brian on 2004.12.08 at 05:37 pm
How to: Using GnuPG and Apple Mail for Encryption and Digital Signatures.
Jake and I were curious to see how we could get our email more secure. He was working on getting a set up at his job for some sensitive financial information to be transmitted via the internet. I was just curious about more secure email, since I knew Mac OS X had some good security features in it.
I had looked into this once before, and my eyes glazed over when looking it over. Jake, being more familiar with Unix, was not so deterred, and figured it out without much fuss. Thus, once he set it up in Mozilla Thunderbird, the work email app he uses with his company's Windows machines, he figured out how to add it to his personal PowerBook.
Wanting to learn, I had Jake walk me through the steps of the setup. It's clear from the attempt that while it's not exceedingly difficult to implement PGP on a Mac, it's not going to spread like wildfire until someone improves the user experience. The following walkthrough will dive into the terminal briefly, and some of the GUI aspects leave much to be desired.
Let it be noted that I am eternally grateful to those who took the time to build GUIs for OS X so that I might enter the PGP world without much fuss, and I hope my criticisms here are seen as only constructive and supportive of their authors' efforts.
And just before we begin the installation, I want to mention that some of the functionality we are about to install is already present in OS X; however, it is well hidden, designed to kick in automatically when needed. It is, however, a different style of email security.
To use the built-in encryption and digital signature abilities of Mail, you need to have a digital ID certificate of your own, stored in the keychain. However, the Mail Help is very vague on how to achieve that. Additionally, Keychain Access does not have its own help (it has a few tips thrown into the general Mac OS X help).
You can get someone's certificate if that person sends you a digitally signed or encrypted message, since that person's certificate is automatically included in such messages. When you receive one of these messages, Mail automatically stores this person's certificate in the keychain.
Once you have a signing certificate for your mail account stored in your keychain, additional buttons appear in the Compose window, allowing you to digitally sign or encrypt a message.
It does not tell us how to add our own signing certificate to the Keychain, or how to create one if we don't have one. The secret is this: Apple's Mail and Keychain currently only work with third-party certificate authorities. The one most people in these circles talk about is thawte.com, where you must establish an identity. This third party vouches that you are who you say you are.
If you would care to use this style of security in your email, then I might direct you to two excellent tutorials,
PGP works differently. It only needs two parties. For example, I know Jake in the real world; we've even lived together. So when he sends me his public key, I don't need a third party to establish who he is. If you have this level of comfort with those you are attempting to communicate with securely, then you are all set: PGP will work for you. Let's see how to get it to work on Mac OS X.
First, go to the MacGPG website and download the latest Mac version of the application, "GNU Privacy Guard." (often shortened to GPG, just to be confusing.) When I wrote this tutorial, version 1.2.4 was current.
Next you'll want to be able to create your own PGP keys, so you'll need an application for that, too. Smartly enough, it's on that same page and called "GPGKeys." You can download it now, too.
We're going to install MacGPG first. It's simple... an installer should automatically appear when it's finished downloading. If it didn't automatically appear, then double-click to open the GnuPG disk image (.dmg). An installer will appear. Follow the instructions. When it is finished, you will not see the finished product anywhere... it's off in the BSD section of your Mac... that's OK. We're going to use other applications which will use GnuPG behind the curtains.
(If you manually turned off the BSD part of the Mac OS X install at any point in your Mac's life, chances are this install will not work. You will need to install this portion from a Mac OS X install disc. By default, the BSD goods are installed. If none of this sounds familiar, worry not, it's likely in there.)
Next, we'll install the application to create our key. Find "GPGKeys" (in the downloads folder, usually your Desktop) and open it up. There is no active installer for this application. Drag the "GPGKeys" application to your Applications folder (or the place of your choice).
Now, go find it and launch it. GPGKeys is a GUI interface to create a PGP key, only in the loosest of interpretations. Under the Key menu, click "Generate" and you'll be brought promptly to the command line. Gasp! I don't see why this couldn't be wrapped in a GUI, but luckily, it's a pretty straightforward CLI.
First, it'll ask what types of cipher you'd like to create. I chose the default.
Second, key size, I again chose the defaults.
Third, expiry... how long do you want this to work until you have to create another.
Next, it asks for name, email, both pretty self-explanatory, and a comment, which is whatever you want it to be. Perhaps a title for your own use, so you might identify this key later.
Next, the app will create the key, using some random text, which you'll be asked to participate in, if you wish.
It will end by showing you a key. You won't have to copy this, because when you quit the application (which it will now ask you about) it'll show up in the GUI app, once you leave the terminal. Once you leave the terminal, if your key isn't seen in the window, refresh the window. (Window > Refresh)
Last words about GPGKeys... if you're looking to exchange PGP-secured documents with others, you'll need their public key. This is stored as a file, and you need to store it in this GPGKeys application. When you acquire the file, you can put it here by simply choosing (File > Import).
Next, we need to incorporate PGP into Apple's Mail.app.
Acquire the GPGMail app from
I didn't see this listed as a requirement anywhere, but I would suggest quitting Apple's Mail during the following install, since this app will be attaching itself to it.
This application also comes with a double-click installer. Use it.
Now, open Apple Mail and check the Preferences, you should have a new pane called "PGP." Set the preferences you'd like to use.
Once these are set, whenever you open a Mail composition window, you'll have a new row beneath the addressing section, which allows you to check a box if you want your message signed and/or encrypted (you can sign an unencrypted email), and pull-down menus to select which keys to use for these tasks.
Once you have this set up, and a friend who is also using a similar set up, and you have exchanged keys, then you can send, receive and read encrypted email. Enjoy.
Posted in: Apple · Technology
ghedo said on 2004.12.12 at 08:08 am
A good tutorial to make the use of gpg easy!
Dan York said on 2005.01.11 at 03:48 pm
Thank you for the howto – I’ve been meaning to set up PGP on my wife’s iMac and this just may prompt me to do so.
Mike Gordon said on 2005.02.11 at 02:13 pm
Great, but how do you use it?
This is the kind of stuff that should be easily available – step by step instructions for doing stuff that’s more complicated than “download and install”. But I confess I did all this and it installed, but I’m still not too sure how to use the encryption and key system. Anyone know of a good user guide?
brian said on 2005.02.12 at 02:31 pm
About using keys…
If you know someone with a key, and they send it to you as an attachment to an email, simply open the GPG Keys app and say “File>Import”, find the formerly-attached file that you downloaded, and add it. Once it’s in your key-keeper, if someone sends you a message with their key now, you’ll see an affirmation in the email window.
As for sending someone your key, I believe you just select your key in the GPG Keys app, “File>Export…” and save the file (somewhere, desktop); you should be able to name it whatever, and then attach it to an email… once they have you in their key app, you’re set. Send them an encrypted email, and they should be able to decrypt it.
The biggest challenge for you may be to find someone who you can exchange keys with, since you have to be a total geek to set this up.
I have a total of one other key in my app…
Martin said on 2005.02.20 at 02:42 am
Is key exchange secure?
If you send your key to someone (or the other way around) via an unencrypted email, there’s a chance for someone who could “sniff” your network traffic to get (via wiretapping) your key and could decrypt your encrypted email too. So I think changing keys via mail is not very secure.
Am I wrong here?
Mniot said on 2005.02.23 at 12:37 pm
Martin: You are wrong. PGP uses public/private key pairs. You never give anyone your private key (over email or anything else), but you give everyone your public key. Having your public key only allows someone to send messages to you, not to impersonate you or read messages that are encrypted for you.
Of course, if you receive someone’s key by email, it may be that the email was really sent by a third party. However, if you trust the email message to get through without modification, it is absolutely secure to send public keys by email.
Lubo Diakov said on 2005.03.15 at 06:42 pm
on the http://macgpg.sourceforge.net/ page
GPG Keychain Access has replaced GPGKeys.
Dave Epstien said on 2005.03.17 at 01:30 pm
copying private key
Thanks for the great tutorial. I realized some time after I installed it that there was no way to back up a private key or copy it in order to use it on a second computer via the GUI. After some searching, however, I found that it is possible to do this via the command line:
Importing the new file via the GUI seems to work fine, however (but remember you must export and import public and private keys separately).
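The walkthrough's GPGKeys and GPGMail steps, the import/export advice and the fingerprint caveat from the key-exchange comments, and Dave's private-key backup point, as one added shell example that is not code from the original post or from the MacGPG project. It assumes gpg 2.1 or later on the PATH and uses constructed identities (brian@example.com, jake@example.com) in a temporary keyring so nothing touches your real one.

```shell
# Added example, not from the original post: command-line equivalents of the GPGKeys /
# GPGMail steps, run in throwaway keyrings. "brian" and "jake" are constructed stand-ins.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
G="gpg --batch --quiet --no-tty"   # non-interactive flags shared by every call below
# GPGKeys > Key > Generate. %no-protection skips the passphrase prompt so this runs
# unattended (gpg 2.1+); a key you actually use should be protected by a passphrase.
gen_key() {  # gen_key <homedir> <name> <email>
  mkdir -p -m 700 "$1"
  $G --homedir "$1" --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 1y
%commit
EOF
}
# GPGKeys > File > Export: the ASCII-armored public key you attach to an email.
export_pub() { $G --homedir "$1" --armor --export "$2"; }
# The key's fingerprint (colon output, field 10 of the first "fpr" record).
fingerprint() { $G --homedir "$1" --with-colons --fingerprint "$2" | awk -F: '/^fpr/{print $10; exit}'; }
# GPGKeys > File > Import, plus the check the key-exchange comments call for: a key
# that arrived by mail is trusted only after its fingerprint is confirmed out of band.
import_verified() {  # import_verified <homedir> <keyfile> <email> <expected-fingerprint>
  $G --homedir "$1" --import "$2"
  [ "$(fingerprint "$1" "$3")" = "$4" ] || { echo "fingerprint mismatch for $3" >&2; return 1; }
}
# The GPGMail sign + encrypt checkboxes; --trust-model always stands in for the owner
# trust you would assign in the GUI once the fingerprint checked out.
sign_encrypt() {  # sign_encrypt <homedir> <sender> <recipient> <plaintext-file>
  $G --homedir "$1" --trust-model always -u "$2" -r "$3" --armor --sign --encrypt -o - "$4"
}
decrypt() { $G --homedir "$1" --decrypt "$2"; }
# Dave's point in the comments: the GUI has no private-key backup, but the CLI does.
backup_secret() { $G --homedir "$1" --armor --export-secret-keys "$2"; }
demo() {  # walks both parties through one exchange and prints the recovered plaintext
  gen_key "$WORK/brian" Brian brian@example.com; gen_key "$WORK/jake" Jake jake@example.com
  export_pub "$WORK/brian" brian@example.com > "$WORK/brian.asc"      # sent as an attachment
  # expected fingerprint taken straight from brian's keyring: a stand-in for the phone call
  import_verified "$WORK/jake" "$WORK/brian.asc" brian@example.com "$(fingerprint "$WORK/brian" brian@example.com)"
  export_pub "$WORK/jake" jake@example.com | $G --homedir "$WORK/brian" --import   # to verify jake's signature
  printf 'hello from jake\n' > "$WORK/msg.txt"
  sign_encrypt "$WORK/jake" jake@example.com brian@example.com "$WORK/msg.txt" > "$WORK/msg.asc"
  decrypt "$WORK/brian" "$WORK/msg.asc"
  backup_secret "$WORK/brian" brian@example.com > "$WORK/brian-secret.asc"   # keep this file offline
}
```

Run `demo` to see the whole exchange; the decrypted line on stdout is accompanied on stderr by gpg's "Good signature" report for Jake's key.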