
How to keep your email private with PGP encryption on your Mac

Glenn Fleishman | March 3, 2015
In our last episode of Private I, I explained the basics of public-key (PK) cryptography, a way to scramble messages so that only someone possessing a particular key can decrypt them, without that key ever having to be publicly disclosed or shared. It's an effective system that has no known theoretical exploits, and currently deployed implementations are considered robust.

The EFF instructions walk you through creating your own public/private key pair in GPG Keychain. To use GPGTools with email, your key needs to carry the same email address as the return address from which you want to send encrypted messages. Once you have a key, you can upload it to a keyserver by selecting it and choosing Key > Send Public Key to Keyserver. This makes your key searchable by your name and email address in a PGP directory. A key has an associated fingerprint, a cryptographic transformation of the public key that's far shorter, which I'll get to in a moment.

When you compose an email in Mail after going through the installation and key creation, you now have two new icons on the Subject line, as long as the sending account matches a key you've created. The blue starburst checkmark indicates your outgoing mail will be signed by your private key, allowing others to verify that it was not altered in transit, as long as they have your public key. And you can click the lock icon to encrypt if all of the recipients in the address fields have public keys stored in GPG Keychain.

(Note that PGP-encrypted email protects the contents of the message, but not its subject line or its metadata: the routing information and other details stored in email headers, which have formed a large portion of the analysis by the NSA and other governments' security agencies to identify patterns.)

On sending such a message, you're prompted for your passphrase. I store my passphrase in 1Password, so I can bring it up rapidly. If you plan to type it, make it something long and memorable with a single piece of punctuation, like "From the still of the ! night" — this is essentially uncrackable due to length and the fact that the phrase would never appear in any English text used for word-frequency analysis.

Now, of course, your recipients have to go through the same procedure, or use other compatible PGP software. Symantec still makes PGP, although it works on the Mac only with Microsoft Outlook. There are other implementations of GPG for other platforms. And some mobile apps can handle PGP-encrypted documents and email. (I looked for PGP iOS apps that fit the bill, and the current lineup has a variety of limitations. I'll be looking into this further as the situation changes.)

With GPGTools installed, you can also perform all the other PGP-style operations from the Services menu. For instance, as I compose this in BBEdit, I can select BBEdit > Services > Insert My Fingerprint (which is 53F4 9E97 2652 4E2F 2993 4611 BB54 A24B EDD1 8384). I can also encrypt, sign, verify, and so forth.
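As an added example (not code from this article or from GPGTools), the following Python computes an OpenPGP version 4 fingerprint from a public key the way GnuPG does, which is the "cryptographic transformation of the public key" mentioned earlier, and renders it in the ten-group form that Insert My Fingerprint pastes. The RSA modulus, exponent and creation time are constructed sample values, not a real key; the SHA-1 construction follows RFC 4880.

```python
import hashlib
import struct

# Constructed sample RSA public key (not a real key): a 1024-bit odd modulus,
# the common public exponent 65537, and a made-up creation timestamp.
SAMPLE_N = (1 << 1023) | 0x123456789ABCDEF1
SAMPLE_E = 65537
SAMPLE_CREATED = 1425340800  # constructed: 2015-03-03 00:00:00 UTC

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880, section 12.2: SHA-1 over 0x99, a 2-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def format_fingerprint(fp: bytes) -> str:
    """Render the 20 bytes as ten groups of four upper-case hex digits."""
    hexstr = fp.hex().upper()
    return " ".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))

def key_id(fp: bytes) -> str:
    """The long key ID is simply the last 8 bytes (64 bits) of the fingerprint."""
    return fp[-8:].hex().upper()

def fingerprints_match(shown: str, expected: str) -> bool:
    """Compare two fingerprints ignoring spacing and case. Always compare the
    whole string: a matching prefix or key ID alone is not a verified key."""
    def norm(s: str) -> str:
        return "".join(s.split()).upper()
    return norm(shown) == norm(expected)

def sample_fingerprint() -> str:
    """Fingerprint of the constructed sample key, formatted for display."""
    body = v4_public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
    return format_fingerprint(v4_fingerprint(body))

if __name__ == "__main__":
    print("fingerprint:", sample_fingerprint())
```

Comparing the full fingerprint, rather than the short key ID, is what makes a keyserver lookup trustworthy, since anyone can upload a key bearing your name and address.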
