p≡p for Thunderbird


This section covers the system requirements, feature list, installation and user-guide of p≡p for Thunderbird.

System Requirements

The following configurations are supported with p≡p for Thunderbird:

  • Windows 7, 8.1 or 10

  • macOS 10.14 to 11.2

  • Ubuntu 21.04, 20.04.2 LTS, 18.04.5 LTS & 16.04.7 LTS

  • CentOS 8.3, Red Hat Enterprise Linux (RHEL) 8.3

  • Thunderbird 68 or 78


If you are using the Linux beta release please refer to our additional information in the wiki, especially if you want to install pEp on a Linux OS that is not officially supported.

Feature list

The following features are available in the latest version of p≡p for Thunderbird:

  • Encrypt/decrypt emails and their subjects

  • Store messages encrypted or unencrypted on the server (Untrusted or Trusted Server)

  • Compatibility with OpenPGP (as a p≡p user you can communicate with users that use OpenPGP)

  • Passive Mode (public key only attached if the communication partner uses p≡p)

  • Automated, decentralized key management

  • Import private keys

  • p≡p Sync, automated synchronization of keys between all your devices using p≡p

  • Reset

  • Warning when forwarding previously encrypted message unencrypted

  • Sequoia PGP as encryption backend

Supported languages

The following languages are supported:

  • English

  • German

Installation Guide


Before you install p≡p for Thunderbird on your computer, we strongly recommend to encrypt your hard disk. On Windows, you could use BitLocker Device Encryption or VeraCrypt. For macOS FileVault is a good choice. With GNU/Linux you can use dm-crypt / LUKS. If you do not want to encrypt the whole disk, we suggest to encrypt at least the directory containing all your databases with keys (on Windows the path is C:\Users\<user_name>\AppData\Local\pEp, on MacOS it is $HOME/.pEp/). This is a hidden folder.


The installation is straight forward. Close Thunderbird, before starting the installation. Everything is installed with a few clicks and within seconds p≡p for Thunderbird is active. For Windows it goes like that:

  1. Run the installation file by double clicking on the installer file.

  2. The first p≡p for Thunderbird installation screen will appear. While loading, the installer checks for system compatibility and verifies that you have a supported version of Thunderbird installed.

  3. The p≡p for Thunderbird licensing agreement will be shown. Please read through this agreement and when finished please activate the accept checkbox and click Install.

  4. The installer will now need your permission to continue. This is a security feature of Windows. When the below dialog appears, please enter the administrator password (if required) and click Yes.

  5. p≡p for Thunderbird will now be installed. During installation the progress bar may pause momentarily before it finishes.

  6. The installation is now complete! Please click Finish as shown below to close the installer. Now you can start Thunderbird and begin using p≡p! No further configuration is required.

User Guide

This user guide gives step by step instructions on how to use p≡p for Thunderbird.

First steps in p≡p for Thunderbird

When Thunderbird is started the first time after the installation of p≡p, Thunderbird asks if you want to enable p≡p for Thunderbird (message on the top right). Select “Enable”.

Should this message not appear please ensure that p≡p for Thunderbird is enabled. You can do this by going to Tools -> Add-ons in Thunderbird.


After the p≡p Add-on has been installed and enabled, p≡p is automatically activated for all accounts. No configuration is needed. From now on the ‘Privacy Status’ button is visible when communicating with partners who also use p≡p or OpenPGP encryption functionalities.

Sending Secure Emails

After a message from another p≡p communication partner is received and you reply to that message, the Privacy Status in the message will be displayed in Yellow (Secure). You see, that this message will be sent encrypted. Please note, that the very first message between two p≡p users will be sent unencrypted.



Please note that the local part of an email address (left of the “@”) must be treated case sensitive. E.g. holden@pep.digital is not the same as HOLDEN@pep.digital, however holden@pep.digital is the same as holden@PEP.DIGITAL.

For a better usability we encourage you to move the p≡p button further to the left using the customisation dialogue.

_images/pEpForThunderbird-v1.1-08-MoveButton.png _images/pEpForThunderbird-v1.1-09-MovedButton.png

The Handshake

For general information about the handshake, refer to Handshake.

To perform a Handshake, the Handshake dialog can be opened by clicking the Privacy Status bar. The following window appears:


After comparing the Trustwords with the communication partner through a separate channel (like a phone call or a meeting in person), select “Confirm” if the Trustwords match. If the Trustwords didn’t match, select “Reject”. When you confirmed the Trustwords, the Privacy Status with this communication partner changes to Green (Secure & Trusted).


Sending a message to multiple people with different Privacy Statuses

When sending a message to more than one person, the user simply adds the recipients to the message and clicks on the Privacy Status revealing the following pop-up window:


This dialog shows that one Handshake is pending. The user can click on the email address to perform the Handshake with the communication partner as explained above. After all the Trustwords are confirmed by the users, the communication will be upgraded to Green (Secure & Trusted).

Disable Protection

When the communication partner’s Privacy Status is Yellow (Secure) or Green (Secure & Trusted), the e-mail will automatically be sent encrypted when the user clicks ‘Send’. If the user would like to disable protection on a case by case basis, then the user can do so by clicking the Privacy Status icon on the top right of the message.


