Setting up PGP in OS X Mail using GPGTools

With more and more reports of people’s privacy being infringed by newspapers, companies and even governments, it’s hardly surprising that more and more people are looking for ways to protect their privacy online.

One area that is often overlooked is email. Regardless of how careful you are with using secure connections, VPN, clever passwords etc, if you’re sending your emails in plain text you have no guarantees that they aren’t being intercepted and read by various interested parties. A solution to this issue has been available for a very long time, but for some reason it is rarely included by default in email systems. Probably due to vendors wanting to keep their systems as easy as possible to use.

PGP (Pretty Good Privacy) is a method of encrypting and decrypting data. GPG (Gnu Privacy Guard) is an OpenSource implementation of the PGP algorithms, and you can freely use it to protect your emails in transit.

It isn’t hard to get yourself set up.

Install GPGTools

First of all, go to this website and download the GPG Suite Beta 6 - https://gpgtools.org

Next, of course, run the installer. This will install a number of things including a patch for the Mail app adding the PGP features.

Create your key

Now you have the right software, you need to generate a PGP key:

Open the GPG Keychain app.
Click the New button in the toolbar.
Enter your full name and email address for the account you want to send and receive signed/encrypted emails with.
Tick the Upload public key box. This allows others to find your public key to validate your signed emails.
Add a passphrase! This is important as it protects you from somebody else sending emails from your computer or using your private key if they get hold of it somehow.
Click the Generate key button.

By this point you will have two keys in your GPG Keychain. The first will be the public key of the GPGTools Team, which you can use to send them encrypted emails. The second will be the private/public (sec/pub) key-pair which you just generated.

Before moving onto actually using them, it’s a good idea to generate a Revoke Certificate now and store it somewhere securely. If for some reason you ever lose your private key, or forget the passphrase you added, you can then use this revoke certificate to tell people to stop using the matching public key, allowing you to generate and publish a new one. Without the private key you cannot generate a new revoke certificate.

Signing/Encrypting Email

Now that you have your own key-pair, you can now start sending signed/encrypted emails. Open the Mail app and create a new email from the account you generated the key-pair for. You should see a couple of new icons on the right of the window in the subject bar.

The tick icon tells you that your email will be signed with your private key. People will then be able to use the public key you’ve published to verify that the email was sent by you and that no modifications have been made to the email since you sent it. If you don’t want to sign your email, simply click the tick and it’ll switch to a cross.

The padlock icon allows you to swich on/off encryption of your email. However this requires you to have the public key of the recipient you’re sending your email to. You can search for them and add them to your GPG Keychain using the Lookup Key button in the toolbar of the GPG Keychain application. Once you have their public key, your email will be encrypted with that and only their private key will be capable of decrypting your message.

Spread the word!

Without widespread adoption, encryption systems for email are unlikely to be successful in the long term. You can do your part by telling people about it. It really isn’t a difficult system to set up, and once configured there is very little overhead other than remembering a passphrase.

My Public Key

Valid until 31 March 2019 for emails sent to jon.pascoe@me.com: