How to Install GPG on OS X and Use It With Mail

Tuesday, October 21st, 2008

Overview

This article is meant to help people who are not UNIX gurus but know OS X well and want to get GPG encryption in Mail running in a minimum amount of time. For more detailed info on GPG, check out the GNU Privacy Handbook. Some of the apps listed below are OS X 10.5+ only…

Installing GPG and GPGMail

Just double-click the installer package to install GnuPG, then make sure Mail is not open and put GPGMail in the ~/Library/Mail/Bundles directory (create it if necessary). To finish the GPGMail install, you need to type these two commands in the Terminal:

defaults write com.apple.mail EnableBundles -bool yes
defaults write com.apple.mail BundleCompatibilityVersion -int 3

Don’t start Mail yet: you need to create a key pair before you can encrypt or sign messages.

Creating a key pair

You need to create a public and private key pair before you can use GPG in Mail. You could use the Terminal, but GPG Keychain Access makes it even easier. It will ask you a few questions while guiding you through the process of creating your GPG key pair:

  • Select what kind of key you want: DSA and ElGamal
  • How large should the key be: 4096 (larger = safer)
  • Key has expiration date: leave unchecked
  • Set your identity: you can’t change this later, so be careful; the comment field is optional
  • Set your passphrase: don’t use your pet’s name or your birthday… (more on that)

It will take a while to create the key pair, especially if you chose 4096 for the key length. You can go get a coffee or something in the meantime.

Configuring GPG

Once you’re done creating your keypair(s), you can view and edit your settings by opening ~/.gnupg/gpg.conf in your favorite text editor, but there is a great preference panel that provides a GUI for that: GPGPreferences. Once this is installed, open your System Preferences to launch it. It will perform some basic configuration checks that you want to accept unless you have a good reason not to. Also check the “Automatically retrieve keys from server while verifying” option under the “Key Server” tab, and make sure you have a key server selected in the drop-down.

Sending emails with Mail

Once you’ve done all that, when you launch Mail you’ll have a new PGP area with a bunch of self-explanatory options right above the message window. In Mail preferences, you’ll have an extra “PGP” tab where you can fine-tune your settings. The only thing I would change from the default is “Use Keychain to store passphrases”, which is clearly less safe but way more convenient.

If you’re not clear on how to use the plugin, the online help is pretty good…

Using your key(s) on several computers

To be able to decrypt the emails you receive on more than one Mac, you’ll have to repeat the installation process outlined above for each one of them, minus the key creation. Instead, you’ll need to export the private keys you created on the first computer and import them on all the other computers. It’s easier than it sounds:

First, on the computer where you created the keys, open the Terminal and type:

gpg --armor --export-secret-keys

This will export your private keys in a text format. It will look like a bunch of random letters and numbers, something like this (but much longer):

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1.4.8 (Darwin)

sdbfweibdkdnfewhvfsciosifidfs etc...

-----END PGP PRIVATE KEY BLOCK-----

Copy that text and save it in a text file. Copy that text file to the computers you want to use the keys on. Then open GPG Keychain Access and select “import”, check the “Allow Secret Key Import” checkbox, select your text file, and click on “open.” Your private keys should be imported now. If you don’t see them immediately, try restarting GPG Keychain Access.
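Here is the same key-creation and export/import procedure done entirely in the Terminal, as an added example that is not part of the original article. It generates a throwaway key in a private GNUPGHOME (standing in for the first Mac), exports only that one key by fingerprint instead of dumping every secret key, writes the export file so that only the owner can read it, imports it into a second GNUPGHOME (the second Mac), and confirms the same fingerprint arrived before deleting the transfer file. The name and e-mail address are constructed; the script assumes GnuPG 2.1 or later (for batch key generation with %no-protection) and skips if gpg is not installed.

```shell
#!/bin/sh
# Added example: move one GPG private key between two GnuPG homes the way you
# would between two Macs. Not code from the original article.
set -u

# Generate a throwaway, unprotected key in a private GNUPGHOME (test data only).
make_test_key() {
  home=$1
  mkdir -p "$home" && chmod 700 "$home"
  gpg --homedir "$home" --batch --quiet --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Sender
Name-Email: sender@example.invalid
Expire-Date: 0
%no-protection
%commit
EOF
}

# Fingerprint of the first secret key in a home (colon output, "fpr" record, field 10).
first_secret_fingerprint() {
  gpg --homedir "$1" --batch --with-colons --list-secret-keys 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Export ONE secret key, ASCII-armored, into a file created with mode 0600.
export_secret_key() {
  home=$1; fpr=$2; out=$3
  ( umask 077; gpg --homedir "$home" --batch --armor --export-secret-keys "$fpr" > "$out" ) || return 1
  grep -q 'BEGIN PGP PRIVATE KEY BLOCK' "$out"
}

# Import on the "second Mac" and check that the expected fingerprint is now present.
import_and_verify() {
  home=$1; keyfile=$2; expected=$3
  mkdir -p "$home" && chmod 700 "$home"
  gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null || return 1
  got=$(first_secret_fingerprint "$home")
  [ -n "$got" ] && [ "$got" = "$expected" ]
}

# Whole round trip; returns 0 on success (or when gpg is absent, with a message).
roundtrip() {
  if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not installed; nothing to demonstrate" >&2
    return 0
  fi
  work=$(mktemp -d) || return 1
  make_test_key "$work/mac1" || return 1
  fpr=$(first_secret_fingerprint "$work/mac1")
  [ -n "$fpr" ] || return 1
  export_secret_key "$work/mac1" "$fpr" "$work/secret.asc" || return 1
  import_and_verify "$work/mac2" "$work/secret.asc" "$fpr" || return 1
  # The transfer file is as sensitive as the key itself: remove it once imported.
  rm -f "$work/secret.asc"
  echo "key $fpr imported into second home"
  # Stop the agents started for the temporary homes, then clean up.
  gpgconf --homedir "$work/mac1" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$work/mac2" --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  return 0
}

roundtrip
```

On real Macs you would drop the --homedir options so gpg uses ~/.gnupg, pass your own key's fingerprint (from gpg --list-secret-keys --with-colons) to export_secret_key, carry the .asc file over on removable media or an encrypted channel, and run gpg --import on the other machine; the fingerprint comparison at the end is the check that tells you the right key landed.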

That’s it!

Filed under: OS X