FAQ

This page contains the Frequently Asked Question about Enigmail and around.

Why does Enigmail fail to install on Firefox?
Enigmail is an extension for Thunderbird. It is not supposed to, and hence cannot, be installed in Firefox.

If you use Firefox to download Enigmail, you need to right-click on the download link, select Save as..., and save the XPI file on your computer. Then open Thunderbird, go to Tools → Add-ons → Extensions, click the gear-wheel button, select Install Add-On from File and choose the Enigmail XPI file. Restart Thunderbird afterwards.

Can Enigmail be used for webmail?
Enigmail is developed for Thunderbird. There is no intention from our team to extend Enigmail to support web based mail, or web applications in general.

The Mailvelope project is an extension for Mozilla Firefox or Google Chrome allowing OpenPGP-secured messages in webmail.

Also the Whiteout Browser App can be used to process OpenPGP secured mails using your browser. This is not really a webmail, but a mail client emulation in a browser window.

How do I uninstall Enigmail?
Go to Tools → Add-ons → Extensions, click on the Remove button, then restart Thunderbird.

How do I encrypt automatically my email messages?
If you use the default configuration, Enigmail will automatically encrypt all messages whenever possible -– that is, if you have the public keys for all recipients.

Additionally, you may set single (or all) identities to always encrypt, and opt-out while sending if you don't have a recipient’s key and it is acceptable for you to send that message unencrypted.

See also Sending Preferences in the configuration of Enigmail.

Is it possible to permanently decrypt email messages?
Yes, now this is possible in Enigmail.

Why does Enigmail see some emails as broken?
This problem often occurs when using an IMAP mailserver and is due to Thunderbird not downloading the message as a whole. To fix this problem, go to Enigmail → Preferences → Advanced and disable the option Only download attachments when opened (IMAP only).

What should I do if Thunderbird shows an alert about an unresponsive script?
Sometimes, Enigmail (or, talking more precisely, the underlying GnuPG) takes a long time for the cryptographic operations to complete and Thunderbird issues a complain about an "unresponsive script". If this happens while sending an encrypted mail, you should never click on Cancel, as this would send the mail unencrypted. In this case always select Continue. If several attempts do not help, then quit and restart Thunderbird.

Why do I get an error "Secret key needed to decrypt message" and am unable to read encrypted messages sent to me?
Unless you accidentally deleted your key pair (for which there is no remedy, unless you have a backup), the message you received was not encrypted with your public key. The sender most likely encrypted it with his public key only instead of yours. Make sure the sender has your public key, and tell him to encrypt the message with it.

How can I encrypt the Subject?
It is not possible to encrypt or sign the Subject of a mail message, nor any other mail header.

Why can't I select some keys for encryption in the Key Selection window?
Keys that are revoked or expired cannot be used to encrypt. Download a valid public key from a keyserver, or contact your recipient and have him mail you his new, valid public key. Do not forget to ensure the integrity of this key by a secure channel.

Is it possible to use S/MIME and OpenPGP encryption concurrently?
No, you cannot mix S/MIME and OpenPGP in the same message as the two standards, and their implementation in Mozilla, interfere with each other. If you want to use S/MIME you should not enable the Enigmail option Encrypt messages by default in your account settings (nor the corresponding one from S/MIME).

What's the difference between Inline PGP and PGP/MIME?
Whether to use Inline PGP or PGP/MIME for emails is answered controversial, since both have strengths and drawbacks. Here's what you need to consider:

Inline PGP is the traditional method where the ciphertext replaces the plain text of a mail body. Attachments initially had to be signed/encrypted manually. Today, mail clients should sign/encrypt them independently and put the mail together automatically. Enigmail does that, but you can disable this option.
 * PGP-aware mail clients may validate and display the signature. PGP-unaware clients display the signature in clear, preceding and trailing the body text.
 * PGP-aware clients may decrypt message and attachments automatically. PGP-unaware clients display an encrypted text block as body text.
 * Signed unencrypted HTML content is problematic, and signatures often fail.

PGP/MIME is a standardized way (RFC 3156) to deal with OpenPGP content. It puts the signed/encrypted content in a new MIME-wrapped mail body while the original mail body is empty or consists of an explanatory sentence. If the message is signed and/or encrypted, then the attachments are, too. Message text and attachments will be encrypted and/or signed as a whole.
 * PGP/MIME-aware mail clients validate and display the signature. Most PGP/MIME-unaware clients display the signature as an attachment; this attachment cannot easily be opened separately to verify the message. Some mail clients (for instance Windows Mail Desktop App) ignore the signature, which appears not to be there.
 * PGP/MIME-aware clients decrypt message and attachments automatically. PGP/MIME-unaware clients display two attachments, one of which encrypted.
 * HTML content is covered perfectly.

