First steps - where do I start, where do I begin?
Why hello there beautiful!
Glad you made it here and thanks for your interest.
In this article you'll learn how to setup your own GPG key and send your first secure email.
So let's get started, shall we?
If you've already downloaded and installed GPG Suite, you can skip right to "Setup your GPG key".
Otherwise, download and run the GPG Suite installer.
You've successfully installed GPG Suite? Great!
Now it's time to setup your GPG key.
We're very sorry, but you'll have to answer a very complicated question now and based on that, you'll take different steps through this tutorial. Scaaary!
Do you already have a GPG key?
Simply skip to "Add your address used in Mail.app to an existing GPG key"
There's really no need to create a new one.
If you don't have a GPG key yet, you'll learn how to easily
create your first one in the next section.
Just keep reading. :)
GPG Keychain Access is the application you will use to manage
It will let you create new keys, edit existing ones, search for your friends keys, and much much more.
The first thing you'll see in GPG Keychain Access is a wizard which will guide you through creating your first key.
When asked for your email address in the "New key" dialog,
type in the email address you use in Mail.app to send mails from.
Make sure that the address is identical to the one in Mail.app (Double check with the mail address specified in Mail.app -> Preferences -> Accounts).
You'll have the chance to add other email addresses to your key later.
Upload key after generation
If this checkbox is enabled, your public key is uploaded to a keyserver.
This is generally a good thing, since it will make it much easier for others to start sending you encrypted messages by simply importing your key from a keyserver, BUT, once a key is uploaded to the keyserver, it can not be removed.
So if you should not be happy with the name you've chosen, you'll not be able to remove it.
Simply consider that.
Also, there's always the possibility to upload your public key to a keyserver at a later time.
You'll be asked for your passphrase, which is a fancy name for password.
As every other password you use, it should be pretty long and it's better to use a very long password (a sentence you can remember) than a very short one with symbols and numbers.
Got a passphrase and ready to rumble?
Hit "Generate key"!
Important: If you should forget
your password, there's no way to recover it.
So make sure you will remember it or store it in a safe place (and no, a text note is not a safe place).
After clicking "OK", you'll be asked to re-enter the passphrase again, to make sure you didn't make a typo.
Woohoo, that's it! You'll see a new entry in GPG Keychain Access with your email address showing sec/pub in the type column.
The sec/pub type might be a little confusing at first,
but simply consider that each time you create a new key, actually a
new key pair is created. So your key consists of a secret key and a
The public key is to be shared with others, so they can send you encrypted messages.
Unless you really know what you are doing, you should *never
delete your secret key*.
You'll lose the option to revoke your key and open encrypted message or files among other things.
This wasn't too hard, was it?
Now let's dive into sending "Your first encrypted mail!"
Congrats, you've almost made it!
Let's verify if you have everything necessary to get started with this part:
Do you have a secret key matching the mail address used in Mail.app?
- No? GAME OVER! Go back to the beginning!
- Yes? That's all you need for your first test!
Note: Since you already have your own public key in GPG Keychain Access, nothing else is required. If you want to encrypt to other recipients you need to retrieve their public key first.
Now open Mail.app, and start to compose a new message.
You'll notice two additional buttons in your composing window.
A lock icon (encrypt) and a star icon (sign).
Your star icon should be shown with a dark grey color, which
means, that you are ready to sign messages with your
When you click that icon, it will show a check mark in the star icon, which means that your message will be signed.
Your lock icon however will be shown with a light grey
The reason is, that you have to enter a recipient first, before you can encrypt a message.
So for our test, enter your own email address in the "To:" field (the same that you use to send emails from).
After that, you'll notice that your lock icon will change its color to a dark grey.
Yeah, you are now ready to encrypt your message.
So click on it, and it will change into a closed lock, which means, your email will now be encrypted.
You'll also notice that once you press the lock or star button,
the OpenPGP indicator in the top right corner will turn green.
This indicator will show you that your mail is gonna be signed and/or encrypted.
For review, your complete email should look something like this
As you can see, the indicator is green, the lock button shows a closed lock, so the message will be encrypted and the star button shows a check mark in the star, so the message will be signed.
Aaaand now... SEND!
You'll be asked for your passphrase, in order to sign the
After a short moment, you should receive your own mail and you'll see that it is encrypted and signed.
Make sure to click "Details".
You'll see an open lock, which means that the message was successfully decrypted.
If everything worked as expected, you should never see the closed lock, but if you see it, that indicates there was an error decrypting your message.
If there is no lock at all it means that the message wasn't encrypted.
Congrats, you've made it!
Alright, to be completely honest we have to admit, we've cheated
Encrypting a message can be slightly more effort since it requires you to have the public key of the recipient(s). However adding their public keys is a task that you only do once for each recipient.
First off, we hope we could show you, that sending secure messages isn't that much harder than sending unsecure messages, once you understand the basic concept.
Second, and it might already be clear, but encrypting your
messages will prevent the NSA and everyone else but the dedicated
recipients, from reading your messages.
Others will only see some random garbage.
Now third might not be as clear: why should you sign messages?
You can compare signing a message to the process of sending a
sealed mail in real life.
(Yeah, we know, who does that, right?)
For one, the recipient will be able to tell if the "seal" was
If anyone has been fiddling with your message your recipients will immediately see that the signature is invalid.
On the other hand, they can also be sure that the message did indeed come from you and not an imposter, since only you can create that signature, with your secret key.
One could fake your email address, your name, but not your signature. And that's why signing is important.
And this actually also explains why it's EXTREMELY IMPORTANT to
keep your secret key and your passphrase safe.
Otherwise, if someone did get a hold of your secret key and your passphrase, they could forge your signature and pose as you. In addition, they could read your encrypted messages, and you really wouldn't want that.
*Use GPGTools - 'cause it's worth protecting what you love. :)*
- How can I generate debugging information?
- Can I store my passphrase so I don't get asked for it for every single mail I decrypt?
- Can I use GPGTools to communicate with people on Linux / Windows?
- How can I get the most out of this support forum?
- Where can I find the version info of my installed tools?
- View all (10 more)