The Privacy Status as well as the rating for a communication partner will change from Yellow (Secure) or Green (Secure & Trusted) to Disabled with no color and the message will be sent unencrypted when the user presses ‘Send’.

Sending BCC emails

Currently, p≡p sends messages unencrypted as soon as there is at least one recipient in BCC (even if keys of all recipients are available).

p≡p for Thunderbird Options

This section covers all the options that are available through the user interface of p≡p for Thunderbird. The p≡p options can be opened by selecting Tools -> p≡p Options in Thunderbird.


p≡p Options


Store messages securely for all accounts

Defines if messages should be saved encrypted or decrypted on the server. If “Store messages securely for all accounts” is checked, encrypted messages will be kept encrypted on the server for all accounts.

When this option is unchecked, you can select for each account, if you want to “store messages securely”.

For more details see Store messages securely.

Enable p≡p privacy protection

Defines if p≡p privacy protection is enabled for the selected account or not. For more details see Enable p≡p privacy protection.

Enable p≡p Sync

If p≡p Sync is enabled, p≡p will check if other devices are using p≡p with the same email account and try to build a device group. p≡p Sync ensures that all messages can be decrypted on all your devices with p≡p.

For more details see p≡p Sync.

Show a warning when a message loses security through reply or forward

Defines if a warning message should be shown, when a formerly encrypted message is forwarded or replied as unsecure.

Enable Passive mode

By default p≡p for Thunderbird attaches your public key to every outgoing email. When passive mode is enabled, p≡p doesn’t attach a public key to outgoing messages unless the communication partner uses p≡p. If you already have a public key from your communication partner, p≡p will encrypt your emails by default.

For more details see Passive Mode.

Account specific settings

Local Folders - Store messages securely

If “Store messages securely for all accounts” (see above) is unchecked, you can define, if messages in local folders should be stored encrypted or unencrypted.

Store messages securely

If “Store messages securely for all accounts” (see above) is unchecked, you can define per account, if messages should be stored encrypted or unencrypted.

Synchronize between my devices

Defines if the keys of this account are synchronized within your device group when p≡p Sync is enabled.

Enable p≡p privacy protection

By default, p≡p privacy protection is enabled and all outgoing messages will be encrypted whenever possible. If p≡p privacy protection is disabled, outgoing messages will not be encrypted. It will by default still decrypt incoming messages. However, the user has the option to also disable “Continue to decrypt messages”. In that case, incoming messages that are encrypted, will not be decrypted and are therefore unreadable. The p≡p privacy protection settings can be changed on a per account basis.

Reset all accounts

This will reset the privacy settings of all your accounts (e.g. revoke your existing key and create a new one).

If you want to do a reset for only one of your accounts, right click the account in the account list above and select “Reset”.

For more details see Reset.


Compatibility options are related to OpenPGP and only affect communication with OpenPGP communication partners.


PGP Key Import


In case your device is member of a device group, please proceed with the following steps before starting the key import:

  1. Disable p≡p Sync on all devices of the group before starting the import process.

  2. Import the key on ALL devices.

  3. Switch on p≡p Sync after the manual key import worked on all devices.

This option imports your existing PGP keys and uses them. Only one key can be imported at the time. Click “Browse” to select the key you want to import and then click “Import”.

The key is then set as default key. However, p≡p still manages keys automatically, thus, the key might change in the future (e.g., when doing a reset). Please be aware that you can import only “.asc” files.


After the import p≡p will use your key to encrypt and decrypt messages. Please be aware that p≡p automates the key management and your key may change (e.g. after a reset, when joining a device group or when a key expires). Even if p≡p starts using another key, old keys will always be kept to ensure that all messages can be decrypted.

Use a passphrase for new keys

By default p≡p does not use a passphrase for new keys. If you want to use a passphrase for new keys enable “Use a passphrase for new keys”. Once enabled, p≡p will ask for a passphrase when new keys are generated. If you want to create new keys straight away, go to the p≡p Account settings and “Reset All Identities”.


About provides extra information about the p≡p version.

How to Upgrade p≡p for Thunderbird

p≡p for Thunderbird checks for new updates automatically by default in random intervals between 10 mins and 4 hours. Once there the new update is available, it’s downloaded and installer will pop-up on the screen asking the user to install it.

How to Uninstall p≡p for Thunderbird

If you want to uninstall p≡p for Thunderbird, do the following:

  1. Open the Control Panel

  2. Open Programs and Features

  3. Select p≡p for Thunderbird in the list and Click the Uninstall button.

  4. Follow the prompts and p≡p for Thunderbird will be removed.

After you uninstall p≡p, you won’t be able to decrypt messages anymore. Further, if you didn’t trust your server, existing messages won’t be readable anymore, because they are stored encrypted on the server.

When you uninstall p≡p, the following data will not be removed:

  • Files in C:/Users/<user>/AppData/Local/pEp (contains all key material and more)

  • Registry entries in Computer/HKEY_CURRENT_USER/SOFTWARE/pEp

How to revert to Thunderbird built-in OpenPGP solution

To enable it again, reset the preference mail.openpgp.enable to it’s default value true.

Those preferences you can find in Thunderbird’s about:config: Go to Tools > Options > in the General tab scroll down to the bottom > click Config Editor….