GPG: Using Mac GPG and GPGMail with OS X Tiger

GPG is an open source implementation of PGP, the industry-standard file encryption tool. GPG will allow you to send documents and other files securely and be decrypted by the end user, providing they also have GPG or PGP installed. This article will explain how to install GPG and create a key using the command line. If you wish to use a graphical client, the same team that distributes Mac GPG also distributes several tools for various uses. This article will also show how to install GPGMail, which allows you to encrypt email messages sent with Apple's Mail.app using the same GPG key you will create with Mac GPG.

This guide will also assume that you know the basis of GPG and how PGP works. If not, read up before you try and create keys.

There are two main components to using GPG: creating and managing your own private and public keys, and encrypting and decrypting files that you send and receive. We will start with GPG key creation and management.

First, download Mac GPG. Here you will also find the optional GUI tools. After you have downloaded and expanded the disk image, run the installer, which will place everything you will need in the appropriate place. NOTE: you will have to authenticate as an administrator to install this software.

The installer will place files in the following directories:

/Library/Documentation/GnuPG/
/usr/local/bin/
/usr/local/info/
/usr/local/lib/
/usr/local/libexec/gnupg/
/usr/local/man/man1/
(and man3 and man7)
/usr/local/share/gnupg/
/usr/local/locale/**
(where ** is each localization)

 

Next, we'll create a keypair. Open a terminal session with Terminal or X11 and type:

 

(Input is in bold; system response is normal text. "[ENTER]" refers to when you should hit the Enter or Return key.)
tungsten:~ jsmith$ gpg --gen-key [ENTER]
gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection?

 

This command starts the key creation process. Type 1 for the key kind.

 

Your selection? 1 [ENTER]
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

 

The size of the key determines the amount of time and effort necessary to crack it. A longer key is larger, but more secure. We will select a 2048-bit key.

 

What keysize do you want? (2048) 2048 [ENTER]
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

 

Since we want to avoid having to generate new keys in the future, enter 0 as your choice. When it asks you if you are sure, enter y.

 

 

 

Key is valid for? (0) 0 [ENTER]
Key does not expire at all
Is this correct? (y/N) y [ENTER]

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name:

 

This section is asking for some identification to store in the keypair. This will show people who have your public key who the key belongs to. The comment field can be used for your department or organization, or to add a personal note.

 

Real name: John Smith [ENTER]
Email address: jsmith@purdue.edu [ENTER]
Comment: Engineering Computer Network, Purdue University [ENTER]
You selected this USER-ID:
"John Smith (Engineering Computer Network, Purdue University) <jsmith@purdue.edu>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

 

If you need to change any of the fields before the key is generated, enter the appropriate letter. If you are satisfied with the values you entered, enter O for "Okay". The next step is to choose a passphrase. You will type it and then verify it. After the passphrase is verified the key will be created.

 

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

Enter passphrase: [type your passphrase here] [ENTER]
Verify passphrase: [type your passphrase again] [ENTER]

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++...+++++.++++++++++++++++++++..+++++++++++++++.++++++++++.++++++++
+++++++.+++++++++++++++++++++++++..+++++++++++++++..+++++.+++++.+++++.+
++++>++++++++++>+++++.........+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++.++++++++++++++++++++.++++++++++..+++++.+++++.
+++++.++++++++++.+++++++++++++++...+++++.+++++++++++++++..+++++..++++++
+++++++++..++++++++++>..+++++.+++++>..+++++...............<
+++++............>+++++...........+++++^^^
gpg: /Users/jsmith/.gnupg/trustdb.gpg: trustdb created
gpg: key 3596F3D0 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/3596F3D0 2006-03-07
      Key fingerprint = 1D46 9919 5176 7322 5037  B6D8 CBEE C027 3596 F3D0
uid                  John Smith (Engineering Computer Network, Purdue University) <jsmith@purdue.edu>
sub   2048g/A994D657 2006-03-07

 

At this point your keypair has been created. You can view a list of all created keys by typing:

 

tungsten:~ jsmith$ gpg --list-keys [ENTER]
/Users/jsmith/.gnupg/pubring.gpg
----------------------------------
pub   1024D/3596F3D0 2006-03-07
uid                  John Smith (Engineering Computer Network, Purdue University) <jsmith@purdue.edu>
sub   2048g/A994D657 2006-03-07

 

Sharing and Receiving Keys

If you would like someone to encrypt a file for you to read, they must have your public key. You can create a public key by exporting they key you created to a .gpg file and including your email address that the PGP key is connected to (when you created the key). The file will be saved to the working directory.

 

tungsten:~ jsmith$ gpg --output jsmith.pgp --export jsmith@purdue.edu [ENTER]

 

If you would like to post an exported key on a Web site for anyone to download, include the --armor flag when exporting the key. Including this flag saves the file as a .asc file.

