UCAR security policy requires that all sysadmins be capable of reading and writing email messages that are encrypted with PGP. GPG is the Gnu (free) version of PGP. On the Mac, you want to install GPGTools in order to get the command-line "gpg" command. You also want GPGMail, which is bundled with GPGTools, but may be installed separately to get a newer version of GPGMail than the one that comes with GPGTools.
There are several resources for information about PGP and GPG. Here are the ones I liked best:
As of 2013-01, install GPGTools by downloading the installer from http://www.gpgtools.org/.Clicking on GPGTools.mpkg will take you through the steps. It installs
/usr/local/bin/gpg2, and links to it so "gpg" is the same as "gpg2".
/Library/LaunchAgents/org.gpgtools.macgpg2.gpg-agent.plist, which causes launchd to start gpg-agent as a daemon at login time. See Managing my secret key with gpg-agent
When you installed GPGTools, you may have installed GPGMail as part of the pagkage. It probably wasn't the latest GPGMail, so install GPGMail separately to be sure you have the latest version. Download the GPGMail installer from http://www.gpgmail.org/.
When you start Mail, you may get a dailog box that says
You don't have any OpenPGP key. You can't use GPGMail to encrypt or sign messages.
If you want to be able to encrypt or sign messages with OpenPGP, you need a personal OpenPGP key. To create a OpenPGP key, download and install MacGPG's GPG Keychain Access from http://macgpg.sourceforge.net/
I think this means that Mail needs access to your PGP private key, which means your USB drive needs to be mounted and the gnupg.dmg disk image needs to be mounted.
Once you're past that, and you've restarted Mail, Mail will read the bundle and you'll see new controls in Mail, like a "PGP" tab under "Preferences".I learned some of the rest of this at http://www.swissunixsupport.com/mactips. That webpage says that gnupg2 requires that a gpg-agent process be running and that you need a package called pinentry-mac.app to handle display of dialog boxes. I followed the directions and then found that I could decrypt messages even when gpg-agent wasn't running. I got pinentry at http://media.arthurkoziel.com/pinentry-mac.0.02-1.tar.gz. I copied pinentry-mac.app to /Applications, then put this in ~/.gnupg/gpg-agent.conf (create if it doesn't exist):
Of course, the PGP parts of Mail work better if
I have an account at Lighthouse that lets me access the mailing lists for the GPGTools. See 1Password.
Edit the ~/.gnupg/gpg.conf file. Set:
keyserver-options auto-key-retrieve no-include-revoked
okapi$ gpg2 --gen-key gpg (GnuPG) 1.4.3; Copyright (C) 2006 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) Your selection? 1 DSA keypair will have 1024 bits. ELG-E keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 0 Key does not expire at all Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <email@example.com>" Real name: Pete Siemsen Email address: firstname.lastname@example.org Comment: You selected this USER-ID: "Pete Siemsen <email@example.com>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o You need a Passphrase to protect your secret key. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. +++++++++++++++++++++++++.+++++++++++++++++++++++++++++++++++ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. +++++++++++++++.+++++.+++++..++++b+.+++++++++++++++b+++++k..x gpg: /Users/siemsen/.gnupg/trustdb.gpg: trustdb created gpg: key E4BA9BEC marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 1024D/E4BA9BEC 2006-05-23 Key fingerprint = D311 1402 4026 21AF 2F81 D861 4172 CF6A E4BA 9BEC uid Pete Siemsen <firstname.lastname@example.org> sub 2048g/331EA98A 2006-05-23 okapi$
Verify your keys with
Generate a public key with
gpg --export --armor email@example.com > ~/.gnupg/my-key.asc
To allow other users to get your public key, you want to register it with keyservers.
If/when the UCAR hkp server is up, register my public key with the UCAR keyserver:
gpg --send-keys --keyserver hkp://keyserver.ucar.edu E4BA9BEC
Register my public key with the public keyservers:
gpg --send-keys --keyserver pgp.mit.edu E4BA9BEC
gpg --send-keys --keyserver hkp://wwwkeys.pgp.net E4BA9BEC
First, register your public key with the UCAR keyserver as described above. Then get a paper copy of the form and fill in the fields with the key ID and fingerprint displayed by this command:
Hint: the fingerprint is 10 blocks of 4 hexadecimal characters, and the key ID is the last 8 characters of the fingerprint.
