You may not have realized this, but sending an email is not that different from sending a postcard—with the right know-how, anyone could intercept, read, or change it.
Signing an email with a digital signature means that the recipient can verify that no one has changed anything in the email in transit. Better still, encrypting an email means that no one can read it except the sender and the recipient. Signing and encrypting email is not hard to do.
In order to sign, verify, and encrypt/decrypt mail, you can use GPGTools for Mac, which works together with your desktop email client (like Mail.app) to make signing and encrypting email very easy.
This post will explain how to set up Mac’s Mail.app to allow you to sign and encrypt your email. Note that this was done on a Mac running Snow Leopard 10.6, but should work on any Mac running 10.5 or higher.
1) Install GPGTools
Installing GPGTools is easy.
- Download the GPGTools Installer at http://www.gpgtools.org/installer/index.html
- Double click the GPGTools dmg and open the installer.
- The installer will check that the program can be installed on your operating system (see Figure 1).
- The installer will then ask you to select a destination where GPGTools should be installed. Select your hard drive.
- Now, choose what you would like to install. I went ahead and installed everything, but you can decide what you want (see Figure 2).
- Then click continue.
- Then click install.
The installer will do the rest. Now you have what you need.
2) GPGTools and Mac’s Mail.app
- If you are using Mac’s Mail.app, click Mail > Preferences. In the top panel of the preferences window you should now see GPGMail. Here you can change your preferences. (I will eventually post more on what these options mean, but for now you can look at it yourself.)
3) Generating Public/Private Keys
Generating a key-pair is simple.
- Open the program GPG Keychain Access. Click on New (see Figure 3).
- Fill in your name and the email address you want to use PGP with (see Figure 4).
- Under advanced options, I use the defaults, and leave an expiration date for my key (some people say an expiration date is not so important). I let my keys expire so that, should I be unable to revoke my key for whatever reason, I know my key-pair will be invalid eventually.
- The program will begin creating randomized bytes. The longer you randomize, the better (see Figure 5).
- Now it will ask for a password. Choose a good, long password THAT YOU WILL REMEMBER.
- To help you store your passwords, you can use a program like KeePassX, or write it down and store it somewhere safe. Never, ever leave it on your computer in plain text. That is asking for problems down the road. (For example, anyone can boot off a CD or USB drive and copy the entire contents of your hard drive—and then they have your password.)
The best password is one that is NOT HARD to remember but VERY hard for someone to guess.
- DO NOT USE A WORD FROM THE DICTIONARY. It is easy to use a computer to run through the entries in a dictionary.
- DO NOT REUSE A PASSWORD. Make each password unique.
Personally, I use whole sentences, sometimes mixing languages, with a few random letters and characters thrown in at places which I can remember. Then I save them in an encrypted password manager like KeePassX. Perhaps there are better ways, but I think this is not bad.
- After you type in the password and the confirmation, your key-pair will be generated.
Now you have a key-pair. I suggest uploading your PUBLIC key to a key server (for example, pgp.mit.edu) so others can find you and verify your messages. (I will write a post on that soon.)
How do key-pairs work?
Remember those love stories in which two young lovers each carry 1/2 of a heart-shaped locket around their necks? When they meet again, they put the two halves together, and the perfect fit means it is their true love.
Well, the concept is similar. Your public key is 1/2 of a pair—the private key being the other half.
The private key is for you only, so keep it safe.
On the other hand, you can give anyone your public key. That way, they can check that an email is from you when you sign an email, or encrypt a message to send to you, which only you can decrypt.
Similarly, once you have your friend's public key you can do the same.
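To see both halves of the key-pair at work, here is an added example (not part of the original post) that runs the same sign, verify, encrypt and decrypt steps from the Terminal. It assumes the `gpg` command-line tool (GnuPG 2.1 or later) is on your PATH; the identity, passphrase and function names are constructed for the demo, and it uses a throwaway keyring so your real keys are untouched.

```sh
#!/bin/sh
# Added example: throwaway keyring, constructed identity and passphrase.
# Nothing here touches your real ~/.gnupg.
DEMO_UID='Alice Example <alice@example.invalid>'   # constructed identity
DEMO_PASS='constructed demo passphrase, do not reuse'

# Run gpg non-interactively. Passing a passphrase on the command line is
# acceptable only because this key is disposable.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase "$DEMO_PASS" "$@"; }

# Returns 0 only if every check below behaves as the key-pair model predicts.
keypair_demo() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    msg="$GNUPGHOME/postcard.txt"
    printf 'Meet me at noon.\n' > "$msg"
    status=0

    # Key-pair that expires in one year, matching the expiry advice above.
    g --quick-generate-key "$DEMO_UID" default default 1y || status=1

    # The private key signs; the public key verifies.
    g --armor --output "$msg.asc" --detach-sign "$msg" || status=1
    g --verify "$msg.asc" "$msg" 2>/dev/null || status=1

    # Change one word "in transit": verification must now fail.
    cp "$msg" "$msg.orig"
    printf 'Meet me at nine.\n' > "$msg"
    if g --verify "$msg.asc" "$msg" 2>/dev/null; then status=1; fi

    # The public key encrypts; only the private key decrypts.
    g --armor --recipient alice@example.invalid \
      --output "$msg.gpg" --encrypt "$msg.orig" || status=1
    g --output "$msg.out" --decrypt "$msg.gpg" 2>/dev/null || status=1
    cmp -s "$msg.orig" "$msg.out" || status=1

    # Stop the agent started for the throwaway keyring and remove it.
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
    return "$status"
}
```

Source the file and run `keypair_demo; echo $?`: a result of 0 means the untouched message verified, the altered one was rejected, and the decrypted text matched the original.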
Now you have everything all set. I will write more about sending and receiving signed or encrypted email soon.