t happy with my key and insisted it didn’t know what I was talking about. Reviewing their documentation again, I found that you also need to export the public key and import it into Thunderbird via the OpenPGP Key Manager interface on that End-to-End Encryption configuration page. The first step was obviously to export my public key into a format that Thunderbird would accept.
gpg --armor --export keyID > pubkey.asc
The keyID is the same as the one we used when we added the key earlier in the external GnuPG configuration window. That imported nicely, as you can see below, and I was finally able to send and receive signed and encrypted emails!
Compared to my previous usage of ClawsMail, Thunderbird was a little more involved to get set up properly but seems to be working quite nicely now. Hopefully in newer versions they’ll improve their internal PGP handling library to better support smartcards making the additional setup redundant.