Using GnuPG encryption with Mac OS X Mail

Using email encryption is one way to protect the privacy of your electronic correspondence. For a brief history and an explanation of how they work, see PGP and GnuPG.

I cannot make any sort of guarantee as to the efficacy of these programs, though I know that the NSA and the Federal Government fought the implementation and free dissemination of PGP for years. For me, this is one of those “165,000 coyotes can’t be wrong…” arguments. Better to have it and not need it than to need it and not have it.

I am not able to write documentation for implementing GPG for Windows, since I don’t use that platform every day. If you’re one of those people who does, and you can provide us with something like this for Windows, please do.

I make no guarantee about any of these products. If it breaks your computer, contact the software designer, not me. I am providing these links and these screenshots to aid in the installation of these products that I trust. I hope that you find it useful.

First, you will need to pilot your browser to the Mac GnuPG site, which looks like this:

Scroll down that page until you find the link to download the Gnu Privacy Guard for your version of OS X. In my case, it was 10.4.5, but I have discovered that the 10.3 version works just fine:

After you click the link, you will be offered a download site (or “Mirror site”) from which to download the software. Pick any one. I usually try to pick the one in North Carolina or Atlanta, just because I am biased like that, y’all:

This will download the GPG archive to your desktop. If you are running a current version of StuffIt or some other compression utility, it will probably automatically unpack the archive and mount a virtual disk:

The virtual disk contains the installer and some documentation. (And a great big Happy Gnu logo.) Double-click the GnuPG for Mac OS X .mpkg:

You will be asked if you want to run a program to determine if the software can be installed. The answer is “Continue”:

There’s a brief explanation of the package that you are about to install. Click “Continue”:

There is an information page about GnuPG and some instructions that you might want to refer to if you find that I have not been thorough enough. Please print these and then hit “Continue”:

The GPL licensing page comes next. The GNU General Public License (GNU GPL or simply GPL) is the most popular free software license, originally written by Richard Stallman for the GNU project. If you wish to understand the GPL licensing agreement about distribution and use of software that is produced under this unique license, you can read more here.

And you will have to agree to it. Just do it.

You will need to select a destination disk. This will need to be your boot disk, where your system folder lives. You will notice that my iPod and backup disk were not eligible to be destination disks for this software.

Next, you will choose the sort of installation you want. I did not explore the customized packages, and just clicked “Upgrade,” in the interest of keeping it simple.

You will need to enter your password.

And then the installer runs. It installs documentation in several languages, including, as I happened to catch as the installer was running, Russian.

When GPG has finished installing, you will get a message saying “The Software was Successfully Installed.” Click “Close.”

You will then return to the Mac GnuPG site and scroll down to the Keychain Access Application.

Click the above link to download “Keychain Access.”

Again, you will have to select a mirror site. The same rules apply as before: pick any one you like:

You will be informed that the file that you are downloading contains an application. Click “Continue”:

The file that downloads will place a folder on your desktop. There is no installer for the Keychain Access application.

Drag this file to the folder called Applications on your hard drive. This is not to be confused with the Applications (OS 9) folder.

Once it is properly installed, the GPG Keychain Access folder looks like this:

If you open the GPG Keychain Access folder, you will find four files. You want to double-click the one called “GPG Keychain Access”:

As soon as the application opens, you will be informed that you do not have a private or secret key. Briefly, here is how GPG works: this program will generate two keys, a public one and a secret one. You will give the public one to everyone from whom you receive email. You will keep the private key close, since you’re the only one allowed to use it. The public key is used to scramble messages sent to you, AND ONLY THE PRIVATE KEY (in conjunction with your password) can unscramble them. So, it’s time to make those keys.

A brief introduction follows. Make sure the “Use assistant to generate keys” is checked.

You will select the type of key you wish to use. Go with DSA and ElGamal. We used to use RSA or Diffie-Hellman, but I don’t think that’s an option any more, due to patents and trademarks.

In keys, like most everything else important, size matters. This number is the size of the key in bits, and the bigger the key, the more processor cycles it takes to use it. 1024 is the minimum. I suggest 2048, because 4096 is so massive that your computer will have a hell of a time creating the key in any kind of timely manner. Pick whatever you’re comfortable with, and be aware of the consequences.

Your key SHOULD expire. If you forget your password or lose your private key, what are you going to do? Don’t ask me how I know this. Just make sure your key expires in a year or so. Pick a date that is meaningful to you if you think it will help you remember.

Enter the email you will be using and your name. You can also use your vCard file from Address Book by checking the check box underneath the comment field. I did this for mine.

Your encryption is only as good as the strength of your passphrase in the event that someone somehow gets your private key. Even if I have your private key and your passphrase is “tHe kwicKK brwn f000xA@__jump3d ov3r the LaZZEE døg!$$” there’s no way that I am going to be able to use a dictionary to crack that, nor am I going to be able to randomly guess that. HOWEVER, are you going to be able to remember it? Choose well, and keep it close.

Retype and double-check your passphrase to make sure that it’s right by clicking the “Show Passphrase” button. This way you can make sure that you didn’t accidentally have the Caps Lock button on or anything.

You will then have the opportunity to review what you have done. Make sure your details are correct. If they are not, use the “Go Back” button.

With a 2048 bit key, the actual making of the key takes a while. Might be time to make a cup of tea or go chase the dog. This took ten minutes for me, this morning.

When the bar is solid from left to right, you’re done making the key. Click finish.

Your keys window should look similar to this, with your new public key at the top of the window.

Now, select that new key and click the “Export” button. This is the first step to making your public key available to other users so that they can send you encrypted emails.

A “Save” dialogue box will pop up. Click the blue arrow next to the window where the name of the file is displayed. This will drop down a directories window…

which will look like this. I suggest steering to the Documents folder and clicking the “New Folder” button…

Which will open this dialogue box. Call the new folder anything you want.

GPG, but you can call yours Fred if you want. Or Key archive.

Now, double-click in the window where the “Save As” gives you the file name, which for now is a series of random numbers and letters. This should highlight the entire file name. You will know this when all the letters and numbers are highlighted in blue.

Rename the file you are saving “whatever_you_want_to_call_it.gpgkey”. I highly recommend keeping the “.gpgkey” at the end of the file name. Then click Save.

Now, hold the control button on your keyboard, and click here. This should give you a drop-down menu like this:

Select “Download linked file” and this file will appear on your desktop:

Go to the GPG Key Manager and click the “Import” button.

Pilot the window to your Desktop

and select the public key (my public key) that you just downloaded. Click “Open.”

Once the key is imported you will see this message:

and after you click “ok” you will see my public key in your keychains.

Now, go back to Safari, or whatever web browser you use, and go to the Sente site for GPGMail.

Scroll down to the “Download” button.

This will take you to a list of links. Choose the binary that matches the operating system you are using.

You will get the warning message “GPGMail-10.x.dmg contains an application.” Click “Continue.”

Once the file downloads, a window should automatically open. This window contains an installer script called “Install GPGMail.” Close Mail if you haven’t already, then double-click the script.

You will get a very brief note of explanation of what you are about to do. Click “Run.”

Once the script has finished running, you will receive a message that it ran successfully, and you should “Launch Mail.”

When you click “New” you will notice new features have been added to the composition window. You have the ability to sign and encrypt emails now. Signing the email tells the recipient, if he or she has your public key, that you did indeed enter your password and send this email. This protects you from being impersonated by someone else using your email account. You can also encrypt the message to a recipient.

Dropping down the “Encrypted” menu, you will see the name and email of every person whose public key you have imported. If this is the first time you have done this, there should just be mine there.

Once you have selected my name in the “Encrypted” list, you can type a message and then hit “Send.” You will then be asked to enter your passphrase to certify that YOU sent the email.

The encrypted message I receive (and which is all anyone who intercepted it would see, which is the whole point of this) is a garbled mass of random numbers and letters.

When I click the “Decrypt” button in the upper right-hand corner of the window, I am queried for MY passphrase.

And then I see your signed message.
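The whole exchange above, from key generation through signed-and-encrypted delivery, can also be driven from the gpg command line that the GUI tools sit on top of. The script below is an added example, not code from this article or from the GnuPG or GPGMail projects; it assumes GnuPG 2.1 or later is installed as `gpg`, uses two throw-away keyrings standing in for you (bob) and me (alice) so nothing touches your real keys, and adds a fingerprint check on the downloaded key that the article performs by eye.

```shell
#!/bin/sh
# Added example, not code from the original page: the article's workflow driven by the
# gpg command line. Two throw-away GNUPGHOME directories stand in for "you" (bob) and the
# author (alice), so nothing here touches your real keyring. Assumes GnuPG 2.1 or later.
set -eu
WORK=$(mktemp -d); ALICE="$WORK/alice"; BOB="$WORK/bob"
mkdir -m 700 "$ALICE" "$BOB"

# Isolated, non-interactive gpg. Loopback pinentry lets --passphrase work unattended;
# the keys here get an EMPTY passphrase purely so the demo runs without prompts.
g() { h=$1; shift; gpg --homedir "$h" --batch --yes --quiet --pinentry-mode loopback "$@"; }

# Step 1: both parties generate a key pair that EXPIRES in one year (the article's advice).
g "$ALICE" --passphrase '' --quick-generate-key "Alice <alice@example.com>" default default 1y
g "$BOB"   --passphrase '' --quick-generate-key "Bob <bob@example.com>"     default default 1y

# Step 2: export public keys (the ".gpgkey" files the article has you save and download).
g "$ALICE" --armor --export alice@example.com > "$WORK/alice.gpgkey"
g "$BOB"   --armor --export bob@example.com   > "$WORK/bob.gpgkey"

# Step 3: import the other side's key. A downloaded key could have been swapped on the way,
# so compare its fingerprint with one obtained out of band before marking it as checked.
fingerprint() { g "$1" --with-colons --fingerprint "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }
EXPECTED_FPR=$(fingerprint "$ALICE" alice@example.com)   # stands in for a fingerprint read over the phone
g "$BOB"   --import "$WORK/alice.gpgkey"
g "$ALICE" --import "$WORK/bob.gpgkey"
[ "$(fingerprint "$BOB" alice@example.com)" = "$EXPECTED_FPR" ] || { echo "fingerprint mismatch"; exit 1; }
g "$BOB" --quick-lsign-key "$EXPECTED_FPR"               # local signature = "I verified this key"

# Step 4: Bob signs and encrypts a (constructed) message to Alice, i.e. the "Sign" and
# "Encrypted" controls in the Mail composition window.
printf 'Meet at noon.\n' > "$WORK/msg.txt"
g "$BOB" --local-user bob@example.com --recipient alice@example.com \
   --armor --sign --encrypt --output "$WORK/msg.asc" "$WORK/msg.txt"

# Step 5: only Alice's private key decrypts it, and gpg checks Bob's signature at the same
# time; the function prints the plaintext only if the signature status line is GOODSIG.
decrypt_and_verify() {
    g "$ALICE" --status-fd 2 --output "$WORK/plain.txt" --decrypt "$WORK/msg.asc" 2> "$WORK/status.log"
    grep -q '^\[GNUPG:\] GOODSIG' "$WORK/status.log" && cat "$WORK/plain.txt"
}
decrypt_and_verify
```

Inspect `$WORK/msg.asc` to see the "garbled mass" the article shows, and `$WORK/status.log` for the machine-readable verification result that GPGMail turns into its signature indicator.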

The only thing remaining for you to do is to send me an email with your public key attached.