I decided it is a good idea to have the option to sign my email, or encrypt my email if I need to. And I can do that quite nicely with open source tools. If this is something you would like to have for your Mac, then read on. For Windows you can find that here, and Linux too.
Things to get before you start
Software – bits, release notes, Support, Getting Started tutorial. I am using the 2015.09 build from 9/24/15, on OS X 10.11 El Capitan. El Capitan only has beta support in this release, but I understood it works great, and it does in fact.
BTW, since this is security stuff, you should always confirm that you downloaded what you think you did. For a cool, easy way of verifying the signature of the downloaded file, check this article out.
Since you have already confirmed your downloaded file is legit, let's install it now.
Notice how you can install or uninstall? Good to know they have an uninstall option.
A simple process to install, and once done you are prompted to create a new key pair.
Make sure the email info is the same as what you use with your Mac-based email. Also make sure you use a strong passphrase! I also suggest you enable the upload public key option. It will take your public key and put it up on a key server, which will make it easier for people to find it and use it to email you more securely. Be aware that once the key is on the key server you will not be able to remove it.
After you have a strong passphrase, use the Generate key button. This will create a key pair that identifies you. It can be used to sign, which means attaching a signature made with your key pair to your email in such a way that people will know for sure it is from you. Anyone can potentially still read a signed email, but if anyone changes it, that will break your signature. You can also encrypt emails with this key pair so that no one will be able to read or change your email without the recipient knowing.
You should see something like below now.
BTW, the Key ID for me, as seen above, is 0267674B, which is the ID of my public key. You could use it to search for my public key.
Sending Mail – sign or encrypt?
Now that the software is installed your email UI will look a little different.
This screen shows that you have a default of signing your message (blue), and that you are sending OpenPGP rather than S/MIME, shown in green. If you enter an email address AND you have the public key for that user, your lock will change to black as seen below. BTW, below you can also see how to find people's public keys.
You could push the lock and it would show as black and locked, signifying that your email is encrypted and signed.
You can send messages now, and by default your messages will be signed. This is not bad, nor will it cause an issue for anyone. Most recipients will not even notice.
Good things to know
Here is a variety of things that I think might be useful.
Changing the defaults
You can change the default behavior; for example, you may not wish to sign every message. This can be done via the Mail preferences, in the GPGMail section.
You can change the basic behavior of GPGMail in Mail in this screen. So you can deselect the Sign new messages by default option to get the behavior you want.
Finding a user’s public key
So you want to email securely with your friends. How do you find their public key so you can encrypt?
Start by opening GPG Keychain. It should be in your dock.
Once started you will see something like below.
The arrow is pointing at what we want to work with. It will allow us to look up a user's public key.
You can see I have typed in Dave's email address, and when I hit the search button we will see if I have found him. And I did. So I use the Retrieve key button. BTW, you can search by using the email address, or the name, or the ID. In other words, you could search for Michael White, or mwhite at datagravity.com, or 0267674B, and any of these would find my public key. My email or the ID is the best way, as it will find only me, while Michael White will find a bunch of Michael Whites!
Now when you look at your keychain you can see a new entry.
So this means I can send an email to Dave that is encrypted. He is my boss, so that is handy! However, notice that the Validity is yellow. If I sit beside Dave and send him an email that is encrypted, and he can read it, I can change the Validity to better, as I now know it is really him.
It is very good to have strong validity when you are sharing secrets. If you actually know that the user you think you have the public key for is really that user, you can sign their public key.
As you can see above, I am about to sign my own public key, which is not reasonable or logical. But if you do the same thing on some other user's key, you will see better validity.
- Would you like to have other email addresses in your key? Use this to do it.
- Introduction to Cryptography
- How to verify the downloaded GPG Suite – this can be used to verify other things too, if you have the SHA-1 checksum to compare against.
- Backup or transfer your keys – see this article.
Remember, you share your public key with others, and your secret key stays secret. If you lose your secret key you will not be able to read your encrypted email.
- 10/21/15 – once you do this, you will be able to see, when VMware sends you a security notice, whether it is signed or not. And if signed (and they always are) you will see whether the signature is broken or not. Sort of handy, actually.
Thanks for reading, if you have questions or comments let me know.