How to keep your email private with PGP encryption on your Mac

In our last episode of Private I, I explained the basics of public-key (PK) cryptography, a way to scramble messages in a way that only someone possessing a particular key can decrypt, without that key ever having to be publicly disclosed or shared. Its an effective system that has no known theoretical exploits, and currently deployed implementations are considered robust.

And to recap: The clever bit with the public-key approach is that you have two complementary keys, one public and one private. The public key can be freely distributed. Anything encrypted by someone else with the public key can only be decrypted by having access to the corresponding private key. And a private key can be used to sign a string of text or a document to prove mathematically that only the private keys possessor could have signed it.

But there are two missing pieces that would let Mac, iOS, and other platforms users take advantage of PK. The first is pragmatic: Senders and recipients need compatible software tools or plugins, preferably integrated into apps so that little effort is required. The second is existential: Without pre-arrangement, such as meeting in person or a phone call, how do you know that what purports to be someones public key is actually that persons key?

The easiest way to solve both problems is to use an end-to-end proprietary ecosystem, but that gets us back, more or less, to iMessage or something similar. Silent Circle has one of the best options that embeds public-key cryptography, if you can convince all the people with whom you need to communicate to opt in. It starts at $10 per month for unlimited text, calls, video chat, and file transfers among its users. The services messaging and calling options received scores of 7 out of 7 in the Electronic Frontier Foundations secure messaging scorecard.

But most of us dont live in a walled garden, and one of the companys founders, Phil Zimmermann, is responsible nearly 25 years ago for turning public-key cryptography into what he called PGP, for Pretty Good Privacy. (How PGP works is described in Part 1.)

Composing a message in Mail to a recipient whose key is in your local GPG Keychain, the lock icon can be clicked to encrypt the message when sent.

PGP is available for the Mac via GPGTools, a version of the free software GPG (GNU Privacy Guard). It lets you build a directory of other peoples public keys, while also letting you carry out encryption, decryption, signing, and verifying. (PGP is a trademark, and GPG coined to get around it, but youll often see PGP used generically to refer to this method of using public keys.)

The EFF has very nice step-by-step instructions for installing GPGTools to allow it to be used directly with either Apple Mail or Mozilla Thunderbird for email; the tools are also available via the application Services menu wherever you can manipulate or select text. GPGTools is currently free, but plans to charge a very modest fee for its email plug-in at some point to help support development costs.

The sent message is shown in the Sent mailbox as being encrypted, and has to be decrypted to view as in this window.

The EFF instructions walk you through creating your own public/private key in GPG Keychain. To use GPGTools with email, your key needs to have the same email address as the return address from which you want to send encrypted messages. Once you have a key, you can upload a key to a keyserver by selecting your key and choosing Key > Send Public Key to Keyserver. This makes your key searchable by your name and email address in a PGP directory. A key has an associated fingerprint, a cryptographic transformation of the public key thats far shorter, which Ill get to in a moment.

Original post:
How to keep your email private with PGP encryption on your Mac