Simple Email Encryption on the Mac
Using Mountain Lion, Mail.app & GPG Suite
Tools have existed for a long time to encrypt email messages but sadly they have never been widely used. Given recent events I thought I would revisit the current state of the art and see if things have improved. The good news is that things are better, the bad news is that it's still a lot more complicated than it needs to be. Below is a guide which I hope will allow most people to get up and running with email encryption tools.
This tutorial requires that you are on a Mac running Mountain Lion1 and use the built-in Mail.app to send and receive email. I've tried to keep these instructions as simple as possible;2 please check the footnotes for supplementary information.
Installing and Configuring GPG Suite
- Download and install GPG Suite from gpgtools.org.3
- Open the newly installed GPG Keychain Access application.4
- Click the New icon to generate your encryption keys5 and enter your name and email address. Expand the Advanced options and adjust the remaining settings to match the screenshot.
- When you are finished, click Generate key. You will be asked to enter a passphrase6 and then to confirm it. It may take a couple of minutes to generate the key; when it's done you will be able to see your new key in GPG Keychain Access.
- Restart Mail.app and go to the menu Mail—Preferences—GPGMail. At the top of the window you should have a green light and it should say GPGMail is ready. Adjust the settings as desired but I recommend the below settings.7
Sending an Email
- In order to send an encrypted message, you need the recipient's encryption key.8 Open GPG Keychain Access and go to the menu Key—Search for Key… and search for an email address. Once you have selected the correct key, click Retrieve key.9
- Now compose a new message; you should see some new things. On the top right there is an OpenPGP dropdown10 and on the bottom right there are two new buttons which allow you to encrypt and/or sign a message.11
- Before you send the message, toggle the encrypt and sign buttons to suit.12
Receiving an Email
- When you receive a message, it will show if it is encrypted and/or signed13 beneath the subject of the message.
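The same key generation, key exchange, encrypt-and-sign and decrypt-and-verify steps from the command line, as an added example that is not part of the original guide and not GPG Suite's own code. It assumes GnuPG 2.1 or later is on the PATH, and it uses two throwaway keyrings (two GNUPGHOME directories standing in for two Macs) and an export/import between them instead of the key server. Alice and Bob, their addresses and the message are constructed for the example; %no-protection and --trust-model always are shortcuts that skip the passphrase and the fingerprint check, which you would not skip for real.

```shell
#!/bin/sh
# Added example: CLI equivalent of the GUI steps above, using GnuPG 2.1+
# in throwaway keyrings so nothing touches the real ~/.gnupg.
set -e

# One GNUPGHOME per person, standing in for two separate Macs (constructed).
ALICE_HOME="$(mktemp -d)"; chmod 700 "$ALICE_HOME"
BOB_HOME="$(mktemp -d)";   chmod 700 "$BOB_HOME"

# gen_key HOME NAME EMAIL: unattended key generation (the "New" button).
# %no-protection skips the passphrase so the example runs non-interactively;
# a real key must have one (see footnote 6).
gen_key() {
    GNUPGHOME="$1" gpg --batch --quiet --gen-key >/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# fingerprint HOME EMAIL: the value you confirm with the other person
# over a second channel before trusting a key fetched from a server.
fingerprint() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# share_key FROM_HOME TO_HOME EMAIL: export an ASCII-armoured public key and
# import it into the other keyring (offline stand-in for "Retrieve key").
share_key() {
    GNUPGHOME="$1" gpg --batch --armor --export "$3" \
        | GNUPGHOME="$2" gpg --batch --quiet --import
}

# encrypt_sign HOME SENDER RECIPIENT: stdin -> armoured, signed, encrypted
# message on stdout, i.e. what Mail.app puts in the message body.
# --trust-model always stands in for having verified the fingerprint yourself.
encrypt_sign() {
    GNUPGHOME="$1" gpg --batch --quiet --armor --trust-model always \
        --local-user "$2" --recipient "$3" --sign --encrypt
}

# decrypt_verify HOME: decrypt with our private key and verify the signature.
# gpg exits non-zero on a bad signature, so set -e aborts the script.
decrypt_verify() {
    GNUPGHOME="$1" gpg --batch --quiet --decrypt
}

# roundtrip: Alice sends Bob a signed, encrypted line; prints the plaintext Bob sees.
roundtrip() {
    gen_key "$ALICE_HOME" "Alice Example" "alice@example.com"
    gen_key "$BOB_HOME" "Bob Example" "bob@example.com"
    share_key "$BOB_HOME" "$ALICE_HOME" "bob@example.com"
    share_key "$ALICE_HOME" "$BOB_HOME" "alice@example.com"
    printf 'meet at noon\n' \
        | encrypt_sign "$ALICE_HOME" "alice@example.com" "bob@example.com" \
        | decrypt_verify "$BOB_HOME"
}

# cleanup: stop the agents started for the throwaway homes and delete them.
cleanup() {
    for h in "$ALICE_HOME" "$BOB_HOME"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
        rm -rf "$h"
    done
}

# Run as: sh gpg-roundtrip.sh run
if [ "${1:-}" = "run" ]; then
    roundtrip
    cleanup
fi
```

The interesting line is share_key: in the GUI the same data arrives from a key server, and the server does nothing to prove that the key belongs to the address on it, so compare the output of fingerprint on both sides (or over the phone) before you start relying on the key.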
Optional Tweaks
Both of these tweaks require restarting Mail.app before they will take effect.
GPG Suite has some hidden settings which can be used to adjust the default behaviour. I want to automatically encrypt messages if I have public keys for all the recipients, and I never want to sign a message.
To do this, open a Terminal window and run these two commands as your normal user (not with sudo or as root, since they write to your own preferences and Mail.app reads them from there).
$ defaults write org.gpgtools.gpgmail EncryptNewEmailsByDefault -bool YES
$ defaults write org.gpgtools.gpgmail SignNewEmailsByDefault -bool NO
Additional Information
- GPG (GNU Privacy Guard) is a free software implementation of the OpenPGP standard, the open standard that grew out of PGP (Pretty Good Privacy); the two interoperate.
- Your public and private keys are kept in a hidden folder called ~/.gnupg. You can see what is in this folder by opening Finder, going to the menu Go—Go to Folder… and entering ~/.gnupg.
- It is important that your ~/.gnupg directory is kept secret. If anybody gets your private key they might be able to sign messages as you and might be able to read your encrypted messages.14
- It is important that your ~/.gnupg directory is backed up. If you lose your private key you will be unable to read any encrypted message that has been sent to you. Keep the backup as secret as the original: it contains the same private key, protected only by your passphrase.
- If you send email from more than one computer you will need to copy your ~/.gnupg directory to each computer.
- If you use webmail you will need to use GPG Services to encrypt and decrypt messages. You do this by selecting the text you want to encrypt or decrypt15 and then going to Safari—Services and selecting the appropriate OpenPGP service.
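What GPG Services has to do with the text you select in webmail is find the block between the BEGIN and END markers and unpack the ASCII armour around the encrypted data. The following is an added example, not code from the guide or from GPG Suite: it locates every armoured block in pasted mail text (quoted replies, signature and all), decodes the base64 body and checks the CRC-24 that OpenPGP armour carries after the "=" on the last line, so a block that was mangled by the mail client is reported instead of being handed to the decryption step as garbage. Standard library only; the packet bytes and the mail text are constructed for the example and are not a real encrypted message.

```python
"""Added example (not from the original guide): extract OpenPGP armoured
blocks from pasted mail text and verify the armour checksum.
The sample packets and mail are constructed here, not a real message."""
import base64
import re

# RFC 4880 section 6.1: CRC-24 over the decoded body, appended as "=" + base64.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Reference CRC-24 from RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(packets: bytes, kind: str = "MESSAGE") -> str:
    """Wrap raw packet bytes in the armour gpg/GPG Services would produce:
    BEGIN line, optional headers, blank line, 64-column base64, =CRC, END line."""
    body = base64.b64encode(packets).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode("ascii")
    return "\n".join(
        [f"-----BEGIN PGP {kind}-----", "Version: example", ""]
        + lines + ["=" + crc, f"-----END PGP {kind}-----"]
    )


# Accepts LF or CRLF line endings, since webmail copy/paste may produce either.
_ARMOR_RE = re.compile(
    r"-----BEGIN PGP (?P<kind>[A-Z ]+)-----\r?\n"
    r"(?P<headers>(?:[^\r\n]+\r?\n)*?)\r?\n"      # Version:/Comment: lines, then blank line
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)\r?\n"
    r"=(?P<crc>[A-Za-z0-9+/]{4})\r?\n"
    r"-----END PGP (?P=kind)-----"
)


def extract_armored(text: str) -> list:
    """Return [(kind, packet_bytes), ...] for every armoured block in text.
    Raises ValueError if a block's CRC-24 does not match its body, rather than
    silently passing corrupted data on to decryption."""
    found = []
    for m in _ARMOR_RE.finditer(text):
        packets = base64.b64decode("".join(m["body"].split()), validate=True)
        want = int.from_bytes(base64.b64decode(m["crc"]), "big")
        if crc24(packets) != want:
            raise ValueError(f"CRC mismatch in PGP {m['kind']} block")
        found.append((m["kind"], packets))
    return found


def flip_first_body_char(armored: str) -> str:
    """Constructed tampering: change one base64 character of the body, as a
    mail client that 'helpfully' rewrites text might."""
    lines = armored.split("\n")
    i = lines.index("") + 1                    # first body line follows the blank line
    c = "B" if lines[i][0] == "A" else "A"
    lines[i] = c + lines[i][1:]
    return "\n".join(lines)


# Constructed stand-in for real OpenPGP packets (96 bytes -> two base64 lines).
SAMPLE_PACKETS = bytes(range(96))

# Constructed mail body as it might be selected in a webmail window.
SAMPLE_MAIL = (
    "Hi Bob, pasted from GPG Services:\n\n"
    + armor(SAMPLE_PACKETS)
    + "\n\n-- \nAlice\n"
)

if __name__ == "__main__":
    for kind, packets in extract_armored(SAMPLE_MAIL):
        print(kind, len(packets), "bytes, CRC OK")
```

Selecting only part of the block, as footnote 15 warns against, either fails to match at all or trips the CRC check; both are better than feeding a truncated message to gpg and guessing from its error.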
Conclusions
GPG Suite combined with Mail.app is the nicest email encryption system I've ever used. Once it is installed, and you have swapped keys with the people you wish to communicate with, it makes sending and receiving encrypted messages about as simple as it can be.
However, things are still too hard in almost every regard.16 When I began writing this my hope was that I could make the installation and configuration process understandable enough that my mum could feel comfortable sending encrypted messages. However, another problem became apparent as I was writing this. Almost every aspect of using encryption software has its very own rathole that should be explained.
What is the difference between a public key and a private key? Why should I sign a message? How do I back up my keys? How do I create a strong passphrase? What happens if somebody gets my private key? Why do people have so many keys on the key servers? How do I read encrypted messages on my phone or webmail? What happens if I forget my passphrase? What happens if I lose my secret key? Which key server do I use? Why can't I find my friend's key on the key server?
Few of these are explainable in concise terms which are understandable by the average computer user. Further, not understanding some of them can have significant repercussions!
I believe that encryption is increasingly important and needs to become accessible. In order to do that we have to make the process of using encryption as frictionless, and as safe, as possible.
Here are my suggestions:
- Every message should include an OpenPGP header which unambiguously tells the recipient where to get the sender's public key.17
- Clients should automatically retrieve any new keys which they don't already possess.
- If you have the recipient's public key, by default, the message should be encrypted.
- If you are sending a message to multiple people and only have public keys for some of them, two messages should be sent. One which is encrypted to everybody possible and an unencrypted one to everyone else.
- We need a way of managing encrypted communication via mailing lists. The only way I can see of doing this is to make uploading your public key a requirement when you join the list. Senders would encrypt their message with the list's key. On receipt the list would decrypt the message and resend it encrypted to each subscriber.
The goal of these suggestions isn't to provide the most secure messaging possible. People with serious need of security will, I hope, take the time to understand and tweak their settings to their requirements. The above changes would allow the average user to send the majority of their emails encrypted.
The more people who send encrypted messages, the easier it will be to protect our civil liberties online.
Footnotes
- Unfortunately, GPG Suite behaves quite differently on older versions of MacOS. The instructions are still approximately correct but there will be differences, especially in the integration with Mail.app.
- It's a tricky balance to include enough information to make it accessible but not so verbose that people get overwhelmed. If you have any feedback on what could be left out or where you get confused, please leave a comment and I will do my best to improve this document.
- Once you’ve downloaded the DMG file simply double click it and run the installer. You don’t need to customise or tweak anything in the installer, just keep clicking next.
- You can find it in your Applications folder.
- GPG is based on a cryptographic system called public key encryption. It uses a pair of matched keys called your public key and your private key. Anything encrypted with your public key can only be decrypted with your private key, so anyone who has the public key can send you a message that only you can read; a signature made with your private key can be checked by anyone holding your public key. The public key is meant to be handed out freely, the private key should never leave your computer. A fuller explanation is available at Wikipedia.
- The passphrase can be as long as you like. It is IMPORTANT that it is difficult to guess and that you are able to remember it. If somebody knows your passphrase they may be able to decrypt your email messages.
- Encrypting drafts is important if your drafts folder is stored on another computer (like Gmail). If you keep your drafts locally on your computer I wouldn’t bother. List Previews allow you to see unencrypted previews of your messages when browsing the message index.
- If you know somebody who uses GPG search for their email address. Otherwise try a geeky friend or use my email address.
- It is possible for there to be more than one key associated with an email address. In these cases it's probably best to ask the recipient which key you should use. This happens because keys can't be deleted from a key server. When people change keys the old ones remain. Retrieving a key from a key server also doesn't prove it belongs to the person named on it: anybody can upload a key with any name and email address. Confirm the key's fingerprint with the recipient over another channel (in person, by phone) before you rely on it.
- The OpenPGP dropdown goes green when it is either encrypting or signing the message. If it is grey then it means the message is not going to be encrypted or signed.
- The encrypt and sign buttons are toggles. Hover over them to see how they are currently set.
- Encrypting a message means that only the recipient can read it. Signing a message means that anyone with the message can mathematically verify that it was signed with your private key and has not been altered since. Personally I don't see any value in signing messages. A fuller explanation of digital signatures is available at Wikipedia.
- If it is signed it will also tell you the identity that signed it. The identity isn't required to correspond to the sender's email address, however generally it will. Mail.app can only tell you which key made the signature; whether that key really belongs to the person named in it is only as certain as the check you made when you retrieved the key.
- Your private key is protected by the passphrase you chose earlier. In order to forge or decrypt a message an attacker needs both your secret key file and your passphrase.
- If you are trying to decrypt you must select from -----BEGIN PGP MESSAGE----- to -----END PGP MESSAGE-----, including the markers themselves.
- Just look at the number of footnotes required to explain things!
- The exact mechanism is unimportant, only that it's unambiguous and can be reliably retrieved automatically.