I’m trying to figure out the least worst way to use Tuta Mail on Qubes-Whonix. There are basically 3 options I’m considering:
Webmail accessed via Tor Browser (I’ve tested this and it works but Tuta does not have an onion service that I’m aware of)
Maybe I can use Tuta Mail with Thunderbird. I don’t think I can do it like the wiki talks about because Tuta Mail has built-in E2E, but there is an official Thunderbird add-on that might work.
I can probably use the official Tuta Mail app. (I haven’t tested this on Whonix, but it works on other Linux distros. It’s packaged as an AppImage.)
I’m looking for the best option in terms of maximizing privacy without compromising security. The Whonix Instant Messenger Chat docs say “Avoid using web interfaces for any messengers because they break end-to-end encryption (E2E).” I know that’s a different context, but I’m thinking that the same logic probably applies to email, so I’m leaning towards a native app rather than a web interface. Please correct me if I’m wrong.
I have no experience with Tuta as a mail provider, so I can’t speak to how good their official app is or isn’t. I will note though, their Thunderbird addon doesn’t integrate Tuta with Thunderbird, it simply uses Thunderbird’s builtin web rendering engine to load the Tuta web app as a new tab. See:
This is worse for security than using Tor Browser, as Thunderbird doesn’t come with all of Tor Browser’s protections when rendering a website. Whether Tor Browser or the AppImage is better depends entirely on how Tuta designed the AppImage.
Right-click on the AppImage and copy it to your new tuta-mail qube.
In your tuta-mail qube: Right-click on the tutanota-desktop-linux.AppImage, allow execution permission, log in and enjoy.
If the above works for you, then you might want to go further: Increasing security by reducing the attack surface: Using a minimal template. See Minimal templates — Qubes OS Documentation
As highlighted in the docs, this is for advanced users.
(If you have issues with the following setup, you should ask for support in the Qubes OS forum.)
Replace step 1. with:
Download the official minimal Debian template, in dom0: sudo qubes-dom0-update qubes-template-debian-13-minimal
Clone the minimal Debian template, in dom0: qvm-clone debian-13-minimal d13m-tuta-mail
Install all, but only, the mandatory packages in your new d13m-tuta-mail template. This could be the tricky part which requires testing. But based on this, it should work fine.
In your d13m-tuta-mail template terminal
(to access your template with root permission: qvm-run --pass-io --user root d13m-tuta-mail xterm):
Basic Qubes OS packages: sudo apt install qubes-core-agent-passwordless-root qubes-core-agent-networking
The mandatory packages to run the AppImage: sudo apt install gnupg gnome-keyring libasound2 default-jre libxtst6 libfuse2 fuse3
and for the AppImage download via curl: sudo apt install curl apt-transport-https ca-certificates
Not mandatory but useful, a file manager with some Qubes features: sudo apt install thunar thunar-media-tags-plugin qubes-core-agent-thunar qubes-pdf-converter qubes-img-converter
Shut down your d13m-tuta-mail template.
Now, continue with the creation of your tuta-mail qube (appVM) based on your newly created (source) template d13m-tuta-mail.
If it does not run as you expected, you should try to launch the *.appimage within the terminal and follow the error messages.
I prefer to keep things simple, first. If something does not work you can search the web / Debian forums / get Tuta support / ask your preferred LLM etc. easily. If all works fine you can simply delete the tuta-mail qube and do the same with Whonix as (source) template.
You will have a secure sandbox. With a dedicated template (minimal or not; Debian or Whonix, as long as you clone it and do not test your modification on a template which is used for other qubes) you can do your tests and just keep it or delete it. You won’t break your system or other qubes.
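An added example, not part of the post above: a check to run in the d13m-tuta-mail template terminal that reports which packages from the lists above are still missing. The function names and the sample status lines are constructed; a name also counts as present when an installed package lists it under Provides, which is how apt can satisfy a requested name with a differently named package.

```shell
#!/bin/sh
# Package names copied from the post above (Qubes basics, AppImage runtime, curl download).
REQUIRED="qubes-core-agent-passwordless-root qubes-core-agent-networking"
REQUIRED="$REQUIRED gnupg gnome-keyring libasound2 default-jre libxtst6 libfuse2 fuse3"
REQUIRED="$REQUIRED curl apt-transport-https ca-certificates"

# Reads "name|status|provides" lines on stdin and prints every required name that is
# neither installed itself nor provided by an installed package.
missing_packages() {
  awk -F'|' -v required="$REQUIRED" '
    $2 == "install ok installed" {
      have[$1] = 1
      n = split($3, prov, /, */)
      for (i = 1; i <= n; i++) {
        sub(/ .*/, "", prov[i])          # drop the "(= version)" suffix
        if (prov[i] != "") have[prov[i]] = 1
      }
    }
    END {
      n = split(required, want, " ")
      for (i = 1; i <= n; i++) if (!(want[i] in have)) print want[i]
    }'
}

# Live use inside the template: feeds the real dpkg database to the check.
audit_template() {
  dpkg-query -W -f='${Package}|${Status}|${Provides}\n' | missing_packages
}

# Constructed sample: default-jre never installed, curl removed, two names
# satisfied only through Provides.
SAMPLE='qubes-core-agent-passwordless-root|install ok installed|
qubes-core-agent-networking|install ok installed|
gnupg|install ok installed|
gnome-keyring|install ok installed|
libasound2t64|install ok installed|libasound2 (= 0.0-constructed)
libxtst6|install ok installed|
libfuse2t64|install ok installed|libfuse2 (= 0.0-constructed)
fuse3|install ok installed|fuse (= 0.0-constructed)
curl|deinstall ok config-files|
apt-transport-https|install ok installed|
ca-certificates|install ok installed|'

printf '%s\n' "$SAMPLE" | missing_packages
```

Call audit_template in the template before shutting it down; empty output means every listed package is present.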
I understand. Thanks. My question was more about which of these 3 options would be most appropriate to use in Whonix:
Webmail accessed via Tor Browser
Thunderbird add-on
Native Tuta Mail app
I did some research and had some time to think about this. I’m not saying it’s the best way, but the only officially supported way to do this is with the Thunderbird add-on.
Webmail via Tor Browser is out because Tuta does not list the Tor Browser as a supported browser. Only the current versions of Firefox, Opera, Chrome, Safari, and Edge are supported.
The native Tuta Mail app is out because it is only supported on Ubuntu and Fedora.
Tuta supports the use of Thunderbird via their official add-on and Whonix meets the dependency requirements of Thunderbird. Furthermore, the official Whonix docs support the use of Thunderbird.
Tutamail and Protonmail and similar email services = you can’t use your own keys in your own mail client = horrible.
Probably the only way to get the best security out of them is to use something like Mailvelope. Other than this, using Tutamail, Protonmail.. webmail and Gmail is just a matter of trusting the written words you see but you can’t verify.
@nurmagoz Thanks for your input. I know that Tuta and Proton are not the best options. I’m looking for the “least worst” way to do this for now. I may consider better email providers in the future. @Wh0nix Thanks for testing and sharing the results. I can confirm that webmail via the Tor Browser works as well.
Simplicity does not equal security or anonymity. You can run other operating systems through Whonix-Gateway and get some level of anonymity, kind of like how you can have one leg removed and move around by hopping on the other leg. You’re going to be missing quite a bit of in-VM security measures and anonymity features that Whonix-Workstation provides. Almost anything that works on Debian will work on Whonix-Workstation, so unless you have a specific reason to avoid it, you should probably use it.
Okay, so I tried the Thunderbird add-on in Whonix. First it wouldn’t launch unless I enabled JavaScript in Thunderbird. I enabled it. Then it went to a “browser not supported” page in Thunderbird. I realized that Thunderbird in the Debian repo is ESR. I uninstalled ESR and installed the latest from Mozilla. Then the Tuta Mail Thunderbird add-on worked as expected, but JavaScript still had to be enabled.
This provides a supported environment for Tuta Mail to run in. The only catch is that I can’t do it with software from the default APT sources like the docs suggest. I don’t really mind using software outside of the Debian repos if I trust the source. I’m not worried about Mozilla, so this seems like a decent option except that it’s inherently less secure than browser access or the native app and the add-on does not support notifications.
So, I decided to go with the native app because it’s the most secure. It doesn’t break E2E encryption like the browser/webmail or Thunderbird/add-on options.