
Getting started with PGP in OS X

If reading the news over the past few weeks has told us anything, it’s that the government will seize any opportunity to have a crack at reading your personal communications. David Cameron has decided that the likes of WhatsApp, Snapchat, and Facebook Messenger are a threat to the very fabric of society due to their encrypted nature; he feels that in order for the country to be safe the security services need to be able to read everything. The old adage about not worrying if you have nothing to hide comes to mind.

I am going to talk you through how to protect probably one of the most widely used forms of digital communication: email. To do this we’re going to set up PGP, or to be precise, GPGTools, the open source equivalent for Mac.

Note, this guide is for an Apple user, specifically someone running OS X Yosemite. If you’re using Windows, you probably have bigger privacy problems than David Cameron so don’t worry too much about encrypting your email.

What is PGP?

First of all, what is PGP? PGP is an encryption algorithm widely used throughout the world. It stands for “Pretty Good Privacy” and is a public/private key system. In public/private key encryption one is able to distribute the public key to anyone at all (hence the name) and this key can be used to encrypt communications to the owner of that key. Through the miracle of cryptography only the private key can decrypt those communications, and as the name suggests, the private key is just that: private.

PGP is desirable as an encryption method because it’s quite simple to use, established, and most importantly, open source. Although commercial software exists to implement PGP, open source software is sufficient for the average user and just as capable.

Why use encryption for email?

Encrypting your email has two benefits. Firstly, it protects the contents of your message from prying eyes. Secondly, it confirms the identity of the sender so you know it was really sent from that person. This second point is accomplished by digitally signing the email with the private key that only you have. This digital signature has a two-fold benefit because it is also able to confirm the integrity of the message, i.e. whether it has been tampered with in transmission.

Isn’t email already encrypted I hear you ask?

Yes, to some extent email already is encrypted. Many mail providers provide SSL encrypted websites to write your webmail on, and for those using desktop mail clients they provide SSL/TLS encrypted SMTP and IMAP servers so the mail is encrypted in transit. Furthermore, the majority of major providers encrypt the email in transit to the recipient mail server, using the same SSL/TLS encryption. The problem with this, you may realise, is that all of that encryption is handled by someone else. You don’t know at what point they may choose to decrypt it, or for that matter be compelled to decrypt it by a court or government.

If you add your own layer of encryption onto the message itself, then you have ultimate control over whether that message is read. If your mail provider is compelled to hand over the encryption keys to their systems then at least all the government or court is going to get is another layer of encryption, one for which they’re going to have to ask you for the key. Of course, whether you comply and provide the key is another matter, and it may well be a legal requirement in your country for you to provide the key; it certainly is in the UK. But at least you know about it, right? And casual blanket surveillance is impossible without your knowledge and cooperation.

Installing PGP

So, let’s get started then shall we? For the purpose of this guide I will presume that you are using Apple Mail, and that you have an email account set up in it and working already.

  1. Go to https://gpgtools.org and download the latest version. At the time of writing that was GPG Suite Beta 4.
  2. Open up the DMG file, and go ahead and double click to install it.
  3. Once it’s installed, open up the GPG Tools software from your application menu, assuming it didn’t open itself after installation.
  4. Now, create a new key for the email address you have set up in Apple Mail. You can do this by either following the wizard that may open on first load, or by clicking the new key button.
  5. It will ask you for a passphrase. Choose a good one: make it complex and not something easily guessed. And most important of all, keep it secret, from everyone, even your wife and grandmother.
  6. If you have the option, select to send your newly generated key to the key server. This will help other people using PGP automatically discover your public key when emailing you, without any complicated faffing around sharing the key manually via email or carrier pigeon or something.
  7. Once the key is generated, you’re done! You are ready to start sending government-frustrating emails to upset your friendly local spy, or malicious foreign agent come to that!

How to use?

Using GPG Tools is pretty easy actually: open up Mail and click to compose a new message. You’ll notice in the corner a lovely little green icon for GPG Tools to indicate that it has a key for the email address you are composing from.

[Screenshot: GPGTools green corner]

And if you look next to your subject line you’ll see two new icons have appeared, for signed (wax seal icon) and encrypted (padlock icon).

[Screenshot: GPGTools compose mail buttons]

If GPG Tools has a public key for the person you’re trying to email it will encrypt the email with their public key and the icon will go blue to confirm it is going to be encrypted. Naturally you need the recipient’s public key to encrypt a message to them.

All emails will be signed by default. This will attach a special file and some data to the email that, if their mail client understands it, will confirm it is indeed from you. Well, to be precise it is from someone who has a key that is set up with your email address. How does that mean it’s you? After all, I could set up a key right now and type in your email address, and no one would be any the wiser.

Signing keys

The final piece of the puzzle for PGP encryption is trust. If I know you and I personally email you my public key then you can be pretty sure that the key is from me and you can trust it. But what if you got the key from the key server? Or maybe it was automatically included on an email that you’re not sure is definitely from me? How do you confirm it’s actually me who generated that key? The “key” to this question is trust.

If I download a key off a key server, I can look at that key and see if anyone else has indicated that they trust it. This is done by signing a key. Once I have a key, and I’ve confirmed that the key I have is definitely for that person, I can sign the key with GPG Tools and re-upload that key to the key server with my signature attached as a seal of approval, so to speak. Another person can then look at the key and see that lots of people trust that key, so they can probably trust it too, especially if some of those signatures are from people they know as well.

So, how to sign a key? Simple, right click the key in the GPG Tools software and click “Sign…” and then follow the few simple questions and re-upload the newly signed key to the key server for others to see, and in turn trust a little bit more thanks to your vote of approval.

[Screenshot: key signing]
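The "confirm the key is definitely for that person" step usually means comparing the key's fingerprint with one the owner gives you directly. The sketch below is an added example, not part of the original guide or of GPG Tools: it computes a version 4 OpenPGP fingerprint as defined in RFC 4880 and shows that two keys carrying the same email address still have different fingerprints. The user ID, timestamps and key numbers are constructed sample values, not real keys.

```python
import hashlib
import struct

RSA = 1  # OpenPGP public-key algorithm ID for RSA (RFC 4880, section 9.1)

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then the bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_pubkey_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 public-key packet: version, creation time, algorithm, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([RSA]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, a 2-byte body length, and the packet body (RFC 4880, 12.2).
    The user ID (name and email) is not part of this input."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def normalise(fp: str) -> str:
    """Fingerprints are usually read out in spaced groups; strip spaces and case."""
    return "".join(fp.split()).upper()

def ok_to_sign(candidate_body: bytes, fingerprint_from_owner: str) -> bool:
    """Sign only if the downloaded key matches what the owner gave you directly."""
    return v4_fingerprint(candidate_body) == normalise(fingerprint_from_owner)

# Constructed sample data: toy numbers standing in for key material, not real keys.
CLAIMED_USER_ID = "Alice Example <alice@example.org>"
genuine = rsa_pubkey_body(1420070400, (1 << 2047) + 0x2B5, 65537)
impostor = rsa_pubkey_body(1421280000, (1 << 2047) + 0x4F1, 65537)

# What the owner reads out in person or over the phone, in the usual grouped form.
fp = v4_fingerprint(genuine)
spoken = " ".join(fp[i:i + 4] for i in range(0, 40, 4)).lower()

if __name__ == "__main__":
    # Both keys claim the same user ID; only the fingerprint tells them apart.
    for label, body in (("genuine", genuine), ("impostor", impostor)):
        print(f"{label:9}{CLAIMED_USER_ID}  {v4_fingerprint(body)}  "
              f"sign? {ok_to_sign(body, spoken)}")
```

Because the email address is not an input to the fingerprint, anyone can attach your address to their own key, but they cannot make that key match the fingerprint you hand out yourself.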

Final points

PGP encryption, or any encryption come to that, is not going to protect you from legal wire taps and court orders. As I hinted at earlier in this post, many western governments have the capability in law to compel you to provide the encryption key for encrypted communications. Refusing to hand over the key could well get you in a lot of trouble. However, what PGP encryption does mean is that you at least are aware of the monitoring or interception of your email because you were aware of the compulsion to provide the key. Your mail provider may not have told you if they’d been compelled to hand over your emails.

PGP encryption is only any good if people actually use it. These days it isn’t difficult to use, so encourage those who you email regularly to begin using it and it will become mainstream. It’s all well and good you signing all your emails, but if the people you are emailing don’t use PGP then that digital signature is pointless, and if they don’t use PGP then your message to them, and their message to you, isn’t encrypted either.

Finally, keep your computer clean and safe. If your computer is vulnerable to attack by malware or hackers, then the chances are the encryption key is vulnerable too. All it takes is a key logger and they have your private key and can decrypt the messages without your knowledge, whoever “they” might be. Malware for Mac is few and far between, but that doesn’t mean you shouldn’t be sensible and stay safe online. Plus, let’s face it, the data on your PC itself is probably a lot more interesting than whatever it is you’re emailing, so it’s probably worth keeping that safe even more than your email, but that is a topic for another day.