Encrypting / Signing my email!

I decided it is a good idea to have the option to sign my email, or encrypt my email if I need to.  And I can do that quite nicely with open source tools. If this is something you would like to have for your Mac, then read on.  For Windows you can find that here, and Linux too.

Things to get before you start

Software – bits, release notes, Support, Getting Started tutorial.  I am doing this with 2015.09 build from 9/24/15.  I am doing this on 10.11 El Capitan and that only has beta support in the software but I understand it works great (it does in fact).

BTW, since this is security stuff, you should always confirm that you downloaded what you think you did.  For a cool easy way of verifying the signature of the downloaded file check this article out.

Install

Since you already confirmed your downloaded file is legit lets install it now.

Notice how you can install or uninstall?  Good to know they have an uninstall option.

Install, or uninstall? Your choice

Install, or uninstall? Your choice

A simple process to install, and once done you are prompted to create a new key pair.

NewKeyPair

GPG Keychain – creating a new key pair

Make sure the email info is the same as what you use with your Mac based email. Also make sure you use a strong passphrase!  I also suggest you enable the upload public key option.  It will take your public key and put it up on a key server which will make it easier for people to find and use to email you more securely.  Be aware once the key is on the key server you will not be able to remove it.

After you have a strong passphrase use the Generate key button.  This will create a key pair that will be you.  It can be used to sign, which means attach your public key to your email in such a way that people will know it is from you for sure.  But anyone can read it potentially, but if anyone changes it that will break your signature.  You can also encrypt emails with this keypair so no one will be able to read or change your email without the destination knowing.

You should see something like below now.

Key

GPG Keychain with my info

BTW, the Key ID for me as seen above is 0267674B which is the ID of my public key.  You could use it to search for my public key.

Sending Mail – sign or encrypt?

Now that the software is installed your email UI will look a little different.

Mail

Notice the green, and the blue?

This screen shows that you have a default of sign your message (blue), and that you are sending OpenPGP rather then S/MIME – shown in green.  If you enter an email address AND you have the public key for that users your lock will change to black as seen below.  BTW, below you can see how to find peoples public key.

Message2

Lock is black since my public key is available

You could push the lock and it would show as black and locked signifying that your email is encrypted and signed.

You can send messages now and by default your messages would be signed.  This is not bad nor will it cause an issue for anyone.  Most users will not even know.

MessageE

My first encrypted email

Good things to know

Here is a variety of things that I think might be useful.

Changing the defaults

You can change the default behavior, for example you may not wish to sign every message.  This can be done via the Mail preferences and changing to the GPGMail section.

Prefs

GPGMail preferences

You can change the basic behavior of GPGMail in Mail in this screen.  So you can deselect the Sign new messages by default option to get the behavior you want.

Finding a user’s public key

So you want to email – securely – with your friends.  How do you find their public key so you can encrypt?

Start by starting up the GPG Keychain.  It should be in your dock.

keys

GPG Keychain

Once started you will see something like below.

Lookup1

The arrow is pointing at what we want to work with.  It will allow us to look up a users public key.

Lookup2

You can see I have typed in Dave’s email address and when I hit the search key we will see if I have found him.  And I did.  So I use the Retrieve key button.  BTW, you can search by using the email address, or the name, or the ID.  In other words you could search for Michael White, or mwhite at datagravity.com or 0267674B and any of these would find my public key.  My email or the number is the best way as it will find me, and Michael White will find a bunch of Michael Whites!

Lookup3

Now when you look at your keychain you can see a new entry.

Lookup4

So this means I can send an email to Dave that is encrypted.  He is my boss so that is handy!  However, note that the Validity is yellow?  If I sit beside Dave, and send him an email that is encrypted and he can read it I can change the Validity to better as I know it is really him.

Changing Validity

It is very good to have strong validity when you are sharing secrets.  If you actually really know that the user who you think you have the public key for is actually that user you can sign their public key.

Sign

As you can see above I am going to Sign my own public key so that is not reasonable or logical.  but if you do the same thing above but on some other user you will see better validity.

Useful Links

Remember you share with others your public key, and your secret key is a secret.  If you lose your secret key you will not be able to read your encrypted email.

Updates

  • 10/21/15 – once you do this, you will be able to see when VMware sends you a security notice if it is signed or not.  And if signed – and they always are – you will see if the signature is broken or not.  Sort of handy actually.

Thanks for reading, if you have questions or comments let me know.

Michael

Tagged with: ,
Posted in How To
One comment on “Encrypting / Signing my email!
  1. […] recently read an awesome blog by Michael White about how he encrypted/signed his email. Given all the news about security I figured it was a good time to consider doing this as well. […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: