p≡p for Thunderbird

Overview

This section covers the system requirements, feature list, installation- and user-guide of p≡p for Thunderbird.

System Requirements

Following configurations are supported in p≡p for Thunderbird:

Software:

  • Windows 7, 8.1 and 10

  • macOS 10.14 and 10.15

  • Thunderbird 68 and 78

Feature list

The following features are available in p≡p for Thunderbird version 1.0:

  • Encrypt/decrypt emails and their subjects

  • Store messages encrypted or unencrypted on the server (Untrusted or Trusted Server)

  • Compatibility with OpenPGP (as a p≡p user you can communicate with users that use OpenPGP)

  • Passive Mode (public key only attached if the communication partner uses p≡p)

  • Automated, decentralized key management

  • Import private keys

  • p≡p Sync, automated synchronization of keys between all your devices using p≡p.

  • Reset

  • Warning when forwarding previously encrypted message unencrypted

  • Sequoia PGP as encryption backend

Supported languages

The following languages are supported:

  • English

  • German

Installation Guide

Note

Before you install p≡p for Thunderbird on your computer, we strongly recommend to encrypt your hard disk. On Windows, you can for example use BitLocker Device Encryption or VeraCrypt. When using macOS FileVault is a good choice. With GNU/Linux you can e.g., use dm-crypt / LUKS. If you do not want to encrypt the whole disk, we suggest to at least encrypt C:\Users\<user_name>\AppData\Local\pEp (Note: AppData is a hidden folder). This is the directory that contains the keys needed to decrypt messages.

Installation

The installation is straight forward, asks no questions and requests no information. Everything is installed by a few clicks and within seconds p≡p for Thunderbird is active. Close Thunderbird, before starting the installation.

Step 1: Run the installation file by double clicking or pressing Enter after the file is selected.

Step 2: The first p≡p for Thunderbird installation screen will appear. While loading, the installer checks for system compatibility and verifies that you have a supported version of Thunderbird installed.

Step 3: The p≡p for Thunderbird licensing agreement will be shown. Please read through this agreement in its entirety. After you have read and agreed to the p≡p for Thunderbird licensing agreement, please check the “I accept the terms in the License Agreement” checkbox and click Install.

Step 4: The installer will now need your permission to continue. This is a security feature of Windows. When the below dialog appears, please enter the administrator password (if required) and click Yes.

Step 5: p≡p for Thunderbird will now be installed. During installation the progress bar may pause momentarily before it finishes.

Step 6: The installation is now complete! Please click Finish as shown below to close the installer. Now you can start Thunderbird and begin using p≡p! No further configuration is required.

User Guide

This user guide gives step by step instructions on how to use p≡p for Thunderbird.

First steps in p≡p for Thunderbird

When Thunderbird is started the first time after the installation of p≡p, Thunderbird asks if you want to enable p≡p for Thunderbird (message on the top right). Select “Enable”.

Should this message not appear, ensure that p≡p for Thunderbird is enabled. You can do this by going to Tools -> Add-ons in Thunderbird.

After the p≡p Add-on has been installed and enabled, p≡p is automatically activated for all accounts. No configuration is needed.

Users will now see the ‘Privacy Status’ icon and bar in all messages.

_images/pEpForThunderbird-v1.1-ComposeSecureDisableProtection.png

Sending Secure Emails

After a message from another p≡p communication partner is received and you, the addressed p≡p user, reply to that message, the Privacy Status in the message will be displayed in Yellow. This means, that this message will be sent encrypted. Please note, that the very first message between two p≡p users will be sent unencrypted.

_images/pEpForThunderbird-v1.1-ComposeSecure.png

Warning

Consider that the first part of an email address till “”@”” is case sensitive. The domain part is not (F.e. holden@pep.digital is not the same as HOLDEN@pep.digital, however holden@pep.digital is the same as holden@PEP.DIGITAL).

