Encrypting Your Email & Key Signing

22 July 2013

In light of all the computer security news of late and my own ongoing pursuit of securing my computer and Internet habits for my own protection against hackers and identity theft, I've now started encrypting my emails, or rather installed the ability to.

I installed the open-source GPG (PGP) GPGTools add-on for Apple Mail and generated a 4096-bit public and private key each for two of my email accounts. The whole process took less than five minutes and is very easy to accomplish.

Once installed, sending a digitally signed and/or encrypted email is as simple as clicking a button in the new mail window. The catch is that the recipient must also have encryption enabled on their account and have uploaded their public key to a key server so you can download it and use it to decrypt an email. If the person you're sending an email to isn't set up for encryption, that's not a problem: you can still send them an email as you normally would, it just won't be encrypted.

What encrypting your email does is ensure that no one, whether a hacker, Apple, Google, Microsoft, et al. or even the NSA, can snoop on your messages if they happen to intercept them. All they would get would be a huge string of random characters that they wouldn't be able to decrypt.

One part of the setup process is generating your keys. The installer (above) installs the GPG Keychain Access app, which is different from Apple's Keychain app. With GPG Keychain Access you generate a public and private key, and during the generation process you're supposed to move the mouse around a lot or type a lot to get the CPU or disk to create a lot of activity, which helps mix up the bits of the key for maximum entropy. With the speed of today's CPUs, key generation is accomplished in mere seconds.

What I did to ensure there was plenty of disk activity during the key generation was start up and run Blackmagic, the disk speed test app, which is free from the Mac App Store. I figure with that running while you're generating the keys, the excessive disk activity will help create the most entropy possible making for a very secure key. Once the key is generated, you can cancel Blackmagic's speed test - if you want.

Another part of the key generation process is creating a passphrase. This is similar to a password in that it's typically a sentence with upper/lower case words and numbers, even special characters, that only you know and can remember. This is used to decrypt your private key and send/read encrypted emails or verify a digitally signed email. If you lose or forget your passphrase, there is no way to ever recover it and you would have to make a new key. Any encrypted email sent to you under the key protected by that lost passphrase will forever be unreadable to you. It's very important to remember your passphrase and never give it out to anyone.

Lastly, you will want to upload your public key to a key server so others can download and use it to decrypt your emails. You will also want to get as many people as you can to sign your key, since that helps bring validity and credit to your key, letting people know that it's actually you and your key. Doing this is usually called a key signing party: you get people, typically ones you know, to sign your key, or you actually meet up somewhere so people can meet you in person and be comfortable signing your key.

This method is very secure, open-source, and endorsed by the podcast Security Now with Leo Laporte and Steve Gibson.

Additionally, this can be set up on Windows computers and Mozilla Thunderbird (OS X & Windows). Here is the add-on for Thunderbird: Enigmail. I don't have the method worked out for applying this on Windows yet, but will work on it.

I have two email accounts set up, one in Apple Mail and the other in Thunderbird. I set them both up and have easily sent encrypted emails to each account.

Steps to set up email encryption

  1. Download GPGTools and install it
  2. Generate a pair of keys for the email account you desire
  3. Choose the bit length of the keys under Advanced in GPG Keychain Access when creating a new key. Recommended length is 4096
  4. Upload your key to the key server
  5. Find someone who has or will set their account up like you have
  6. Download their key
  7. Send them an encrypted email

Here is the link to the GPG tutorial which does a nicer job of detailing the process than I have here.

If you have or once you have set up your encryption, you can search the key server through the GPG Keychain Access app for my key which is listed under my username: SandboxGeneral.

For those interested in how PGP and cryptography works, here is a series on it from the podcast Security Now done in 2006. These are the MP3 audio files linked.

Episode 30: Cryptographic Issues

Episode 31: Symmetric Stream Ciphers

Episode 32: Listener Feedback Q&A #5

Episode 33: Symmetric Block Ciphers

Episode 34: Public Key Cryptography

Episode 35: Cryptographic Hashes

Episode 36: Listener Feedback Q&A #6

Episode 37: Crypto Series Wrap-up

Download the pdf version with pictures here.