How To Use External/Portable Storage Based Thunderbird & GPG, For GPG Encrypted And/Or Signed Email Communication
How To Use External/Portable-Storage Based Standalone/Portable Thunderbird &
GPG, For (GPG Encrypted And/Or GPG Signed) Email Communication in Windows:
The external storage can be a USB drive, a (flash) memory stick/card/media,
etc., or any sub-folder/sub-directory inside your own computer.
Steps:
Step-1: Get a portable/external hardware storage drive, stick, card or other
media.
Step-2: Get an email-client; choose one of these: IceDove or Thunderbird. Also
get the GnuPG (GPG) software.
Also see the "optional" items below; they are needed only once, while the
portable setup is created for the first time.
The email-client software will be the "guest". The "host" is the computer into
which the portable storage is plugged.
Try to get the Windows "Portable" or "Standalone" edition of the email-client
from the official site; if that is not possible, get it from another
trustworthy third-party source.
"Portable" or "Standalone" means the software does not read or write any
files on the "host" computer; it runs from, and keeps all of its data under,
a single sub-directory only.
The alternative is to convert a "Full" installation into a "Portable" or
"Standalone" edition, so that the guest email-client does not touch files in
any other folder/directory of the host, and does not touch an existing
Thunderbird/IceDove or GPG installation on the host.
This article does not describe how to convert a "Full" Thunderbird into a
"Portable" edition. It does describe how to upgrade the "Portable" GnuPG
v1.4.16 in place with the files of the full GnuPG v1.4.18 installer, so that
the result is a "Portable" GnuPG v1.4.18.
Some (not all) full-software installers offer an install option with
"portable" or "standalone" mode enabled; that is a very good option, and it is
the feature we want from a full installer.
The guest Thunderbird and GPG software (inside the portable media/drive) must
work only with files that are inside the portable media/drive. That is the
primary objective of this HowTo article.
The software below is needed only on the host computer that you use to build
the external/portable storage with standalone/portable Thunderbird+GPG (or,
where possible, it can be installed into a Portable/Standalone Firefox on the
external drive):
Optional, skip if already done: get and install anti-virus scanner software
or a security suite, reboot, and scan the entire/full system.
Optional, skip if already done: get the "Unbound" DNS resolver software:
https://unbound.net/ It is a validating resolver with full DNSSEC support,
the signed extension of the old DNS. DNSSEC authenticates DNS data through a
hierarchical chain of trust: each zone's keys are signed by its parent zone,
up to the root zone's trust anchor (this is not a PGP-style Web Of Trust), so
a validating resolver can prove that the answers it hands to DNS clients,
resolvers and servers are authentic and unmodified. DNSSEC authenticates only;
it does not encrypt queries.
Note: Their website is already DNSSEC-signed, and the SSL certificate is
declared via a DANE/TLSA DNS record. At the time of writing the certificate
had this SHA-256 fingerprint (fpr)
BA:92:39:D8:99:89:EB:DE:AA:90:30:2A:BB:2D:2C:AC:15:17:B2:14:CC:89:78:BD:17:73:05:8A:14:12:71:59,
this SHA-1 fpr E7:37:10:B2:9C:4F:82:1E:40:1B:A6:85:03:1E:22:6C:35:90:53:04,
and "www.unbound.net" as its CN (Common Name). Certificates get renewed, so
these fingerprints will change; compare the live certificate against the TLSA
record rather than against this page.
Go to https://unbound.net/download.html and get the file
unbound_setup_<version-numbers>.exe, then install it.
Press the Windows-Logo key and "R" at the same time, then release both; the
"Run" dialog appears. Type in services.msc (without quotes) and press
"Enter"/"Ok". Find the "DNS Client" Windows service, double-click it, "Stop"
it, and set its "Startup type" to "Disabled". (On Windows 8 and later these
controls are greyed out for this service; leave it running in that case.
Unbound still works, because the adapters below send all queries to it.)
Go to "Control Panel" > "Network and Internet" > "Network Connections", and,
one by one, select each network adapter > right-click > "Properties" > in the
"Networking" tab, scroll down and find:
"Internet Protocol Version 4 (TCP/IPv4)", click it to select it, then click
the "Properties" button > select the option:
"Use the following DNS server addresses" > in "Preferred DNS server", enter
127.0.0.1 (without quotes), leave the "Alternate" or "Secondary" field empty
> Ok.
Select "Internet Protocol Version 6 (TCP/IPv6)" and enter ::1 (without
quotes) in the "preferred" DNS field, leave the other fields empty > Ok > Ok.
Select the next network adapter and set the same values in its TCP/IPv4 and
TCP/IPv6 properties.
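The same procedure from an elevated PowerShell, followed by a check that the local resolver is really validating. This is an added example, not part of the original gist; it assumes Unbound is installed on the host and listening on 127.0.0.1 / ::1 (its default), and uses dnssec-failed.org, a public test zone that is deliberately mis-signed, as the negative check.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original gist: the services.msc and Control
# Panel steps above as PowerShell, plus a DNSSEC validation check.
# Assumes Unbound is installed and listening on 127.0.0.1 / ::1 on this host.

# 1. Stop and disable the Windows "DNS Client" service (service name Dnscache).
#    On Windows 8 and later the service is protected and this may fail; that
#    is harmless, the adapters configured below still send queries to Unbound.
try {
    Stop-Service -Name Dnscache -Force -ErrorAction Stop
    Set-Service  -Name Dnscache -StartupType Disabled -ErrorAction Stop
} catch {
    Write-Warning "Could not stop/disable Dnscache: $($_.Exception.Message)"
}

# 2. Point every adapter that is up at the local resolver only
#    (127.0.0.1 for IPv4, ::1 for IPv6), replacing any DHCP-supplied servers.
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
    Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex `
                               -ServerAddresses @('127.0.0.1', '::1')
}

# 3. Show the result: each listed adapter should carry only loopback addresses.
Get-DnsClientServerAddress |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses

# 4. Prove that DNSSEC validation is on. A correctly signed name resolves;
#    dnssec-failed.org is a public test zone that is deliberately mis-signed,
#    so a validating resolver must refuse it (SERVFAIL) instead of answering.
Resolve-DnsName -Name unbound.net -Type A -Server 127.0.0.1 |
    Select-Object Name, IPAddress
try {
    Resolve-DnsName -Name dnssec-failed.org -Type A -Server 127.0.0.1 -ErrorAction Stop
    Write-Warning 'dnssec-failed.org resolved: this resolver is NOT validating DNSSEC'
} catch {
    'dnssec-failed.org refused as expected: DNSSEC validation is active'
}
```

If step 4 resolves dnssec-failed.org, Unbound is answering but not validating (or the queries are not reaching it at all); fix that before relying on the DANE checks described further down, since they are only as good as the resolver that serves the TLSA records.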
Optional, skip if already present: get the "DNSSEC-Validator" extension for
Firefox: https://www.dnssec-validator.cz/
Restart Firefox. The Windows firewall will ask whether to create inbound and
outbound firewall rules for it; choose "Cancel" or click the cross button.
We do not want Firefox to get such an inbound firewall rule: if one exists,
we will no longer be warned about unapproved inbound connections later on.
Instead we will force DNSSEC-Validator to use our own local 127.0.0.1 DNS
resolver inside our own computer.
Inside Firefox, press Ctrl+Shift+A at the same time and release; the Firefox
Add-ons Manager tab appears. Find the "DNSSEC/TLSA Validator" add-on, click
its "Options" button, click the "Custom" option and enter 127.0.0.1 (without
quotes). Under the TLSA/DANE validation section, tick these 3 options: Enable
TLSA Validation, Use browser's certificate chain, Enable TLSA validation of
all HTTPS requests on the page.
If you see an "Ok"/"Save" button, click it.
Optional, skip if already present: get the "DownThemAll" extension for
Firefox. You should also load these extensions: "AdBlock Plus",
"Calomel SSL Validation", "Cert Viewer Plus", "Cipherfox", "HTTPS-Everywhere",
etc.
Portable Thunderbird (installer), or Portable IceDove (installer):
http://portableapps.com/apps/internet/thunderbird_portable
Check that you have the correct downloaded file by using the MD5 hash shown
here:
http://portableapps.com/apps/internet/thunderbird_portable#download_details
Note that MD5 is no longer collision-resistant and that both this page and
the file are served over plain HTTP, so this check catches accidental
corruption, not a deliberate swap by someone who can tamper with either
connection.
Install it on the external drive. Assuming your external drive is J:, install
it into J:\ThunderbirdPortable\
When/if you can, request that PortableApps publish a SHA-256 hash over an
HTTPS-encrypted connection; the large file can then be received over HTTP and
its integrity checked against that hash.
In the web browser, with the "DNSSEC-Validator" extension loaded, check the
icons it shows to find out whether the SSL certificate in use was verified
against a declared DANE DNS record or not.
Portable GPG v1.4.16 (installer):
http://portableapps.com/support/thunderbird_portable#encryption
Unfortunately, PortableApps does not provide even an MD5 for it!
Install it inside the external drive, in the same location as your Portable
or standalone Thunderbird, here: J:\ThunderbirdPortable\
Make a backup copy of the entire folder below, with all files in it, or make
a backup zip file of it:
J:\ThunderbirdPortable\App\gpg\
GnuPG v1.4.18 (full, GnuPG classic, for Windows):
https://www.gnupg.org/download/index.html
Go to the above webpage and search for "GnuPG classic"; we need the Windows
GnuPG classic edition. "Download" it (they use FTP), and also get the "sig"
signature file, which they keep on the same FTP site. FTP is neither
encrypted nor authenticated, so the signature check, not the download
channel, is what establishes that the installer is genuine.
When/if you can, request that the GnuPG developers provide the "sig" file
over an HTTPS connection, and if they do, check in the web browser whether
the SSL certificate used was verified and authenticated by the DANE icon.
Get the GnuPG signing keys from this page over an HTTPS connection:
https://www.gnupg.org/signature_key.html
When/if you can, request that the GnuPG developers declare the SSL
certificate's DER hash in a TLSA/DANE DNS/zone record, which requires signing
the "gnupg.org" domain with DNSSEC. If they do, check in the web browser
whether the SSL certificate used for the connection was verified and
authenticated by the DANE icon.
Install it into the sub-folder below on your external storage drive; if you
are prompted to overwrite existing files, do so:
J:\ThunderbirdPortable\App\gpg\
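The signature check that the GnuPG classic download step above calls for, written out as an added example (not the gist author's or the GnuPG project's own code). It assumes the portable gpg.exe sits at J:\ThunderbirdPortable\App\gpg\gpg.exe, that the downloaded installer and its .sig were saved under J:\downloads\ with the names shown, and that the signing-key fingerprints were copied from https://www.gnupg.org/signature_key.html over HTTPS; all of these are placeholders to adjust. Rather than stopping at a zero exit code from gpg --verify, which gpg also returns for a good signature from an unknown key, it parses gpg's machine-readable status output and requires a VALIDSIG line from one of the expected fingerprints.

```powershell
# Added example, not from the original gist. Paths, file names and the
# fingerprint placeholders are assumptions; replace them with your own values.
function Test-GpgDetachedSignature {
    param(
        [Parameter(Mandatory)] [string]   $GpgExe,
        [Parameter(Mandatory)] [string]   $File,
        [Parameter(Mandatory)] [string]   $SignatureFile,
        [Parameter(Mandatory)] [string[]] $TrustedFingerprints
    )
    # Normalise fingerprints copied from a web page: drop spaces/colons, upper-case.
    $trusted = $TrustedFingerprints |
        ForEach-Object { ($_ -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }

    # --status-fd 1 sends "[GNUPG:] ..." status lines to stdout; --batch avoids prompts.
    $status = & $GpgExe --batch --status-fd 1 --verify $SignatureFile $File 2>$null
    $validSig = $status | Where-Object { $_ -match '^\[GNUPG:\] VALIDSIG ' } |
        Select-Object -First 1
    if (-not $validSig) {
        return [pscustomobject]@{ File = $File; Valid = $false; Fingerprint = $null
                                  Reason = 'gpg reported no VALIDSIG (bad signature or key not imported)' }
    }
    # VALIDSIG <signing-key fpr> <date> <timestamp> ... <primary-key fpr>
    $fields  = $validSig -split '\s+'
    $signer  = $fields[2].ToUpperInvariant()
    $primary = $fields[-1].ToUpperInvariant()
    $ok = ($trusted -contains $signer) -or ($trusted -contains $primary)
    $reason = if ($ok) { 'VALIDSIG from an expected key' }
              else     { "VALIDSIG, but from unexpected key $primary" }
    [pscustomobject]@{ File = $File; Valid = $ok; Fingerprint = $primary; Reason = $reason }
}

# Usage. The key block was saved from https://www.gnupg.org/signature_key.html;
# without --homedir the import lands in the host user's keyring, which is fine
# for this one-time check on the host.
$gpg = 'J:\ThunderbirdPortable\App\gpg\gpg.exe'   # assumption: portable gpg location
& $gpg --batch --import 'J:\downloads\gnupg-signing-keys.asc'

$result = Test-GpgDetachedSignature -GpgExe $gpg `
    -File          'J:\downloads\gnupg-w32cli-1.4.18.exe' `
    -SignatureFile 'J:\downloads\gnupg-w32cli-1.4.18.exe.sig' `
    -TrustedFingerprints @('<fingerprint 1 from signature_key.html>',
                           '<fingerprint 2 from signature_key.html>')
$result
if (-not $result.Valid) { throw "Do not install: $($result.Reason)" }
```

The fingerprint comparison is the part that matters: anyone can upload a key with the name "GnuPG" to a keyserver, so a signature that merely verifies against some imported key proves nothing until the key's fingerprint has been matched against the one published by the project over an authenticated channel.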
Also get GnuPG (Gpg4win) Gpg4win-Vanilla v2.2.3 (it contains GnuPG v2.0.26):
https://gpg4win.org/download.html
If your host already has it, there is no need to re-install it.
Get the Vanilla Gpg4win edition.
After getting the installer file, check the file's integrity against the
SHA-1 hash shown on that HTTPS download webpage.
Note: Warning: the Gpg4win.org website uses an SSL certificate which has
SHA-256 fingerprint (fpr)
20:B8:00:01:23:8D:86:21:AE:63:B2:6A:4F:99:53:5A:5D:E0:7C:93:BB:64:C3:39:64:A5:81:88:FE:6A:F3:27,
SHA-1 fpr 3B:AD:99:29:43:44:D4:97:15:2E:FB:EE:1C:5A:7E:A1:C4:BE:07:C8,
and the CN "wald.intevation.org", even though it is served on "gpg4win.org".
Enigmail (xpi extension):
https://www.enigmail.net/
Make sure to use an HTTPS-based download.
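The hash checks asked for above, for the PortableApps MD5 of Thunderbird Portable and for the SHA-1 of the Gpg4win installer, as one added example (not from the original gist). The file names under J:\downloads\ and the hash placeholders are assumptions; paste the real values from the two download pages. The function infers the algorithm from the length of the published hash so the same helper serves both pages.

```powershell
# Added example, not from the original gist. File names and the expected-hash
# placeholders are assumptions to be replaced with values from the download pages.
function Test-DownloadHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash
    )
    # Accept "ab:cd:..." fingerprint style as well as plain hex, any letter case.
    $expected = ($ExpectedHash -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $algorithm = switch ($expected.Length) {
        32      { 'MD5' }
        40      { 'SHA1' }
        64      { 'SHA256' }
        default { throw "Unrecognised hash length $($expected.Length) in '$ExpectedHash'" }
    }
    $actual = (Get-FileHash -Path $Path -Algorithm $algorithm).Hash.ToUpperInvariant()
    [pscustomobject]@{
        File      = $Path
        Algorithm = $algorithm
        Expected  = $expected
        Actual    = $actual
        Match     = ($actual -eq $expected)
    }
}

# Usage: one line per download, then refuse to continue if anything mismatches.
$checks = @(
    Test-DownloadHash -Path 'J:\downloads\ThunderbirdPortable.paf.exe' `
                      -ExpectedHash '<MD5 from portableapps.com download_details>'
    Test-DownloadHash -Path 'J:\downloads\gpg4win-vanilla-2.2.3.exe' `
                      -ExpectedHash '<SHA-1 from gpg4win.org/download.html>'
)
$checks | Format-Table -AutoSize
if ($checks.Match -contains $false) {
    throw 'At least one download does not match its published hash; do not install it.'
}
```

A matching hash tells you the bytes on disk are the bytes the page describes, nothing more: MD5 and SHA-1 are not collision-resistant, and a hash published on the same site as the file (over plain HTTP in the PortableApps case) can be replaced together with the file. Where a detached GPG signature from a key whose fingerprint you have verified is available, as for GnuPG classic above, prefer that check.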
...
...