How to transfer - and 'confirm' - a key from Thunderbird?

Hi all

I am trying to get K9 to use an encryption setup that I have on my computers. I use that setup with an email account that I use on Thunderbird - Thunderbird on Windows and on Linux. In Windows, and using Thunderbird 102 (on Linux I am on a slightly earlier version of Thunderbird), I exported the key (or is it pair of keys?) that is associated with the relevant email account. I transferred the resulting single file to the phone. I told K9, via ‘OpenKeyChain’, to import the key. It did, but it said it (or something to do with it) was ‘unconfirmed’ and needed confirming . . via QR code or fingerprint. That left me stumped.

I looked at this thread but, at least given my limited knowledge, it shed little light.

Mmh, this is actually not a question for the K-9 forum as it is a question on fundamentals of GnuPG encryption…

Have you tried Google? One of the first result on key verification and trust is Validating other keys on your public keyring

tchara: thanks for your reply.

This is a question for the K-9 forum, even aside from the recent merger between K-9 and Thunderbird. Here is why. K-9 offers to import and use the sort of keys at issue.

Key management and Encryption is completely done by OpenKeyChain App - so K9 does use it for encryption.

Did you already check there, eg at

Thanks. I have, now, looked at those FAQ. Insofar as I understand relevant material therein, that material is telling me that I need to use OpenKeychain to create a key and then use that key to ‘confirm’ my imported key. Yet, as I reported, OpenKeychain seems to require me to confirm my imported key via . . QR code or fingerprint - and, thus, not via some other key.

As mentioned, this is a core aspect of key trust…

When you confirm a key (i.e. sign it with your key), you tell others that they can trust that key if they trust you. Thus, you should only verify other keys if you yourself trust them.

Often, this is simply conducted through Key Signing Parties (KSP). Everybody brings their IDs (dirver’s licence, national ID card, etc.pp.) as well as the fingerprint of their key. When presenting their key to you, you can verify the fingerprint and match the name to the information on the ID. If everything is OK, you sign the key with your key. And everybody does this for everybody else during a KSP. That way, a group of people verify in person the keys presented at the KSP.

The QR codes help make KSPs easier. You don’t need to manually check the fingerprint and key itself. Once you establish trust through the ID, you can scan the QR code and then validate the key.

Of course, you can just verify a key without checking the validity and the identity of the presenter, but I strongly urge you not to do that.

@LaPaTa: From your description it sounds like you’re not copying the secret/private key from your computer to your Android device, only the public key. Please make sure to follow these instructions: What is the best way to transfer my own key to OpenKeychain?

Edit: If you’re using Thunderbird’s built-in OpenPGP support, open the “OpenPGP Key Manager”, select your own key, then select “Backup Secret Key(s) To File” from the “File” menu.

1 Like

I made some progress. First, I discovered - or rediscovered - that OpenKeychain had a somewhat buried option to confirm not by QR code by fingerprint. And it dawned on me that the fingerprint at issue here is not one created by one’s finger. I managed to use the ‘fingerprint’ to ‘confirm’ my imported key - but only after I had created a key - or was it an ‘identity’? - on my phone. But now, when I try on the phone to decrypt a message, K9 tells me that I need to ‘import’ a key in order to . . use my key. Or something. No wonder people say that a problem with email encryption is that it is too hard to setup.

See @cketti’s answer. You need to import your private key.

People encrypt messages for you with your public key. You decrypt with your private key.

Vice versa when you send a message: You sign with your private key, the recipient verifies with your public key.