 

tungsten:~ jsmith$ gpg --output jsmith.pgp --export jsmith@purdue.edu --armor [ENTER]

 

If someone has sent you their public key (either as a .gpg or .asc file), you can add it to your GPG key database using the --import flag.

 

tungsten:~ jsmith$ gpg --import jane.doe.asc [ENTER]
gpg: key 6312A015: public key "Jane Doe <jdoe@purdue.edu>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0 trust: 0-, 0q, 0n, 0m, 0f, 1u

 

After receiving a key you will want to validate it and ensure its authenticity. To accomplish this we will first edit the key and examine its fingerprint. The email address should be the person whose key you are examining. Using this command will cause GPG to enter an interactive mode.

 

tungsten:~ jsmith$ gpg --edit-key jdoe@purdue.edu [ENTER]
gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.


pub 1024D/6312A015  created: 2002-12-19  expires: never       usage: CSA
                     trust: unknown       validity: unknown
sub  2048g/055DDC1D  created: 2002-12-19  expires: never       usage: E
[ unknown] (1). Jane Marie Doe <jdoe@ecn.purdue.edu>
[ unknown] (2)  Jane Marie Doe <jdoe@purdue.edu>
[ unknown] (3)  Jane Marie Doe <jdoe@pier.ecn.purdue.edu>

Command>

 

After you have opened the key, use the fpr command to view the key's unique fingerprint. You can then verify the key by communicating verbally, over email, etc. with the person who sent you the key to confirm its authenticity.

 

Command> fpr [ENTER]
pub   1024D/6312A015 2002-12-19 Jane Marie Doe <jdoe@ecn.purdue.edu>
 Primary key fingerprint: A619 155D BE6B B1EB CEAA  074C 87FC FD5C 6312 A015

Command>

 

Once you have confirmed that the key is genuine, sign it. Since you are already editing the key, it is a good idea to sign and check the key, as the editing mode is the only way you can perform these actions. To sign the key, use the sign command. You will then be asked twice to verify that you want to sign that person's key with your own.

 

Command> sign [ENTER]
Really sign all user IDs? (y/N) y [ENTER]

pub  1024D/6312A015  created: 2002-12-19  expires: never       usage: CSA
                     trust: unknown       validity: unknown
 Primary key fingerprint: A619 155D BE6B B1EB CEAA  074C 87FC FD5C 6312 A015

     Jane Marie Doe <jdoe@ecn.purdue.edu>
     Jane Marie Doe <jdoe@purdue.edu>
     Jane Marie Doe <jdoe@pier.ecn.purdue.edu>

Are you sure that you want to sign this key with your
key "John Smith (Engineering Computer Network, Purdue University) <jsmith@purdue.edu>" (3596F3D0)

Really sign? (y/N) y [ENTER]

You need a passphrase to unlock the secret key for
user: "John Smith (Engineering Computer Network, Purdue University) <jsmith@purdue.edu>"
[type your passphrase] [ENTER]
1024-bit DSA key, ID 3596F3D0, created 2006-03-07


Command>

 

After the key is signed, you can check the signing status of every key in GPG's key database.

 

Command> check [ENTER]
uid  Jane Marie Doe <jdoe@ecn.purdue.edu>
sig!3        6312A015 2005-04-21  [self-signature]
sig!         3596F3D0 2006-03-07  John Smith (Engineering Computer Network, Purd
uid  Jane Marie Doe <jdoe@purdue.edu>
sig!3        6312A015 2005-04-21  [self-signature]
sig!         3596F3D0 2006-03-07  John Smith (Engineering Computer Network, Purd
uid  Jane Marie Doe <jdoe@pier.ecn.purdue.edu>
sig!3        6312A015 2002-12-19  [self-signature]
sig!         3596F3D0 2006-03-07  John Smith (Engineering Computer Network, Purd
3 signatures not checked due to missing keys

Command>

 

Encrypting and Decrypting Files with GPG

After you are finished creating and signing keys, you can begin encrypting files. After exiting PGP's interactive mode, the first step is to navigate to the directory containing the file you wish to encrypt. If you want to encrypt several files or a directory of files, creating a .zip archive of the files will make the process much easier. In this example the user navigates to his Desktop and lists the files in the directory.