Neither of the standards can encrypt mail headers -- including the subject.

Which symmetric ciphers does Enigmail use?
As said previously, Enigmail (via OpenPGP) uses hybrid encryption; the message is first encrypted with a symmetric algorithm using a generated session key, which is then encrypted for each intended recipient with the recipient's public key and added to the encrypted message. The symmetric algorithm OpenPGP uses is chosen from this list:


 * IDEA
 * 3DES
 * CAST5
 * BLOWFISH
 * AES
 * AES192
 * AES256
 * TWOFISH
 * CAMELLIA128
 * CAMELLIA192
 * CAMELLIA256

Each recipient's public key contains a list of preferred algorithms. OpenPGP chooses an algorithm that satisfies everyone, i.e. all recipients and the sender of the encrypted message. By default the 3DES cipher is always supported.

You can specify the ciphers you prefer - when sending - by using the GnuPG option --personal-cipher-preferences.

Note that you can force usage of a specific symmetric algorithm by using the GnuPG option --cipher-algo, but this is not recommended; this option can easily break things and is intended for debug purposes only.

Why do I get an error whenever I try to post to a newsgroup?


You are trying to post an encrypted message to a newsgroup. This doesn't make any sense as a newsgroup, like a mailing list, is a public space and not an entity that could own a key pair. (Just ask yourself: who is supposed to own the private key? What would be the trust associated with this entity?) Send the message unencrypted. If you just want to obfuscate information, such as spoilers, you can as well use ROT13.

What shall I do if I'm getting a "Bad signature" for a message?
It may happen sometimes that a signed message is altered during transport, producing a bad signature; this is mostly caused by shortcomings in one of the participated software implementations. These alterations might concern invisible characters such as line breaks, spaces, or tabs, and happen during the sending process or by improperly working mail servers. In case of an invalid signature, nothing can be said about the integrity of the mail text. It may be unchanged or not, and you are advised to take it with caution. A good practice would be to ask the sender - by encrypted mail - for a statement about the contents.

Why does Enigmail tell me "Untrusted good signature" when I already have the key of the sender?
This means that the signature cryptographically verifies, but the sender's key is not fully valid in your public keyring. This is the default for freshly imported keys. You need to set full validity for that sender's particular public key.

How do I specify the hash algorithm?
Enigmail relies by default on GnuPG for selecting the hash (digest) algorithm. From GnuPG, the hash algorithm can be specified in the file gpg.conf using the parameter "digest-algo hash_algorithm". If you want to select the hash algorithm from within Enigmail, you can do so by modifying the preference extensions.enigmail.mimeHashAlgorithm and assigning to it one of the following values:

0: automatic selection, let GnuPG choose (default, recommended) 1: SHA1 2: RIPEMD160 3: SHA256 4: SHA384 5: SHA512

To know more about modifying the preference values manually, read here.

I have lost my passphrase / my key pair / my private key! What do I do now?
A note: Your private key is bundled with your public key in your key pair, hence losing your private key and losing your key pair means exactly the same.

There is no way to recover your passphrase: your only hope is to try to remember what it was. If you don't succeed, you lose the use of your private key, and hence your whole key pair is now useless. There is no way to recover your private key, either. It cannot be obtained from your public key or from any message that was signed/encrypted by that private key. You can only recover it if you made a backup of it.

Hence, losing the passphrase or the key is definitive. If you generated a revocation certificate (and you should have), use it to revoke the key pair. You must also generate a new key pair, send the new public key to your contacts, and warn them not to use the old public key any more.

Messages that were sent to you encrypted with the old key cannot be decrypted any more. Messages that were signed by you with the old key can still be verified by the recipients by using the old (revoked) key.

To avoid this disaster, it is highly recommended that you backup in advance your key pair: from Key Management, select File → Export Keys to File, make sure you included the secret key, then store the file in a safe place. Make sure you chose a passphrase you can remember, too.

I have lost my key pair; how can I import the revocation certificate?
You must first re-import your public key, either from a key server or from a mail correspondent. After this you can import the revocation certificate.

After I reinstalled Enigmail, all keys have disappeared from the Key Management window. How do I get them back?
The keys are still there, but are displayed only the keys that match the search criteria entered in the Search for field. If you want to see all keys, tick the checkbox Display all keys by default.

Why is Enigmail unable to access the keyserver?
Keyservers use the Horowitz Keyserver Protocol (HKP) to exchange keys through TCP port 11371. If you are behind a firewall, you must ensure that this port is open for outgoing connections. Alternatively, many keyservers allow access to clients also on HTTP (TCP port 80), which is normally open. If you are using HTTP proxy behind a firewall, you must add the following line to your gnupg.conf file: keyserver-options http-proxy=your_proxy_host_name

Which key type/size should I choose for my key pair? Which is best?
There is no such thing as "the best key"; all choices have consequences and trade-offs. You might feel that a 4096-bit RSA key is safer, but the person you're sending email to might be trying to read it on an old PDA which takes over a minute to decrypt each message. You might decide to use SHA-1 digest because it's widely supported in OpenPGP implementations, but SHA-1 has some mathematical flaw and does not offer long-term security. Finding precisely the optimal set of consequences and trade-offs is a very subtle thing, and the perfect set for you will probably not be the same for anyone else.

The IETF OpenPGP Working Group has spent over a decade looking at which choices offer an excellent balance of speed, safety, and compatibility for the vast majority of users. Their opinions have evolved over time to take into account the technology and threats of the day. The people of the GnuPG project are active participants in the Working Group, and as such GnuPG implements the Working Group's recommendations.

Therefore, the best advice we can give is to stick to Enigmail's defaults. They are not perfect, because no two people have the same definition of perfection. However, the defaults are excellent for the overwhelming majority of users.

How can I test if Enigmail works correctly?
If the installation was successful, restart Thunderbird. The menubar now should have an Enigmail entry. Selecting Enigmail → About Enigmail will display the Enigmail version number and GnuPG executable details.

If Enigmail was correctly installed, you can now start trying to send to yourself some signed/encrypted message, and check if you are able to verify/decrypt them correctly. Then you can send messages to Adele, an automated program that is able to receive and understand OpenPGP messages and reply accordingly.

I have some problem I can't solve. How can I troubleshoot it? Where can I get support?
First, you can get a good deal of information from the Enigmail console, which shows the commands Enigmail sends to GnuPG, and which can be accessed via Enigmail → Debugging Options → View Console.

You should also enable debugging. This will create a debug log that you can send to the Enigmail developers and that'll be useful in pinpointing the problem.

If you know how to use GnuPG, you can try to achieve the same result through the GnuPG command line. For instance, if you cannot remove public key 0xABCDEF01 from Key Management, open a shell prompt and issue the following command: gpg --delete-keys 0xABCDEF01

If the above doesn't work or you don't feel yourself enough experienced to use GnuPG, ask the friendly Enigmail/GnuPG community for support.

How do I enable the debug log in Enigmail?
From Enigmail → Preferences → Debugging. Then you can view the log via the menu command Enigmail → Debugging Options → View Log, and save it as a file if you wish so.

How do I report a bug?
You can report a bug here. Please check first the list of already known bugs so that a bug doesn't get submitted twice. If you spotted a new bug, you can file a bug report. If you're in doubt, please first ask on the mailing list or in the user forum.

It would be great if Enigmail could do this-and-this! Could you please implement it?
You can submit feature requests in the Enigmail Forum, Feature Requests thread.

But please first consider that Enigmail follows the OpenPGP standard. It is not its purpose to innovate or invent new protocols. If the feature you propose is not included in or not compliant to the standard, the feature is not going to be included in Enigmail, no matter how many users ask for it. The Enigmail source code is freely available, though. If you really need such a feature, you can download the code and modify it to suit your needs. Please consider first that breaking standards is generally not a wise idea, and will result in incompatible products.

Why is Enigmail showing key error messages after I upgraded to v1.8?
If you upgraded to Enigmail version 1.8 / 1.8.1 and started seeing error messages such as these:


 * "Error - No matching private/secret key found to decrypt message."
 * "Send operation aborted. Error - encryption command failed."
 * "Send operation aborted. Key 0x12345678 not found or not valid. The (sub-)key might have expired."

then please read our Guide for resolving issues with GnuPG 2.x and gpg-agent.

How can I get the HTML view back?
Go to View → Message body as → Original HTML.

Why did Enigmail stop working after I installed a new extension?
Some extensions cause conflicts with Enigmail, preventing it to successfully sign/encrypt outgoing mail or verify/decrypt incoming mail.

How many people use Enigmail?
You can view the Enigmail download and usage statistics on the Mozilla add-ons website.