First steps - where do I start, where do I begin?

To read this article in German, go this way: Erste Schritte - wo fange ich an?

Why hello there beautiful!
Glad you made it here and thanks for your interest.
In this article you'll learn how to set up your own GPG key and send your first secure email.

So let's get started, shall we?

Setup GPGTools

If you've already downloaded and installed GPG Suite, you can skip right to "Setup your GPG key".

Otherwise, download and run the GPG Suite installer.

You've successfully installed GPG Suite? Great!
Now it's time to setup your GPG key.

Setup your GPG key

We're very sorry, but you'll have to answer a very complicated question now, and based on that you'll take different paths through this tutorial. Scaaary!

Do you already have a GPG key?
Simply skip to "Add your address used in Mail.app to an existing GPG key"
There's really no need to create a new one.

If you don't have a GPG key yet, you'll learn how to easily create your first one in the next section.
Just keep reading :)

Create a new key

GPG Keychain Access is the application you will use to manage your keys.
It lets you create new keys, edit existing ones, search for your friends' keys, and much, much more.

The first thing you'll see in GPG Keychain Access is a wizard which will guide you through creating your first key.


Email Address
When asked for your email address in the "New key" dialog,
type in the email address you use in Mail.app to send mails from.
Make sure that the address is identical to the one in Mail.app (double-check against the address shown in Mail.app -> Preferences -> Accounts); the key is matched to your account by that address.
You'll have the chance to add other email addresses to your key later.

Upload key after generation
If this checkbox is enabled, your public key is uploaded to a keyserver as soon as it has been generated.
This is generally a good thing, since it makes it much easier for others to send you encrypted messages: they simply import your key from the keyserver. BUT, once a key is uploaded to a keyserver, it cannot be removed; at best you can later mark it as revoked, and the name and address stay visible.
So if you turn out not to be happy with the name you've chosen, you will not be able to take it back.
Keep that in mind.
Also, you can always upload your public key to a keyserver at a later time.

Passphrase
You'll be asked for your passphrase, which is just a fancy name for a password.
Like every other password you use, it should be long: a long sentence you can remember is better than a short string of symbols and numbers.
Got a passphrase and ready to rumble?

Hit "Generate key"!

Important: If you forget your passphrase, there's no way to recover it.
So make sure you will remember it, or store it in a safe place (and no, a text note is not a safe place).

After clicking "OK", you'll be asked to re-enter the passphrase again, to make sure you didn't make a typo.

Woohoo, that's it! You'll see a new entry in GPG Keychain Access with your email address showing sec/pub in the type column.

The sec/pub type might be a little confusing at first, but simply consider that each time you create a new key, a new key pair is actually created. So your key consists of a secret key and a public key.
The public key is meant to be shared with others, so they can send you encrypted messages; the secret key stays with you, and only it can decrypt those messages or sign in your name.

Unless you really know what you are doing, you should never delete your secret key.
You would lose the ability to revoke your key and to open encrypted messages or files, among other things.

This wasn't too hard, was it?
Now let's dive into sending "Your first encrypted mail!"

Your first encrypted mail

Congrats, you've almost made it!

Let's check that you have everything you need for this part:

Do you have a secret key matching the mail address used in Mail.app?

  • No? GAME OVER! Go back to the beginning!
  • Yes? That's all you need for your first test!

Note: Since you already have your own public key in GPG Keychain Access, nothing else is required. If you want to encrypt to other recipients you need to retrieve their public key first.

Now open Mail.app, and start to compose a new message.
You'll notice two additional buttons in your composing window.

A lock icon (encrypt) and a star icon (sign).

Your star icon should be shown in dark grey, which means that you are ready to sign messages with your key.
When you click that icon, a check mark appears in the star, which means that your message will be signed.

Your lock icon, however, will be shown in light grey.
The reason is that you have to enter a recipient first, before you can encrypt a message: encryption always needs the public key of whoever is supposed to read the mail.

So for our test, enter your own email address in the "To:" field (the same that you use to send emails from).

After that, you'll notice that your lock icon will change its color to a dark grey.

Yeah, you are now ready to encrypt your message.
So click on it, and it will change into a closed lock, which means, your email will now be encrypted.

You'll also notice that once you press the lock or star button, the OpenPGP indicator in the top right corner turns green.
This indicator shows you that your mail is going to be signed and/or encrypted.

For review, your complete email should look something like this:

As you can see, the indicator is green, the lock button shows a closed lock, so the message will be encrypted and the star button shows a check mark in the star, so the message will be signed.

Aaaand now... SEND!

You'll be asked for your passphrase, in order to sign the message.
After a short moment, you should receive your own mail and see that it is encrypted and signed.
Make sure to click "Details".
You'll see an open lock, which means that the message was successfully decrypted.
If everything worked as expected, you should never see the closed lock; if you do see it, there was an error decrypting your message.
If there is no lock at all, the message wasn't encrypted.

Congrats, you've made it!

Alright, to be completely honest we have to admit, we've cheated a little.
Encrypting a message to someone else takes slightly more effort, since it requires you to have the public key of the recipient(s). Adding their public keys, however, is a task you only do once per recipient.

Find out "how to get your friend's public key"

So why should you really bother with all this hassle?

First off, we hope we could show you that sending secure messages isn't much harder than sending insecure ones, once you understand the basic concept.

Second, and it might already be clear: encrypting your messages prevents the NSA and everyone else but the intended recipients from reading them.
Others will only see what looks like random garbage.

Now third might not be as clear: why should you sign messages?

You can compare signing a message to sending a sealed letter in real life.
(Yeah, we know, who does that, right?)

For one, the recipient will be able to tell if the "seal" was broken.
If anyone has been fiddling with your message, your recipients will immediately see that the signature is invalid.
On the other hand, they can also be sure that the message did indeed come from you and not from an impostor, since only you can create that signature, with your secret key.
One could fake your email address or your name, but not your signature. And that's why signing is important.
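The same round trip the tutorial walks through in Mail.app (create a key pair, sign and encrypt a message to your own address, decrypt and verify it), followed by the "broken seal" case just described, can be reproduced with the gpg command line that GPG Suite installs. The script below is an added example, not part of the original article or of GPGTools; it runs in a throw-away keyring so it cannot touch your real keys, and the name, address and passphrase in it are made up.

```shell
#!/bin/sh
# Added example: key generation, sign+encrypt to self, decrypt+verify, and a
# tamper check, all with the gpg command line. Uses a temporary GNUPGHOME so
# nothing here lands in your real keyring. Identity and passphrase are constructed.

gpg_round_trip() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping"; return 0; }

    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    addr="alice@example.com"               # must match the address used in Mail.app
    pass="correct horse battery staple"   # constructed passphrase: long, memorable

    # 1. Create the key pair unattended (this is what the "New key" wizard does).
    #    --pinentry-mode loopback lets the passphrase come from the command line.
    gpg --batch --pinentry-mode loopback --passphrase "$pass" \
        --quick-generate-key "Alice Example <$addr>" default default 2y || return 1
    # The new key shows up as a secret (sec) and a public (pub) part.
    gpg --batch --list-secret-keys "$addr" >/dev/null 2>&1 || return 1

    # 2. Write a message, then sign and encrypt it to yourself (lock + star).
    printf 'hello, this is my first encrypted mail\n' > "$GNUPGHOME/msg.txt"
    gpg --batch --yes --pinentry-mode loopback --passphrase "$pass" \
        --armor --recipient "$addr" --sign --encrypt \
        --output "$GNUPGHOME/msg.asc" "$GNUPGHOME/msg.txt" || return 1

    # 3. "Others will only see random garbage": the plaintext must not be visible.
    grep -q 'this is my first encrypted mail' "$GNUPGHOME/msg.asc" && return 1

    # 4. Decrypt and verify, as Mail.app does when the message arrives.
    #    --status-fd 1 gives machine-readable lines; GOODSIG means the seal held.
    gpg --batch --yes --pinentry-mode loopback --passphrase "$pass" \
        --status-fd 1 --output "$GNUPGHOME/msg.out" --decrypt "$GNUPGHOME/msg.asc" \
        > "$GNUPGHOME/status" 2>/dev/null || return 1
    grep -q '^\[GNUPG:\] GOODSIG' "$GNUPGHOME/status" || return 1
    cmp -s "$GNUPGHOME/msg.txt" "$GNUPGHOME/msg.out" || return 1

    # 5. The broken seal: a detached signature over the original verifies,
    #    but the same signature over a tampered copy must be rejected.
    gpg --batch --yes --pinentry-mode loopback --passphrase "$pass" \
        --armor --detach-sign --output "$GNUPGHOME/msg.sig" "$GNUPGHOME/msg.txt" || return 1
    gpg --batch --verify "$GNUPGHOME/msg.sig" "$GNUPGHOME/msg.txt" 2>/dev/null || return 1
    printf 'hello, this is my first encrypted mail. PS: please wire the money\n' \
        > "$GNUPGHOME/msg.txt"
    if gpg --batch --verify "$GNUPGHOME/msg.sig" "$GNUPGHOME/msg.txt" 2>/dev/null; then
        return 1   # a modified message must never verify as yours
    fi

    # Clean up the throw-away keyring and the agent it started.
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
    return 0
}

gpg_round_trip && echo "round trip OK: encrypted, signed, verified, tamper detected"
```

Running it on a machine with gpg prints the "round trip OK" line; if any step fails, the function returns 1. Step 5 is the part the GUI hides: the recipient's mail client does exactly this verification, and the "broken seal" shows up as an invalid signature.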

And this also explains why it's EXTREMELY IMPORTANT to keep your secret key and your passphrase safe.
If someone got hold of both your secret key and your passphrase, they could forge your signature and pose as you. In addition, they could read every message ever encrypted to you, and you really wouldn't want that.

Use GPGTools - 'cause it's worth protecting what you love. :)


Suggested Reading