This tutorial demonstrates how to use Thunderbird to generate a new OpenPGP cryptographic keypair on a Secalot device, change default user and administrator PIN-codes and begin sending signed and encrypted emails.

Install GnuPG.

On Windows, install Gpg4win.
On macOS install GPG Suite.
On Linux use your package manager.

Open Thunderbird and install the Enigmail plugin.

On the “Tools” menu choose “Add-ons”. Click on the “Extensions” tab and search for “Enigmail”. Install the plugin. Restart Thunderbird as prompted.

Change PIN-codes.

Open “Key management” in the “Enigmail” menu. Then click on “Manage SmartCard” in the file menu. On the “SmartCard” menu click “Change PIN”.


Change your PIN-code. The default PIN-code on new Secalot devices in “123456”.
Change your administrator PIN-code. The default value is “12345678”.

Change personalization data.

In the “SmartCard” menu select “Edit Card Data”.

In the “OpenPGP SmartCard Details” window you can enter your first name, last name, and sex.
The “Force signature PIN” option determines if you want to be asked for your PIN-code before performing each mail singing, or if you want the device to remember you PIN-code until it is not plugged out.
Press the “Save” button and enter your administrator PIN-code.

Generate cryptographic keys.

Click on “Generate Key” in the “SmartCard” menu.

Here choose if you want your mail encryption key to be backed up or not. If you choose not to backup, in an event that you lose your Secalot device or if it becomes unfunctional, you would not be able to read any of the emails that were sent to you encrypted. If you back up the key, store it a very secure place and use a very strong passphrase.
You can also choose your key expiration date, or if you want it to never expire.
Press the “Generate key” button and enter your PIN-code.
Key generation would take approximately half a minute.
Choose if you want to create a revocation certificate. This certificate can be used to mark your keys as “invalid” in case you lose your device.
Close all the pop-up windows and return to the main Thunderbird window.

Finish Enigmail setup.

In the “Enigmail” menu choose “Setup wizard” and then “I prefer standard configuration”.

Click “Next”, select your newly generated key, then another “Next” and “Finish”.

Write an email.

Write an email to yourself. On the top of the message composition window, there are two buttons. One for encrypting an email and one for signing. By default, encryption is on and signing if off. Select both options and send the email. You will be asked for your PIN-code.

Once you receive your message, click on it. You can notice a green field saying that the message signature is valid and that it has been successfully decrypted.

If you now disconnect your Secalot device and open the message again, you would see that it can not be read, as the decryption key is on your device.