In the interest of simplicity, we want to allow the user to not manage passphrases for OpenPGP keys that are managed by Thunderbird.
However, if the user decides to set a master password for Thunderbird, then the openpgp keys should be protected by it, too.
This could be implemented using the following approach, which has been suggested and implemented by Vincent Breitmoser in an autocrypt addon. Because the code is MPL 2, I'd like to reuse it.
The above implementation works like this:
- Thunderbird obtains 16 random bytes, and converts it to a hex string of 32 chars
- this string is used as the passphrase for all OpenPGP keys managed by Thunderbird
- that string is remembered as a "saved login"
Whenever Thunderbird creates or imports an OpenPGP key, it will protect it using that automatic passphrase.
As a result, the OpenPGP keys that are stored on disk will be protected with that passphrase. By default. the passphrase can be obtained in a trivial way, by opening the saved password user interface, or by using the symmetric key stored in the NSS database.
However, as soon as the user sets a master password, obtaining the openpgp passphrase will require to provide the master password. This is equivalent to the protection for saved logins, and for the private keys of S/MIME certificates.
In the initial implementation, nothing protects the user from deleting it from the list of saved logins, which will cause all saved openpgp keys to be unusable. We should add some protection mechanism, but that should be handled at a later time, in a follow up bug.