Once accepted, the UCAR security guys will sign the key that you stored in the UCAR keyserver, which verifies that it is valid. Then they'll send me a test email message that is encrypted. I'll have to read the message and respond to it to demonstrate that I can do PGP email.
Each person has a public key. To make the key available so others can send encrypted mail to the person, each person should publicize their public key on a keyserver, and/or put their public key on a webpage somewhere. To read signed or encrypted mail sent to you, you need to have the sender's public key. To ease the problem of accessing other people's public keys, gpg maintains a "public keyring" in ~/gnupg/pubring.gpg. That keyring is different than the Mac "keychain", even though the Mac keychain is capable of storing PGP keys. Most people (me included) store public keys in their public keyring, and don't use the Mac keychain to store public keys. This is mainly because the methods for updating the keyring use the "gpg" command, and the GPGMail system uses the keyring, not the keychain. As I understand it, there's no benefit to storing public keys in the keychain. You store people's public keys in your public keyring as you learn them, and the mail reader uses the keys to decrypt mail and/or to verify signatures in mail messages.
There is also a secret keyring, in which you store your secret key.
It is needed when you want to sign or encrpyt an outgoing mail
message. UCAR policy says to store your secret key on an encrypted
disk image on a flash drive, so I do that and to minimize that
mounting/unmounting of that drive, I copy my secret to gpg-agent when
I log in. The details of this are described in the
To facilitate sharing keys easily, people can register their keys in a public keyserver. I use one of two keyservers: keyserver.ucar.edu or pgp.mit.edu. The first is the keyserver maintained by the UCAR security guys, and holds the keys of all the UCAR sysadmins. The second is the MIT one that is public.
GPG can be configured to look up keys on one keyserver automatically. GPG won't forward on key lookups - it only talks to one keyserver. I configured GPG to look them up from the UCAR keyserver.
Keys that you retrieve from a keyserver might be bullshit, so after you retrieve a key you have to assign it a "validity" or "trustworthiness" level. Once it's been trusted, Mail with GPGMail can decrypt mail messages from the person. You only have to import a person's public key and then trust it once - the trust level you assign is stored with the key in your public keyring.
To get a person's key from a keyserver, first use the person's email address to find the their key ID:
okapi$ gpg2 --search-keys --keyserver hkp://wwwkeys.pgp.net Alex_Hsia@noaa.gov gpg: searching for "Alex?Hsia@noaa.gov" from hkp server wwwkeys.pgp.net (1) Alex Hsia
1024 bit DSA key 80C14108, created: 2003-03-27 (2) Alex Hsia 1024 bit DSA key 1D663A0A, created: 2003-03-27 Keys 1-2 of 2 for "Alex?Hsia@noaa.gov". Enter number(s), N)ext, or Q)uit > q okapi$
Then, use the their key ID to load the person's key into the keyring:
okapi$ gpg2 --recv-keys --keyserver hkp://wwwkeys.pgp.net 0x80C14108 gpg: requesting key 80C14108 from hkp server wwwkeys.pgp.net gpg: key 80C14108: public key "Alex Hsia
" imported gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: depth: 1 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 1f, 0u gpg: next trustdb check due at 2011-01-22 gpg: Total number processed: 1 gpg: imported: 1 okapi$
After you do that, if you click on another email message in MacMail and click back on the original message, MacMail should show "The message has been signed with PGP" instead "Missing Key 0xaaaaaaaa".
To see the keys in your local keyring:
To load a key into the local keyring, cut the key id from wherever and paste it into one of these:
gpg2 --recv-keys --keyserver hkp://wwwkeys.pgp.net 0xaaaaaaaa
gpg2 --recv-keys --keyserver hkp://keyserver.ucar.edu 0xaaaaaaaa
To sign a key that's in your keyring:
gpg2 --sign-key AAAAAAAA
To assign a trust level to a key, it's easiest to use GPG Keychain Access.
GPG Keychain Access app to
display/import/export/delete them. The alternative is the
If you want to assign a trust level (a.k.a.) validity, highlight an entry and do GPG->Update Trust Database.... It'll open a Terminal window to ask for the trust level - kludgy. Then, it doesn't let you assign trust levels for a specific key, but only for whatever keys don't have trust levels defined - so how do you change the trust level of a key?
Because GPG_Keychain_Access seems so kludgy, I downloaded Seahorse from http://seahorse.sourceforge.net/.