 

Command> quit [ENTER]
Save changes? (y/N) y [ENTER]
tungsten:~ jsmith$ cd ~/Desktop/ [ENTER]
tungsten:~/Desktop jsmith$ ls -al [ENTER]
total 8492888
drwx------   34 jsmith  jsmith        1156 Mar  7 16:54 .
drwxr-xr-x   28 jsmith  jsmith         952 Mar  7 17:20 ..
-rw-------    1 jsmith  jsmith       21508 Mar  7 16:54 .DS_Store
-rw-r--r--    1 jsmith  jsmith           0 Sep 28 13:18 .localized
-rw-r--r--    1 jsmith  jsmith      306089 Mar  1 11:21 Archive.zip
tungsten:~/Desktop jsmith$

 

The user wants to encrypt the file Archive.zip and send it to jdoe@ecn.purdue.edu. You must have a person's public key to encrypt a file for them to decrypt; if you don't, the command will fail. To do this we will use the gpg command again, with appropriate flags. We then list the contents of the Desktop again, and see that the new file encrypted.gpg is now there.

 

tungsten:~/Desktop jsmith$ gpg --output encrypted.gpg --encrypt --recipient jdoe@purdue.edu Archive.zip [ENTER]
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u

tungsten:~/Desktop jsmith$ ls -al [ENTER]
total 8493488
drwx------   35 jsmith  jsmith        1190 Mar  9 14:56 .
drwxr-xr-x   28 jsmith  jsmith         952 Mar  7 17:20 ..
-rw-------    1 jsmith  jsmith       21508 Mar  9 14:56 .DS_Store
-rw-r--r--    1 jsmith  jsmith           0 Sep 28 13:18 .localized
-rw-r--r--    1 jsmith  jsmith      306089 Mar  1 11:21 Archive.zip
-rw-r--r--    1 jsmith  jsmith      306687 Mar  9 14:56 encrypted.gpg
tungsten:~/Desktop jsmith$

 

After sending this file, the recipient (jdoe@ecn.purdue.edu) will be able to decrypt the file with her private key. You can also decrypt secure files that have been sent to you by people who have your public key. To do so, we'll use the gpg command again. This example shows the user decrypting the file secret.gpg from jdoe@ecn.purdue.edu, which contains the file changes.txt.

 

tungsten:~/Desktop jsmith$ gpg --output changes.txt --decrypt secret.gpg [ENTER]

You need a passphrase to unlock the secret key for
user: "John Smith (Engineering Computer Network, Purdue University) <jsmith@purdue.edu>"
2048-bit ELG-E key, ID A994D657, created 2006-03-07 (main key ID 3596F3D0)
[type your passphrase] [ENTER]
gpg: encrypted with 2048-bit ELG-E key, ID A994D657, created 2006-03-07
      "John Smith (Engineering Computer Network, Purdue University) <jsmith@purdue.edu>"

tungsten:~/Desktop jsmith$ ls -al [ENTER]
total 8493504
drwx------   37 jsmith  jsmith        1258 Mar  9 15:12 .
drwxr-xr-x   28 jsmith  jsmith         952 Mar  7 17:20 ..
-rw-------    1 jsmith  jsmith       21508 Mar  9 15:12 .DS_Store
-rw-r--r--    1 jsmith  jsmith           0 Sep 28 13:18 .localized
-rw-r--r--    1 jsmith  jsmith         685 Mar  9 15:12 changes.txt
-rw-r--r--    1 jsmith  jsmith         922 Mar  9 15:11 secret.gpg
tungsten:~/Desktop jsmith$

 

Installing and Using GPGMail

Now that you have Mac GPG installed, you can install GPGMail, which lets you easily encrypt and decrypt email messages in Apple's Mail.app. The first step is to download GPGMail. After you have downloaded and mounted the disk image, you will see that you can either manually install GPGMail (the file named GPGMail.mailbundle) or run the AppleScript installer. If you wish to install in manually, it should be placed in ~/Library/Mail/Bundles.

NOTE: Regardless of how you install GPGMail, if Mail is running you will need to restart it after installing GPGMail. See Fig. 1.

GPGMailFig. 1

If you choose to run the installer, you will see a welcome message with details about the install. Click "Run" to install GPGMail. See Fig. 2.

GPGMail installerFig. 2

After GPGMail has been installed, you will see another message stating that is has been installed. From here you can either launch Mail or quit the installer. See Fig. 3.

Launch GPGMail Fig. 3

After you open Mail, you can begin sending encrypted messages. Every new message will contain options for how you would like the message to be encrypted. See Fig. 4.

Fig. 4 Fig. 4

You can change GPGMail's default preferences in Mail's preference window, just like the application's other preferences. To view or change GPGMail's preferences, select Preferences... from the File menu and click the GPG icon along the top of the window. See Fig. 5.

 Fig. 5

Last modified: 2014/01/27 10:32:33.668960 US/Eastern by joshua.g.davis.1
Created: 2007/11/06 13:43:35.185000 US/Eastern by brian.r.brinegar.1.

Categories

Search

Type in a few keywords describing what information you are looking for in the text box below.

Admin Options: Edit this Document