Frequently Asked Questions

Installation & Configuration

Enigmail requires Mozilla Thunderbird or SeaMonkey. It runs on any platform that is supported by these tools. Furthermore, Enigmail requires GnuPG. On Windows and Mac OS X, the setup wizard will automatically download and install GnuPG if it is not pre-installed.

If the installation of Enigmail was successful, you will need to restart the application. After restarting the application, launch the main Mail window, which should now have an Enigmail menu on the menubar. Choose the About Enigmail option, which should display the version number and the GnuPG executable details.

Enigmail has only been tested with official releases of Mozilla Thunderbird and SeaMonkey. If you use a nightly build (or your own build), Enigmail may not work.

The latest version of Enigmail, v1.9, does not support GnuPG 1.4 anymore. This article provides tips and help for migrating from GnuPG 1.4 to GnuPG 2.0.

Enigmail has supported GnuPG 1.4 since 2004, 2.0 since 2007 and 2.1 since 2015. Enigmail 1.8 supports them all, but GnuPG 2.0 has been recommended since Enigmail 1.6. Enigmail 1.9, the next major version of Enigmail, will require GnuPG 2.x. That is why GnuPG 1.4 is now deprecated.

Installation

  • Windows

    We recommend you install Gpg4win-Vanilla from gpg4win.org. This will install all components required by Enigmail. Expert users may install the full version instead. Its additional parts are not used by Enigmail.

  • Linux and other Unix Systems

    We recommend you install GnuPG 2.0 via the regular package management system of your distribution (e.g. apt, yum, yast). On many distributions the package is called "gnupg2" or "gpg2".

  • Mac OS X

    We recommend you download GpgTools and install only the core parts. Expert users may install all components. The additional components are not used by Enigmail.

General Recommendations

There is no need to uninstall GnuPG 1.4.x; in most cases Enigmail will find GnuPG 2.0 automatically after the installation. Simply restart Thunderbird after you have installed GnuPG 2.0.x. If Thunderbird still reports that it found GnuPG 1.4.x, then uninstall the GnuPG 1.4.x package and restart your PC afterwards.

Make sure to keep Thunderbird, Enigmail and GnuPG up to date. Only the latest release version of GnuPG / Gpg4Win / GpgTools is supported by Enigmail for security reasons. This applies to GnuPG stable (2.0.x) and modern (2.1.x).

What happens to my keys after the upgrade?

GnuPG 2.0 uses the same keys as GnuPG 1.4; there is no need to change anything concerning your private and public keys. However, independently of whether or not you upgrade GnuPG, we recommend you make a backup of your keys from time to time. Now is the perfect moment to do this.

 

Resolving Issues

If GnuPG 2.0 doesn't work, or Enigmail reports errors with accessing keys or passphrases, then please visit our Resolving issues with GnuPG 2.0 guide.

Enigmail is compatible with most other Thunderbird extensions.

If you suspect that Enigmail is incompatible with another extension, then please send a message to our mailing list, or post on our support forum.

A global installation will install an extension to the application directory rather than within a profile, so it will be available to all users. To perform a global installation you need to download and save the .xpi file to disk and ensure that you close the application completely.

Then follow these steps:

  1. Create a new folder called "{847b3a00-7ab1-11d4-8f02-006008948af5}" in the <installation directory>\extensions folder of the application (note: the curly brackets are part of the folder name).
  2. Uncompress the .xpi file (as a ZIP file) to the newly created folder.

Enigmail can be uninstalled like any other Thunderbird add-on in the Add-ons Manager.

  • Go to the menu Tools > Add-ons

  • Click on Enigmail

  • Click on the Uninstall button

Usage

Since version 1.8, Enigmail can decrypt mails permanently.

The handbook describes how to do this by using mail filter rules. In addition, version 1.9 added a context-menu option which can be used on the fly. Use the right mouse button on a message in the message list and select the option Decrypt to folder.

In order to support our users, and especially for fixing defects, we often require a debug log file. Enigmail contains a function that creates such a log file if needed.

  • Open the Enigmail Preferences panel (OpenPGP->Preferences)

  • Activate the checkbox Display Expert Options and close the dialog

  • Open the menu Enigmail > Debugging Options > View Log.

  • Click the Save Log to File ... button to save the log.

You cannot mix S/MIME and OpenPGP in the same message. This will fail as the two standards (and the implementation in Thunderbird) interfere with each other. If you want to use S/MIME you should not enable the Enigmail option "encrypt if possible" (nor the one from S/MIME).

Troubleshooting

GnuPG 2.x requires an "agent" to handle passphrases. By default this is done by gpg-agent, but there are other tools implementing a subset of its functionality. These instructions are for gpg-agent only. If you use an agent like gnome-keyring, seahorse-agent or the KDE Wallet Manager, then these instructions don't apply.

Most Common Problem

Symptoms

The most common issue is that gpg-agent (a part of GnuPG) cannot launch pinentry (the tool used to query your passphrase). Enigmail would display messages like:

  • when reading messages:
    Error - no matching private/secret key found to decrypt message; click on 'Details' button for more information

  • when sending messages:
    - Send operation aborted. Error - encryption command failed
    - Send operation aborted. Key 0x....... not found or not valid. The (sub-)key might have expired

How to Analyze

  1. Try sending a signed and unencrypted message to yourself.
  2. Check the output in the Enigmail log: go to menu Enigmail > Debugging Options > View Log.
  3. Search for the following text: parseErrorOutput: status message. You will probably find this message several times. Check what follows below.
  4. If the message says something like "no pinentry", "problem with the agent", "Invalid IPC response" or "problem with gpg-agent", then there is something wrong with your gpg-agent and/or pinentry setup.

How to Fix it

    1. Execute the following script from a terminal to find out if a graphical version of pinentry is used:
      pinentry <<EOT
      SETDESC Hello World
      CONFIRM
      EOT
    2. You should get a graphical window with a confirmation message "Hello World". If a "window" is opened within your terminal window then pinentry is text-based, which does not work with Enigmail. To fix this, ensure that a graphical version of pinentry is installed. On Linux/Unix systems, these would typically be pinentry-qt/pinentry-qt4 or pinentry-gtk/pinentry-gtk2, and on Mac OS X pinentry-mac. Rename the existing pinentry file to "pinentry-text" or similar, and create a symlink from pinentry-qt, pinentry-qt4, pinentry-gtk, pinentry-gtk2 or pinentry-mac to pinentry. Then restart your PC.

    3. If the above does not help, check the contents of $HOME/.gnupg/gpg-agent.conf. Make sure that there is a configuration entry pinentry-program containing the full path to a graphical version of pinentry as above. E.g.:

      pinentry-program /usr/local/bin/pinentry-gtk

      Then save the file and restart your PC.

    4. If you still can't access your key, then execute the following script from a terminal:

      gpg-connect-agent <<EOT
      GETINFO version
      EOT

      The output should be something like the text below, where 2.0.26 represents the agent version number. The version number should match your gpg version number:

      D 2.0.26
      OK

      If you get an error message like "ERR 280 not implemented" then you are not using gpg-agent, but one of the alternatives like gnome-keyring. We recommend you switch to gpg-agent by disabling your current agent. See e.g. the GnuPG wiki for how to disable gnome-keyring or how to disable KDE wallet. Then restart your PC and check if the script now produces a correct result.

    5. If the previous step was not successful, and you are using an Ubuntu or similar Linux distribution (e.g. Linux Mint), then you should add the following line to your $HOME/.gnupg/gpg.conf file:
      use-agent

      Then restart your PC and repeat the test from step 4.

    6. If steps 4/5 are successful, then execute the following script from a terminal:

      gpg-connect-agent <<EOT
      GET_CONFIRMATION Hello
      EOT

      Pinentry should now open as a graphical window (just like above). The difference from the step above is that this instance of pinentry was launched by gpg-agent. If this is successful, then GnuPG 2 should work correctly in Enigmail.

    7. If gpg-agent still cannot launch pinentry from Enigmail, then you need to start debugging gpg-agent. Execute the following commands from a terminal:

      killall gpg-agent
      gpg-agent --debug-level expert --use-standard-socket --daemon /bin/sh
      

      This will start gpg-agent from the command line, open a new shell and print the debug output to that shell. If the command succeeded, you will see something like:
      gpg-agent[76979]: gpg-agent 2.0.26 started
      Leave the terminal window untouched, start Thunderbird and try to use Enigmail. As you try to access gpg-agent, you will see the output in your terminal window. If gpg-agent cannot start pinentry successfully, you will see something like this:

      gpg-agent[76993]: starting a new PIN Entry
      gpg-agent[76993]: chan_19 <- ERR 67109133 can't exec `/usr/bin/pinentry': No such file or directory
      gpg-agent[76993]: chan_19 -> BYE
      gpg-agent[76993]: can't connect to the PIN entry module: IPC connect call failed
      gpg-agent[76993]: command get_passphrase failed: No pinentry

      Press Ctrl+D in the terminal to end the debugging session. The bold line should tell you the reason for the error (in the example above, pinentry cannot be found). Try to fix the error and repeat the test.

    8. If all of the above doesn't help, then get help at our mailing list or our support forum.
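
The configuration checks from steps 2, 3 and 7 can be scripted. The following is an added example, not part of the Enigmail FAQ or of GnuPG; the function names and return codes are its own, and the list of text-based pinentry names is an assumption.

```sh
#!/bin/sh
# Added example, not Enigmail or GnuPG code. Return codes are this script's own.

# Print the pinentry-program value from the gpg-agent.conf given as $1.
# If the option appears more than once, this sketch reports the last one.
conf_pinentry() {
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]][[:space:]]*//p' "$1" 2>/dev/null |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Audit that entry (step 3). Returns:
#   0 = executable that does not look text-based   1 = no entry
#   2 = path missing or not executable             3 = text-based pinentry
check_pinentry_conf() {
    prog=$(conf_pinentry "$1")
    [ -n "$prog" ] || return 1
    { [ -x "$prog" ] && [ ! -d "$prog" ]; } || return 2
    # Follow symlinks so a "pinentry" link to a text variant is caught (step 2).
    real=$(readlink -f "$prog" 2>/dev/null) || real=$prog
    # Name heuristic (assumption): pinentry-curses and pinentry-tty are the
    # terminal variants; pinentry-text is the rename the FAQ suggests.
    case $(basename "$real") in
        pinentry-curses|pinentry-tty|pinentry-text) return 3 ;;
    esac
    return 0
}

# Read gpg-agent debug output (step 7) on stdin and print every program the
# agent failed to exec: the text between ` and ' after "can't exec".
failed_exec_paths() {
    sed -n "s/.*can't exec \`\([^']*\)'.*/\1/p"
}

# Demo: audit the current user's configuration and report the code.
rc=0
check_pinentry_conf "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" || rc=$?
echo "pinentry-program audit result: $rc"
```

To use the last function, copy the output of the debugging session from step 7 into a file and feed it to failed_exec_paths on standard input; each path it prints is a pinentry the agent could not start.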

 

If you have to enter your passphrase every time you select an encrypted mail, or try to write a signed mail, then you need to adjust the configuration of gpg-agent.

If you are on Linux, Mac OS X, or any other Unix-like system:

Add the following line to $HOME/.gnupg/gpg-agent.conf:

use-standard-socket

Then reboot your computer.

If you are on Windows:

Add the following line to gpg-agent.conf in C:\Users\<your login>\AppData\Roaming\gnupg:

use-standard-socket

Then reboot your computer.

 

gpg-agent is a mandatory component of GnuPG 2.x. That's a design decision taken by the GnuPG developers, which cannot be influenced by Enigmail. It is not possible to use GnuPG 2.x without gpg-agent.

About the Project

Enigmail is a non-profit project. We live mainly from the unpaid work of the team members during their spare time. We get some funding from donations, which covers our regular expenses.

We'd love it if you did! Here are some options:

We are also grateful for donations.