I got http://ftp.gnome.org/pub/GNOME/sources/seahorse/0.8/seahorse-0.9.1.tar.gz and Stuffit Expander created a seahorse-0.9.1 directory under Desktop. I copied it to /usr/src. When I tried to build it, it complained because XML::Parser wasn't in the Perl libraries. Seahorse seems to have lots of other dependencies, so I gave up. Sigh.
I keep my SSH keys and my GPG secret keyring on a flash drive. This section describes how to write my secrets to an empty flash drive.
CSAC requires that sysadmins keep their GPG keys on a flashdrive.
Greg Woods described how to do it on Macs in
Greg's description mentions FAT32,
but I use FAT16 because it's just as good for drives smaller
than 128GB, it's what the
NCAR best practice is to store my GPG secret key on a flashdrive in an encrypted form, so that if I lose the flashdrive, others won't be able to get the key. They recommend creating an AES-encrypted disk image on the flashdrive.
At this point, you're either creating your primary flashdrive, or making a backup flashdrive. Either way, you need to have a secret keyring file (secring.gpg) to put on the new flashdrive. This file is usually stored only on flashdrives - it is only on the Mac's hard disk while you are in the process of creating flashdrives. When you first create your primary flashdrive, your secring.gpg file is sitting in ~/.gnupg because you created it as described in the Generate PGP keys section of this document. When you are making a backup flashdrive, you need to put a temporary copy of the file onto the Mac's hard disk like so:
Now comes the one-time step: copying the secret key to the flash drive and deleting it from the Mac. From this point forward, you'll need to have your flashdrive inserted in order to sign or decrypt email. Also, to initialize new flashdrives, you'll have to copy the gnupg disk image from one flashdrive to another - like my ssh key, it's not anywhere on the Mac's hard disk.
Then configure GPG to get the secret key from the flashdrive. Edit ~/.gnupg/gpg.conf and set
# I added these 2006-06-02 to implement getting my secret key from my
# flashdrive. See
See my USB flash drive notes details.
Under Mail -> Preferences, GPGMail, under Reading, make sure "Enable OpenPGP/MIME" is checked.
This happened to me when I started Mail and I had a symbolic link named "~/.gnupg/secring.gpg" that pointed to "/Volumes/gnupg/secring.gpg" (on a USB drive) and I didn't have the USB drive mounted and the "gnupg" dmg mounted. Mounting them and restarting Mail made the error go away.
This happened to me when installing GPGTools and when trying to
when I had a symbolic link named
"~/.gnupg/secring.gpg" that pointed to "/Volumes/gnupg/secring.gpg"
(on a USB drive)
and I didn't have the USB drive mounted and the "gnupg" dmg mounted.
Mounting them and restarting Mail made the error go away.
If, when you click "Verify", Mail displays "Missing Key 0xaaaaaaaa", then you need to load the person's public key into your local public keyring. I use the command line. You can get the person's key from a keyserver, or as a block of text that you get from the person's webpage or something.
If, when you click "Decrypt", Mail displays
Enter the password. Then try again.
open /Volumes/PETES\ KEYS\gnupg.dmg
If, when signing or encrypting an an outbound message, you get a dialog box that says
PGP Encryption Failed
No valid personal key has been found. Either none
was selected, or selected key is revoked, disabled or
Mail couldn't find your personal secret key, probably because you don't have the flashdrive mounted. Put the flash drive into the slot and do
Enter the password. Then try again.
open /Volumes/PETES\ KEYS\gnupg.dmg
As described above, UCAR policy says my secret key has to
be stored in an inconvenient place: in a secret keyring on an
encrypted drive on a USB flash drive. This means that to use
PGP, I have to go through this
This is so onerous that people wouldn't use PGP at all, so someone came up with a solution: gpg-agent. Gpg-agent is a daemon that stores your secret key so you have to go through the Royal Pain much less often. You endure the Royal Pain once at login time to save the key in gpg-agent. Then Mail/GPGMail and the rest of the gpg system gets the key from gpg-agent. The GPGTools folks anticipated that you'll do this, so they set up gpg-agent for you - it's started as a launchd daemon at boot time. The trick is to get your secret key into gpg-agent at login time.
So we assume gpg-agent is already running, and we just have to load our secret key into it. The new Less Royal Pain procedure is
ABKey is a plug-in for Address Book that shows GPG information in Address Book entries. See http://www.far-blue.co.uk/projects/keymanager.html. It works, but as the author warns, you have to move the mouse over an email address in an Address Book entry to activate it.