Private Mail Guide
Generating a GnuPG key pair in Thunderbird and exchanging public keys to send PGP-encrypted email
how-to

How to Set Up PGP Email Encryption: A Step-by-Step Guide

A practical walkthrough on how to set up PGP email encryption on Windows, Mac, and Linux using GnuPG and Thunderbird — including key generation, sharing

By Privatemailguide Editorial · · 8 min read

Knowing how to set up PGP email encryption is the closest thing to a guaranteed privacy upgrade for email — but PGP has a reputation for complexity that keeps most people away. This guide walks through the actual steps: installing GnuPG, generating a key pair, connecting it to Thunderbird, and exchanging keys with someone else. The whole process takes about 20 minutes on a first attempt.

What PGP Does (and What It Doesn’t)

PGP (Pretty Good Privacy) uses asymmetric cryptography to encrypt email content end-to-end. You generate a key pair: a public key that anyone can use to encrypt mail to you, and a private key that only you hold, which decrypts it. Neither your email provider nor anyone wiretapping the connection in transit can read the message body.

What PGP does not protect: metadata. Your provider still sees who you email, when, and how often. Subject lines are not encrypted by default in most clients. PGP also does not protect against malware on your own device — if a keylogger captures your passphrase, your private key is compromised regardless of how strong the cryptography is. For a deeper look at which attacks PGP does and does not stop, techsentinel.news tracks the full threat landscape around secure communications.

Step 1: Install GnuPG

GnuPG (GPG) is the free, open-source implementation of the OpenPGP standard (RFC 4880). It is the engine behind almost all PGP email setups.

Windows: Download Gpg4win — the official GnuPG distribution for Windows, maintained by the GnuPG project. The installer bundles the Kleopatra key manager, which gives you a GUI for key operations. Run the installer with defaults.

macOS: Install GPG Suite (paid, with free trial) or use Homebrew: brew install gnupg. GPG Suite integrates directly with Apple Mail; Homebrew leaves you to wire it up yourself.

Linux: GnuPG is usually pre-installed. If not: sudo apt install gnupg on Debian/Ubuntu, sudo dnf install gnupg2 on Fedora/RHEL.

Step 2: Generate Your Key Pair

Open a terminal and run:

gpg --full-generate-key

You’ll be prompted for:

  • Key type: Choose RSA and RSA (option 1), or the default in newer GnuPG versions is Ed25519 — both are acceptable. Ed25519 is faster and produces smaller keys; RSA 4096 has broader legacy compatibility.
  • Key size: If you chose RSA, select 4096 bits.
  • Expiration: Setting a 2-year expiration is recommended. You can extend it before it expires, and it limits the blast radius if your key is ever compromised without a revocation certificate.
  • User ID: Enter your name and the email address you want to encrypt mail for.
  • Passphrase: Use a strong, unique passphrase. This protects your private key on disk.

After generation, immediately export a revocation certificate:

gpg --gen-revoke --armor YOUR_EMAIL > revoke-cert.asc

Store this file somewhere offline — a USB drive, a printed copy. If your private key is ever compromised or lost, this certificate is the only way to invalidate your public key on keyservers.

Step 3: Set Up Thunderbird

Thunderbird has had built-in OpenPGP support since version 78, released in 2020. You no longer need the Enigmail extension — Thunderbird handles everything natively.

  1. Open Thunderbird and go to Account Settings for the email account you want to encrypt.
  2. Select End-to-End Encryption from the left panel.
  3. Click Add Key and choose Use your external key through GnuPG or Create a new OpenPGP Key (if you prefer Thunderbird to manage it). If you generated a key in Step 2, choose the external GnuPG option.
  4. Select the key that matches your email address and click OK.
  5. Thunderbird will now show your key fingerprint in the End-to-End Encryption panel.

For signing outgoing messages, set Sign unencrypted messages if you want recipients to be able to verify your emails even when the body isn’t encrypted. For encrypted messages, Thunderbird will automatically sign them.

Step 4: Share Your Public Key

Encrypted replies require the sender to have your public key. There are three distribution methods:

Email attachment: Export your public key and send it as an attachment:

gpg --armor --export YOUR_EMAIL > my-public-key.asc

Key server: Upload to a public keyserver such as keys.openpgp.org. Anyone can then search for your email address and find it. Note that keys.openpgp.org requires email verification before publishing, which reduces key spam.

Thunderbird auto-attach: In End-to-End Encryption settings, enable Attach my public key when signing. Every signed email you send will carry your public key as an attachment.

Step 5: Import a Recipient’s Public Key

To send someone an encrypted message, you need their public key. If they sent it as an attachment, open the email in Thunderbird, click the attachment, and import it directly via the OpenPGP Key Manager.

From a keyserver: in Thunderbird, open Tools > OpenPGP Key Manager > Keyserver > Search for Keys and enter their email address.

After importing, you must accept the key. Thunderbird will prompt you to mark the key as accepted — meaning you’re declaring you believe this key actually belongs to that person. This is the critical step that most tutorials skip over. Accepting an unverified key means you could be encrypting to an attacker’s key instead of your contact’s.

Verify out-of-band: Contact your recipient through a different channel (phone call, Signal, in person) and compare key fingerprints. The fingerprint is a short hash that uniquely identifies the key. Both parties can run:

gpg --fingerprint THEIR_EMAIL

If the fingerprints match, accept the key as verified. Attacks against PGP typically exploit skipping this step, not breaking the cryptography itself. The EFF’s Surveillance Self-Defense guides emphasize this verification step as the most operationally important part of the setup.

Webmail Alternative: Mailvelope

If you use Gmail or Outlook in a browser and cannot switch to Thunderbird, Mailvelope is a browser extension that adds OpenPGP to most major webmail providers. It handles key generation and management inside the browser. The trade-off: browser-based cryptography has a wider attack surface than a standalone email client, and some security practitioners consider it unsuitable for high-risk use cases.

For AI-related threat vectors that increasingly target email workflows — including phishing campaigns that mimic encrypted mail UIs — aisec.blog documents current attack techniques.

Verify It Worked

Send an encrypted test message to yourself:

  1. Compose a new email in Thunderbird addressed to your own address.
  2. Click the Security dropdown in the compose window and enable Require Encryption.
  3. Send.
  4. Open the received message — Thunderbird will show a green lock icon and decrypt it automatically.

If you see the padlock and the message decrypts, your setup is working. If Thunderbird reports it cannot encrypt, the most likely cause is that you haven’t imported and accepted your own public key, which is needed to encrypt outbound messages you can later decrypt yourself.


Sources

Sources

  1. OpenPGP in Thunderbird — HOWTO and FAQ | Mozilla Support
  2. How to Use PGP for Windows | EFF Surveillance Self-Defense
  3. OpenPGP Software Directory | OpenPGP.org

Related

Comments