Bugzilla considers certain groups as "secure". If a bug is in one of those groups, Bugzilla will not send unencrypted email about it. To receive encrypted email rather than just a "something changed" placeholder, you must provide either a S/MIME or a GPG/PGP key on the SecureMail preferences tab.

In addition, if you have uploaded a S/MIME or GPG/PGP key using the SecureMail preferences tab, if you request your password to be reset, Bugzilla will send the reset email encrypted and you will be required to decrypt it to view the reset instructions.


S/MIME Keys must be in PEM format - i.e. Base64-encoded text, with the first line containing BEGIN CERTIFICATE.

S/MIME certificates can be obtained from a number of providers. You can get a free one from StartCom. Once you have it, export it from your browser as a .p12 file and import it into your mail client. You'll need to provide a password when you export - pick a strong one, and then back up the .p12 file somewhere safe.

Import on Thunderbird as follows:

Then, you need to convert it to a .pem file. Here are two possible ways to do this.


Paste the contents of the .pem file into the SecureMail text field in Bugzilla.


Or, if you have OpenSSL installed, do the following:

openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes -nokeys

Open the .pem file in a text editor. You can recognise the public key because it starts "BEGIN CERTIFICATE" and ends "END CERTIFICATE" and has an appropriate friendly name (e.g. "StartCom Free Certificate Member's StartCom Ltd. ID").

Paste the contents of the .pem file into the SecureMail text field in Bugzilla.


PGP keys must be ASCII-armoured - i.e. text, with the first line containing BEGIN PGP PUBLIC KEY.

If you already have your own PGP key in a keyring, skip straight to step 3. Otherwise:

  1. Install the GPG suite of utilities for your operating system, either using your package manager or downloaded from gnupg.org.

  2. Generate a private key.

    gpg --gen-key

    You’ll have to answer several questions:

    • What kind and size of key you want; the defaults are probably good enough.
    • How long the key should be valid; you can safely choose a non-expiring key.
    • Your real name and e-mail address; these are necessary for identifying your key in a larger set of keys.
    • A comment for your key; the comment can be empty.
    • A passphrase. Whatever you do, don’t forget it! Your key, and all your encrypted files, will be useless if you do.
  3. Generate an ASCII version of your public key.

    gpg --armor --output pubkey.txt --export 'Your Name'

    Paste the contents of pubkey.txt into the SecureMail text field in Bugzilla.

  4. Configure your email client to use your associated private key to decrypt the encrypted emails. For Thunderbird, you need the Enigmail extension.

Further reading: GPG Quickstart.