Sign/Encrypt Your Email: GPGTools on a Mac

You may not have realized this, but sending an email is not that different from sending a postcard—with the right know-how, anyone could intercept, read, or change it.

Signing an email with a digital signature means that the recipient can verify that no one has changed anything in the email in transit. Better still, encrypting an email means that no one can read it except the sender and you. Signing and encrypting email is not hard to do.

In order to sign, verify, and encrypt/decrypt mail, you can use GPGTools for Mac, which works together with your desktop email client (like Mail.app) to make signing and encrypting email very easy.

This post will explain how to set up Mac’s Mail.app to allow you to sign and encrypt your email. Note that this was done on a Mac running Snow Leopard 10.6, but should work on any Mac running 10.5 or higher.

1) Install GPGTools

Installing GPGTools is easy.

  • Download the GPGTools Installer at http://www.gpgtools.org/installer/index.html
  • Double-click the GPGTools dmg and open the installer.
  • The installer will check that the program can be installed on your operating system (see Figure 1).
Figure 1: Installer check
  • The installer will then ask you to select a destination where GPGTools should be installed. Select your hard drive.
  • Now, choose what you would like to install. I went ahead and installed everything, but you can decide what you want (see Figure 2).
Figure 2: Choose what to install
  • Then click Continue.
  • Then click Install.

The installer will do the rest. Now you have what you need.

2) GPGTools and Mac’s Mail.app

  • If you are using Mac’s Mail.app, click Mail > Preferences. In the top panel of the Preferences window you should now see GPGMail. Here you can change your preferences. (I will eventually post more on what these options mean, but for now you can look at it yourself.)

3) Generating Public/Private Keys

Generating a key-pair is simple.

  • Open the program GPG Keychain Access. Click on New (see Figure 3).
Figure 3: GPG keychain options
  • Fill in your name and the email address you want to use PGP with (see Figure 4).
Figure 4: Name, email, and default settings.
  • Under advanced options, I use the defaults, and leave an expiration date for my key—some people say an expiration date is not so important. I let my keys expire so that—should I be unable to revoke my key for whatever reason—I know my key-pair will be invalid eventually.
  • The program will then begin collecting random bytes for the key. The longer you randomize, the better (see Figure 5).
Figure 5: Generating random bytes.
  • Now it will ask for a password. Choose a good, long password THAT YOU WILL REMEMBER.
  • To help you store your passwords, you can use a program like KeePassX, or write it down and store it somewhere safe. Never, ever leave it on your computer in plain text. That is asking for problems down the road. (For example, anyone can boot off a CD or USB drive and copy the entire contents of your hard drive—and then they have your password.)

The best password is one that is NOT HARD to remember but VERY hard for someone to guess.

  • DO NOT USE A WORD FROM THE DICTIONARY. It is easy to use a computer to run through the entries in a dictionary.
  • DO NOT REUSE A PASSWORD. Make each password unique.

Personally, I use whole sentences, sometimes mixing languages, with a few random letters and characters thrown in at places which I can remember. Then I save them in an encrypted password manager like KeePassX. Perhaps there are better ways, but I think this is not bad.

Figure 6: I love XKCD

  • After you type in the password and the confirmation, your key-pair will be generated.

Now what?

Now you have a key-pair. I suggest uploading your PUBLIC key to a key server (for example, pgp.mit.edu) so others can find you and verify your messages. (I will write a post on that soon.)

How do key-pairs work?

Remember those love stories in which two young lovers each carry half of a heart-shaped locket around their necks? When they meet again, they put the two halves together, and the perfect fit proves that they are each other’s true love.

Figure 7: Heart-Shaped Locket

Well, the concept is similar. Your public key is 1/2 of a pair—the private key being the other half.

The private key is for you only, so keep it safe.

On the other hand, you can give anyone your public key. That way, they can verify that an email you signed really came from you, or encrypt a message to you that only you can decrypt.

Similarly, once you have your friend’s public key, you can do the same for them.
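The same exchange on the command line, as an added example that is not part of the original post: the gpg binary that GPGTools installs is driven from Python with two throwaway keyrings, Alice's and Bob's. Bob imports Alice's public key, verifies something she signed (and sees verification fail once the text is altered), and encrypts a message that only Alice's private key can open, while Bob, holding only her public key, cannot. The names, addresses and the passphrase-less demo keys are constructed for this example; it assumes a GnuPG 2.1 or newer gpg on PATH and touches no existing keyring.

```python
"""Command-line equivalent of the GPGTools workflow, using two throwaway keyrings.

Added example, not code from the original post or from GPGTools. It assumes the
gpg binary (GnuPG 2.1 or newer) is on PATH; everything happens in temporary
GNUPGHOME directories, so your real keyring is never touched.
"""
import os
import shutil
import subprocess
import tempfile

# Hypothetical identities constructed for this demo (not real addresses).
ALICE = ("Alice Example", "alice@example.invalid")
BOB = ("Bob Example", "bob@example.invalid")


def gpg_available():
    """True when a gpg binary is on PATH (the demo is skipped otherwise)."""
    return shutil.which("gpg") is not None


def gpg(home, *args, stdin=None):
    """Run gpg non-interactively against an isolated keyring directory."""
    cmd = ["gpg", "--homedir", home, "--batch", "--yes", "--quiet", *args]
    return subprocess.run(cmd, input=stdin, capture_output=True)


def generate_key(home, name, email):
    """Batch equivalent of clicking 'New' in GPG Keychain Access.

    %no-protection leaves the private key without a passphrase so the demo
    needs no pinentry; a real key gets the long passphrase the post describes."""
    params = (
        "%no-protection\n"
        "Key-Type: RSA\nKey-Length: 2048\n"
        "Subkey-Type: RSA\nSubkey-Length: 2048\n"
        f"Name-Real: {name}\nName-Email: {email}\n"
        "Expire-Date: 0\n%commit\n"
    )
    result = gpg(home, "--gen-key", stdin=params.encode())
    if result.returncode != 0:
        raise RuntimeError(result.stderr.decode(errors="replace"))


def export_public_key(home, email):
    """The ASCII-armored block you would hand out or upload to a key server."""
    return gpg(home, "--armor", "--export", email).stdout


def import_public_key(home, armored):
    """Equivalent of 'Import' in GPG Keychain Access; True on success."""
    return gpg(home, "--import", stdin=armored).returncode == 0


def demo_roundtrip():
    """Alice signs and Bob verifies; Bob encrypts and Alice decrypts."""
    base = tempfile.mkdtemp(prefix="gpgdemo-")
    alice, bob = os.path.join(base, "alice"), os.path.join(base, "bob")
    for home in (alice, bob):
        os.mkdir(home, 0o700)
    try:
        generate_key(alice, *ALICE)
        generate_key(bob, *BOB)
        # Bob obtains Alice's PUBLIC key (from her, or a key server) and imports it.
        if not import_public_key(bob, export_public_key(alice, ALICE[1])):
            raise RuntimeError("import of Alice's public key failed")

        # Signing: only Alice's private key can produce this signature ...
        signed = gpg(alice, "--clearsign", stdin=b"Meet at noon.\n").stdout
        verified = gpg(bob, "--verify", stdin=signed).returncode == 0
        # ... and any change to the signed text makes verification fail.
        tampered = signed.replace(b"noon", b"dusk")
        tamper_detected = gpg(bob, "--verify", stdin=tampered).returncode != 0

        # Encryption: anyone holding Alice's public key can encrypt to her.
        # --trust-model always stands in for Bob having checked her fingerprint.
        cipher = gpg(bob, "--trust-model", "always", "--armor", "--encrypt",
                     "--recipient", ALICE[1], stdin=b"Secret plan.\n").stdout
        decrypted = gpg(alice, "--decrypt", stdin=cipher).stdout
        # Bob has only the public half, so he cannot read the ciphertext himself.
        bob_cannot_decrypt = gpg(bob, "--decrypt", stdin=cipher).returncode != 0
    finally:
        for home in (alice, bob):  # stop the agents gpg started for each keyring
            subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                           capture_output=True)
        shutil.rmtree(base, ignore_errors=True)
    return {"verified": verified, "tamper_detected": tamper_detected,
            "decrypted": decrypted, "bob_cannot_decrypt": bob_cannot_decrypt}


if __name__ == "__main__":
    print(demo_roundtrip() if gpg_available() else "gpg not found on PATH")
```

Each gpg call is the batch form of a GPGMail action: `--clearsign` and `--verify` are what the Sign button and the signature check in Mail.app do, `--encrypt --recipient` and `--decrypt` are the lock icon and the automatic decryption of incoming mail.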

Now you have everything all set. I will write more about sending and receiving signed or encrypted email soon.


Importing From A Public Key Server

When you want to import a public key from a public key server—for example, to verify a digital signature or send an encrypted email—follow these instructions.

1. Go to a public key server. For this example, I will use the MIT PGP Public Key Server at http://pgp.mit.edu/.

2. At “Search String,” type in the name of the person whose public key you are searching for:

3. You will see results like this (note that I have blocked out any identifying information):

4. Click on the KeyID link (indicated above by the red rectangle) and you will see something like the following:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.0
[...]
=i537
-----END PGP PUBLIC KEY BLOCK-----

In fact, this is my own public key—if you know my email address, you can now use this.

Steps 5 and 6 apply to Mac OS X 10.4 and above. (At the moment I don’t know how it works with other operating systems.)

5. To use a public key, you have to add it to your keychain. Copy and paste the entire text (including “-----BEGIN PGP PUBLIC KEY BLOCK-----” and “-----END PGP PUBLIC KEY BLOCK-----”) into a plain text file. Name it whatever you wish, e.g., public_key.txt.

6. Import this key by using GPG Keychain Access (included with the GPGTools installer): open the “GPG Keychain Access” application, click on import, and select the file (e.g., public_key.txt)—voilà, the public key has been imported and is now ready to be used.
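Before importing, you can check that what you pasted is the complete block: the armor format ends with a four-character checksum line (the "=i537" line in the block above) that covers the key data, so a block that was cut short or mangled by a mail client fails the check before it ever reaches your keychain. The following is an added example, not code from the post or from GPGTools: a pure-Python parser for the armor format with the CRC-24 defined in RFC 4880 section 6.1. The bytes it armors and checks are constructed for the example, not a real key.

```python
"""Check that a pasted ASCII-armored PGP block is complete and intact.

Added example, not code from the original post or from GPGTools. Pure Python,
so it needs no gpg; the CRC-24 follows RFC 4880 section 6.1.
"""
import base64
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# Constructed sample bytes standing in for real key packets.
SAMPLE_DATA = b"constructed sample bytes, not a real key " * 4


def crc24(data):
    """RFC 4880 CRC-24 over the binary (de-armored) data."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(block_type, data, headers=None):
    """Produce an armored block (BEGIN line, headers, base64 data, checksum, END)."""
    lines = [f"-----BEGIN PGP {block_type}-----"]
    lines += [f"{key}: {value}" for key, value in (headers or {}).items()]
    lines.append("")  # blank line separates headers from data
    b64 = base64.b64encode(data).decode()
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append("=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode())
    lines.append(f"-----END PGP {block_type}-----")
    return "\n".join(lines) + "\n"


def dearmor(text):
    """Parse an armored block and return (block_type, headers, data).

    Raises ValueError when the BEGIN/END lines, the blank line after the
    headers or the '=XXXX' checksum are missing or inconsistent: the usual
    symptoms of a block that was copied incompletely or altered in transit."""
    lines = [line.rstrip("\r") for line in text.strip().splitlines()]
    match = re.fullmatch(r"-----BEGIN PGP ([A-Z ]+)-----", lines[0]) if lines else None
    if not match:
        raise ValueError("missing BEGIN line")
    block_type = match.group(1)
    if lines[-1] != f"-----END PGP {block_type}-----":
        raise ValueError("missing or mismatched END line")
    body = lines[1:-1]
    headers = {}
    while body and body[0]:  # header lines run until the first blank line
        key, _, value = body[0].partition(": ")
        headers[key] = value
        body.pop(0)
    if not body:
        raise ValueError("missing blank line between headers and data")
    body.pop(0)
    if not body or not body[-1].startswith("="):
        raise ValueError("missing checksum line")
    checksum_line = body.pop()
    data = base64.b64decode("".join(body), validate=True)
    expected = int.from_bytes(base64.b64decode(checksum_line[1:]), "big")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: block is truncated or altered")
    return block_type, headers, data


def check_block(text):
    """Convenience wrapper returning (ok, message) instead of raising."""
    try:
        block_type, headers, data = dearmor(text)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{block_type}: {len(data)} bytes of data, headers {headers}"


if __name__ == "__main__":
    sample = armor("PUBLIC KEY BLOCK", SAMPLE_DATA, {"Version": "SKS 1.1.0"})
    print(check_block(sample))
    print(check_block(sample.replace(sample.splitlines()[4] + "\n", "")))
```

The checksum only detects accidental damage (a missing line, a wrapped or doctored paste); it is not a signature and says nothing about who owns the key. That assurance comes from comparing the key's fingerprint with the owner out of band, which is what GPG Keychain Access shows you after the import.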

If you imported my public key above, now when I send you an email signed with PGP, you can verify with my public key that no one has tampered with the content of the email in digital transit. Furthermore, you can send me an email encrypted with my public key—only I will be able to read the email’s contents, as only I have the private key to decrypt it.
