Thunderbird Profile Encryption


Is there any way to encrypt my Mozilla Thunderbird profile (stored emails and such) to protect them with a password?

Solutions such as using Windows encryption or TrueCrypt won't work because I only want to encrypt the contents of the file, not use file system-specific features.

Thank you!

Best Answer

With TrueCrypt:

  1. Create a new file-based container.
    1. In the main window, Create volume
    2. Create an encrypted file container → Standard volume
    3. Select where you want to store it. (I have an AppData.tc in my user directory.)
    4. Accept the default encryption algorithm.
    5. Select how big you want the volume to be.
    6. Enter a password, or pick a key file, or both.
    7. Format the volume. (I personally choose NTFS as filesystem, for some reliability.)
      • Even though file-based, the container still has a standard filesystem.
      • The Linux term is "loop mounting".
    8. Click Exit.
  2. In the main TrueCrypt window, open the freshly-created volume.
    1. Use Select File
    2. Pick an empty drive letter from the big list
    3. Click Mount
    4. You can make this step mostly-automatic through Favourites → Add Mounted Volume to Favourites.
  3. Move your Thunderbird profile.
    1. Copy the current profile from your AppData folder to the drive you chose in 2.2
      • Usually it is in %APPDATA%\Thunderbird\Profiles and has a name similar to mbqbp1tq.default
      • After copying, rename to Thunderbird profile or something, to avoid confusion later.
    2. Securely wipe the old profile.
      • I used to like Eraser, until it received a complete rewrite and became inconvenient to use "but it's .NET now!"
      • Now I stick with sdelete.
    3. Tell Thunderbird about the new location. It's kept in %APPDATA%\Thunderbird\Profiles.ini, but there's an easier way to update it:
      1. Start → Run → enter thunderbird -profilemanager
      2. Delete your current profile. Click Don't delete files; you already nuked them in step 3.2.
      3. Click Create Profile, enter any name (such as default), and click Choose Folder.
      4. Pick the location of your encrypted profile from step 3.1.
  4. Start Thunderbird.

If you decide you do not like TrueCrypt, there is FreeOTFE, which works in mostly the same way.


With Windows' built-in Encrypting File System: Not to be confused with BitLocker.

You mentioned that you do not want to use filesystem-specific features, but they can be useful at times.

  1. Browse to your Thunderbird settings folder. Usually %APPDATA%\Thunderbird.
  2. Right-click on Profiles, choose Properties.
  3. Advanced → Encrypt contents → OK → OK
  4. Start Thunderbird.
  5. Back up the encryption key. You only need to do it once for your Windows account.
    1. Start → Run → certmgr.msc
    2. Personal → Certificates
    3. Find the one with "Encrypting File System" in its "Intended Purposes" column.
    4. Right-click, All tasks → Export
    5. Click Yes, export the private key
    6. Enter the encryption password for the exported key, and choose where to put it.
  6. Oh, one more thing. You have to somehow wipe the old, unencrypted data. I use cipher /w:C: to wipe all unused space, but even one pass takes a long time...

The downside - EFS is only available in Windows * Professional and up.


From a comment:

The only other way (besides transparent encryption, as above) is to build crypto capabilities into Thunderbird itself. And considering the complexity of the program, it is not a solution.
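
The profiles.ini change behind step 3.3 of the TrueCrypt procedure, plus a check that no profile is still stored outside the mounted volume, as an added example that is not part of the original answer. The drive letter T: and the sample file contents are constructed, and the handling of [Install...] sections is an assumption about newer Thunderbird builds.

```python
import configparser
import io
from pathlib import PureWindowsPath

# Constructed sample of %APPDATA%\Thunderbird\profiles.ini (not taken from the page).
SAMPLE_INI = """\
[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/mbqbp1tq.default
Default=1
"""

def _parse(ini_text):
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep key case (Name, Path, IsRelative) unchanged
    cp.read_string(ini_text)
    return cp

def repoint_profile(ini_text, name, new_path):
    """Return profiles.ini text with profile `name` set to the absolute `new_path`."""
    cp = _parse(ini_text)
    hits = [s for s in cp.sections()
            if s.startswith("Profile") and cp.get(s, "Name", fallback=None) == name]
    if len(hits) != 1:
        raise KeyError(f"expected exactly one profile named {name!r}, found {len(hits)}")
    old_path = cp.get(hits[0], "Path")
    cp.set(hits[0], "Path", new_path)
    cp.set(hits[0], "IsRelative", "0")  # 0: Path is absolute, not relative to profiles.ini
    # Assumption: builds that add [Install...] sections store the profile path in Default=.
    for s in cp.sections():
        if s.startswith("Install") and cp.get(s, "Default", fallback=None) == old_path:
            cp.set(s, "Default", new_path)
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)
    return out.getvalue()

def profiles_outside_volume(ini_text, volume_root):
    """Names of profiles still stored outside `volume_root`, i.e. not on the encrypted drive."""
    cp, root, outside = _parse(ini_text), PureWindowsPath(volume_root), []
    for s in cp.sections():
        if not s.startswith("Profile"):
            continue
        path = PureWindowsPath(cp.get(s, "Path"))
        relative = cp.get(s, "IsRelative", fallback="1") == "1"  # relative = under %APPDATA%
        if relative or not (path == root or root in path.parents):
            outside.append(cp.get(s, "Name"))
    return outside
```

Run it against a copy of the file with Thunderbird closed, and only while the volume is mounted; the old profile directory still has to be wiped as in step 3.2.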
