UCAR security policy requires that all sysadmins be capable of reading and writing email messages that are encrypted with PGP. GPG is the GNU (free) version of PGP. On the Mac, install GPGTools to get the command-line "gpg" command. You may also want GPGMail to give GPG capability to Apple Mail.
I had some success with Mailvelope, but it only handles mail messages, not files outside of a mail reader, so I settled on gpg.
With GMail, to decrypt a message, do this:
There are several resources for information about PGP and GPG. Here are the ones I liked best:
As of 2013-01, install GPGTools by downloading the installer from http://www.gpgtools.org/. Clicking on GPGTools.mpkg will take you through the steps. It installs:
/usr/local/bin/gpg2, and links to it so "gpg" is the same as "gpg2".
/Library/LaunchAgents/org.gpgtools.macgpg2.gpg-agent.plist, which causes launchd to start gpg-agent as a daemon at login time. See Managing my secret key with gpg-agent
When you installed GPGTools, you installed GPGMail as part of the package. It probably wasn't the latest GPGMail, so you'll want to install GPGMail separately to be sure you have the latest version. To see what version of GPGMail is installed, start Apple Mail and do Preferences -> GPGMail. Download the GPGMail installer from http://www.gpgmail.org/.
When you start Mail, you may get a dialog box that says
You don't have any OpenPGP key. You can't use GPGMail to encrypt or sign messages.
If you want to be able to encrypt or sign messages with OpenPGP, you need a personal OpenPGP key. To create a OpenPGP key, download and install MacGPG's GPG Keychain Access from http://macgpg.sourceforge.net/
I think this means that Mail needs access to your PGP private key, which means your USB drive needs to be mounted and the gnupg.dmg disk image needs to be mounted.
Once you're past that, and you've restarted Mail, Mail will read the bundle and you'll see new controls in Mail, like a "PGP" tab under "Preferences". I learned some of the rest of this at http://www.swissunixsupport.com/mactips. That webpage says that gnupg2 requires that a gpg-agent process be running and that you need a package called pinentry-mac.app to handle display of dialog boxes. I followed the directions and then found that I could decrypt messages even when gpg-agent wasn't running. I got pinentry at http://media.arthurkoziel.com/pinentry-mac.0.02-1.tar.gz. I copied pinentry-mac.app to /Applications, then put this in ~/.gnupg/gpg-agent.conf (create if it doesn't exist):
I have an account at Lighthouse that lets me access the mailing lists for the GPGTools. See 1Password.
Edit the ~/.gnupg/gpg.conf file. Set:
keyserver-options auto-key-retrieve no-include-revoked
Verify your keys with
Export your public key to an ASCII-armored file with
gpg --export --armor email@example.com > ~/.gnupg/my-key.asc
To allow other users to get your public key, you want to register it with keyservers.
If/when the UCAR hkp server is up, register my public key with the UCAR keyserver:
gpg --send-keys --keyserver hkp://keyserver.ucar.edu E4BA9BEC
Register my public key with the public keyservers:
gpg --send-keys --keyserver pgp.mit.edu E4BA9BEC
First, register your public key with the UCAR keyserver as described above. Then get a paper copy of the form and fill in the fields with the key ID and fingerprint displayed by this command:
Hint: the fingerprint is 10 blocks of 4 hexadecimal characters, and the key ID is the last 8 characters of the fingerprint.
Once accepted, the UCAR security guys will sign the key that you stored in the UCAR keyserver, which verifies that it is valid. Then they'll send you a test email message that is encrypted. You'll have to read the message and respond to it to demonstrate that you can do PGP email.
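The hint above, worked through as an added example (not part of the original notes): it reads the fingerprint from `gpg --with-colons --fingerprint` output, prints it as 10 blocks of 4 for the form, derives the key ID, and checks a hand-copied fingerprint against what gpg reports. The sample output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --fingerprint` output (not a real key).
SAMPLE_COLONS='pub:u:2048:1:89ABCDEF01234567:1136073600:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# Strip whitespace, uppercase, and require exactly 40 hex digits.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F')
    case "$fpr" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Fingerprint of the first key: field 10 of the first "fpr" record.
fpr_from_colons() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Print as 10 blocks of 4 hex characters, the layout used on the form.
format_fpr() {
    f=$(normalize_fpr "$1") || return 1
    printf '%s\n' "$f" | sed 's/..../& /g; s/ $//'
}

# Key ID: the last 8 characters of the fingerprint.
key_id() {
    f=$(normalize_fpr "$1") || return 1
    printf '%s\n' "$f" | cut -c33-40
}

# Succeed only if a hand-copied fingerprint equals the one gpg reports.
# Returns 2 when either value is not a well-formed fingerprint.
fpr_matches() {
    want=$(normalize_fpr "$1") || return 2
    have=$(normalize_fpr "$(fpr_from_colons "$2")") || return 2
    [ "$want" = "$have" ]
}
```

When verifying someone else's key, compare the full fingerprint rather than the 8-character key ID, because short IDs are easy to collide.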
Each person has a public key. To make your public key available so others can send you encrypted mail, you should publicize your public key on a keyserver, and/or put it on a webpage somewhere. To read signed or encrypted mail sent to you, you need to have the sender's public key. To ease the problem of accessing a lot of other people's public keys, gpg maintains a "public keyring" in ~/.gnupg/pubring.gpg. You store people's public keys in your public keyring as you learn them, and the mail reader uses the keys to decrypt incoming mail and/or to verify signatures in incoming mail messages.
The GPG keyring is different than the Mac "keychain", even though the Mac keychain can store PGP keys. Most people don't use the Mac keychain to store public keys - they use the GPG keyring instead. This is mainly because the GPGMail system uses the GPG keyring, not the keychain. As I understand it, there's no benefit to storing public keys in the keychain.
The GPG keyring is stored in ~/.gnupg/pubring.gpg. I need a copy of it on each machine that I read mail on, so I arrange to copy it from cisl-irving to my other machines where I read mail (cisl-valencia).
There is also a secret GPG keyring, named secring.gpg, in which you
store your secret key. It is needed when you want to sign or encrypt
an outgoing mail message. UCAR policy says to store your secret key
on an encrypted disk image on a flash drive, so I do that. To
minimize the mounting/unmounting of that drive, I copy my secret to
gpg-agent when I log in. The details of this are described in the
To facilitate sharing keys easily, people can register their keys in a public keyserver. I use one of two keyservers: keyserver.ucar.edu or pgp.mit.edu. The first is the keyserver maintained by the UCAR security guys, and holds the keys of all the UCAR sysadmins. The second is the MIT one that is public.
GPG can be configured to look up keys on one keyserver automatically. GPG won't forward on key lookups - it only talks to one keyserver. I configured GPG to look them up from the UCAR keyserver.
Keys that you retrieve from a keyserver might be bullshit, so after you retrieve a key you have to assign it a "validity" or "trustworthiness" level. Once it's been trusted, Mail with GPGMail can decrypt mail messages from the person. You only have to import a person's public key and then trust it once - the trust level you assign is stored with the key in your public keyring.
Every once in a while, you'll want to update the GPG keyring, aka ~/.gnupg/pubring.gpg so that you can verify signed messages. As of 2016-08-02, I receive signed messages from these people:
As of 2014-04-07, I have their keys in my GPG keyring, so I can verify their signed messages. If I receive a signed message from someone that I don't have in my keyring, here's how to add them:
DO THIS ON CISL-IRVING, where the "master" pubring.gpg resides, so it gets automatically copied to cisl-valencia when you do the next synchronize-petes-files.
First, use the person's email address to find their key ID:
Then, use their key ID to load their public key into the keyring:
After you do that, if you click on another email message in Apple Mail and click back on the original message, Mail should show "The message has been signed with PGP" instead of "Missing Key 0xaaaaaaaa".
To see the keys in your local keyring:
To load a key into the local keyring, cut the key id from wherever and paste it into one of these:
gpg2 --recv-keys --keyserver hkp://wwwkeys.pgp.net 0xaaaaaaaa
gpg2 --recv-keys --keyserver hkp://keyserver.ucar.edu 0xaaaaaaaa
To sign a key that's in your keyring:
gpg2 --sign-key AAAAAAAA
To assign a trust level to a key, it's easiest to use GPG Keychain Access.
GPG Keychain Access app to
display/import/export/delete them. The alternative is the
If you want to assign a trust level (a.k.a. validity), highlight an entry and do GPG->Update Trust Database.... It'll open a Terminal window to ask for the trust level - kludgy. Then, it doesn't let you assign trust levels for a specific key, but only for whatever keys don't have trust levels defined - so how do you change the trust level of a key?
Because GPG_Keychain_Access seems so kludgy, I downloaded Seahorse from http://seahorse.sourceforge.net/.
I got http://ftp.gnome.org/pub/GNOME/sources/seahorse/0.8/seahorse-0.9.1.tar.gz and Stuffit Expander created a seahorse-0.9.1 directory under Desktop. I copied it to /usr/src. When I tried to build it, it complained because XML::Parser wasn't in the Perl libraries. Seahorse seems to have lots of other dependencies, so I gave up. Sigh.
I keep my SSH keys and my GPG secret keyring on a flash drive. This section describes how to write my secrets to an empty flash drive.
CSAC requires that sysadmins keep their GPG keys on a flashdrive.
Greg Woods described how to do it on Macs in
Greg's description mentions FAT32,
but I use FAT16 because it's just as good for drives smaller
than 128GB, it's what the
NCAR best practice is to store my GPG secret key on a flashdrive in an encrypted form, so that if I lose the flashdrive, others won't be able to get the key. They recommend creating an AES-encrypted disk image on the flashdrive.
At this point, you're either creating your primary flashdrive, or making a backup flashdrive. Either way, you need to have a secret keyring file (secring.gpg) to put on the new flashdrive. This file is usually stored only on flashdrives - it is only on the Mac's hard disk while you are in the process of creating flashdrives. When you first create your primary flashdrive, your secring.gpg file is sitting in ~/.gnupg because you created it as described in the Generate PGP keys section of this document. When you are making a backup flashdrive, you need to put a temporary copy of the file onto the Mac's hard disk like so:
Now comes the one-time step: copying the secret key to the flash drive and deleting it from the Mac. From this point forward, you'll need to have your flashdrive inserted in order to sign or decrypt email. Also, to initialize new flashdrives, you'll have to copy the gnupg disk image from one flashdrive to another - like my ssh key, it's not anywhere on the Mac's hard disk.
Then configure GPG to get the secret key from the flashdrive. Edit ~/.gnupg/gpg.conf and set
# I added these 2006-06-02 to implement getting my secret key from my
# flashdrive. See
See my USB flash drive notes for details.
Under Mail -> Preferences, GPGMail, under Reading, make sure "Enable OpenPGP/MIME" is checked.
This happened to me when I started Mail and I had a symbolic link named "~/.gnupg/secring.gpg" that pointed to "/Volumes/gnupg/secring.gpg" (on a USB drive) and I didn't have the USB drive mounted and the "gnupg" dmg mounted. Mounting them and restarting Mail made the error go away.
This happened to me when installing GPGTools and when trying to
when I had a symbolic link named
"~/.gnupg/secring.gpg" that pointed to "/Volumes/gnupg/secring.gpg"
(on a USB drive)
and I didn't have the USB drive mounted and the "gnupg" dmg mounted.
Mounting them and restarting Mail made the error go away.
If, when you click "Verify", Mail displays "Missing Key 0xaaaaaaaa", then you need to load the person's public key into your local public keyring. I use the command line. You can get the person's key from a keyserver, or as a block of text that you get from the person's webpage or something.
If, when you click "Decrypt", Mail displays
Enter the password. Then try again.
open /Volumes/PETES\ KEYS/gnupg.dmg
If, when signing or encrypting an outbound message, you get a dialog box that says
PGP Encryption Failed
No valid personal key has been found. Either none
was selected, or selected key is revoked, disabled or
Mail couldn't find your personal secret key, probably because you don't have the flashdrive mounted. Put the flash drive into the slot and do
open /Volumes/PETES\ KEYS/gnupg.dmg
Enter the password. Then try again.
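Several of the errors above come from the same cause: ~/.gnupg/secring.gpg is a symbolic link to /Volumes/gnupg/secring.gpg and the image is not mounted. As an added example (not part of the original notes), this preflight check classifies the state of that link before you start Mail; the function names and the state labels are hypothetical, and the mount point default is the one used on this page.

```shell
#!/bin/sh
# secring_state GNUPGHOME MOUNTPOINT
# Prints one of: ok, unmounted, wrong-target, local-copy, missing.
secring_state() {
    ring="${1:-$HOME/.gnupg}/secring.gpg"
    mount="${2:-/Volumes/gnupg}"          # mount point of gnupg.dmg, as on this page
    if [ -L "$ring" ]; then
        target=$(readlink "$ring")
        case "$target" in
            "$mount"/*) ;;                 # points into the encrypted image
            *) echo "wrong-target"; return ;;
        esac
        # -e follows the link, so it fails when the image is not mounted.
        if [ -e "$ring" ]; then echo "ok"; else echo "unmounted"; fi
    elif [ -e "$ring" ]; then
        echo "local-copy"                  # secret keyring stored on the local disk
    else
        echo "missing"
    fi
}

# preflight GNUPGHOME MOUNTPOINT: explain the state; exit status 0 only for "ok".
preflight() {
    state=$(secring_state "$1" "$2")
    case "$state" in
        ok)           echo "secring.gpg resolves into the mounted image" ;;
        unmounted)    echo "dangling symlink: mount the flash drive and gnupg.dmg, then restart Mail" ;;
        wrong-target) echo "symlink does not point into the encrypted image" ;;
        local-copy)   echo "secring.gpg is a regular file on this disk, not a symlink" ;;
        missing)      echo "no secring.gpg in the GnuPG home directory" ;;
    esac
    [ "$state" = "ok" ]
}
```

Run `preflight` with no arguments to check the default locations; the "local-copy" state is worth acting on, since the notes above say the secret keyring should live only on the flashdrive.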
Briefly, gpg-agent is a superset of ssh-agent - it stores secret (private) keys in a process so you don't have to keep a sensitive file mounted all the time.
As described above, UCAR policy says my secret key has to
be stored in an inconvenient place: in a secret keyring on an
encrypted drive on a USB flash drive. This means that to use
PGP, I have to go through this
This is so onerous that people wouldn't use PGP at all, so someone came up with a solution: gpg-agent. Gpg-agent is a daemon that stores your secret key so you have to go through the Royal Pain much less often. You endure the Royal Pain once at login time to save the key in gpg-agent. Then Mail/GPGMail and the rest of the gpg system gets the key from gpg-agent. The GPGTools folks anticipated that you'll do this, so they set up gpg-agent for you - it's started as a launchd daemon at boot time. The trick is to get your secret key into gpg-agent at login time.
So we assume gpg-agent is already running, and we just have to load our secret key into it. The new Less Royal Pain procedure is
ABKey is a plug-in for Address Book that shows GPG information in Address Book entries. See http://www.far-blue.co.uk/projects/keymanager.html. It works, but as the author warns, you have to move the mouse over an email address in an Address Book entry to activate it.