Tempests email guide -> Whonix wiki

No problem & thanks!

I think the KeePassX stuff is fine, since we note it is optional. We should just add a sentence somewhere re: any PW manager can be used.

It’s all tempest’s hard work that we’ve copied. I’ve got to test it from start to finish myself. Looks like the v3 is working perfectly for tempest with cadamail. I’ll try both v2 and v3 for completeness.


Further edits

I’ve uploaded 94 screenshots and linked them in the relevant sections & done further edits ->


So apart from final minor edits (e.g. figure titles/spacing perhaps) and test from start to finish, it is ready for publication.

@torjunkie thank you for all the work. when i do the updated images for cadamail, i will let you know.

1 Like

OK - thanks. Hope to have this published soon after I give it a test.

excellent. give me a little time. work is a little rough right now. but, i expect i can have this amended for cadamail in the next 2 weeks.

1 Like

No problem. Just edit the text if you like and upload a couple of changed pics for cadamail when you’re ready.

ok. changes should be minimal. more images than text. i did create a “tempest” wiki account. i’ll let you know if i have any issues.

1 Like

Patrick asked us to footnote/justify the following in the wiki entry:

Some footnotes for justification required:

--torbirdy from web rather than Debian package
–display-charset utf-8

I gather the TorBirdy version is much later than what is available from Debian. It isn’t clear to me why the charset and keyserver options are modified? If you let me know, I’ll footnote it.

without the modifications, enigmail cannot fetch gpg keys because torbirdy points to a local proxy running on port 8118. yet, no such proxy is running in the whonix workstation. the modifications of the “–display-charset” and “–keyserver-options” lines allow for the fetching or uploading of gpg keys with engimail and thunderbird.

edit: actually, good news. it appears that version 0.2.4, which is the latest version, no longer requires this edit. so the steps on unpacking the torbirdy.xpi file and editing it is no longer required.

Great! So I can remove steps 7 - 14 from here?:


@torjunkie yes they can be removed. they will be gone from next version of guide.

user@host:~/Downloads$ gpg --recv-key E4ACD3975427A5BA8450A1BEB01C8B006DA77FAA
gpg: key 0xB01C8B006DA77FAA: "Sukhbir Singh <azadi@riseup.net>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
user@host:~/Downloads$ gpg --verify torbirdy-current.xpi.asc 
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc) should be the first file given on the command line.

Thanks Bubonic for the feedback. Will do a full test shortly and fix this if needs be, but I see the commands match previous instructions found elsewhere.

Actually I left them in there for those that want to use Debian stable (jessie or stretch) versions of TorBirdy, since those steps are still needed.

Other than the snapshot for cadamail instead of VFEmail and minor changes to the text in that section, I think we should also have a section somewhere on how to email someone who hasn’t uploaded their public key to a key server, but announces their email address and PGP public key block on their website (you see this from time to time).

You know, annoying shit like this below, which assumes people know what to do with it - a very big assumption:



I assume the correct method is (never tried it):

1. Cut and paste entire HTML PGP public key block from the browser into a file, including line of text at top and bottom.

2. Save as a plain text file e.g. “newkey.txt”

3. On the command line, run:

gpg --import newkey.txt

4. If successful, user should get a message like the following:

gpg: key F78FFE84: public key imported
gpg: Total number processed: 1
gpg: imported: 1

5. User can then check the newly imported key is listed on the keyring:

gpg --list-keys

@torjunkie it’s even simpler. they can copy the public key from the website to the clipboard. then, in the enigmail “key management” program, go to menu “edit -> import keys from clipboard.”

@BubonicChronicWhonix just verified the download without issue. did you import the key?

1 Like

@tempest @Patrick

I’ve done a successful full test of the encrypted email wiki instructions using cadamail and sent a key test encrypted email. :slight_smile:

Identified issues:

1. Changed TorBirdy steps back to “wget” instead of “scurl --remote-name”, since the latter never works at the gpg --verify step. No idea why.


If the .asc file won’t verify correctly, remove them and download them again with wget. Re-run the verify step, and it should have a good signature.

2. The lightning add-on does not appear in the add-ons manager any more (at least in Qubes-Whonix, so doesn’t need to be disabled).

3. When doing “Mail Account Setup”, your guide has "youranonemail@vfemail.net".

Not sure why you don’t have the .onion in the email address line? Works for cadamail i.e. blahblah@cadamailgxsy6ykq.onion

4. Ditto POP Mail Server options, you have username@vfemail.net, but cadamail works with the .onion extension for the user name.

Also note cadamail has the server name as:

The “pop” part doesn’t appear in your guide. Don’t know if it matters.

5. In cadamail for SMTP settings, cadamail port comes up as 465, not 587.

I changed it manually to 587. I think we should add a step for users to do the same (if necessary), since the web tells me that mail clients and proper mail servers should always use this port i.e. when coupled with TLS encryption ensures that email is submitted securely and follows guidelines set out by the IETF.

6. At the mkdir storage/gpg-revoke step ->

Doesn’t work in Qubes. Needs to be done in two separate steps->

mkdir storage
mkdir storage/gpg-revoke

7. After encrypting the revocation certificate, and moving the .gpg file to the storage directory, there is still the normal blahblah.rev.asc sitting in the user’s home directory.

I presume this should be securely shredded and we should add an explicit step there to do that?

8. TODO: Add tempest’s steps for copying public key from website to clipboard etc when no public key on keyserver.


This goddamn thing works - great. cadamail doesn’t require JavaScript to register either, so screw VFEmail.

Please respond to my test email (so I can check I can read your encrypted email reply correctly) and comment on the above issues, and we’ll get this thing published very soon after some minor edits.

1 Like

@torjunkie a few things.

  1. will look into this.

  2. i’m not aware that the onion vs. the clear makes a difference for the account login name. the login is happening over the onion. and, while i haven’t tested it, from what has been posted above, an onion to onion email to cadamail doesn’t appear to work. so, not sure this is an issue. but, if there is something i’m missing, will consider.

  3. will look into again. i don’t recall if i had to use anything but the onion and the default.

  4. see above in 4. i believe default settings worked for me with starttls.

  5. difference in guide since it uses virtualbox. “storage” directory is created in another chapter.

  6. will add.

mail was received. reply sent.

1 Like

Thanks tempest. The page has already been published, so I’ll try to get to any of my final edits shortly.

Change anything you need to at your leisure. It’s a fine chapter, so it is much appreciated that is has been shared.


Hmm, the POP mail server is not replying, so I probably configured something wrong. Will check.

Issues 6-8 -> Fixed

I wouldn’t worry about the other stuff, since it appears that cadamail is down hence the timeout on the server when checking for new emails.

“is it down” tests confirm, plus Tor Browser can’t connect to either the clearnet or .onion, so maybe they are going the way of sigaint

So, I wouldn’t change your instructions at all for cadamail at this time i.e. VFEmail still has working instructions.

if it’s not one thing, it’s another. haha. thank you. now we’re back to the issue of recaptcha v2’s hostility to tor again. :wink:

1 Like

for some good news, vfemail.net appears to have fixed registration on the onion. and, at the moment, recaptcha seems to be tor friendlier again. so, may not require a provider change for the instructions.

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]