I Finally Set Up GPG

in privacy

And it was surprisingly easy.

The Discord Face ID debacle has reminded me that centralized platforms routinely abuse user privacy. I can empathize with the desire to protect underage users, but requiring facial identification is overreach. It’s especially insulting when Discord leaked some 70,000 government IDs in October 2025 under similar pretenses.

While my friends and I scour the web for an alternative place to call our digital home, I finally gathered enough motivation to finish setting up end-to-end encrypted email (via Thunderbird and GnuPG). If you’re curious about encrypted email, this post is for you.

Why encrypt email?

The first point to understand is that you don’t need a good reason to want encrypted email. Or encrypted anything, for that matter. FSF puts it nicely in their Email Self-Defense manual:

Bulk surveillance violates our fundamental rights and makes free speech risky. […] Even if you have nothing to hide, using encryption helps protect the privacy of people you communicate with, and makes life difficult for bulk surveillance systems.

I don’t have any particular need to send encrypted email. I do, however, believe that privacy is a fundamental right. Personal data should not be collected or monitored, no matter how innocuous. I want others who feel the same way to have an easy mechanism for communicating with me under those circumstances. In the realm of email, that’s PGP.1

Email has never been a great forum for private communication. The protocol was designed from the ground up around plaintext (that’s the 80s for you). Encryption that is added on top of email, like PGP, is going to have its share of problems.

The main problem is that PGP only works if both parties in the email chain are using it. To use PGP, you and your contacts generate public keys and exchange them. When you send one of your contacts an email, it’s encrypted using that contact’s public key. That email can then only be decrypted by that contact’s secret key, which is not shared. This aspect of key exchange means that email is only encrypted when parties share public keys; all other communication is plaintext.

Other problems with PGP are intrinsic to email. For example, it’s very possible for someone in an email chain to accidentally forward ciphertext as plaintext. PGP also only deals with encryption of message bodies; metadata like the subject or headers isn’t encrypted. There is still information to be gleaned from your emails even in an encrypted state.2

All this to say, encrypted communication is best done elsewhere (like Signal). But that’s not to say that encrypted email is completely worthless.3

Why GPG instead of Thunderbird’s default?

Thunderbird is my email client of choice and it supports end-to-end (E2E) encryption with just a few configuration steps. By default, it uses OpenPGP. Keys created this way are managed by Thunderbird and don’t require a separate tool (like GPG) for use.

The downside to this approach is that the keys stay locked inside Thunderbird, whereas a key pair managed by GPG is useful for more than email encryption. After generating a key pair, GPG can:

  • Sign git commits and tags
  • Verify software releases or downloads (e.g. checking their signatures)
  • Encrypt arbitrary files
  • Create checksums

GPG is a Swiss Army knife of cryptographic software, for good and for bad. Its utility comes with a dense manual and lots of complicated configuration options. For me, this means an exciting place to learn a bunch of new stuff.

Custom domain gotchas

All told, setting up GPG with Thunderbird is easy. Just follow FSF’s guide.

Well, easy if you don’t have a custom domain. If you’re like me and have multiple email aliases associated with a custom domain, it’s worth thinking through a few things before spending 30 minutes trying to figure out why Thunderbird won’t decrypt your emails.

First, make sure that you have your aliases configured as Thunderbird identities. Each identity has its own security options.

Second, decide if you want to have all of your email addresses attached to a single key (e.g. email aliases), or if you want a separate key for each address (e.g. different user personas).

If you want all email addresses to be associated with the same key, you need to edit your key and add each address as a new “uid”. Note that the public key includes your email addresses, so if you already exported your public key before adding the additional addresses, you’ll have to re-export it.

gpg --edit-key key-id

gpg> adduid
# ...fill out fields
gpg> save

If you want a separate key for each identity, you’ll need to run gpg --full-generate-key once for each address.

With your Thunderbird identities configured and GPG updated with each of your email addresses, you’re now ready to follow the steps in the FSF guide. The only difference is that you’ll configure E2E settings through the “Manage Identities” tab, editing each identity individually rather than the primary account settings.

Signed commits

Since I went through the effort of configuring E2E encryption for Thunderbird, I figured I may as well use my GPG key to sign commits on GitHub. It’s only a couple of extra steps:

  1. Upload a public key to GitHub
  2. Add a signingkey to .gitconfig

Doing so proves that signed commits are authored by me (authentication) and that their content hasn’t changed since they were signed (integrity).

Here’s a .gitconfig that signs commits automatically. Replace key-id and [email protected] to match your GPG key:

[user]
	name = Your Name
	email = [email protected]
	signingkey = key-id

[commit]
	gpgsign = true

[gpg]
	program = gpg

Voilà! Encrypted email and verified commits.
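As an added example that is not part of the original post, the script below runs through both the alias-on-one-key setup and the commit-signing setup end to end in a throwaway keyring: it generates a key, adds a second address as a uid (the non-interactive form of the adduid step), exports the public key to show that the uids travel with it, and then signs and verifies a commit using the same settings as the .gitconfig above. It assumes GnuPG 2.1 or newer and git are installed; the names and addresses are constructed.

```shell
#!/bin/sh
# Added example (not the post's own code). Everything happens in a temporary
# GNUPGHOME and a scratch git repository, so your real ~/.gnupg is untouched.
set -eu

PRIMARY="Alice Example <alice@example.com>"   # constructed primary identity
ALIAS="Alice Example <hello@example.com>"     # constructed alias identity
export GNUPGHOME
GNUPGHOME=$(mktemp -d)                        # throwaway keyring
trap 'gpgconf --kill gpg-agent 2>/dev/null || true' EXIT

# Generates a passphrase-less key for PRIMARY, adds ALIAS as a second uid
# (what "gpg> adduid" does interactively) and prints the key fingerprint.
make_key_with_alias() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$PRIMARY" default default never 2>/dev/null
  fpr=$(gpg --batch --with-colons --list-keys alice@example.com \
        | awk -F: '/^fpr:/ { print $10; exit }')
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-add-uid "$fpr" "$ALIAS" 2>/dev/null
  echo "$fpr"
}

# Exports the public key and imports it into a second, empty keyring, then
# counts the uids a recipient would see: this is why a key exported before
# adduid has to be exported again.
count_exported_uids() {
  tmp=$(mktemp -d)
  gpg --batch --armor --export "$1" > "$tmp/pub.asc"
  GNUPGHOME="$tmp" gpg --batch --quiet --import "$tmp/pub.asc" 2>/dev/null
  GNUPGHOME="$tmp" gpg --batch --with-colons --list-keys | grep -c '^uid:'
}

# Signs one commit with the same settings as the .gitconfig (user.signingkey,
# commit.gpgsign, gpg.program) and verifies it; exit status 0 = good signature.
sign_and_verify_commit() {
  repo=$(mktemp -d)
  git -C "$repo" -c init.defaultBranch=main init -q
  git -C "$repo" -c user.name="Alice Example" -c user.email="alice@example.com" \
      -c user.signingkey="$1" -c commit.gpgsign=true -c gpg.program=gpg \
      commit -q --allow-empty -m "signed test commit"
  git -C "$repo" verify-commit HEAD 2>/dev/null
}

if [ "${1:-}" = "run" ]; then
  FPR=$(make_key_with_alias)
  echo "uids in exported key: $(count_exported_uids "$FPR")"
  sign_and_verify_commit "$FPR" && echo "commit signature verified"
fi
```

Run it as `sh demo.sh run`; the uid count printed is 2, one per address, and a key exported before the adduid step would carry only one.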

Footnotes

  1. The acronyms GPG and PGP are annoyingly similar. GPG stands for GnuPG, the program I use to encrypt emails. PGP stands for Pretty Good Privacy, the general standard (e.g. OpenPGP).

  2. Although Thunderbird (and presumably other email clients) can encrypt subjects in non-standard ways.

  3. Notably Proton Mail uses PGP. It works slightly differently than a manual PGP configuration, since Proton will also encrypt incoming mail on their server without storing the plaintext. Emails encrypted this way use the same PGP secret, so they’re inaccessible to Proton. But then again, Proton manages your private key.