The Handshake

For general information about the handshake, refer to Handshake.

To perform a Handshake, the Handshake dialog can be opened by clicking the Privacy Status bar. The following window appears:

_images/pEpForThunderbird-v1.1-ComposeHandshakeYellowFront.png

After comparing the Trustwords with the communication partner through a separate channel (e.g. a phone call or a meeting in person), the user selects “Confirm” if the Trustwords match or “Reject” if the Trustwords don’t match. With confirmed Trustwords, the Privacy Status changes to Green (Secure & Trusted):

_images/pEpForThunderbird-v1.1-ComposeSecure&Trusted.png

Sending a message to multiple people with different Privacy Statuses

When sending a message to more than one person, the user simply adds the recipients to the message and clicks on the Privacy Status revealing the following pop-up window:

_images/pEpForThunderbird-ComposeWindow-StatusSecure-PrivacyStatus.png

This dialog shows that one Handshake is pending. The user can click on the email address to perform the Handshake with the communication partner as explained above. After all the Trustwords are confirmed by the users, the communication will be upgraded to Green (Secure & Trusted).

_images/pEpForThunderbird-v1.1-ComposeSecure&TrustedHandshake.png

Disable Protection

When the communication partner’s Privacy Status is Yellow (Secure) or Green (Secure & Trusted), the e-mail will automatically be sent encrypted when the user clicks ‘Send’. If the user would like to disable protection on a case by case basis, then the user can do so by clicking the Privacy Status icon on the top right of the message.

_images/pEpForThunderbird-v1.1-ComposeSecure&TrustedDisableProtection.png

The Privacy Status as well as the rating for a communication partner will change from Yellow (Secure) or Green (Secure & Trusted) to Disabled with no color and the message will be sent unencrypted when the user presses ‘Send’.

Sending BCC emails

Currently, p≡p sends messages unencrypted as soon as there is at least one recipient in BCC (even if keys of all recipients are available).

p≡p for Thunderbird Options

This section covers all the options that are available through the user interface of p≡p for Thunderbird. The p≡p options can be opened by selecting Tools -> p≡p Options in Thunderbird.

_images/pEpForThunderbird-v1.1-adFile.png

p≡p Options

_images/pEpforThunderbird-Settings-Accounts.png

Store messages securely for all accounts

Defines if messages should be saved encrypted or decrypted on the server. If “Store messages securely for all accounts” is checked, encrypted messages will be kept encrypted on the server for all accounts. When this option is unchecked, you can select for each account, if you want to “store messages securely”.

Note

When “Protected message subject” is disabled, p≡p will decrypt the subject of encrypted messages and save the subject unencrypted on the server in any case.

For more details see Store messages securely.

Protect message subject

When sending messages between p≡p users, the subject is always encrypted (in transport). However, when “Protect message subject” is disabled, p≡p will decrypt the subject of messages stored in the mailbox and save the subject unencrypted.

Further, when “Protected message subject” is disabled, the subject of messages sent to PGP users will not be encrypted at all.

For more details see Protect message subject.

Enable p≡p privacy protection

Defines if p≡p privacy protection is enabled for the selected account or not. For more details see Enable p≡p privacy protection.

Enable p≡p Sync

Note

Before you sync multiple devices with p≡p Sync, please make sure you have the latest version installed (p≡p for Outlook: 1.1.200, p≡p for Android: 1.1.200, p≡p for Thunderbrid: 1.1.006 Beta, p≡p for iOS: 1.1.207). The latest version of p≡p for iOS is still in review by Apple.

p≡p can be used and synchronized over more devices. To do so, the user can form a device group through following a similar procedure as performed in a Handshake. If p≡p Sync is enabled, p≡p will check if other devices are using the same email account and try to build or join such a device group. p≡p Sync ensures that all messages can be decrypted on all devices.

For more details see p≡p Sync.

Show a warning when a message loses security through reply or forward

Defines if a warning message should be shown, when a formerly encrypted message is forwarded or replied as unsecure.

