Encrypt Your Emails on OS X


Now that we know that the American government is probably reading all our email, we should be encrypting all sensitive emails that we send. At the very least, we should be signing all the email that we send, so that it can’t be changed en route.

This guide assumes that you’re using a Mail.app on a Mac, although similar tools exist for Windows and Linux.

First, for those who are unfamiliar with this, here’s an (oversimplified) explanation of how encryption works.

A key is a randomly generated string of characters which is used to encrypt/decrypt your data. Every user has a pair of keys. His public key can be freely shared online. His private key is known only to him, and must be safely stored.

Let’s consider the classic Alice and Bob example.

  • Alice wants to send a message to Bob
  • Alice combines her private key with Bob’s public key to generate a shared secret
  • Alice encrypts her message with the shared secret and sends it to Bob.
  • Now the way this works, the same shared secret can also be generated by combining Bob’s private key and Alice’s public key
  • This means that the message can be decrypted by Bob (assuming he has Alice’s private key)

So, in practice, this means:

  • You need a private/public key pair
  • The person you’re sending email to needs a private/public key pair
  • You need to know the public key of the person you’re sending email to
  • That person needs to know your public key
  • Additionally, your private key is usually encrypted on disk, so you need a password (sometimes called a passphrase) to unlock your private key.

Generating a Key Pair

First, download and install GPG Suite. Then, the GPG Keychain Access application. This should be present in your Applications folder after you install the GPG Suite.

Click on New, and enter your Name and Email address. Upload public key after generation should be checked. You will also need to pick a passphrase to secure your private key on disk.

You should now have a key pair generated for you. To be safe, use GPG Keychain Access to export your key to a file. Make sure that the Allow secret key export option is checked. This makes sure that your private key is exported as well. This will create a file with an asc extension. Keep this file safe!

Remember, if you lose your private key, you cannot read any encrypted mail sent to you, nor can you send any encrypted email. Ditto for your passphrase. I use Arq to backup my private keys and 1Password for my passphrase.

Getting Another Person’s Public Key

You cannot send an encrypted email to someone unless you know their public key.

To do this, open GPG Keychain Access, and press ⌘F to launch the Find dialog. Enter the email address of the person you want to email. Once the search completes, you can import the public key for the email you entered.

You can also do this manually using a key server like http://pgp.mit.edu/

Sending an Encrypted Email

Open/Restart Mail.app. Type ⌘N to compose a new mail. If you set up your keys right, you should see a green OpenPGP on the top right corner of the window.

Once you fill in the To: field with an email address you know the public key for, the little padlock icon on the right should become clickable. Click it.

Padlock Icon

If the padlock is closed, that means that the email you’re about to send is encrypted.

The person you’re sending the email to should be able to view the email as normal (using software like GPG Suite to handle decryption).

If someone else were to try and view the email, this is what they would see:

Un-Decrypted View

Receiving an Encrypted Email

Thankfully, there’s nothing you have to do here, assuming you have the sender’s public key imported into GPG Keychain Access. GPG Suite will automatically decrypt the email and show it to you. It’s seamless!

In fact, here’s what the email from the previous screenshot would look like in Mail.app:

Decrypted Email

Digital Signatures

It might not always be practical/necessary to encrypt all your emails.

However, there is an easy way to avoid MITM attacks (man-in-the-middle attacks, where a third-party could modify the text of the email before it reaches you).

Simply (digitally) sign every email you send. GPG Suite makes this very easy. Just make sure the button next to the padlock is clicked:

Signature Button

Here’s what this does:

  • The text of your message is applied to a one-way function, and a digital fingerprint of your message is obtained.
  • If the text of your message changes even by a single character, this fingerprint ceases to be valid.
  • The fingerprint is signed with your private key, and is attached with the email in a plain-text file called signature.asc
  • The receiver independently calculates the fingerprint of the message, and also decrypts your signature.asc using your public key.
  • If the two match, the email was sent by you, and was not tampered with.

An email client that supports digital signatures (GPG Suite included) will complain if this verification fails.