How to use Yubikey or any GPG smartcard in Thunderbird 78

Thunderbird is the free and open source email client by Mozilla Foundation. I have been using it for some years now. Till now the Thunderbird users had to use an extension Enigmail to use GnuPG. Thunderbird 78 now uses a different implementation of OpenPGP called RNP.

Since RNP library still does not support the use of secret key on smartcards, to use Yubikey or any other GnuPG enabled smartcards, we need manually configure Thunderbird with GnuPG. The steps as said are the following :

Install GPGME

dnf install GPGME

GPGME, GnuPG Made Easy library makes the GnuPG easily accessible by providing a high level crypto API for encrypt, decrypt, sign, verify and key management. I already have GnuPG installed in my Fedora 33 machine and my Yubikey ready.

Modify Thunderbird configuration

Go to the Preferences menu then click on the config editor button at the very end.


Click on the I accept the risk.


Search for mail.openpgp.allow_external_gnupg and switch to true.


Remember to restart the Thunderbird after that.

Configure the secret key usage form Yubikey

Now go to the Account Settings and then go to the End-To-End-Encryption at the sidebar. Select the Use your external key through GnuPG(e.g. from a smartcard) option and click on continue.


Type your Secret Key ID in the box and click on Save key ID.


Now open the OpenPGP Key Manager and import your public key and then verify.


Now you can start using your hardware token in Thunderbird.

In this case we have to use 2 keyrings - GnuPG and RNP’s keyring (internal in Thunderbird). This is an extra step, which I hope in future can be avoided.

Show Comments