Step 2.a Make a keypair
The Enigmail Setup wizard may start automatically. If it doesn't, select Enigmail → Setup Wizard from your email program's menu. You don't need to read the text in the window that pops up unless you'd like to, but it's good to read the text on the later screens of the wizard. Click Next with the default options selected, except in these instances, which are listed in the order they appear:
- On the screen titled "Encryption," select "Encrypt all of my messages by default, because privacy is critical to me."
- On the screen titled "Signing," select "Don't sign my messages by default."
- On the screen titled "Key Selection," select "I want to create a new key pair for signing and encrypting my email."
- On the screen titled "Create Key," pick a strong password! You can do it manually, or you can use the Diceware method. Doing it manually is faster but not as secure. Using Diceware takes longer and requires dice, but creates a password that is much harder for attackers figure out. To use it, read the section "Make a secure passphrase with Diceware" in this article by Micah Lee.
If you'd like to pick a password manually, come up with something you can remember which is at least twelve characters long, and includes at least one lower case and upper case letter and at least one number or punctuation symbol. Never pick a password you've used elsewhere. Don't use any recognizable patterns, such as birthdays, telephone numbers, pets' names, song lyrics, quotes from books, and so on.
The program will take a little while to finish the next step, the "Key Creation" screen. While you wait, do something else with your computer, like watching a movie or browsing the Web. The more you use the computer at this point, the faster the key creation will go.
When the "Key Generation Completed" screen pops up, select Generate Certificate and choose to save it in a safe place on your computer (we recommend making a folder called "Revocation Certificate" in your home folder and keeping it there). This step is essential for your email self-defense, as you'll learn more about in Section 5.
- I can't find the Enigmail menu.
- In many new email programs, the main menu is represented by an image of three stacked horizontal bars. Enigmail may be inside a section called Tools.
- More resources
- If you're having trouble with our instructions or just want to learn more, check out Enigmail's wiki instructions for key generation.
- My email looks weird
- Enigmail doesn't tend to play nice with HTML, which is used to format emails, so it may disable your HTML formatting automatically. To send an HTML-formatted email without encryption or a signature, hold down the Shift key when you select compose. You can then write an email as if Enigmail wasn't there.
- Don't see a solution to your problem?
- Please let us know on the feedback page.
- Command line key generation
- If you prefer using the command line for a higher degree of control, you can follow the documentation from The GNU Privacy Handbook. Make sure you stick with "RSA and RSA" (the default), because it's newer and more secure than the algorithms the documentation recommends. Also make sure your key is at least 2048 bits, or 4096 if you want to be extra secure.
- Advanced key pairs
- When GnuPG creates a new keypair, it compartmentalizes the encryption function from the signing function through subkeys. If you use subkeys carefully, you can keep your GnuPG identity much more secure and recover from a compromised key much more quickly. Alex Cabal and the Debian wiki provide good guides for setting up a secure subkey configuration.