Enable Passive mode

By default p≡p for Thunderbird attaches your public key to every outgoing email. When passive mode is enabled, p≡p doesn’t attach a public key to outgoing messages unless the communication partner uses p≡p. If you already have a public key from your communication partner, p≡p will encrypt your emails by default.

For more details see Passive Mode.

Account specific settings

Local Folders - Store messages securely

If “Store messages securely for all accounts” (see above) is unchecked, you can define, if messages in local folders should be stored encrypted or unencrypted.

Store messages securely

If “Store messages securely for all accounts” (see above) is unchecked, you can define per account, if messages should be stored encrypted or unencrypted.

Synchronize between my devices

Defines if the keys of this account are synchronized within your device group when p≡p Sync is enabled.

Enable p≡p privacy protection

By default, p≡p privacy protection is enabled and all outgoing messages will be encrypted whenever possible. If p≡p privacy protection is disabled, outgoing messages will not be encrypted. It will by default still decrypt incoming messages. However, the user has the option to also disable “Continue to decrypt messages”. In that case, incoming messages that are encrypted, will not be decrypted and are therefore unreadable. The p≡p privacy protection settings can be changed on a per account basis.

Reset all accounts

This will reset the privacy settings of all your accounts (e.g. revoke your existing key and create a new one).

If you want to do a reset for only one of your accounts, right click the account in the account list above and select “Reset”.

For more details see Reset.

Compatibility

Compatibility options are related to OpenPGP and only affect communication with OpenPGP communication partners.

_images/pEpforThunderbird-v1.1-Settings-Compatibility.png

PGP Key Import

Note

In case your device is member of a device group, please proceed with the following steps before starting the key import:

  1. Disable p≡p Sync on all devices of the group before starting the import process.

  2. Import the key on ALL devices.

  3. Switch on p≡p Sync after the manual key import worked on all devices.

This option imports your existing PGP keys and uses them. Only one key can be imported at the time. Click “Browse” to select the key you want to import and then click “Import”.

The key is then set as default key. However, p≡p still manages keys automatically, thus, the key might change in the future (e.g., when doing a reset). Please be aware that you can import only “.asc” files.

Note

After the import p≡p will use your key to encrypt and decrypt messages. Please be aware that p≡p automates the key management and your key may change (e.g. after a reset, when joining a device group or when a key expires). Even if p≡p starts using another key, old keys will always be kept to ensure that all messages can be decrypted.

Use a passphrase for new keys

By default p≡p does not use a passphrase for new keys. If you want to use a passphrase for new keys enable “Use a passphrase for new keys”. Once enabled, p≡p will ask for a passphrase when new keys are generated. If you want to create new keys straight away, go to the p≡p Account settings and “Reset All Identities”.

About

About provides extra information about the p≡p version.

How to Upgrade p≡p for Thunderbird

p≡p for Thunderbird checks for new updates automatically by default in random intervals between 10 mins and 4 hours. Once there the new update is available, it’s downloaded and installer will pop-up on the screen asking the user to install it.

_images/pEpForThunderbird-v1.0.200-InstallerWelcome.png

How to Uninstall p≡p for Thunderbird

If you want to uninstall p≡p for Thunderbird, do the following:

  1. Open the Control Panel

  2. Open Programs and Features

  3. Select p≡p for Thunderbird in the list and Click the Uninstall button.

  4. Follow the prompts and p≡p for Thunderbird will be removed.

After you uninstall p≡p, you won’t be able to decrypt messages anymore. Further, if you didn’t trust your server, existing messages won’t be readable anymore, because they are stored encrypted on the server.

When you uninstall p≡p, the following data will not be removed:

  • Files in C:\Users\<user>\AppData\Local\pEp (contains all key material and more)

  • Registry entries in Computer\HKEY_CURRENT_USER\SOFTWARE\pEp