UCAR security policy requires that all sysadmins be capable of reading and writing email messages that are encrypted with PGP. GPG is the GNU (free) version of PGP. On the Mac, you want to install GPGTools in order to get the command-line "gpg" command.
Note: GPGMail is an add-on for Apple Mail. It is a component of GPGTools. I use Gmail to read mail, so I don't use GPGMail.
I had some success with Mailvelope, but it only handles mail messages, not files outside of a mail reader, so I settled on gpg.
With GMail, to decrypt a message, do this:
There are several resources for information about PGP and GPG. Here are the ones I liked best:
As of 2013-01, install GPGTools by downloading the installer from http://www.gpgtools.org/. Clicking on GPGTools.mpkg will take you through the steps. It installs
/usr/local/bin/gpg2, and links to it so "gpg" is the same as "gpg2".
/Applications/GPG Keychain Access.app
/Library/LaunchAgents/org.gpgtools.macgpg2.gpg-agent.plist, which causes launchd to start gpg-agent as a daemon at login time. See "Managing my secret key with gpg-agent".
I have an account at Lighthouse that lets me access the mailing lists for the GPGTools. See 1Password.
Edit the ~/.gnupg/gpg.conf file. Set:
Verify your keys with
Generate a public key with
To allow other users to get your public key, you want to register it with keyservers.
If/when the UCAR hkp server is up, register my public key with the UCAR keyserver:
Register my public key with the public keyservers:
First, register your public key with the UCAR keyserver as described above. Then get a paper copy of the form and fill in the fields with the key ID and fingerprint displayed by this command:
Hint: the fingerprint is 10 blocks of 4 hexadecimal characters, and the key ID is the last 8 characters of the fingerprint.
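As an added example (not from these notes), a small POSIX shell script that turns a fingerprint line, as printed by gpg --fingerprint, into the long and short key IDs the form asks for, and checks a fingerprint against the one gpg reports using all 40 hex digits rather than the 8-character key ID, which two different keys can share. The fingerprint value is constructed; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original notes: derive key IDs from a
# fingerprint and compare fingerprints in full. Sample values are constructed.

# Normalize one fingerprint: drop a leading "Key fingerprint =" label, all
# blanks, and lower case. Fail unless exactly 40 hex digits remain (a v4
# OpenPGP fingerprint; ten blocks of four, as the hint above says).
normalize_fpr() {
    fpr=$(printf '%s' "$1" | sed 's/^[^=]*=//' | tr -d ' \t\n' | tr 'a-f' 'A-F')
    [ "${#fpr}" -eq 40 ] || return 1
    case "$fpr" in *[!0-9A-F]*) return 1 ;; esac
    printf '%s\n' "$fpr"
}

# Long key ID (16 hex digits): the low 64 bits of the fingerprint.
long_key_id() {
    fpr=$(normalize_fpr "$1") || return 1
    printf '%s' "$fpr" | tail -c 16
    echo
}

# Short key ID (8 hex digits): the low 32 bits, the value the form asks for.
short_key_id() {
    fpr=$(normalize_fpr "$1") || return 1
    printf '%s' "$fpr" | tail -c 8
    echo
}

# Compare the fingerprint written on the form with the one gpg prints.
# Always compare all 40 digits: a short key ID is only 32 bits, so two
# different keys can carry the same one.
fingerprint_matches() {
    a=$(normalize_fpr "$1") || return 1
    b=$(normalize_fpr "$2") || return 1
    [ "$a" = "$b" ]
}

# Constructed sample in the layout gpg prints for "gpg --fingerprint".
SAMPLE_LINE='      Key fingerprint = 1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678'

if [ "${1:-}" = "demo" ]; then
    echo "fingerprint:  $(normalize_fpr "$SAMPLE_LINE")"
    echo "long key ID:  $(long_key_id "$SAMPLE_LINE")"
    echo "short key ID: $(short_key_id "$SAMPLE_LINE")"
fi
```

Run it as `sh keyid.sh demo` to see the three values for the sample line, or source it and call fingerprint_matches with the value from the form and the value from gpg.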
Once accepted, the UCAR security guys will sign the key that you stored in the UCAR keyserver, which verifies that it is valid. Then they'll send you a test email message that is encrypted. You'll have to read the message and respond to it to demonstrate that you can do PGP email.
Each person has a public key. To make your public key available so others can send you encrypted mail, you should publicize your public key on a keyserver, and/or put it on a webpage somewhere. To read signed or encrypted mail sent to you, you need to have the sender's public key. To ease the problem of accessing a lot of other people's public keys, gpg maintains a "public keyring" in ~/.gnupg/pubring.gpg. You store people's public keys in your public keyring as you learn them, and the mail reader uses the keys to decrypt incoming mail and/or to verify signatures in incoming mail messages.
The GPG keyring is different from the Mac "keychain", even though the Mac keychain can store PGP keys. It seems that people don't use the Mac keychain to store public keys - they use the GPG keyring instead. As I understand it, there's no benefit to storing public keys in the keychain.
The GPG keyring is stored in ~/.gnupg/pubring.gpg. I need a copy of it on each machine that I read mail on.
There is also a secret GPG keyring, named secring.gpg, in which you store your secret key. It is needed when you want to sign or encrypt an outgoing mail message. UCAR policy says to store your secret key on an encrypted disk image on a flash drive, so I do that. To minimize the mounting/unmounting of that drive, I copy my secret to gpg-agent when I log in, using a bash function I wrote named "ssho". The details of this are described in the
To facilitate sharing keys easily, people can register their keys in a public keyserver. I use one of two keyservers: keyserver.ucar.edu or pgp.mit.edu. The first is the keyserver maintained by the UCAR security guys, and holds the keys of all the UCAR sysadmins. The second is the MIT one that is public.
GPG can be configured to look up keys on one keyserver automatically. GPG won't forward on key lookups - it only talks to one keyserver. I configured GPG to look them up from the UCAR keyserver.
Keys that you retrieve from a keyserver might be bullshit, since anyone can upload a key bearing any name, so after you retrieve a key you have to assign it a "validity" or "trustworthiness" level. You only have to import a person's public key and then trust it once - the trust level you assign is stored with the key in your public keyring.
Every once in a while, you'll want to update the GPG keyring, aka ~/.gnupg/pubring.gpg so that you can verify signed messages. As of 2016-08-02, I receive signed messages from these people:
As of 2014-04-07, I have their keys in my GPG keyring, so I can verify their signed messages. If I receive a signed message from someone whose key I don't have in my keyring, here's how to add them:
First, use the person's email address to find their key ID:
Then, use their key ID to load their public key into the keyring:
After you do that, if you click on another email message in Apple Mail and click back on the original message, Mail should show "The message has been signed with PGP" instead of "Missing Key 0xaaaaaaaa".
To see the keys in your local keyring:
To load a key into the local keyring, cut the key id from wherever and paste it into one of these:
To sign a key that's in your keyring:
To assign a trust level to a key, it's easiest to use GPG Keychain Access.
GPG Keychain Access app to display/import/export/delete them. The alternative is the
If you want to assign a trust level (a.k.a. validity), highlight an entry and do GPG->Update Trust Database.... It'll open a Terminal window to ask for the trust level, which is kludgy. Also, it doesn't let you assign trust levels for a specific key, only for whatever keys don't have trust levels defined yet - so how do you change the trust level of a key?
Because GPG Keychain Access seems so kludgy, I downloaded Seahorse from http://seahorse.sourceforge.net/.
I got http://ftp.gnome.org/pub/GNOME/sources/seahorse/0.8/seahorse-0.9.1.tar.gz and Stuffit Expander created a seahorse-0.9.1 directory under Desktop. I copied it to /usr/src. When I tried to build it, it complained because XML::Parser wasn't in the Perl libraries. Seahorse seems to have lots of other dependencies, so I gave up. Sigh.
On 2017-07-19, Rich Johnson emailed out an encrypted message containing a file named "msg.asc". It contained an updated list of keys for UCAR personnel. I decrypted it with
Then I started the GPG Keychain app, and dragged msg.asc into the app window. This updated my ~/.gnupg/pubring.gpg file. Yet the app requires that the gnupg drive be mounted. I don't understand exactly what it's doing.
I keep my SSH keys and my GPG secret keyring on a flash drive. This section describes how to write my secrets to an empty flash drive.
CSAC requires that sysadmins keep their GPG keys on a flashdrive.
Greg Woods described how to do it on Macs in
Greg's description mentions FAT32, but I use FAT16 because it's just as good for drives smaller than 128GB, it's what the
NCAR best practice is to store my GPG secret key on a flashdrive in an encrypted form, so that if I lose the flashdrive, others won't be able to get the key. They recommend creating an AES-encrypted disk image on the flashdrive.
At this point, you're either creating your primary flashdrive, or making a backup flashdrive. Either way, you need to have a secret keyring file (secring.gpg) to put on the new flashdrive. This file is usually stored only on flashdrives - it is only on the Mac's hard disk while you are in the process of creating flashdrives. When you first create your primary flashdrive, your secring.gpg file is sitting in ~/.gnupg because you created it as described in the Generate PGP keys section of this document. When you are making a backup flashdrive, you need to put a temporary copy of the file onto the Mac's hard disk like so:
Now comes the one-time step: copying the secret key to the flash drive and deleting it from the Mac. From this point forward, you'll need to have your flashdrive inserted in order to sign or decrypt email. Also, to initialize new flashdrives, you'll have to copy the gnupg disk image from one flashdrive to another - like my ssh key, it's not anywhere on the Mac's hard disk.
Then configure GPG to get the secret key from the flashdrive. Edit ~/.gnupg/gpg.conf and set
See my USB flash drive notes for details.
Under Mail -> Preferences, GPGMail, under Reading, make sure "Enable OpenPGP/MIME" is checked.
This happened to me when I started Mail and I had a symbolic link named "~/.gnupg/secring.gpg" that pointed to "/Volumes/gnupg/secring.gpg" (on a USB drive) and I didn't have the USB drive mounted and the "gnupg" dmg mounted. Mounting them and restarting Mail made the error go away.
This happened to me when installing GPGTools and when trying to when I had a symbolic link named "~/.gnupg/secring.gpg" that pointed to "/Volumes/gnupg/secring.gpg" (on a USB drive) and I didn't have the USB drive mounted and the "gnupg" dmg mounted. Mounting them and restarting Mail made the error go away.
If, when you click "Verify", Mail displays "Missing Key 0xaaaaaaaa", then you need to load the person's public key into your local public keyring. I use the command line. You can get the person's key from a keyserver, or as a block of text that you get from the person's webpage or something.
If, when you click "Decrypt", Mail displays "<username> no secret key", then you probably don't have the flashdrive mounted. Put the flash drive into the slot and do
Enter the password. Then try again.
If, when signing or encrypting an outbound message, you get a dialog box that says
PGP Encryption Failed
No valid personal key has been found. Either none
was selected, or selected key is revoked, disabled or
Mail couldn't find your personal secret key, probably because you don't have the flashdrive mounted. Put the flash drive into the slot and do
Enter the password. Then try again.
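Added example (not from these notes): a preflight check, written as POSIX shell functions, for the "no secret key" and "No valid personal key" errors above. It assumes the layout these notes use, namely gpg.conf pointing secret-keyring at ~/.gnupg/secring.gpg, which is a symlink into the mounted gnupg image under /Volumes; the function names, path argument and messages are mine.

```shell
#!/bin/sh
# Added example, not from the original notes. Checks whether the secret
# keyring that gpg.conf points at is reachable before you try to sign or
# decrypt. Assumed layout (from these notes): ~/.gnupg/secring.gpg is a
# symlink to /Volumes/gnupg/secring.gpg on the flash drive's encrypted image.

# Exit status: 0 keyring readable; 1 nothing at that path; 2 dangling symlink,
# i.e. the volume it points into is not mounted; 3 present but unreadable.
secring_status() {
    ring="${1:-$HOME/.gnupg/secring.gpg}"
    if [ -L "$ring" ] && [ ! -e "$ring" ]; then
        return 2
    elif [ ! -e "$ring" ]; then
        return 1
    elif [ -r "$ring" ]; then
        return 0
    else
        return 3
    fi
}

# Same check, with a one-line explanation on stdout; passes the status through.
secring_advice() {
    ring="${1:-$HOME/.gnupg/secring.gpg}"
    rc=0
    secring_status "$ring" || rc=$?
    case $rc in
        0) echo "secret keyring readable at $ring" ;;
        1) echo "nothing at $ring: check the secret-keyring line in gpg.conf" ;;
        2) echo "$ring points into an unmounted volume: insert the flash drive, mount the gnupg image, then retry" ;;
        3) echo "$ring exists but is not readable by $(id -un): check owner and mode (0600)" ;;
    esac
    return $rc
}
```

Source the file and run `secring_advice` (with no argument for the default path) before signing or decrypting; a status of 2 is the "mount the drive first" case from the troubleshooting items above.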
Briefly, gpg-agent is a superset of ssh-agent - it stores secret (private) keys in a process so you don't have to keep a sensitive file mounted all the time.
As described above, UCAR policy says my secret key has to be stored in an inconvenient place: in a secret keyring on an encrypted drive on a USB flash drive. This means that to use PGP, I have to go through this
To make it worse, I have to tell Mail/GPGMail where the secret keyring is by configuring my gpg.conf file with
This is so onerous that people wouldn't use PGP at all, so someone came up with a solution: gpg-agent. It is a daemon that stores your secret key so you have to go through the Royal Pain much less often. You endure the Royal Pain once at login time to save the key in gpg-agent. Then Mail/GPGMail and the rest of the gpg system get the key from gpg-agent. The GPGTools folks anticipated that you'd do this, so they set up gpg-agent for you - it's started as a launchd daemon at boot time. The trick is to get your secret key into gpg-agent at login time.
So we assume gpg-agent is already running, and we just have to load our secret key into it. The new Less Royal Pain procedure is
ABKey is a plug-in for Address Book that shows GPG information in Address Book entries. See http://www.far-blue.co.uk/projects/keymanager.html. It works, but as the author warns, you have to move the mouse over an email address in an Address Book entry to activate it.