Why this stack
- Thunderbird: full-featured OSS email client with built-in OpenPGP.
- Mailvelope: browser extension to encrypt/decrypt inside webmail UIs.
- You control keys: generate, store, and back them up locally.
Set up in Thunderbird (simplest)
- Add your mail account → End-to-End Encryption → Generate New Key.
- Export your public key to share; keep the private key offline/backed up.
- To mail someone privately: import their public key → compose → click the lock to encrypt/sign.
Thunderbird handles OpenPGP natively—no extra add-ons needed.
Webmail route (Mailvelope)
- Install Mailvelope (Firefox/Chromium) → generate/import keys.
- Open your webmail → compose → use the Mailvelope editor to encrypt.
Great for people who live in webmail but want real crypto.
Good hygiene
- Use Ed25519 or RSA 3072+; set a reasonable expiry and rotate keys over time.
- Share public keys via multiple channels; verify fingerprints out-of-band.
- Back up private keys + revocation cert to offline storage.
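
Two of the hygiene checks above, key algorithm/size and out-of-band fingerprint verification, can be run against an exported public key file. The Python below is an added example, not code from this page, Thunderbird or Mailvelope; the function names are hypothetical, the sample key is a constructed packet with a dummy public point, and only v4 keys are handled.

```python
import base64, hashlib, struct

ED25519_OID = bytes.fromhex("2b06010401da470f01")  # 1.3.6.1.4.1.11591.15.1

def dearmor(text):
    """Return the binary packets inside an ASCII-armored OpenPGP block."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]  # skip armor headers and the END line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def primary_key_body(data):
    """Return the body of the leading Public-Key packet (tag 6)."""
    first, l0 = data[0], data[1]
    new = bool(first & 0x40)  # bit 6 selects the new packet header format
    tag = first & 0x3F if new else (first >> 2) & 0x0F
    if tag != 6 or (new and l0 >= 224) or (not new and first & 3 == 3):
        raise ValueError("expected a Public-Key packet, supported length encoding")
    if new:  # new format: one- or two-octet length
        start = 2 if l0 < 192 else 3
        length = l0 if l0 < 192 else ((l0 - 192) << 8) + data[2] + 192
    else:  # old format: 1, 2 or 4 length octets
        start = 1 + (1 << (first & 3))
        length = int.from_bytes(data[1:start], "big")
    return data[start:start + length]

def inspect_key(body):
    """Return (fingerprint, description, meets_policy) for a v4 public key."""
    version, _created, algo = struct.unpack(">BIB", body[:6])
    if version != 4:
        raise ValueError("only v4 keys are handled here")
    # v4 fingerprint: SHA-1 over 0x99, two-octet body length, then the body
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    if algo == 1:  # RSA: the first MPI is the modulus, prefixed by its bit count
        bits = int.from_bytes(body[6:8], "big")
        return fpr, f"RSA {bits}", bits >= 3072
    if algo == 22:  # EdDSA: a length-prefixed curve OID follows
        return fpr, "EdDSA", body[7:7 + body[6]] == ED25519_OID
    return fpr, f"algorithm {algo}", False

def fingerprints_match(computed, out_of_band):
    """Compare with a fingerprint read over another channel; full length only."""
    norm = "".join(out_of_band.split()).upper()
    return len(norm) == 40 and norm == computed

# Constructed sample: v4 EdDSA key packet with a dummy all-0x11 public point
SAMPLE_BODY = (struct.pack(">BIB", 4, 1700000000, 22) + bytes([9]) + ED25519_OID
               + struct.pack(">H", 263) + b"\x40" + b"\x11" * 32)
SAMPLE_ARMORED = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n-----END PGP PUBLIC KEY BLOCK-----\n" % (
    base64.b64encode(b"\x98\x33" + SAMPLE_BODY).decode())
```

`fingerprints_match` rejects short key IDs on purpose: only the full 40-hex-digit fingerprint, obtained over a channel other than the one that delivered the key, counts as verification.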