I Finally Set Up GPG

in privacy

And it was surprisingly easy.

The Discord Face ID debacle has reminded me that centralized platforms routinely abuse user privacy. I can empathize with the desire to protect underage users, but requiring facial identification is overreach. It’s especially insulting when Discord leaked some 70,000 government IDs in October 2025 under similar pretenses.

While my friends and I scour the web for an alternative place to call our digital home, I finally gathered enough motivation to finish setting up end-to-end encrypted email (via Thunderbird and GnuPG). If you’re curious about encrypted email, this post is for you.

Why encrypt email?

The first point to understand is that you don’t need a good reason to want encrypted email. Or encrypted anything, for that matter. FSF puts it nicely in their Email Self-Defense manual:

Bulk surveillance violates our fundamental rights and makes free speech risky. […] Even if you have nothing to hide, using encryption helps protect the privacy of people you communicate with, and makes life difficult for bulk surveillance systems.

I don’t have any particular need to send encrypted email. I do, however, believe that privacy is a fundamental right. Personal data should not be collected or monitored, no matter how innocuous. I want others who feel the same way to have an easy mechanism for communicating with me under those circumstances. In the realm of email, that’s PGP.1

Email has never been a great forum for private communication. The protocol was designed from the ground up around plaintext (that’s the 80s for you). Encryption that is added on top of email, like PGP, is going to have its share of problems.

The main problem is that PGP only works if both parties in the email chain are using it. To use PGP, you and your contacts generate public keys and exchange them. When you send one of your contacts an email, it’s encrypted using that contact’s public key. That email can then only be decrypted by that contact’s secret key, which is not shared. This aspect of key exchange means that email is only encrypted when parties share public keys; all other communication is plaintext.

Other problems with PGP are intrinsic to email. For example, it’s very possible for someone in an email chain to accidentally forward ciphertext as plaintext. PGP also only deals with encryption of message bodies; metadata like the subject or headers aren’t encrypted. There is still information to be gleaned from your emails even in an encrypted state.2

All this to say, encrypted communication is best done elsewhere (like Signal). But that’s not to say that encrypted email is completely worthless.3

Why GPG instead of Thunderbird’s default?

Thunderbird is my email client of choice and it supports end-to-end encryption with just a few configuration steps. By default, it uses OpenPGP. Keys created this way are managed by Thunderbird and the user doesn’t need to manage a separate tool (like GPG) to do anything.

The downside is a lack of functionality. With GPG, you can do a bunch of different things with your keys:

  • Signing git commits and tags (proving you contributed them)
  • Verifying software releases or downloads (e.g. checking a release’s signature against the maintainer’s public key)
  • Encrypting arbitrary files
  • Creating checksums

It’s only a couple of extra steps to set up your keys with GPG, so I think it’s worth the effort if you’re familiar with a terminal.

Gotchas for custom domains

All told, setting up GPG with Thunderbird is easy. Just follow FSF’s guide.

Well, easy if you don’t have a custom domain. If you’re like me and have multiple email aliases associated with a custom domain, it’s worth thinking through a few things before spending 30 minutes trying to figure out why Thunderbird won’t decrypt your emails.

First, make sure that you have your aliases configured as Thunderbird identities. Each identity has its own security options.

Second, decide if you want to have all of your email addresses attached to a single key (e.g. email aliases), or if you want separate keys for different addresses (e.g. different user personas). If you want all email addresses attached to the same public key, add each of them to the key as an additional user ID with gpg. Note that if you already exported your public key before adding the additional email addresses, you’ll have to re-export it: the exported key includes your user IDs, and so your email addresses.

With these two steps done, follow the steps in the FSF guide. The only difference is that you’ll configure settings through the “Manage Identities” tab, rather than your primary account settings.
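
To make the key-exchange model from the “Why encrypt email?” section and the multi-address step above concrete, here is a throwaway GnuPG walkthrough. It is an added example, not code from this post or from the FSF guide. It assumes GnuPG 2.1 or later is installed as gpg; the names, addresses and message are constructed placeholders, and everything runs in temporary keyrings so it never touches ~/.gnupg. The last step shows why an early export goes stale once you add a second address to the key.

```shell
#!/bin/sh
# Added walkthrough (not from the original post) of the PGP key-exchange model
# and of adding a second address (user ID) to one key for custom-domain aliases.
# Assumes GnuPG 2.1+ on PATH as `gpg`. Names, addresses and the message are
# constructed placeholders; all keyrings live under a mktemp directory.
set -eu

WORK="$(mktemp -d)"
ALICE="$WORK/alice"
BOB="$WORK/bob"
mkdir -p "$ALICE" "$BOB"
chmod 700 "$ALICE" "$BOB"
# Shut down the per-keyring agents and delete the keyrings on exit.
trap 'gpgconf --homedir "$ALICE" --kill gpg-agent 2>/dev/null || true;
      gpgconf --homedir "$BOB" --kill gpg-agent 2>/dev/null || true;
      rm -rf "$WORK"' EXIT

# g <homedir> <gpg args...>: run gpg non-interactively against one party's
# isolated keyring. Demo keys carry an empty passphrase; real keys should not.
g() {
  home="$1"; shift
  gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# count_uids <homedir> <addr>: how many user IDs (addresses) the party in
# <homedir> currently has on file for the key matching <addr>.
count_uids() {
  g "$1" --list-keys --with-colons "$2" | grep -c '^uid:'
}

# 1. Each party generates a key pair in their own keyring.
g "$ALICE" --quick-gen-key 'Alice <alice@example.com>' default default never
g "$BOB"   --quick-gen-key 'Bob <bob@example.com>'     default default never

# 2. Public keys are exported (ASCII-armored, safe to mail) and exchanged.
g "$ALICE" --armor --export alice@example.com > "$WORK/alice.pub"
g "$BOB"   --armor --export bob@example.com   > "$WORK/bob.pub"
g "$ALICE" --import "$WORK/bob.pub"
g "$BOB"   --import "$WORK/alice.pub"

# 3. Alice encrypts to Bob's public key. --trust-model always skips the
#    web-of-trust check; in real use you would verify Bob's fingerprint first.
printf 'meet at noon' > "$WORK/msg.txt"
g "$ALICE" --trust-model always --encrypt --recipient bob@example.com \
   --output "$WORK/msg.gpg" "$WORK/msg.txt"

# 4. Only Bob's secret key can decrypt; Alice, who produced the ciphertext,
#    cannot read it back (gpg exits non-zero with "No secret key").
DECRYPTED="$(g "$BOB" --decrypt "$WORK/msg.gpg" 2>/dev/null)"
if g "$ALICE" --decrypt "$WORK/msg.gpg" >/dev/null 2>&1; then
  ALICE_CAN_DECRYPT=yes
else
  ALICE_CAN_DECRYPT=no
fi

# 5. Custom-domain aliases: Alice adds a second address as another user ID on
#    the same key. Bob still holds the earlier export (one address) until she
#    re-exports and he re-imports, which is why an early export goes stale.
UIDS_BEFORE="$(count_uids "$BOB" alice@example.com)"
g "$ALICE" --quick-add-uid alice@example.com 'Alice <alice@alias.example.com>'
g "$ALICE" --armor --export alice@example.com > "$WORK/alice.pub"
g "$BOB"   --import "$WORK/alice.pub"
UIDS_AFTER="$(count_uids "$BOB" alice@example.com)"

echo "decrypted by Bob:        $DECRYPTED"
echo "Alice can decrypt:       $ALICE_CAN_DECRYPT"
echo "Alice UIDs seen by Bob:  $UIDS_BEFORE -> $UIDS_AFTER"
```

Run it as-is; it prints the plaintext recovered by Bob, confirms Alice cannot decrypt her own ciphertext, and shows Bob’s copy of Alice’s key going from one address to two only after the re-export. The same `--quick-add-uid` step is what you would run on your real key (without the empty passphrase) before handing the re-exported public key to Thunderbird or a contact.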

Signed commits

With GPG configured for Thunderbird, I figured I may as well start signing my commits. It’s only a couple of extra steps: upload a public key to GitHub and make these alterations to your .gitconfig (although gpgsign=true is optional if you don’t always want to sign commits):

[user]
	name = Your Name
	email = you@example.com
	signingkey = key-id

[commit]
	gpgsign = true

[gpg]
	program = gpg
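
The following is an added example, not code from this post, that exercises exactly the settings above on a throwaway key and repository: it generates a key, applies the same five values with `git config` (repo-scoped rather than in ~/.gitconfig), makes one signed and one unsigned commit, and checks what git reports for each. It assumes git and GnuPG 2.1 or later are installed; the name, address and key are constructed placeholders and nothing touches your real keyring or config.

```shell
#!/bin/sh
# Added example (not from the original post): sign a commit with a throwaway
# GnuPG key using the same settings as the .gitconfig above, then verify it.
# Assumes git and GnuPG 2.1+ are installed; name, address and key are
# constructed placeholders, kept in a temporary GNUPGHOME and repo.
set -eu

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Demo key with an empty passphrase so git can sign without a pinentry prompt.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Your Name <you@example.com>' default default never

# The "key-id" for signingkey: use the full fingerprint (field 10 of the fpr:
# record), which is unambiguous where short key IDs can collide.
KEY_ID="$(gpg --batch --list-secret-keys --with-colons | awk -F: '/^fpr:/ {print $10; exit}')"

REPO="$WORK/repo"
git init -q "$REPO"
cd "$REPO"
# Same five settings as the .gitconfig above, scoped to this repo only.
git config user.name 'Your Name'
git config user.email 'you@example.com'
git config user.signingkey "$KEY_ID"
git config commit.gpgsign true
git config gpg.program gpg

printf 'hello\n' > README
git add README
git commit -q -m 'Signed commit'          # gpgsign=true, so no -S needed
# %G? is git's signature status letter: G = good, U = good but untrusted key,
# B = bad, N = no signature.
SIGNED_STATUS="$(git log -1 --format='%G?' HEAD)"

# verify-commit exits 0 only when the signature checks out against a key in
# the keyring; this is what a reviewer or CI job would run.
if git verify-commit HEAD >/dev/null 2>&1; then VERIFY_RESULT=valid; else VERIFY_RESULT=invalid; fi

# An unsigned commit, as would appear if gpgsign were left off.
git -c commit.gpgsign=false commit -q --allow-empty -m 'Unsigned commit'
UNSIGNED_STATUS="$(git log -1 --format='%G?' HEAD)"

echo "signed commit status:   $SIGNED_STATUS ($VERIFY_RESULT)"
echo "unsigned commit status: $UNSIGNED_STATUS"
```

`git log --show-signature` gives the long form of the same check, and `git log --format='%G? %h %s'` is a quick way to audit a branch for commits that were never signed.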

Voilà! Encrypted email and verified commits.

Footnotes

  1. The acronyms GPG and PGP are annoyingly similar. GPG stands for GnuPG, the program I use to encrypt emails. PGP stands for Pretty Good Privacy, the general standard (e.g. OpenPGP).

  2. Although Thunderbird (and presumably other email clients) can encrypt subjects in non-standard ways.

  3. Notably Proton Mail uses PGP. It works slightly differently than a manual PGP configuration, since Proton will also encrypt incoming mail on their server without storing the plaintext. Emails encrypted this way use the same PGP secret, so they’re inaccessible to Proton. But then again, Proton manages your private key.