Email security, asymmetric encryption, keys…all confusing and complicated subjects to the uninitiated. However, there are some tools that help make the job of keeping your email secure much easier, especially on a Mac. In this tutorial, I'll show you how you can keep your email secure from prying eyes by using GPGTools to create your own keys and encrypt your email.
Email is one of the most commonly used internet services today. Edward Snowden’s disclosure of massive government internet spying has raised awareness of computer privacy and security worldwide, and email is no exception. In fact, email is arguably one of the highest-priority targets for government agencies, since it carries a lot of content as well as metadata: sender and recipient addresses, timestamps, and possibly locations.
Unless you are hosting your own email service on your physical server, your email provider may already allow the government to filter through your emails. According to some of the released documents, services hosted by Google, Microsoft, and Apple, among others, are open to spying by the NSA and other agencies. Large public companies have basically no choice but to comply when the government confronts them with a National Security Letter. Smaller private companies, like Lavabit, have shut their secure email services to avoid compromising their users’ accounts.
Even if you are using a “secure” service like Lavabit, the message is handled as plaintext by each provider along the way, and the hop from your provider to the recipient’s provider may travel with no transport encryption at all (readable by anyone watching the traffic). Where providers do use TLS between their servers, that protects only the hop itself; the providers at each end still see the full message.
If you are serious about keeping your email secure, there are basically no options but to take matters into your own hands by encrypting your email before it ever leaves your computer.
How to get started
GPGTools is a free open-source software suite (based on GnuPG) that handles encrypting files and email messages. It has plugins for Apple Mail and the Services context-aware menu for encrypting text, files, or anything else you have selected.
Mailvelope is a browser plugin for Chrome and Firefox that allows you to read and send encrypted emails from webmail providers like Gmail, Yahoo! Mail, Outlook.com, and more.
Private and public keys
GPGTools, like every solution based on GnuPG, uses public-key cryptography: each user owns a pair of keys. Exported, a key is an ASCII-armored block of text that looks something like this, only much longer:
Keys are created in pairs: a public and a private key that fit together.
The public key is available for anybody to see and use. A sender encrypts a message to the key owner with the owner’s public key; once encrypted, it can only be decrypted with the matching private key, because the public key can lock a message but cannot unlock it. (Under the hood, OpenPGP encrypts the message body with a random one-time symmetric key and encrypts only that small key to the recipient’s public key.) Public keys may be distributed on the owner’s website, in email signatures, on public keyservers (directories of public keys and their owners’ names and email addresses), or anywhere else the owner wishes to post them.
The private key is for the owner’s use only; it decrypts anything that was encrypted with the matching public key, and it creates the owner’s signatures. It is the most important part of the whole system: if the private key gets out, anybody can decrypt messages intended for the key owner and sign messages in the owner’s name. Guard it carefully: keep it only on machines you control, protect it with a strong passphrase (GnuPG encrypts the stored private key with it, so a copied key file alone is not immediately usable), and never send it to anyone.
The key pair can also be used to verify the sender of a message: if the sender signs it with their private key, anybody holding the public key can check that the message was in fact signed with the matching private key and that it was not altered afterwards. Signing proves origin and integrity; it does not hide the content, so a confidential message must be encrypted as well.
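To make the mechanics above concrete, here is an added example in Go using only the standard library. It is not GPGTools or GnuPG code and is a simplified stand-in for the OpenPGP message format, but it has the same shape: a random one-time session key encrypts the message body, that key is encrypted to the recipient’s public key, and the sender signs the message. It also demonstrates the two properties just described: only the matching private key opens the envelope, and the signature check fails if the message was tampered with or came from a different key. The choice of RSA-OAEP, AES-GCM and RSA-PSS, the 2048-bit key size, and the SHA-256 fingerprint are this example’s assumptions, not GnuPG’s defaults.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// KeyPair holds one person's halves; GnuPG also encrypts the private half on disk under a passphrase.
type KeyPair struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

func NewKeyPair() (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // illustrative key size, an assumption of this example
	if err != nil {
		return nil, err
	}
	return &KeyPair{Private: priv, Public: &priv.PublicKey}, nil
}

// Fingerprint is a short digest of a public key that two people compare out of band before
// trusting a key fetched from a keyserver. SHA-256 over DER here; OpenPGP defines its own format.
func Fingerprint(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an RSA public key
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

type Envelope struct {
	WrappedKey []byte // one-time session key, encrypted to the recipient's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // message body, encrypted under the session key
	Signature  []byte // sender's signature over the plaintext
}

// Seal encrypts plaintext to recipient and signs it with sender's private key. As in OpenPGP,
// the body is encrypted with a random symmetric session key and only that key is encrypted with RSA.
func Seal(plaintext []byte, sender *KeyPair, recipient *rsa.PublicKey) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(sessionKey) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPSS(rand.Reader, sender.Private, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), Signature: sig}, nil
}

// Open recovers the plaintext with the recipient's private key and checks the signature against the
// claimed sender's public key. Any other private key, any other sender, or any altered byte makes it fail.
func Open(env *Envelope, recipient *KeyPair, sender *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipient.Private, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key was not encrypted to this private key")
	}
	block, _ := aes.NewCipher(sessionKey) // a correctly unwrapped key is 32 bytes
	gcm, _ := cipher.NewGCM(block)
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext was altered in transit")
	}
	digest := sha256.Sum256(plaintext)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature does not match the claimed sender's public key")
	}
	return plaintext, nil
}

func main() {
	alice, _ := NewKeyPair()
	bob, _ := NewKeyPair()
	eve, _ := NewKeyPair() // will hold the envelope but not Bob's private key
	fmt.Println("Alice's fingerprint, to confirm with her by phone:", Fingerprint(alice.Public))
	env, _ := Seal([]byte("meet at noon"), alice, bob.Public)
	msg, err := Open(env, bob, alice.Public)
	fmt.Printf("Bob reads %q (err=%v)\n", msg, err)
	_, err = Open(env, eve, alice.Public)
	fmt.Println("Eve gets:", err)
}
```

Run it with go run. Bob, holding the matching private key and Alice’s public key, recovers the message; Eve, who captured the same envelope, cannot recover the session key, and anyone who flips a byte of the ciphertext or substitutes a different sender key gets an error instead of text.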
How to Use GPGTools
Creating a private-public key pair
After installing GPGTools, open GPG Keychain Access. You’ll see one public key in the keychain already from the GPGTools Team. Click on the New icon in the toolbar to set up your first key. Enter your name and email address and leave the other settings as they are unless you have a need to change them.
You will be prompted to enter a strong passphrase for the key; this passphrase encrypts the private key on disk, and you will need it every time you decrypt or sign. Once you have entered it, move your mouse around and type random characters on the keyboard to give the system extra entropy for generating a good key. After a few seconds, your brand-new key shows up in GPG Keychain Access.
If you want other people to be able to send you encrypted email (and why wouldn’t you?), upload your public key to the keyservers, collections of public keys that anybody can search. Just right-click on the key and choose Send public key to Keyserver. You can also post the key, or a link to it, on your website, in your email signature, and so on, so people can find it easily. Two caveats: keyservers do not check that the uploader actually owns the name and address on a key, so anyone looking you up should confirm your key’s fingerprint with you through another channel before trusting it; and on the traditional keyserver network an uploaded key cannot be deleted later, so upload only a key you intend to keep.
For extra features, you can double-click on the key and add a photo, subkeys, and set other advanced options. For now, let’s move on to encrypting email.
When you compose a new email message, you’ll notice a new OpenPGP header in the compose window, as well as a lock icon and a seal icon:
The seal means that this email will be digitally signed with your key. By default, this is turned on for all messages.
In order to encrypt a message, you need the recipient’s public key in your GPG Keychain (search the public keyservers or ask them for it, and confirm the fingerprint with them out of band, since a keyserver entry proves nothing about who uploaded it). Once the public key is installed, the lock icon becomes active and you can click it to turn encryption on; if you don’t have their public key, the lock icon stays disabled.
If you receive an encrypted email, you will also see a new Security header in the email info:
That’s all there is to sending encrypted email; it’s not all that confusing after all! One limit to keep in mind: encryption covers the message body and attachments, but the Subject line and the other headers (sender, recipient, date) are sent in the clear, so keep anything sensitive out of the subject.
- Compliance statements: by default, all outgoing messages are signed with your private key, allowing recipients to verify that they were not changed in transit. If your company’s mail server appends a compliance statement, or the message is altered in any other way, the recipient’s mail client will flag the signature as invalid, warning that the message has been changed.
- Possible confusion: if a recipient is not using PGP-compatible encryption software, the signature that is sent by default shows up as an attachment named signature.asc, full of seemingly random characters like the public key sample above, which may leave some people wondering what they are supposed to do with it.
- Mobile clients: probably the biggest pitfall is that even if you have GPGTools installed on your Mac, you’ll need an app on your mobile device if you want to send or read encrypted email. There are several available, but setting them up and transferring keys, etc. is beyond the scope of this tutorial.
In addition to sending verified and encrypted email, GPGTools can also encrypt files—just right-click on any file in Finder, go to Services, and choose OpenPGP: Encrypt File. It will bring up a dialog box asking which public key you would like to use for encryption, and allow you to optionally sign it as well. If you select a group of files, they will be automatically compressed into a zip archive before encryption.
In this tutorial, I’ve explained the need for taking privacy into our own hands and how GPGTools for Mac can make it easy and almost automatic.
While your initial thought may be, “Well, that’s interesting … I think I’ll download it and try it just for fun,” email encryption will do you no good if you don’t actually use it. In addition, if you encrypt only important emails, you’re painting a target for anybody who wants to see what you’re doing: if everything is sent in the clear and only a few messages are encrypted, there must be something important there. The best way to use email encryption is to use it whenever possible.
Do you have any other tips or questions about email encryption? If so, leave them in the comments below.