November 30, 2010

Using GPGMail to Encrypt Email

This post forms part of the series on Securing Leopard, and covers GPGMail, a Mail.app plugin that allows you to digitally sign, encrypt and decrypt emails using PGP/GPG.

When Snow Leopard came around, it completely broke support for GPGMail, and there were no other solutions that enabled similar functionality. This caused a significant issue for Snow Leopard users needing GPG functionality. The original developer of GPGMail unfortunately did not have the time to update the plugin and restore support for Snow Leopard.

Since then the GPGMail project has been handed over to a new team of developers who have been working on restoring the full functionality of the plugin under 10.6. This tutorial shows you how to easily install GPGMail and start sending and receiving encrypted emails!

[Updated 21/01/2011] The team at GPGTools have now created a unified installer which consolidates MacGPG2, GPG Keychain Access, GPGMail and GPG Service. Their all-in-one installer simplifies the install process, and installs everything you need for encrypting/signing files and emails.

If you’ve used the GPGTools package, please post your experiences in the comments!

Summary

Pretty Good Privacy (PGP), and its open source equivalent GNU Privacy Guard (GPG), is a widely used and accepted solution for file and email encryption and digital signatures. PGP is based on a model where each user has one public key and one private key. The public key can be freely distributed, and only allows others to send you encrypted files or email. The private key is kept secret; it allows you to decrypt messages encrypted using your public key, and also to create digital signatures of files and emails. Digital signatures allow the recipients of your messages to verify that the message did indeed come from you, and that it hasn’t been modified, as long as they already possess your public key.

Note: You do not necessarily need to create your own GPG key in order to use GPGMail. As long as you have the GPG key of your recipient, you will be able to send them encrypted emails. You just won’t be able to create digital signatures. Creating a key is quick and easy however, so I recommend generating one using the steps below.

Installing GPGMail and Generating Keys

  1. Quit Mail.app
  2. Download and install the GPGTools package (requires 10.6 or greater)
  3. Launch GPG Keychain Access
  4. Click ‘New’ to generate a new key (use Import instead if you already have GPG/PGP keys)
     (Screenshot: GPG Keychain Access generating keys)

  5. Enter your name and email address. Choose a key length: 2048 or greater is recommended. You can also set an expiration date for this key.
  6. Click Generate Key, and enter a good passphrase (10+ characters with alphanumerics and symbols). This will take a few minutes.
  7. Once you’ve generated your own key, you can import other people’s keys. Here is my GPG key for example.
  8. Quit GPG Keychain Access and open Mail.app

Using GPGMail (Encryption and Digital Signatures)

Once installed, and with the relevant keys imported, GPGMail is quite straightforward to use. When composing an email, simply check the ‘Signed’ and ‘Encrypted’ checkboxes. You will need the PGP Public key of each recipient, otherwise you will be warned that keys are missing. You can send a signed email to anyone, but they will need a PGP/GPG program and your Public key in order to verify the signature. Note that you can just sign an email without encrypting it (if confidentiality is not crucial for a particular message), but it’s generally good practice to always sign messages when you encrypt them.

When you click Send, GPGMail will ask for your GPG Private key password (to create the digital signature). Your email will then be signed and encrypted with the public keys of your recipients. Only the people with the corresponding Private keys (and passwords) will be able to decrypt the message. Note: The subject line is not encrypted, so beware!
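To make the subject-line caveat concrete, the added example below (not part of the original post and not GPGMail's own code) parses a message and reports how the body is protected and which headers remain readable to every mail server on the path. It assumes the PGP/MIME layout of RFC 3156; the sample message, addresses and placeholder armor are constructed, and the function names are hypothetical.

```python
from email import message_from_string
# Constructed sample in the RFC 3156 layout; the armor is a placeholder,
# not real ciphertext, and the addresses are made up.
SAMPLE = """\
From: alice@example.org
To: bob@example.org
Subject: Offer letter for J. Smith
Date: Tue, 30 Nov 2010 10:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(placeholder ciphertext)
-----END PGP MESSAGE-----
--b1--
"""
ARMOR = "-----BEGIN PGP MESSAGE-----"
ENVELOPE = ("From", "To", "Cc", "Subject", "Date")

def body_protection(msg):
    """Return 'pgp-mime', 'inline-pgp' or 'none' for a parsed message."""
    if msg.get_content_type() == "multipart/encrypted":
        parts = msg.get_payload()
        ok = (msg.get_param("protocol") == "application/pgp-encrypted"
              and isinstance(parts, list) and len(parts) == 2
              and parts[0].get_content_type() == "application/pgp-encrypted"
              and ARMOR in parts[1].get_payload())
        return "pgp-mime" if ok else "none"
    for part in msg.walk():
        if part.get_content_maintype() == "text" and ARMOR in part.get_payload():
            return "inline-pgp"
    return "none"

def exposure_report(raw):
    """Report body protection and the headers any relay can still read."""
    msg = message_from_string(raw)
    visible = {h: msg[h] for h in ENVELOPE if msg[h] is not None}
    return {"body": body_protection(msg), "cleartext_headers": visible}
print(exposure_report(SAMPLE))
```

On the sample, the body is reported as `pgp-mime` while From, To, Subject and Date come back in the clear, which is why sensitive details belong in the body and not in the subject.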

Upon receiving a PGP/GPG encrypted or signed email, you’ll see something similar to the email below.

Click the Decrypt button, and enter your GPG key passphrase at the prompt. The message will be decrypted and, if you have the sender’s Public key, the signature will be verified (as shown below).

That’s pretty much all you need to know about sending encrypted emails with GPGMail. Feel free to post any questions you may have!

8 Comments
  1. newbie
    Dec 9 2010

    Make sure you get the correct version. I am using Leopard (not Snow Leopard); the default download on the GPGMail page defaults to the Snow Leopard version. I was able to install “successfully” but nothing happened when I opened Mail – no errors and no encryption options.

    Nice write up, GPGMail’s instructions are kinda lacking

  2. Dec 9 2010

    Hi newbie, thanks for the info.

    Indeed the versions are significantly different. If you have 10.3, 10.4, or 10.5, do not use the download link on the right hand side. Instead, find the appropriate download on this page: http://www.gpgmail.org/download/index.html

  3. jeffdubya
    Feb 10 2011

    “GPGMail’s instructions are kinda lacking?” Especially for someone who has never worked with GPG/PGP before, the instructions are practically NONEXISTENT. When I inquired about a manual to their various ticket systems, someone recommended I write one.

    First I gotta figure out how it works!

    I don’t suppose someone here might consider lending me a hand? Eventually I am supposed to help a dozen or so mac users get on board, and who knows, maybe I’ll write that manual.

    I don’t mind posting here either, so others can benefit from the discourse.

  4. Feb 10 2011

    Hi Jeff,

    Indeed the MacGPG docs are limited, and I’m currently in the process of improving my tutorials.

    Luckily MacGPG is quite easy to install and use. I’d be happy to help you out if you need help. I would suggest starting a forum thread about it: http://www.securitygeneration.com/forums/security-generation-forums-group5/mac-os-x-and-ios-forum2

  5. jeffdubya
    Feb 10 2011

    Will do. Thank you for the help and I look forward to the interaction.

  6. Steve Bell
    Feb 20 2011

    We are working on improving documentation about GPG usage and our tools.

    e.g. see:
    * http://www.gpgtools.org/faq
    * http://www.gpgtools.org/intro.html

    also feel free to ask questions on the user mailing list or contact us via Twitter:
    * http://www.gpgtools.org/about.html

    Any volunteers who’d like to help with documentation or creating a manual are very welcome.

    All the best,
    Steve (GPGTools Project Team)

  7. Frederick
    May 2 2011

    I want to use Portable Thunderbird for OS X on a USB drive, but with my OpenPGP keys. Ideally they would only exist on the USB drive. How do I accomplish that with Snow Leopard? I have the latest install of MacGPG2 from gpgtools.org.

    Thanks in advance for your help!

  8. May 9 2011

    Hi Frederick,

    You need to export your keys from MacGPG2 using GPG Keychain Access. You’ll need to install the Enigmail plugin into your Portable Thunderbird, and you should then be able to import your keys into Enigmail.

    I haven’t tried it yet, but I imagine that should do it!
