Enigmail User Manual

Enigmail OpenPGP Key Manager

The Enigmail OpenPGP Key Manager is designed to be simple to use with a clean, powerful interface.

You can access it from within Thunderbird/SeaMonkey via the OpenPGP menu: OpenPGP > Key Management.
You can also run it as a standalone application by appending -pgpkeyman to the command that runs Thunderbird/SeaMonkey, e.g. on Windows: "C:\Program Files\Mozilla Thunderbird\thunderbird.exe" -pgpkeyman.

Key Management Functionality

Key management interface

The image above shows the results of a search for "mozilla" on the list of keys in the keyring. All the keys returned have "mozilla" appearing in one of their UIDs.

  • Clicking on the + beside a key reveals all the User IDs (UIDs) for that key.

  • Right-clicking on a key reveals a menu of tasks that can be carried out on that key. You can select multiple keys and carry out some of the tasks on them as a group.
    You will note that some tasks are grayed out in the image above; that is because the key is a public key, and those options can only be applied to a key pair (including a secret key).

Actions

The actions shown in the context menu can also be accessed through the menus on the Key Manager's toolbar. The context menu actions are arranged into logical groups for ease of use: export, import, trust, availability, private key functions, and public key functions.

In the descriptions below, the menu that the action can also be found in is indicated by (Menu).

  • Copy Public Keys to Clipboard: copies the public key(s) selected to the clipboard as ASCII armored text. (Edit).

  • Export Keys to File: allows you to export the public and secret keys (in case of a key pair) to an ASCII armored text file with a .asc extension. (File).

  • Upload Public Keys to Keyserver: allows you to upload your public key to a keyserver. (Keyserver).

  • Refresh Public Keys from Keyserver: will refresh the key(s) selected from a keyserver. (Keyserver).

  • Sign Key: allows you to sign a key, setting the level to which you have verified the ownership. (Edit).

  • Set Key Trust: allows you to set the amount of trust you place on the key owner to validate the ownership of keys (s)he has signed. (Edit).

  • Disable Key: will leave the key in your keyring but disables its use. (Edit).

  • Revoke Key: will allow you to create a revocation certificate and import it automatically, ready for upload to a keyserver. (Edit).
    A revocation certificate is a special key that, when imported and merged with the key pair it was created for, will allow you to revoke (cancel) the key. You may need to do this in situations where the key has been compromised in some way, or you forgot your passphrase.
    Once you have revoked a key pair, you should upload it to a keyserver if your key was already on a keyserver.

  • Delete Key: allows you to delete a key (pair) from your keyring. (Edit).

  • Manage User IDs: will allow you to add UIDs to your key pair and set which UID is the primary. (Edit).

  • Generate & Save Revocation Certificate: allows you to create a revocation certificate for a secret key and save it as an ASCII armored text file with a .asc extension. (Generate).
    A revocation certificate is a special key that, when imported and merged with the key pair it was created for, will allow you to revoke (cancel) the key. You may need to do this in situations where the key has been compromised in some way, or you forgot your passphrase.
    Once you have revoked a key pair, you should upload it to a keyserver if your key was already on a keyserver.
    You should make a copy of your keyrings and the revocation certificate and save them to a floppy disk (or if you can, on a CD), lock it against being overwritten, label it and put it somewhere very safe that you won't forget!

  • View Signatures: displays all the signatures on the selected key. (View).

  • View Photo ID: displays the photo ID if one is present. (View).

  • Key Properties: displays the key's properties. (View).

In addition, some actions do not appear in the right-click menu and are available only from the menus on the toolbar at the top of the Key Manager interface.

  • Import Keys from File: will allow you to import a key/keys into your keyring from a text file. (File).

  • Reload Key Cache: will refresh Enigmail's internal key cache. Keyrings are read into memory when the key manager is first opened, and the cache is refreshed after each operation carried out within the key manager. If you leave the key manager open and perform manual actions using a different key manager or the command line, or just view some signed emails that cause keys to be retrieved from a keyserver (if so configured), you will not see the changes in the key manager until you refresh the cache. (File).

  • Search for Keys: allows you to search for a key on a keyserver. (Keyserver).

  • New Key Pair: allows you to generate a new key pair, with the ability to select the desired key strength, set the expiry date, and add the passphrase, all within an easy to use interface. (Generate).


Signing a Key

Signing a key

When you select to sign a key, you are presented with the screen above to make your selections. You should select how carefully you have verified the key ownership and then select OK.
Note: In many cases you will want to perform a local signature (only) to mark keys on your keyring valid without having them checked thoroughly. You should only sign keys as exportable if you have carefully checked that the owner is really who they say they are and can prove key ownership, and that you intend to send the key to the owner once you have signed it. It is good etiquette to send a key you have signed to the key owner for them to upload to a keyserver, rather than for you to sign it and upload it yourself.


Key Trust

Setting key trust

When setting trust, you can select single or multiple keys to carry out the action.

When you set the trust on a key, you are indicating to what extent you trust the owner of that key to correctly validate the ownership of other people's keys. It may be that you trust the person to be very thorough in their validation, in which case you trust them fully. Alternatively, you may believe that they are fairly lax in their validation techniques, so you only trust them marginally.

The trust value you apply to a key affects the web of trust as it relates to your keyring: keys that you have not validated yourself can gain implied trust from signatures made by the person whose key you have set the trust value on, and how much they gain depends on that value.
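
The effect described above, worked through as an added example (not Enigmail or GnuPG code): a simplified model of GnuPG's classic trust model, assuming its default thresholds of one fully trusted or three marginally trusted signers and a maximum certification depth of five. The key names, signature graph and owner-trust values are constructed.

```python
# Simplified model of GnuPG's classic trust model (an illustration, not GnuPG code).
# Assumed defaults: --completes-needed 1, --marginals-needed 3, --max-cert-depth 5.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5


def compute_validity(own_key, ownertrust, signatures):
    """Return {key: "full" | "marginal"}; keys left out have unknown validity.

    ownertrust -- {key: "full" | "marginal"}, the value chosen in "Set Key Trust"
    signatures -- {signed_key: {signer, ...}}, what "View Signatures" lists
    """
    validity = {own_key: "full"}
    # Only signatures made by *valid* keys with owner trust set are counted.
    introducers = {own_key: "ultimate"}
    for _ in range(MAX_CERT_DEPTH):
        newly_valid = []
        for key, signers in signatures.items():
            if validity.get(key) == "full":
                continue
            levels = [introducers[s] for s in signers if s in introducers]
            full = COMPLETES_NEEDED if "ultimate" in levels else levels.count("full")
            marginal = levels.count("marginal")
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid.append(key)
            elif full or marginal:
                validity[key] = "marginal"
        if not newly_valid:
            break
        for key in newly_valid:  # promote after the pass so each pass is one hop
            validity[key] = "full"
            if key in ownertrust:
                introducers[key] = ownertrust[key]
    return validity


# Constructed keyring: "me" has signed alice, bob, carol and dave after checking them.
SIGNATURES = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "erin": {"alice"},                  # one fully trusted signer
    "frank": {"bob", "carol"},          # two marginally trusted signers
    "grace": {"bob", "carol", "dave"},  # three marginally trusted signers
    "heidi": {"mallory"},               # signer trusted, but signer's key not valid
}
OWNERTRUST = {"alice": "full", "bob": "marginal", "carol": "marginal",
              "dave": "marginal", "mallory": "full"}

if __name__ == "__main__":
    for key, level in sorted(compute_validity("me", OWNERTRUST, SIGNATURES).items()):
        print(f"{key:8} {level}")
```

With these values frank's key is only marginally valid; raising bob's owner trust to full makes it fully valid, while heidi's key stays unknown because mallory's own key has never been validated.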


Key Signatures

View key signatures

Here you can see the key's signatures displayed in a scrollable list. Keys that do not appear in your keyring show up as "(User ID not found)".

By right-clicking on any key you can display further details about the key or download keys that are not yet in your keyring.


Key Properties

View a key's properties

The key properties display shows the major elements and values of the selected key. Any of the values shown in the light gray areas can be highlighted using the cursor and copied for pasting elsewhere.