Nitrokey 3: GPG and emails

One well-known use of PGP is to encrypt emails. This is not a perfect solution, as metadata (sender, recipient, headers…) and the email’s subject are usually not encrypted. For those, you should at least make sure that emails are transferred over TLS between servers (under GDPR, doing otherwise is illegal for companies if you are a European Union citizen…).

Encryption and signing happen in the sender’s email client; decryption and signature verification happen in the recipient’s email client.


Until recently, Thunderbird didn’t have native support for PGP and required the Enigmail extension. Since Thunderbird 78, no extension is needed, but support for smart cards is not activated by default. Thunderbird’s wiki has documentation for using OpenPGP smart cards.

Go to “Settings” → “General” → “Config Editor…” (at the bottom). Search for mail.openpgp.allow_external_gnupg and set it to true.

Go to your account in “Account Settings” → “End-To-End Encryption” → “Add Key…” → “Use your external key through GnuPG”. Enter the key id (the last 16 characters of the fingerprint: 0123456789ABCDEF).

Thunderbird will use GnuPG only for operations requiring the private key. This means Thunderbird has its own public key keyring (holding your own public key and the public keys of the people you exchange emails with) and does not use your GnuPG trusted keyring. So your public key also needs to be added to Thunderbird: open the “OpenPGP Key Manager” → “File” → “Import Public Key(s) From File…”, then select the file containing your public key.

The first use of the Nitrokey smart card will require unlocking it. After some tests I would say the main issue for me is that it’s quite slow to open encrypted emails (a few seconds instead of being immediate).

Doing sudo lsusb -vvv, the Nitrokey’s ChipCard Interface Descriptor shows a dwDataRate and a dwMaxDataRate at 9600 b/s. I hope that’s not true and that the key can go faster than that for PGP operations.


For people using webmails, Mailvelope is a browser extension that integrates PGP encryption into various webmails.

Getting Mailvelope to talk to GnuPG is a bit tricky (I’m on a Debian-based operating system). The first step in the official Mailvelope installation manual is to install gpgme, without much information. I have gpgme installed, but what Mailvelope requires is the gpgme-json binary, which isn’t packaged in Debian yet.

The solution so far is to retrieve gpgme’s source code and compile it:

$ git clone
$ cd gpgme/
$ ./
$ ./configure
$ make
$ sudo make install

Then there’s an extra file to create to authorize the extension to talk to gpgme-json. But first we need to find where it has been installed. Running whereis gpgme-json says that, on my machine, it’s installed in /usr/local/bin/gpgme-json.

Then create the file /usr/lib/mozilla/native-messaging-hosts/gpgmejson.json for Firefox (see the documentation for Chrome’s equivalent) with the path to gpgme-json:

{
  "name": "gpgmejson",
  "description": "JavaScript binding for GnuPG",
  "path": "/usr/local/bin/gpgme-json",
  "type": "stdio",
  "allowed_extensions": ["jid1-AQqSMBYb0a8ADg@jetpack"]
}
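
A check of the manifest described above, as an added example that is not part of the original post or of Mailvelope: it verifies that the file name matches the name field, that the host path is absolute and executable, that the Mailvelope extension id is allowed, and that neither file is writable by group or others (the browser launches the host with your privileges). The function name check_manifest and its messages are hypothetical, chosen for this example.

```python
import json, os, re, stat, sys
from pathlib import Path

MAILVELOPE_ID = "jid1-AQqSMBYb0a8ADg@jetpack"  # extension id used in the manifest above

def check_manifest(manifest_path, extension_id=MAILVELOPE_ID):
    """Return a list of problems found in a Firefox native-messaging manifest."""
    p = Path(manifest_path)
    try:
        data = json.loads(p.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return [f"cannot read manifest as JSON: {exc}"]
    if not isinstance(data, dict):
        return ["manifest must be a JSON object"]
    problems = []
    name = data.get("name")
    if not isinstance(name, str) or not re.fullmatch(r"\w+(\.\w+)*", name):
        problems.append("name is missing or malformed")
    elif p.name != name + ".json":
        problems.append(f"file must be named {name}.json")
    if data.get("type") != "stdio":
        problems.append('type must be "stdio"')
    allowed = data.get("allowed_extensions")
    if not isinstance(allowed, list) or extension_id not in allowed:
        problems.append(f"{extension_id} is not in allowed_extensions")
    host = data.get("path")
    if not isinstance(host, str) or not os.path.isabs(host):
        problems.append("path must be an absolute path")
    elif not (os.path.isfile(host) and os.access(host, os.X_OK)):
        problems.append(f"{host} is not an executable file")
    else:
        # The browser executes this binary as the current user, so neither the
        # binary nor the manifest pointing at it should be writable by others.
        for f in (host, str(p)):
            if os.stat(f).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append(f"{f} is writable by group or others")
    return problems

if __name__ == "__main__":
    # Default to the Firefox manifest location used in this post.
    default = "/usr/lib/mozilla/native-messaging-hosts/gpgmejson.json"
    target = sys.argv[1] if len(sys.argv) > 1 else default
    for line in check_manifest(target) or ["manifest looks consistent"]:
        print(line)
```

An empty list means the manifest is consistent with what Firefox expects; it does not prove that gpgme-json itself works.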

Now going to Mailvelope “Options” → “General” → “OpenPGP Preferences”, “GnuPG” should be selected instead of “OpenPGP.js”.

In “Options” → “Authorized Domains” you should check that the webmails you are using are listed. Otherwise, add them yourself.

I tried it on the Nextcloud Mail App; it seems to work fine.

Mobile clients

So far, none of the few email clients I had a look at on Android and iOS support using an OpenPGP smart card 🙁.

The OpenPGP website has a list of OpenPGP compatible software programs.
