Piero V.

Thunderbird 78+ and OpenPGP secrets

I have used OpenPGP for a while now, usually with GPG. I use it especially with my password manager on my Debian box. The GNOME folks did a great job with the password prompts for it and for the SSH agent.

Recently, I started using encryption and digital signatures also for emails.

I use Thunderbird as a client. With version 78, its authors deprecated the old add-on APIs. Enigmail, the add-on that provided OpenPGP support through GPG integration, became incompatible. However, they also decided to support this feature natively.

While most of Thunderbird’s source code is released under the MPL, GPG is released under the GNU GPL 3.0 or later. Therefore, they preferred to use another library, and in doing so they also gave up the great integrations that GPG already has.

[Screenshot: Thunderbird's prompt for the key passphrase]

So, what is different in this screenshot from the usual Thunderbird password prompts?

It lacks the checkbox that lets you choose whether the passphrase is saved in Thunderbird's built-in password manager.

When I saw it, I thought that Thunderbird would keep the passphrase in memory for a while, and that saving it was completely disabled as a security measure.

Well, it turns out it is the opposite: Thunderbird asks for your passphrase only once.

Then it decrypts your key and re-encrypts it with a random key. This random key is then saved on your disk, encrypted with the same key that protects the saved passwords.

But if you do not have a primary password, this is equivalent to saving your precious OpenPGP key in the clear. Yikes.

And if you have one, be sure it is strong enough. Otherwise, the security of your PGP key is reduced to the strength of Thunderbird’s primary password.
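To make the two paragraphs above concrete, here is a small model of that key-wrapping scheme, written for this post and not taken from Thunderbird's source: the OpenPGP secret key is re-encrypted under a random key, and that random key is stored either in the clear (no primary password) or encrypted under a key derived from the primary password. The cipher (an HMAC-SHA256 keystream plus an HMAC tag), the PBKDF2 parameters, the `Profile` layout and the sample key material are all assumptions made so the example runs offline with the standard library; they are not Thunderbird's actual file formats or algorithms. The check at the end shows the point of the post: without a primary password, `unlock_secret_key` succeeds with nothing but the files on disk.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample key material; stands in for a real passphrase-decrypted OpenPGP secret key.
SAMPLE_SECRET_KEY = b"-----BEGIN PGP PRIVATE KEY BLOCK----- (constructed sample)"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-based keystream: HMAC-SHA256(key, nonce || counter), one block per counter value."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce. Layout: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered blob raises instead of returning garbage."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


@dataclass
class Profile:
    """Assumed on-disk state of the model (not Thunderbird's real files)."""
    wrapped_secret_key: bytes   # OpenPGP secret key, re-encrypted under the random key
    stored_random_key: bytes    # the random key as stored: plaintext, or encrypted under the primary password
    salt: bytes                 # salt for deriving the primary-password key
    has_primary_password: bool


def derive_primary_key(primary_password: str, salt: bytes) -> bytes:
    """Key derived from the primary password (assumed PBKDF2 parameters)."""
    return hashlib.pbkdf2_hmac("sha256", primary_password.encode(), salt, 200_000)


def import_key(secret_key: bytes, primary_password: Optional[str]) -> Profile:
    """The one-time import: the user's passphrase is used once and never stored; the key is re-wrapped."""
    random_key = secrets.token_bytes(32)
    wrapped = encrypt(random_key, secret_key)
    salt = secrets.token_bytes(16)
    if primary_password is None:
        stored = random_key  # no primary password: the wrapping key lands on disk in the clear
    else:
        stored = encrypt(derive_primary_key(primary_password, salt), random_key)
    return Profile(wrapped, stored, salt, primary_password is not None)


def unlock_secret_key(profile: Profile, primary_password: Optional[str] = None) -> bytes:
    """What the client does when it needs the key to sign or decrypt a message."""
    if profile.has_primary_password:
        if primary_password is None:
            raise ValueError("primary password required")
        random_key = decrypt(derive_primary_key(primary_password, profile.salt), profile.stored_random_key)
    else:
        random_key = profile.stored_random_key
    return decrypt(random_key, profile.wrapped_secret_key)


def recoverable_from_disk_alone(profile: Profile) -> bool:
    """Risk check: can the secret key be reconstructed from the stored files with no secret from the user?"""
    try:
        unlock_secret_key(profile)  # deliberately supplies no primary password
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    without = import_key(SAMPLE_SECRET_KEY, None)
    with_pw = import_key(SAMPLE_SECRET_KEY, "a long primary password")
    print("no primary password, key recoverable from disk:", recoverable_from_disk_alone(without))   # True
    print("with primary password, key recoverable from disk:", recoverable_from_disk_alone(with_pw))  # False
```

The model also shows why the second paragraph holds: with a primary password set, the only secret the user supplies is that password, so the protection of the wrapped OpenPGP key is exactly the protection a PBKDF2-derived key gives that password, no matter how strong the original key passphrase was.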

The issue is reported in a FAQ, but this is not enough, in my opinion. So I thought I would share it; please consider doing the same.

If you do not have a primary password, you had better remove the old cryptographic files (at least key4.db, cert9.db, and encrypted-openpgp-passphrase.txt, if it already exists) and create new ones. I preferred doing so in case adding the password just encrypted the old key4.db file. But I have not looked at the source code yet, so I do not know whether this is actually needed.

I hope this will get fixed, or maybe I could try to create and submit a patch myself. In any case, just be advised and be careful when using this feature. Apart from this, it works very well and is quite handy, so good job, Thunderbird developers 😄️.