Thunderbird email client users who use the program's built-in email encryption functionality need to set a master password in Thunderbird to properly protect their encryption keys.
Thunderbird introduced support for encrypting emails using OpenPGP in the major version 78. Previously, Thunderbird users relied on extensions such as Enigmail to use encryption when reading and sending emails in the client.
The introduction of native support made things a lot easier, as it meant that users could get started encrypting emails right away without having to install and configure third-party extensions, even ones as good as Enigmail.
Thunderbird 78.x supports the importing of keys and also the generation of new keys. Users who used encryption before to protect emails may notice that Thunderbird does not ask for an unlocking password when they need to encrypt or decrypt email messages in the client.
Kai Engert provided a technical analysis of the inner workings on Mozilla's bug tracking site three months ago. According to him, secret keys are stored encrypted on the disk. Thunderbird generates a password automatically for all keys and stores it encrypted on the disk as well.
Problem is: the information needed to unlock that automatic password, and with it the keys, is stored in the key4.db file in the Thunderbird profile directory, and nothing protects it unless a master password is set. In other words: anyone who gets access to the profile files may use that information to decrypt the keys and, in the end, gain access to encrypted emails.
A support page confirms this:
At the time you import your personal key into Thunderbird, we unlock it, and protect it with a different password, that is automatically (randomly) created. The same automatic password will be used for all OpenPGP secret keys managed by Thunderbird. You should use the Thunderbird feature to set a Master Password. Without a master password, your OpenPGP keys in your profile directory are unprotected.
The only protection that Thunderbird offers against this kind of threat is the master password.
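To make the chain described above concrete, here is an added model of the key hierarchy (secret key, automatic random password, key4.db, master password). It is not Thunderbird's or NSS's code: the PBKDF2 derivation and the XOR keystream wrap are toy stand-ins for the real primitives, and the file names are labels only.

```python
import hashlib
import hmac
import secrets

def _kdf(password: bytes, salt: bytes) -> bytes:
    """Derive a 32-byte wrapping key from a password (PBKDF2 as a stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def _xor_wrap(key: bytes, data: bytes) -> bytes:
    """Toy wrap: XOR with an HMAC-SHA256 counter keystream. Self-inverse, so the
    same call unwraps. A stand-in for NSS's real cipher, not a copy of it."""
    out = bytearray()
    for i, pos in enumerate(range(0, len(data), 32)):
        stream = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[pos:pos + 32], stream))
    return bytes(out)

def create_profile(secret_key: bytes, master_password: bytes = b"") -> dict:
    """What lands in the profile: the secret key wrapped with a random automatic
    password, and that password stored in 'key4.db' wrapped under a key derived
    from the master password (the empty string when none has been set)."""
    auto_pw = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    return {
        "secring": _xor_wrap(_kdf(auto_pw, b"openpgp-keys"), secret_key),
        "key4.db": {
            "salt": salt,
            "auto_pw_wrapped": _xor_wrap(_kdf(master_password, salt), auto_pw),
            "check": hashlib.sha256(auto_pw).digest(),  # flags a wrong password
        },
    }

def unlock_secret_key(profile: dict, master_password: bytes = b"") -> bytes:
    """master password -> key4.db -> automatic password -> secret key."""
    db = profile["key4.db"]
    auto_pw = _xor_wrap(_kdf(master_password, db["salt"]), db["auto_pw_wrapped"])
    if not hmac.compare_digest(hashlib.sha256(auto_pw).digest(), db["check"]):
        raise ValueError("wrong master password")
    return _xor_wrap(_kdf(auto_pw, b"openpgp-keys"), profile["secring"])

def copied_profile_reveals_key(profile: dict) -> bool:
    """Defender's check: do the profile files alone (empty password) unlock the key?"""
    try:
        unlock_secret_key(profile, b"")
        return True
    except ValueError:
        return False
```

Without a master password the profile files carry everything needed to unwrap the key; with one, the copy yields only ciphertext until the master password is supplied.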
Only by setting a master password will the information in key4.db be protected. Using the OpenPGP secret keys will then require unlocking once per session by entering the master password, which unlocks key4.db; key4.db holds the information that is then used to unlock the automatic password and, through it, the keys.
How to set up a master password in Thunderbird
You can set up a master password in Thunderbird in the following way:
Note that it is essential that you remember the password as it unlocks access to your emails and other data stored in Thunderbird. You may want to consider using a password manager such as KeePass to save the master password.
There are other means of protection, e.g. by using full disk encryption to prevent local access to the key4.db file. An open source program like VeraCrypt can be used for that. It is easy to set up and can be used to encrypt the system disk and/or other drives or partitions.
The development team may introduce support for protecting OpenPGP keys using user-defined passwords instead of the single randomly generated password. A bug report has already been filed, but it is unclear whether the change will be implemented.
Thunderbird users who use the built-in OpenPGP functionality may want to enable master password functionality to protect Thunderbird data against unauthorized access. Mozilla should consider informing users about the fact during the initial setup or import.
Now You: Do you use Thunderbird and OpenPGP?