As part of my cybersecurity posts I’ve decided to write briefly about PGP (Pretty Good Privacy) encryption of email. We will use GPG, which stands for GNU Privacy Guard and is a compatible free software equivalent of Symantec’s proprietary encryption algorithm. PGP and GPG are interchangeable, so you can use either. These keys use a high level of encryption. I use RSA 4096 for my keys, which is possibly a little overkill, but I like to future-proof when learning.
GPG is important for email because a message stays encrypted all the way between the sender and the receiver. It works on the principle of key pairs. Each user generates a pair of keys: the private key remains secret on the user’s computer; the other, known as the public key, is free to distribute on the internet and can be passed on to anyone you wish to communicate with.
It is important that your private (secret) key always remains private and that you never share it with anyone. The keys are paired so that both are required to encrypt and decrypt emails. I won’t go into the technicals of it; if you are interested, there are a lot of free resources which will guide you through the technology.
Encryption also requires a password to be set when creating your key pair. This password allows you to unlock your keys & use them to encrypt your email. Both sender & receiver need to set up a keypair & share their public keys with each other. This allows encrypted communication between both parties.
On OS X / macOS Sierra you can use the free and open source GPG Suite to install the tools required to start encrypting email. The suite includes GPG Keychain, which lets you create the key pair for your email address, store the public keys of your recipients and upload your public key to public key servers. In short, it manages and stores your keys.
Also in GPG suite you have GPG mail which integrates with the native mac mail client. Much of the encryption process is automated once you setup your keypair, including downloading the keys of recipients you address your emails to. You can also sign your emails with GPG Mail which confirms your email as authentic to the recipient.
First, install GPG Suite using the .DMG file available on their website. If you are using Sierra or require cutting-edge enhancements, opt for the beta package.
Once installed you will have an extra pane in System Preferences called GPG Preferences. This allows you to set your GPG preferences, such as update checking and the public keyserver you would like to use. Most people can just leave these at the default values.
The first thing you will want to set up are your keypairs. Make sure you have added the email account you want to start using with encryption as one of your Mac Mail accounts. If you use a free account such as Gmail you can still add it to your Mac Mail software & encrypt emails using that account.
Next, head to your applications folder & select the newly installed GPG keychain application. Open the application and click New in the top left corner. You will be presented with the following screen, showing you your Mac Mail email addresses. In these settings, select the email account you would like to use with GPG encryption, select the box to upload your public key (makes it much easier for people to correspond with you) and enter your passphrase.
The passphrase is a vital part of your encryption as it unlocks your keypair for use. Make sure it is a strong password & one you can remember. Also, my advice is to use a password you only use for encryption. This password is never for use with any online services such as websites. A single hack of any of those sites could reveal your password, so encryption passwords are only for local use.
Once you are happy with your passphrase, click Generate key. Your GPG key pair will be generated and your public key uploaded to the keyservers.
You should then see your newly created key within GPG Keychain. You are now good to start creating encrypted emails.
My advice, if you are going to start encrypting emails between friends, family or colleagues is to first send them an email with your public key attached. This way, they can import it into their keychain to allow them to email you. They can also send you theirs back. This isn’t a requirement if you have both uploaded them to a keyserver, but it’s always a good idea before you start encrypting communications between you. It’s also a friendly way to allow the other party to know that you want to encrypt your emails & to expect future emails to be encrypted.
Now, fire up Mac Mail and compose a new email; you will see a new OpenPGP option in the top right of the compose window. This will be green if you are using an email account for which you have created a key pair and greyed out if composing from an account without one. In the screenshot below I’m emailing between my own account and my unused Gmail account, which also has a key pair. As you can see, the OpenPGP button is green, which means a key pair is present and I can encrypt on this account.
You will also see in the above screenshot the two blue icons. They are blue when enabled, and greyed out if either a public key isn’t present for your recipient or you have opted not to encrypt. If you do have a public key for your recipient in your GPG Keychain you can activate one or both of these buttons. The left one, a padlock, is your encryption button; the right one is your GPG signature to securely sign your email. If sending to someone for whom you have a public key, I would always sign and encrypt.
Once you are set up, emailing is just as straightforward as before. Write your message and subject and add any attachments you would like. Note that only the body of the email is encrypted; the subject line is not, so be careful what you put there as it is viewable in transit. When you are ready, hit send, at which point you will be given an OpenPGP prompt for your passphrase. This is the encryption passphrase you set up when creating your key pair, and it will be required every time you encrypt or decrypt an email. You can opt to save the passphrase in your keychain, but I would advise against that. The whole point of encryption is to make email for your eyes only (and your recipient’s, of course), so keep the passphrase to yourself and commit it to memory. It’s just good practice.
The last part of the puzzle is decrypting email. Below is a screenshot I took of the email I just sent between my two accounts. When opening the email you will be asked for your encryption passphrase; this unlocks your own key pair to decrypt the message. You will see from the screenshot that the email looks like any other, with the exception that it shows signature and encryption details. The padlock shows that the email is encrypted.
If you follow these steps you will ensure that any correspondence sent between you and your friends or family can’t be read by any third party. This means that if your email account is hacked, the contents of your messages remain private. Perfect for family photos, private information and general personal chatter. It also means that companies such as Google can’t read your emails for advertising and data collection purposes. The message remains scrambled with encryption across the whole internet, no matter who intercepts it.
Once you get used to this process it will become second nature. I like the ‘at rest’ security of encrypted emails. I’m less worried about personal emails being hacked or stolen in a data grab. If my server is compromised, my emails are not. I also like the fact that using a completely unique password for my encryption means that my encryption password is never in the wild online. I’ve committed a complex password to memory & I’m not likely to forget it after typing it so many times.
No security is perfect, but this is by far the biggest bang for your buck with regard to securing your communications on a day-to-day basis.
You must keep your key pair secure. You can back it up using GPG Keychain, both your public and private key, but you must keep the backup safe. Never put your secret (private) key online or into cloud storage. If you ever lose control of your key pair, someone could send emails masquerading as you, not to mention decrypt your emails if they guess your passphrase. GPG Keychain has the ability to revoke keys if you feel they have been compromised. You can then generate a new key pair and upload it to the keyservers as required.
This is just a brief outline of how to get started with OpenPGP using GPG Suite. If you would like to know more, you can read up online. A good starting point is the GPGTools site itself.
If you would like to send your first encrypted email, drop me a message at john AT johnlarge.co.uk using my public key, which you can retrieve from the keyservers or download by clicking here. If you want to add to this post or correct it, please do let me know; like my other cybersecurity posts, I’ve kept it as simple and non-technical as possible to make it accessible. The post will evolve over time.