Using GPGMail to Encrypt Email
This post forms part of the series on Securing Leopard, and covers GPGMail, a Mail.app plugin that lets you digitally sign, encrypt and decrypt email using PGP/GPG.
When Snow Leopard came around, it completely broke support for GPGMail, and there were no other solutions that enabled similar functionality. This caused a significant issue for Snow Leopard users needing GPG functionality. The original developer of GPGMail unfortunately did not have the time to update the plugin and restore support for Snow Leopard.
Since then the GPGMail project has been handed over to a new team of developers who have been working on restoring the full functionality of the plugin under 10.6. This tutorial shows you how to easily install GPGMail and start sending and receiving encrypted emails!
[Updated 21/01/2011] The team at GPGTools have now created a unified installer which consolidates MacGPG2, GPG Keychain Access, GPGMail and GPG Service. Their all-in-one installer simplifies the install process, and installs everything you need for encrypting/signing files and emails.
If you’ve used the GPGTools package, please post your experiences in the comments!
Summary
Pretty Good Privacy (PGP), and its open-source implementation of the same OpenPGP standard, GNU Privacy Guard (GPG), are widely used and accepted solutions for encrypting and digitally signing files and email. Each user has a key pair: one public key and one private key. The public key can be freely distributed; it lets others encrypt files or email so that only you can read them, and lets them verify your signatures. The private key is kept secret (protected by a passphrase): it decrypts messages that were encrypted to your public key, and it creates the digital signatures on files and emails. A digital signature lets the recipients of your messages verify that a message did indeed come from you and has not been modified in transit, provided they already hold your public key and have checked its fingerprint with you out of band (a key downloaded from a web page or key server proves nothing by itself about who generated it).
Note: You do not strictly need your own GPG key to send encrypted email with GPGMail. As long as you have the GPG key of your recipient, you can send them encrypted emails. Without your own key, however, you cannot sign what you send, and nobody can encrypt a reply to you. Creating a key is quick and easy, so I recommend generating one using the steps below.
Installing GPGMail and Generating Keys
- Quit Mail.app
- Download and install the GPGTools package (requires 10.6 or greater)
- Launch GPG Keychain Access
- Click ‘New’ to generate a new key (use Import instead if you already have GPG/PGP keys)
- Enter your name and email address. Choose a key length: 2048 bits or greater is recommended. You can also set an expiration date for this key.
- Click Generate Key, and enter a good passphrase (10+ characters mixing letters, digits and symbols; the passphrase is all that protects the private key file if the machine is lost or stolen). Generation will take a few minutes.
- Once you’ve generated your own key, you can import other people’s keys. Before encrypting to an imported key, compare its fingerprint with the owner over a channel other than email. Here is my GPG key for example.
- Quit GPG Keychain Access and open Mail.app
Using GPGMail (Encryption and Digital Signatures)
Once installed, and with the relevant keys imported, GPGMail is straightforward to use. When composing an email, check the ‘Signed’ and ‘Encrypted’ checkboxes. Encrypting requires the PGP public key of every recipient; if one is missing you will be warned. You can send a signed email to anyone, but they will need a PGP/GPG program and your public key in order to verify the signature. You can also sign an email without encrypting it (when confidentiality is not crucial for a particular message), but it is good practice to always sign messages that you encrypt: an unsigned encrypted message tells the recipient nothing about who actually wrote it, because anyone holding their public key could have produced it.
When you click Send, GPGMail asks for your GPG private key passphrase (needed to create the digital signature). The email is then signed with your private key and encrypted to the public keys of your recipients, so only the holders of the corresponding private keys (and their passphrases) can decrypt it. Note: only the message body and attachments are encrypted. The subject line, sender, recipients and other headers are sent in the clear, so keep anything sensitive out of the subject.
Upon receiving a PGP/GPG encrypted or signed email, you’ll see something similar to the email below.
Click the Decrypt button, and enter your GPG key passphrase at the prompt. The message will be decrypted and, if you have the sender’s Public key, the signature will be verified (as shown below).
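The same workflow from the command line, as an added example that is not part of the original post or of the GPGTools project: it walks through the key generation and import steps of the installation section and the sign, encrypt, decrypt and verify steps of this section using gpg(1), so you can see what each checkbox and button corresponds to. It assumes GnuPG 2.1 or later on the PATH; the user names, addresses, passphrases, file names and message body are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or from the GPGTools project:
# the gpg(1) command-line equivalent of the GPGMail workflow. Two throwaway
# keyrings (GNUPGHOME directories) stand in for two Mail.app users. Names,
# addresses, passphrases and the message body are constructed for this demo.
# Needs GnuPG 2.1 or later.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate" >&2; exit 0; }

DEMO_DIR=$(mktemp -d)
ALICE_HOME="$DEMO_DIR/alice"; ALICE_PASS='alice demo passphrase (constructed)'
BOB_HOME="$DEMO_DIR/bob";     BOB_PASS='bob demo passphrase (constructed)'
MESSAGE='Meet at 10:00 and bring the signed contract.'   # constructed mail body
MSG_FILE="$DEMO_DIR/message.asc"

cleanup() {   # stop the agents gpg spawned for the throwaway homes, then wipe them
    for h in "$ALICE_HOME" "$BOB_HOME"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$DEMO_DIR"
}
trap cleanup EXIT

# gpg in one user's keyring, never prompting; when a passphrase is needed the
# caller passes --passphrase (the role of Mail.app's passphrase prompt).
g() { gh=$1; shift; GNUPGHOME="$gh" gpg --batch --yes --quiet --pinentry-mode loopback "$@"; }

# Primary-key fingerprint of a key in a keyring (first 'fpr' record).
fingerprint() {
    GNUPGHOME="$1" gpg --batch --with-colons --with-fingerprint --list-keys "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 1 (GPG Keychain Access 'New'): RSA 2048 signing key + encryption subkey.
gen_key() {
    home=$1; pass=$2; name=$3; email=$4
    mkdir -p "$home" && chmod 700 "$home"
    g "$home" --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $name
Name-Email: $email
Expire-Date: 1y
Passphrase: $pass
%commit
EOF
}

# Step 2 (GPG Keychain Access 'Import'): import a correspondent's public key,
# check that the key carrying the expected (out-of-band) fingerprint is really
# present, then certify it locally; until then gpg refuses to encrypt to it.
import_and_certify() {
    home=$1; pass=$2; pubfile=$3; expected=$4
    g "$home" --import "$pubfile"
    got=$(fingerprint "$home" "$expected")
    [ "$got" = "$expected" ] || { echo "fingerprint mismatch, not trusting key" >&2; return 1; }
    g "$home" --passphrase "$pass" --quick-lsign-key "$expected"
}

# Step 3 (the 'Signed' + 'Encrypted' checkboxes): sign with the sender's private
# key, encrypt to the recipient's public key, ASCII-armour for mail transport.
# Add --encrypt-to <own fingerprint> if you also want to read your sent copy.
sign_and_encrypt() {
    home=$1; pass=$2; signer=$3; recipient=$4; text=$5; out=$6
    printf '%s\n' "$text" | g "$home" --passphrase "$pass" --local-user "$signer" \
        --recipient "$recipient" --armor --sign --encrypt --output "$out"
}

# Step 4 (the Decrypt button): decrypt, and accept the result only if gpg reports
# a good signature made by the expected key. Prints the plaintext on success.
decrypt_and_verify() {
    home=$1; pass=$2; file=$3; signer=$4
    status="$DEMO_DIR/status.$$"
    plain=$(g "$home" --passphrase "$pass" --status-fd 2 --decrypt "$file" 2>"$status") || return 1
    grep -q "^\[GNUPG:\] GOODSIG " "$status" || { echo "no valid signature" >&2; return 1; }
    grep -q "^\[GNUPG:\] VALIDSIG .*$signer" "$status" || { echo "signed by the wrong key" >&2; return 1; }
    printf '%s\n' "$plain"
}

gen_key "$ALICE_HOME" "$ALICE_PASS" "Alice Example" alice@example.com
gen_key "$BOB_HOME"   "$BOB_PASS"   "Bob Example"   bob@example.com
ALICE_FPR=$(fingerprint "$ALICE_HOME" alice@example.com)
BOB_FPR=$(fingerprint "$BOB_HOME" bob@example.com)

# Public keys travel over the network (mail, key server, web page); the values
# read from the owners' own keyrings stand in for the out-of-band fingerprint check.
g "$ALICE_HOME" --armor --export "$ALICE_FPR" > "$DEMO_DIR/alice.asc"
g "$BOB_HOME"   --armor --export "$BOB_FPR"   > "$DEMO_DIR/bob.asc"
import_and_certify "$BOB_HOME"   "$BOB_PASS"   "$DEMO_DIR/alice.asc" "$ALICE_FPR"
import_and_certify "$ALICE_HOME" "$ALICE_PASS" "$DEMO_DIR/bob.asc"   "$BOB_FPR"

sign_and_encrypt "$ALICE_HOME" "$ALICE_PASS" "$ALICE_FPR" "$BOB_FPR" "$MESSAGE" "$MSG_FILE"
echo "--- start of the armoured message as it travels in the mail body ---"
head -n 3 "$MSG_FILE"
echo "--- Bob decrypts and verifies ---"
decrypt_and_verify "$BOB_HOME" "$BOB_PASS" "$MSG_FILE" "$ALICE_FPR"
```

The step a GUI makes easy to skip is the local certification after the fingerprint check: in batch mode gpg refuses to encrypt to a key nobody has certified, which is the right default. Everything that leaves the sender is the armoured block; the subject and headers of a real mail would travel alongside it in the clear.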
That’s pretty much all you need to know about sending encrypted emails with GPGMail. Feel free to post any questions you may have!
Make sure you get the correct version. I am using Leopard (not Snow Leopard); the default download on the GPGMail page defaults to the Snow Leopard version. I was able to install “successfully” but nothing happened when I opened Mail – no errors and no encryption options.
Nice write up, GPGMail’s instructions are kinda lacking
Hi newbie, thanks for the info.
Indeed the versions are significantly different. If you have 10.3, 10.4, or 10.5, do not use the download link on the right hand side. Instead, find the appropriate download on this page: http://www.gpgmail.org/download/index.html
“GPGMail’s instructions are kinda lacking?” Especially for someone who has never worked with GPG/PGP before, the instructions are practically NONEXISTENT. When I inquired about a manual on their various ticket systems, someone recommended I write one.
First I gotta figure out how it works!
I don’t suppose someone here might consider lending me a hand? Eventually I am supposed to help a dozen or so mac users get on board, and who knows, maybe I’ll write that manual.
I don’t mind posting here either, so others can benefit from the discourse.
Hi Jeff,
Indeed the MacGPG docs are limited, and I’m currently in the process of improving my tutorials.
Luckily MacGPG is quite easy to install and use. I’d be happy to help you out if you need help. I would suggest starting a forum thread about it: http://www.securitygeneration.com/forums/security-generation-forums-group5/mac-os-x-and-ios-forum2
Will do. Thank you for the help and I look forward to the interaction.
We are working on improving documentation about GPG usage and our tools.
e.g. see:
* http://www.gpgtools.org/faq
* http://www.gpgtools.org/intro.html
also feel free to ask questions on the user mailing list or contact us via Twitter:
* http://www.gpgtools.org/about.html
Any volunteers who’d like to help with documentation or creating a manual are very welcome.
All the best,
Steve (GPGTools Project Team)
I want to use Portable Thunderbird for OS X on a USB drive, but with my OpenPGP keys. Ideally they would only exist on the USB drive. How do I accomplish that with Snow Leopard? I have the latest install of MacGPG2 from gpgtools.org.
Thanks in advance for your help!
Hi Frederick,
You need to export your keys from MacGPG2 using GPG Keychain Access. You’ll need to install the Enigmail plugin into your Portable Thunderbird, and you should then be able to import your keys into Enigmail.
I haven’t tried it yet, but I imagine that should do it!