Encrypting Email Messages with S/MIME

This screenshot tutorial covers how to use the Thunderbird email client to send and receive encrypted emails from a GMail account. I chose GMail because many people use it and Thunderbird because it is a common, multi-platform, and free email client. This tutorial already assumes that you have Thunderbird installed on your computer and access to an email account. While GMail is used in this tutorial, these instructions will work for any email account that offers IMAP/POP3 and SMTP access.

Receiving your S/MIME certificate

The first step is to be issued a public and private keypair by a Certificate Authority (CA). I chose to use Comodo because they offer free S/MIME certificates and are already trusted in many default keyrings, including Thunderbird.

First, follow this link and enter your information.

Image 1

Comodo will send you an email with a link to download and install your certificate. This ensures that you are the owner of the email address you specified.

Image 2

After following the link, your browser will alert you that your personal certificate has been installed.

Image 3

From the Firefox menu, select Options. Click on the Advanced tab, and then on the Encryption tab. Click the View Certificates button. This will open your Firefox certificate manager. Select the new Comodo certificate, and click Backup.

Image 4

You will be asked to enter a password to encrypt your certificate before it is saved to disk. Choose a strong password. Someone will be able to decrypt messages sent to you and forge messages with your signature if this file is compromised.

Image 5

Back up this certificate in a secure location. You will lose access to previously encrypted emails if you later lose this file and switch email clients or reinstall your operating system.

Image 6

Add your email account to Thunderbird

Now Thunderbird must be configured to access your email account. On first startup, you will be asked to enter information for your email account.

Image 7

Thunderbird automatically detected that GMail offered an IMAP and SMTP server, so we will be using these to receive and send emails, respectively.

Image 8

Import your S/MIME certificate

Before outgoing messages can be signed and incoming messages can be decrypted, you must import the certificate you just exported from Firefox. From the Tools menu, select Options. Click on the Advanced tab, then on the Certificates tab, and finally on the View Certificates button. This will open your Thunderbird certificate manager. Click the Import button and navigate to your certificate's file path.

Image 9

You will be asked to enter the password you used earlier to encrypt this backup.

Image 10

Thunderbird will now notify you that you have successfully installed your public and private S/MIME keys.

Image 11

Before you can begin to use this certificate for crypto, you need to tell Thunderbird that you wish to associate this certificate with this account. From the Tools menu, select Account Settings. Under your email account, click Security, and then click the Select button under Digital Signing. Another window will open asking you to select one of your personal certificates. Choose the certificate issued to this particular account if you have more than one personal certificate already installed; otherwise just click OK.

Image 12

You will be asked if you want to use the same certificate for encryption as well. Click yes.

Image 13

At this point you should also check the "Digitally sign messages (by default)" checkbox. Any emails you send will now be automatically signed with your private key.

Exchange public keys

In order to allow others to send encrypted email that only you are able to decrypt, they must encrypt these messages with your public key. The easiest way to do this is by sending them a signed email. Your public key is automatically sent in every signed message, so simply sending them an unencrypted but signed email will allow them to save your public key. Here I am sending a signed message to my devio.us email account. The sealed envelope icon in the bottom right corner lets me know this message will be digitally signed.

Image 14

For the curious, you can check your GMail account from Google's provided webmail service. In the Sent Mail folder you can see how an attachment called "smime.p7s" was added to the message. Unfortunately Google's webmail does not understand S/MIME signing and encryption, so the signature shows up as an attachment because GMail does not know what to do with it.

Image 15

Now that the message has been sent, you will have to wait for a reply. Here is my message back. I have installed the public key and used it to encrypt my signed reply. You can see how Thunderbird has added both sealed envelope and lock icons, representing how this message is both digitally signed and encrypted.

Image 16

Thunderbird automatically imported my public key into its certificate manager because my certificate had been issued by one of the default trusted CAs (I used Comodo as well). To verify this, you can see how a certificate issued for my devio.us email has been added to the People tab of the certificate manager.

Image 17
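
The same exchange can be reproduced on the command line with OpenSSL. This is an added example, not part of the original tutorial: the Alice and Bob identities, the example.test address and the file names are assumptions, and a throwaway self-signed certificate stands in for the CA-issued one, so -noverify skips the CA chain check that Thunderbird performs.

```sh
#!/bin/sh
# Added example: the S/MIME exchange with OpenSSL and a throwaway certificate.
set -eu

# Runs the exchange inside directory $1 and prints the decrypted reply.
smime_exchange() {
  d=$1
  # Constructed identity: a self-signed certificate stands in for the
  # CA-issued one, so -noverify below skips the CA chain check.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Alice Example/emailAddress=alice@example.test" \
    -keyout "$d/alice.key" -out "$d/alice.crt" 2>/dev/null

  # 1. Alice sends a signed, unencrypted message. The signature part
  #    (smime.p7s) carries her certificate, i.e. her public key.
  printf 'Hello Bob, this message is signed only.\n' > "$d/msg.txt"
  openssl smime -sign -in "$d/msg.txt" -signer "$d/alice.crt" \
    -inkey "$d/alice.key" -out "$d/signed.eml"

  # 2. Bob checks the signature and saves the certificate it contains.
  openssl smime -verify -in "$d/signed.eml" -noverify \
    -signer "$d/alice_from_sig.crt" -out /dev/null 2>/dev/null

  # 3. A body changed in transit must fail verification.
  sed 's/Hello Bob/Hello Rob/' "$d/signed.eml" > "$d/tampered.eml"
  if openssl smime -verify -in "$d/tampered.eml" -noverify \
       -out /dev/null 2>/dev/null; then
    echo "tampering was not detected" >&2; return 1
  fi

  # 4. Bob encrypts his reply to the certificate taken from the signature.
  printf 'Constructed reply: only Alice can read this.\n' > "$d/reply.txt"
  openssl smime -encrypt -aes-256-cbc -in "$d/reply.txt" \
    -out "$d/encrypted.eml" "$d/alice_from_sig.crt"

  # 5. Only the holder of alice.key can decrypt; strip MIME CRLF endings.
  openssl smime -decrypt -in "$d/encrypted.eml" -recip "$d/alice.crt" \
    -inkey "$d/alice.key" -out "$d/plain.txt"
  tr -d '\r' < "$d/plain.txt"
}

work=$(mktemp -d)   # mode 0700 directory for the throwaway private key
smime_exchange "$work"
rm -rf "$work"
```

The signed.eml file it produces contains the smime.p7s part that GMail's webmail shows as an attachment, while encrypted.eml is a single opaque enveloped-data part.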

Begin sending secure emails

Because each of us now has the other's public key, we are both able to send encrypted messages that only the other is able to read. Since we each have our respective private keys, we are also able to digitally sign these messages to prove that we are who we say we are.

Unfortunately, Thunderbird does not have an option to automatically encrypt messages if a recipient's public key is saved in the certificate manager. You will either have to remember which people you have public keys saved for and select the encryption option under the Security drop-down menu in the compose window, or you can configure Thunderbird to encrypt all sent messages by default. The latter option can be found under the Security tab for your account in the Thunderbird Account Settings. However, if you use this and send a message to someone who either does not use S/MIME or whose public key you do not have, Thunderbird will display an error message and refuse to send the message until you disable encryption in the compose message window.

Image 18

Additional notes

