Unlimited Plugins, WordPress themes, videos & courses! Unlimited asset downloads! From $16.50/m
  1. Code
  2. Security

It's Time to Encrypt Your Email: Using GPGTools for OS X

This post is part of a series called It's Time To Encrypt Your Email.
It's Time to Encrypt Your Email
It's Time to Encrypt Your Email: Using Keybase
GPG Suite

This is the second tutorial in a series focusing on encrypting your email. The first tutorial introduced the general concepts of encryption and how they can be used to secure and authenticate our emails. In this tutorial, I'll guide you through installing encryption software on your computer and getting started sending your first messages. For this episode, we'll use GPGTools for Mac OS X, an integration of open-source GnuPG

In addition to reading the first episode, you may want to check out the Electronic Frontier Foundation's The Surveillance Self-Defense Guide and their explainer, An Introduction to Public Key Cryptography and PGP. They also have a guide for Windows users: How to Use PGP for Windows PC.

In upcoming episodes, we'll explore encrypting browser-based email and strengthening the "Web of Trust", and then we'll switch topics a bit to encrypting your Internet activities with use of a VPN. Finally, as part of the series on managing your digital assets after your death, we'll use what we've learned to create a secure cache of important information for your descendants in case of emergency.

As always, I do participate in the discussions below. If you have a question or topic suggestion, please post a comment below. You can also follow me on Twitter @reifman or email me directly.

What Is GPGTools?

The GPGTools suite integrates the open-source GnuPG public key support into the Mac OS X operating system to make common, everyday uses of encryption easy for the rest of us. GPGTools consists primarily of three components:

  • GPG Keychain: allows you to manage your own PGP keys and public keys from acquaintances to encrypt and decrypt messages.
  • Plugin for Apple Mail: allows you to encrypt and sign outbound messages and decrypt and verify inbound messages.
  • GPG Services: allows third-party OS X applications to leverage PGP features such as Thunderbird.

Getting Started With GPGTools

Let's walk through how to begin using GPGTools and send our first encrypted message.

Download and Verify the Tools

First, visit the GPGTools home page, scroll down and click the Download GPG Suite button:

GPG Suite Home Page

As we mentioned in part one, if a surveillance authority or hacker wished to pose a man-in-the-middle attack, they could deliver a compromised version of the GPG download to your machine, exposing all of your messaging. So let's check that the digital signature on the download is the same as the one published on the website.

First, we'll check the checksum on our downloaded package from Terminal.

Then, we'll peek at the checksum published on the home page:

The GPG Tools published checksum

Since they are the same, we know we received authentic, safe code. See also How to verify the downloaded GPG Suite?


Once verified, launch the disk image. You'll see the following in Finder:

GPG Suite Package Installation

Double click the Install.pkg package to begin the installation.

GPG Suite Installation Wizard

Follow the standard Mac OS X application installation wizard. Eventually, you'll see the success page:

GPG Suite Installation Success

Launch the GPG Keychain application. This is the program that helps you track all of your colleague's public keys as well as your own public and private key:

GPG Suite Keychain Application

Creating a Key

To begin signing and encrypting messages, we need to create our own key pair. Click on the New key icon. Fill in your name and email address and a complex passphrase. The Intercept recently published an ideal method of choosing a strong passphrase for your private key: Passphrases That You Can Memorize — But That Even the NSA Can't Guess:

GPG Suite Generate a new key pair

GPGTools will generate a key pair for you using... math, complicated math:

GPG Suite Calculating Your New Key Pair

When it's done, it will display a listing for your key pair:

GPG Suite Keychain Listings

Now, we're almost ready to send encrypted and signed messages.

Signing and Sending an Encrypted Message

You can sign any message simply using your private key, but if you want to encrypt a message, you need the recipient's public key. I downloaded a friend's public key from a trusted key server. Alternately, you could upload a public key given to you on a USB flash drive.

Click Import and select the .asc key file to import it into the GPG Keychain:

GPG Suite Importing a Public Key of a Colleague

Once that's done, you can send a message to this user. Note the green OpenPGP badge in the upper right corner. And notice the blue lock and checkmark icons on the Subject line. These indicate that my outbound message will be encrypted and signed.

GPG Tools Sending an encrypted message with digital signature apple mail

When I click send, GPGTools will ask me to enter my Passphrase for it to access my key pair:

GPG Tools Passphrase Request

If you look at the message in the Outbox, you'll see that the message is encrypted in a file called encrypted.asc:

GPG Tools Message in the Outbox

Here's an example of that file's contents—gibberish except to the recipient with the proper private key:

Decrypting and Authenticating a Message

When you receive messages that have been encrypted with your public key, Apple Mail will use GPGTools to automatically verify the sender's digital signature and decrypt the message contents. Note the Security: Encrypted, Signed indicators:

GPG Tools Decrypting a Received Message

What's Next?

I hope you've recruited a few friends to send and receive encrypted messages with. Coming up in the next tutorial, I'll guide you through using a new service which strengthens the Web of Trust, creating a sophisticated audit trail of authentication for the validity of public keys.

Please feel free to post your questions and comments below. You can also reach me on Twitter @reifman or email me directly. You can find my other tutorials by browsing my Tuts+ instructor page

Related Links

Looking for something to help kick start your next project?
Envato Market has a range of items for sale to help get you started.