Autocrypt: How to Allow Automated Encryption in Thunderbird Enigmail

Many Enigmail users have turned off automated email encryption by default. What does this mean and how can you change it?

A computer with arbitrary numbers. Looks very cliché-hacky.

Enigmail is a Thunderbird add-on for mail encryption with OpenPGP – if you are reading this article, you probably already use it. Enigmail has supported the Autocrypt standard since version 2.0.

“Allow Automated Encryption” in Enigmail

The classic Enigmail user wants to use encryption whenever possible. In Autocrypt, you can turn this on or off with the “Allow Automated Encryption” configuration option. Unfortunately, in Enigmail this is turned off by default, even though most Enigmail users probably want to use it.

If you are interested in how it works in detail, you can look below – first I want to explain how to turn it on. The Enigmail settings can be really confusing and are spread over different places in the Thunderbird settings, so it’s not straightforward.

First you need to access the “Account Settings”. There you can find the “OpenPGP Security” section of your mail account. Under its “Autocrypt” tab are two options; tick the checkbox “Prefer encrypted emails from the people you exchange email with” to allow automated encryption. Only if both people have it checked will they communicate encrypted.

A screenshot where to find the Autocrypt settings.
Allowing automated encryption is only 4 clicks away – the orange boxes show where you can find the settings.

Now, whenever you write emails with someone who also has an Autocrypt-capable mail program, and who also has this setting enabled (by default or by choice), you will encrypt automatically. The first mail is unencrypted, to exchange the keys in the background, but from then on everything should be encrypted.

How Does This Work in Detail?

If you use Autocrypt, every mail carries an extra header, an invisible part in your mail. It contains your public key, so the recipients can encrypt to you; and it also can contain a setting called “prefer-encrypt: mutual”, which tells others whether you even want encrypted mails.

If they also use Autocrypt, their mail program automatically extracts your public key from your mail header. And if you have switched on “prefer-encrypt: mutual”, or “allow automated encryption”, as I call it, they will encrypt to you from now on.

If it’s turned off, the keys still get exchanged. But most Autocrypt-capable mail programs will write unencrypted mails to you, because the “prefer-encrypt: mutual” is missing in the header. This is by design; Valodim wrote a great blogpost about why Autocrypt made this design decision.
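The decision described above, sketched in Python as an added example (this is not Enigmail's code or code from the original post). It assumes the Autocrypt Level 1 header syntax, where the setting appears as `prefer-encrypt=mutual`; the function names and sample messages are hypothetical, the keydata is a placeholder, and key staleness is ignored.

```python
from email import message_from_string
from email.utils import parseaddr

KNOWN = {"addr", "prefer-encrypt", "keydata"}

def parse_autocrypt(raw_message):
    """Return the sender's Autocrypt state as a dict, or None if unusable."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("Autocrypt") or []
    if len(headers) != 1:                      # simplification: need exactly one header
        return None
    attrs = {}
    for part in headers[0].split(";"):
        name, sep, value = part.partition("=")
        if sep:
            attrs[name.strip().lower()] = "".join(value.split())  # drop folding whitespace
    # Unknown attributes may be ignored only if their name starts with "_".
    if any(n not in KNOWN and not n.startswith("_") for n in attrs):
        return None
    if "addr" not in attrs or "keydata" not in attrs:
        return None
    if attrs["addr"].lower() != parseaddr(msg.get("From", ""))[1].lower():
        return None                            # header must describe the From address
    mutual = attrs.get("prefer-encrypt") == "mutual"
    return {"addr": attrs["addr"], "keydata": attrs["keydata"],
            "prefer_encrypt": "mutual" if mutual else "nopreference"}

def recommendation(own_prefers_mutual, peer):
    """Simplified default for a new mail to `peer` (ignores key staleness)."""
    if peer is None:
        return "disable"      # no key known, encryption not possible
    if own_prefers_mutual and peer["prefer_encrypt"] == "mutual":
        return "encrypt"      # both sides opted in: encrypt by default
    return "available"        # key known, but the user has to switch encryption on

# Constructed sample messages; the keydata is a placeholder, not a real OpenPGP key.
MAIL_MUTUAL = (
    "From: Alice <alice@example.org>\n"
    "Autocrypt: addr=alice@example.org; prefer-encrypt=mutual;\n"
    " keydata=Q09OU1RSVUNU\n"
    " RUQ=\n"
    "Subject: hi\n\nbody\n")
MAIL_DEFAULT_OFF = MAIL_MUTUAL.replace(" prefer-encrypt=mutual;", "")
MAIL_NO_HEADER = "From: Bob <bob@example.org>\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for label, mail in [("mutual", MAIL_MUTUAL), ("off", MAIL_DEFAULT_OFF), ("none", MAIL_NO_HEADER)]:
        for own in (True, False):
            print(label, "own mutual =", own, "->", recommendation(own, parse_autocrypt(mail)))
```

Only the combination "own setting on, peer header says mutual" yields `encrypt`; with the checkbox off on either side the key is still stored, but the result stays at `available`.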

When Enigmail started supporting Autocrypt with version 2.0, the default setting was introduced as “not allowing automated encryption”.

This leads to weird situations; there are some people I have been encrypting with for ages, but as soon as they upgraded to Enigmail 2.0, I suddenly had to manually turn on encryption with them, because they didn’t know they had to check that checkbox.

Enigmail and Autocrypt

Enigmail’s target group is the tech-savvy user, who understands what OpenPGP keys are. The Autocrypt standardization effort was started so you don’t need to know that anymore to use OpenPGP; everyone should be able to use an Autocrypt-capable mail program, and encrypt mails even unknowingly.

Enigmail is not perfect for this approach – it is very complex and offers many configuration options. That’s very good for sophisticated OpenPGP users, but in some areas it has to make compromises with the Autocrypt approach. Still, it’s a good thing that Enigmail supports Autocrypt, if only for compatibility reasons.

So if you want to introduce OpenPGP to a new user who doesn’t want to dive into the topic of asymmetric encryption, it is better to recommend the new Autocrypt Thunderbird add-on by Valodim – it’s very straightforward and easy to use.

Author: Nami

Nami is a Cyberpunk, sysadmin, musician, and writes a lot. As an activist they fight for open access to art, continents, and trains for everyone. But in secret they just want to be a reeaal hacker.

2 thoughts on “Autocrypt: How to Allow Automated Encryption in Thunderbird Enigmail”

  1. You may check out the new Autocrypt add-on for Thunderbird, which no longer depends on GnuPG and Enigmail! Pretty awesome IMHO. It is currently in development and already available in Thunderbird’s add-on store. The author of the new Autocrypt add-on is Vincent, who brought us Hagrid ( 🙂

    1. I will try it out as soon as my distribution ships Thunderbird 68 – but yeah, I’m already recommending it at the bottom of the post 🙂
