Thunderbird uses built-in OpenPGP encryption, and because of this, users are required to load private keys into the client. The issue with this requirement is that imported private GPG key passwords are stored unencrypted on disk, unless the so-called “primary password” is configured in Thunderbird. Additionally, creating a second copy of one’s private key and associated password is not recommended.
With this in mind, it is quite easy to configure Thunderbird to use the existing system GnuPG keyring for both encryption and decryption.
Enable external GnuPG keyring in Thunderbird
- Go to Settings >> General >> Config Editor (at the very bottom of the page).
- Search for mail.openpgp.allow_external_gnupg and set it to true.
- Next, search for mail.openpgp.fetch_pubkeys_from_gnupg and set it to true.
Thunderbird will now pick up the system GnuPG keyring. With mail.openpgp.fetch_pubkeys_from_gnupg, Thunderbird will import any public keys from the system GnuPG keyring into OpenPGP. Since these are only public keys, it is acceptable to let Thunderbird save them.
Note: Only the external public keys are collected successfully for use this way. Although Thunderbird can also collect your own public key from the keyring, sending will not be possible until you import your own public key into Thunderbird’s OpenPGP.
Add your GnuPG key ID to Thunderbird
- Find your GPG key ID.
    gpg -k
  The output will look like this:
    pub   rsa4096 2025-07-04 [SC] [expires: 2026-07-04]
          652FEEA075DD7CC801E80371C225632C6762B49B
    uid           [ultimate] name <name@place.com>
    sub   rsa4096 2025-07-04 [E] [expires: 2026-07-04]
- Copy the key ID.
    652FEEA075DD7CC801E80371C225632C6762B49B
- In Thunderbird, go to Edit >> Account settings and select the account associated with your GnuPG key.
- Select End-To-End Encryption and then click on Add Key….
- From the pop-up, choose Use your external key through GnuPG (e.g. from a smartcard) then choose Continue.
- Add your key ID, then click Save key ID.
- Observe the confirmation that the key ID has been attached successfully to the account.
Add your public GPG key to Thunderbird
To enable the successful sending of e-mails, you will need to add your public key to Thunderbird’s OpenPGP Key Manager.
- Export your GPG key.
    gpg -o public.txt -a --export 652FEEA075DD7CC801E80371C225632C6762B49B
- In Thunderbird, go to Tools >> OpenPGP Key Manager.
- Click on File >> Import Public Key(s) from file and select the previously exported GPG key.
- Finally, restart Thunderbird.
You will now be able to send and receive encrypted e-mails using the system GnuPG keyring.
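The "Find your GPG key ID" and "Export your GPG key" steps can also be scripted against GnuPG's colon-delimited listing, which avoids copying the wrong line from gpg -k and skips expired or revoked keys. This is an added example, not part of the original post; the helper name primary_fpr_for and the sample listing (apart from the fingerprint shown above) are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick the value to paste into Thunderbird from GnuPG's
# machine-readable listing rather than from the human-readable `gpg -k` output.

# primary_fpr_for EMAIL  (hypothetical helper name)
# Reads `gpg --list-secret-keys --with-colons` output on stdin and prints the
# fingerprint of the first primary key that has a secret key in the keyring,
# is not expired/invalid/disabled/revoked, and carries a usable UID for <EMAIL>.
# Returns non-zero when no such key exists.
primary_fpr_for() {
    awk -F: -v want="<$1>" '
        function emit() {
            if (usable && has_uid && fpr != "" && !done) { print fpr; done = 1 }
        }
        # A new primary key starts: flush the previous one and reset state.
        $1 == "sec" { emit(); usable = ($2 !~ /^[eidr]$/); fpr = ""; has_uid = 0; primary = 1; next }
        # Subkey records are followed by their own fpr line, which is skipped.
        $1 == "ssb" { primary = 0; next }
        # Field 10 of the fpr record that follows "sec" is the primary fingerprint.
        $1 == "fpr" && primary && fpr == "" { fpr = $10; next }
        # Field 10 of a uid record is the user ID; ignore expired/revoked UIDs.
        $1 == "uid" && $2 !~ /^[er]$/ && index($10, want) { has_uid = 1 }
        END { emit(); exit (done ? 0 : 1) }
    '
}

# Constructed sample listing: an expired key (placeholder fingerprint) followed
# by the key from the article. Timestamps, UID hashes and the subkey are made up.
sample_listing() {
    cat <<'EOF'
sec:e:4096:1:0000000000000001:1688428800:1720051200::u:::sc:::+:::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:e::::1688428800::0000000000000000000000000000000000000000::name <name@place.com>::::::::::0:
sec:u:4096:1:C225632C6762B49B:1751587200:1783123200::u:::scESC:::+:::23::0:
fpr:::::::::652FEEA075DD7CC801E80371C225632C6762B49B:
uid:u::::1751587200::0000000000000000000000000000000000000000::name <name@place.com>::::::::::0:
ssb:u:4096:1:AAAAAAAAAAAAAAAA:1751587200:1783123200:::::e:::+:::23:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
EOF
}

# Real use (requires gpg; the export command is the one from the article):
#   fpr=$(gpg --list-secret-keys --with-colons | primary_fpr_for name@place.com) &&
#       gpg -o public.txt -a --export "$fpr"
```

Because the listing comes from --list-secret-keys, a match also confirms that the private key is present in the system keyring, which is what Thunderbird relies on once the external GnuPG option is enabled.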
Some closing notes
My GnuPG keyring lives in Seahorse, and it is configured to unlock whenever I log on to my desktop. This way, I am able to send and receive encrypted e-mails without having to enter my GPG key’s password. By using the method described above, I have yet to be prompted for a password by Thunderbird, and above all, it makes the whole process of e-mail encryption seamless.
Stay safe, stay private.
