First steps - where do I start, where do I begin? (Setup GPGTools, Create a new key, Your first encrypted Mail)

German version: Erste Schritte

Welcome. Glad you made it here and thanks for your interest. In this article you'll learn how to set up your own GPG key and send your first secure email.

Setup GPG Suite

The first step is to download and run GPG Suite. When that is done, it's time to set up your GPG key.

If you already have a GPG key, please Add your address to an existing GPG key, because in that case you don't need to create a new key. If you do not have a GPG key yet, continue with the next section:

Create a new key

GPG Keychain is the application you will use to manage your keys. It lets you create new keys, edit existing ones and search for your friends' keys. The first thing you'll see in GPG Keychain is a wizard which will guide you through creating your first key.

Email Address
GPG Keychain fills in the data from your OS X address book, but the fields are editable and you can change them as you like. Enter the email address you normally use when sending mail. Make sure that it is typed identically to the one used in Mail.app Preferences > Accounts. Capitalisation matters, so double check that it matches. More email addresses can be added to your key later.

Upload key after generation
If you enable this checkbox, your public key will be uploaded to a key server once the key creation is done. Generally this is a good thing, since it makes it much easier for others to start sending you encrypted messages by simply importing your key from a key server. But once a key is uploaded to a key server, it cannot be removed. So should you not be happy with the name you've chosen, you won't be able to remove it. Keep that in mind. You can always upload your public key to a key server at a later time.

Passphrase
Enter your passphrase, which is a fancy name for password. Like every other password you use, it should be pretty long, and it's better to use a very long password (a sentence you can remember) than a very short one with symbols and numbers.

Important: Should you forget your password, there's no way to recover it. Make sure you will remember it or store it in a safe place (no, a text note on your writing table is not a safe place).

Hit "Generate key"!

After a short while, you'll see a new entry in GPG Keychain with your email address showing sec/pub in the type column.

Each time you create a new key, a new key pair is actually created. It consists of a secret key and a public key. This is why your own key shows as sec/pub in the Type column. The public key is the one you share with others, so they can send you encrypted messages. You should never delete your secret key. If you do, you won't be able to read encrypted messages or files, amongst other trouble it might cause.

Your first encrypted mail

Great, you're almost there! All you need for this first test is a sec/pub key in GPG Keychain matching the mail address used in Mail.app. If you want to encrypt to recipients other than yourself, you need to retrieve their public keys first.
Open Mail.app and create a new message. You'll notice two additional buttons in your composing window.

A lock icon (encrypt) and a star icon (sign). Your star icon should be shown in dark grey, which means that you are ready to sign messages with your key. When you click that icon, a check mark appears in the star, which means that your message will be signed.

Your lock icon however will be shown in light grey. The reason is that you first have to enter a recipient for whom you have a public key before you can encrypt a message. So for our test, enter your own email address in the "To:" field (the same one you send emails from). After that, you'll notice that your lock icon changes its color to dark grey.

You are now ready to encrypt your message. Click on the lock and it will change into a closed lock, which means your email will now be encrypted.

Once you press the lock or star button, the OpenPGP indicator in the top right corner will turn green. This will show you that your mail will be signed and/or encrypted.

For review, your email should look something like this: The indicator is green, the lock button shows a closed lock, so the message will be encrypted and the star button shows a check mark in the star, so the message will be signed.

And now... SEND! You'll be asked for your passphrase in order to sign the message. Allow a short moment until the mail is delivered to yourself. You'll see that it is encrypted and signed: it shows a closed lock, indicating that the message was encrypted, and since you can read the mail content it has been successfully decrypted for you. If there is no lock at all, it means that the message wasn't encrypted.

Congrats, you've made it!

To be completely honest we have to admit that we've cheated a little. Encrypting a message can be slightly more effort, since it requires you to have the public key of the recipient(s). However, adding their public keys is a task that you only do once for each recipient.

Find out how to get your friend's public key

Why should you really bother with all this hassle?

First, we hope we have shown you that sending secure messages isn't much harder than sending insecure ones, once you understand the basic concept.

Second, and it might already be clear: encrypting your messages will prevent the NSA and everyone else but the intended recipients from reading your messages. Others will only see some random garbage.

Third, and this might not be as clear: why should you sign messages? You can compare signing a message to sending a sealed letter in real life. For one, the recipient will be able to tell if the "seal" was broken. If anyone has been fiddling with your message, your recipients will immediately see that the signature is invalid. On the other hand, they can also be sure that the message did indeed come from you and not an impostor, since only you can create that signature, with your secret key. One could fake your email address and your name, but not your signature. And that's why signing is important. This also explains why it's EXTREMELY IMPORTANT to keep your secret key and your passphrase safe. Otherwise, if someone gets hold of your secret key and your passphrase, they could forge your signature and pose as you. In addition, they could read your encrypted messages, and you really wouldn't want that.
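The same steps, done on the command line with gpg, as an added example that is not part of the GPGTools article or of GPG Suite itself: it runs in a throwaway keyring, creates a key pair the way the GPG Keychain wizard does (unattended, so the key has no passphrase here, which you should not do for a real key), checks that a sec entry now exists for the address, encrypts and signs a message to your own address and decrypts it again, and finally shows the "broken seal" from the paragraph above: a clearsigned note is altered after signing and verification reports BADSIG instead of GOODSIG. It assumes GnuPG 2.x (`gpg` and `gpgconf`) on the PATH; the identity "Alice Example <alice@example.com>" is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the GPGTools article: the gpg command-line equivalent
# of the GPG Keychain / Mail.app steps, run in a throwaway keyring.
# Assumes GnuPG 2.x (gpg, gpgconf) on PATH. The key gets NO passphrase so the
# script can run unattended; a real key gets a long passphrase, as the article says.
set -eu

# Throwaway home directory so nothing here touches your real keyring (~/.gnupg).
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Constructed sample identity (placeholder address, not a real account).
UID_EMAIL="alice@example.com"

# Step 1, "Create a new key": unattended version of the GPG Keychain wizard.
# Signing primary key plus encryption subkey; %no-protection = no passphrase.
# Skips generation if a secret key for the address already exists.
create_key() {
  if gpg --batch --list-secret-keys "$UID_EMAIL" >/dev/null 2>&1; then
    return 0
  fi
  gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: Alice Example
Name-Email: $UID_EMAIL
Expire-Date: 0
%commit
EOF
}

# Step 2, the "sec/pub" entry: count secret keys ("sec" records) for the address.
count_secret_keys() {
  gpg --batch --list-secret-keys --with-colons "$UID_EMAIL" | grep -c '^sec:'
}

# Step 3, "Your first encrypted mail" to yourself: encrypt to the address (lock
# icon) and sign with the same key (star icon), then decrypt and verify.
# Prints the recovered plaintext; fails if decryption or the signature fails.
encrypt_sign_roundtrip() {
  printf '%s\n' "hello" > "$GNUPGHOME/msg.txt"
  gpg --batch --yes --quiet --armor --encrypt --sign \
      --recipient "$UID_EMAIL" --local-user "$UID_EMAIL" \
      --output "$GNUPGHOME/msg.asc" "$GNUPGHOME/msg.txt"
  # --status-fd lines are the machine-readable result; DECRYPTION_OKAY and
  # GOODSIG are what Mail.app turns into the lock and signature indicators.
  gpg --batch --yes --quiet --status-fd 2 --decrypt \
      --output "$GNUPGHOME/plain.txt" "$GNUPGHOME/msg.asc" 2> "$GNUPGHOME/status.log"
  grep -q '^\[GNUPG:\] DECRYPTION_OKAY' "$GNUPGHOME/status.log"
  grep -q '^\[GNUPG:\] GOODSIG' "$GNUPGHOME/status.log"
  cat "$GNUPGHOME/plain.txt"
}

# Step 4, the "broken seal": clearsign a note, alter the text after signing,
# and verify both copies. Prints GOODSIG for the original, BADSIG for the copy.
tamper_check() {
  printf '%s\n' "pay 10 EUR" > "$GNUPGHOME/note.txt"
  gpg --batch --yes --quiet --clearsign --local-user "$UID_EMAIL" \
      --output "$GNUPGHOME/note.asc" "$GNUPGHOME/note.txt"
  # Change the signed text only; the signature block is left untouched.
  sed 's/pay 10 EUR/pay 1000 EUR/' "$GNUPGHOME/note.asc" > "$GNUPGHOME/forged.asc"
  for f in note forged; do
    if gpg --batch --quiet --status-fd 1 --verify "$GNUPGHOME/$f.asc" 2>/dev/null \
         | grep -q '^\[GNUPG:\] GOODSIG'; then
      echo GOODSIG
    else
      echo BADSIG
    fi
  done
}

# Walk through all four steps when run directly (sh first_mail.sh).
if command -v gpg >/dev/null 2>&1; then
  create_key
  echo "secret keys for $UID_EMAIL: $(count_secret_keys)"
  echo "decrypted message: $(encrypt_sign_roundtrip)"
  echo "signature check, original then tampered: $(tamper_check | tr '\n' ' ')"
fi
```

Everything happens under a temporary GNUPGHOME that is deleted on exit, so running it cannot touch or overwrite the keys GPG Keychain manages in your real keyring. The status lines checked here (DECRYPTION_OKAY, GOODSIG, BADSIG) are the same verdicts that GPGMail turns into the closed lock and the valid or invalid signature display described above.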

Use GPGTools - 'cause it's worth protecting what you love.


Further info