
Reposted from my old now defunct blog and updated
I'm a careful, paranoid person... sadly, very few people share my specific fears about email, and most take no steps to secure their communications from third parties on the Internet. This is mostly because people are scared of the 'complexity' this security brings with it... but it doesn't have to be difficult to set up or time consuming to operate. Apple Mail.app and Mozilla Thunderbird make it a snap. Today I'll be giving you step-by-step instructions for installing GnuPG on a Mac, creating a key, and getting ready to use a more secure method of communication.
Let's start with the basics of why you need to encrypt your email.
Communicating with plaintext email today is akin to writing a Post-it note, going to a crowded building and pinning this note on a cork-board for everyone to see. Most people will ignore it, but others will read it. This is due to the way email is sent via several servers, each of which keeps a temporary ghost image of your email in its logs and memory. Anyone with access to one of the servers in the middle can easily collect your email and process it. It is alleged that Echelon and Carnivore collect millions of emails every day, which are indexed and archived in a database for potential further processing.
Why is this a problem for me, I'm a law-abiding citizen... Well, so am I, but there has been evidence of governments passing on trade secrets they intercept to companies they are friendly with.
This seems to be prevalent enough that the German Bundesministerium für Wirtschaft und Technologie (BMWI) [Federal Ministry of the Economy and Technology] has released several warnings to companies to use encryption, as they allege that foreign intelligence services will pass on the trade secrets they collect to friendly companies.
It also led the BMWI to help finance the GNU Privacy Projekt (GnuPP) for email encryption. So now you are asking: why should I trust encryption freely made available by the Germans? It's open source... everyone can read the source and see if there are backdoors or vulnerabilities... so far none have been discovered.
But we are also not using GnuPP here but rather the completely independent GNU Privacy Guard (GnuPG), which is based on PGP, developed by Phil Zimmermann, and is commonly considered one of the best solutions available for email security. Phil has a plenitude of information and essays about encryption on his website... A strongly recommended read.
Let's get started
1.) We go to http://macgpg.sourceforge.net/ and download the newest version of their Mac port of GnuPG. It's 1.4.8 as of this writing and it's an 11 megabyte download... Now mount the .dmg image by double clicking on it and simply execute the installer. You will need your master password for the install, but it should just be a matter of seconds.

2.) Now we go back to http://macgpg.sourceforge.net/ and also download GPG Keychain Access (version 0.7.0) and GPGPreferences (1.2.2).
3.) Let's do GPG Preferences first: Mount the .dmg image and double click the GnuPG.prefPane... this will install it in your System Preferences; again your master password will be required. You don't have to change anything here at this time. We just installed it in case of future need.

4.) GPG Keychain Access is easy to install: just unzip the downloaded file, open the folder it creates and move the program to your Applications folder.
5.) Now go to the homepage for the GPGMail plug-in and download the version for your Mac OS; I'm assuming it's 10.4.x or 10.5.x. At this point I should tell you, if you haven't bought Leopard yet, it is well worth it. And you can do it by clicking here.
After the download, close Mail.app and let's install the plug-in by mounting the .dmg image, double clicking Install GPGMail and following the instructions... very straightforward, no?
Alternatively, the newest GPGMail plug-in beta requires you to do a couple of extra steps. (These are taken directly from the readme.)
- copy GPGMail.mailbundle into $HOME/Library/Mail/Bundles folder (create it if necessary)
- Quit Mail and in terminal, type (only necessary if you don't already have a beta version installed):
  defaults write com.apple.mail EnableBundles -bool yes
  defaults write com.apple.mail BundleCompatibilityVersion -int 3
- Relaunch mail
Let's make a key

Open GPG Keychain Access from your Applications folder. If it does not ask you to create a key automatically, go to Keys on the top menu and choose Generate. It will bring up the assistant/wizard to generate your new GnuPG key.

Simply click continue

Choose one of the options. DSA and ElGamal is the suggested option these days; the GPG FAQ has more information on the different options. For now let's just choose DSA and ElGamal.

Now it's time to choose a key size; at the very least you should choose a key larger than 2048 bits. The larger the key, the more processing power will be used for encrypting and decrypting, but there is no reason not to use a 4096-bit key with today's fast computers. It's the safest option across the board.

Now select an expiration date. You can have a key without an expiration date, but I personally prefer to make a new key every year for added security. (Even after the key expires you will be able to decrypt data, but people will no longer be able to encrypt new data with this key.)

Enter the email address you would like to use for this key and a comment such as 'Valid for '07' or something along those lines.

Think of a passphrase, and take your time... It should be something you will never forget but no one else could ever guess. So do NOT use your birthdate, your anniversary or any other information a smart attacker would be able to gather by researching you. Mine is two sentences long, but make it as long as you are comfortable with.

Double check all the information and click continue...
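Once the key exists, it is worth checking that what the wizard produced actually matches the advice above (component sizes, an expiration date, not already expired). The following is an added example, not code from the original post or from the MacGPG project. It parses the machine-readable listing that `gpg --with-colons --fixed-list-mode --list-keys` prints (a real GnuPG option set; with `--fixed-list-mode` the date fields are Unix timestamps) and reports each key's weakest component and its expiration status. The thresholds (2048-bit minimum, 4096-bit recommendation, one-year lifetime) are taken from the post; the sample listing, key ids, fingerprints and user IDs are constructed for the example and are not real keys.

```python
"""Audit a GnuPG keyring listing against the key-creation advice in the post.

Input is the output of:  gpg --with-colons --fixed-list-mode --list-keys
Relevant record fields (colon separated, 0-based):
  pub/sub: [2] key length, [3] algorithm id, [4] key id,
           [5] creation timestamp, [6] expiration timestamp ("" = never)
  uid:     [9] user ID string
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Public-key algorithm ids as used in the listing (OpenPGP values).
ALGO_NAMES = {1: "RSA", 16: "ElGamal", 17: "DSA"}

# Thresholds taken from the post: larger than 2048 bits, 4096 preferred,
# and a new key every year.
MIN_BITS = 2048
RECOMMENDED_BITS = 4096
MAX_LIFETIME = timedelta(days=366)

# Constructed sample listing (not real keys): a 1024-bit DSA primary key with a
# 4096-bit ElGamal subkey, a 4096-bit RSA key that never expires, and an
# expired 2048-bit DSA/ElGamal key. Timestamps are 2007-01-01, 2008-01-01
# and 2009-01-01 UTC.
SAMPLE_LISTING = """\
tru::1:1704067200:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:1199145600:1230768000::u:::scaSC:
fpr:::::::::00000000000000000000000001234567890ABCDEF:
uid:u::::1199145600::FAKEHASH1::Pete Example (Valid for '08) <pete@example.invalid>:
sub:u:4096:16:FEDCBA9876543210:1199145600:1230768000:::::e:
pub:u:4096:1:1111222233334444:1199145600:::u:::scESC:
fpr:::::::::00000000000000000000000001111222233334444:
uid:u::::1199145600::FAKEHASH2::Never Expires <forever@example.invalid>:
pub:e:2048:17:5555666677778888:1167609600:1199145600::u:::scaSC:
uid:e::::1167609600::FAKEHASH3::Old Key <old@example.invalid>:
sub:e:2048:16:9999AAAABBBBCCCC:1167609600:1199145600:::::e:
"""


@dataclass
class KeyComponent:
    kind: str                  # "pub" (primary) or "sub" (subkey)
    bits: int
    algo: int
    keyid: str
    created: datetime
    expires: Optional[datetime]  # None when the key never expires


@dataclass
class Key:
    primary: KeyComponent
    uids: List[str] = field(default_factory=list)
    subkeys: List[KeyComponent] = field(default_factory=list)


def _timestamp(text: str) -> Optional[datetime]:
    """Convert a --fixed-list-mode date field to an aware datetime ("" -> None)."""
    return datetime.fromtimestamp(int(text), tz=timezone.utc) if text else None


def parse_listing(text: str) -> List[Key]:
    """Group pub/sub/uid records of a colon listing into Key objects."""
    keys: List[Key] = []
    for line in text.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec in ("pub", "sub"):
            comp = KeyComponent(rec, int(f[2]), int(f[3]), f[4],
                                _timestamp(f[5]), _timestamp(f[6]))
            if rec == "pub":
                keys.append(Key(primary=comp))
            else:
                keys[-1].subkeys.append(comp)
        elif rec == "uid" and keys:
            keys[-1].uids.append(f[9])
    return keys


def audit_key(key: Key, now: datetime) -> List[str]:
    """Return human-readable findings for one key; an empty list means it passes."""
    findings: List[str] = []
    # A key is only as strong as its smallest component, so report that one.
    weakest = min([key.primary] + key.subkeys, key=lambda c: c.bits)
    name = ALGO_NAMES.get(weakest.algo, f"algo {weakest.algo}")
    if weakest.bits < MIN_BITS:
        findings.append(f"{weakest.kind} {name} component is only {weakest.bits} bits "
                        f"(minimum {MIN_BITS}, recommended {RECOMMENDED_BITS})")
    elif weakest.bits < RECOMMENDED_BITS:
        findings.append(f"{weakest.kind} {name} component is {weakest.bits} bits; "
                        f"the post recommends {RECOMMENDED_BITS}")
    exp = key.primary.expires
    if exp is None:
        findings.append("no expiration date; the post recommends a new key every year")
    elif exp <= now:
        findings.append(f"expired on {exp.date()}; others can no longer encrypt to it")
    elif exp - now > MAX_LIFETIME:
        findings.append(f"expires {exp.date()}, more than a year away")
    return findings


def audit_listing(text: str, now_iso: str) -> Dict[str, List[str]]:
    """Audit every key in a listing as of the given ISO date (UTC)."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return {k.primary.keyid: audit_key(k, now) for k in parse_listing(text)}


if __name__ == "__main__":
    for keyid, findings in audit_listing(SAMPLE_LISTING, "2008-06-15").items():
        print(keyid, "OK" if not findings else "; ".join(findings))
```

To run it against your own keyring, pipe the real listing into `audit_listing` (for example `audit_listing(subprocess.check_output(["gpg", "--with-colons", "--fixed-list-mode", "--list-keys"], text=True), "2008-06-15")`, with today's date in place of the constructed one).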


Now let's open Mail.app and create a new message... you should immediately see the new GnuPG interface above the email body text entry field. From there you can now decide to sign the email, or encrypt it if you have the recipient's GnuPG/PGP key. You can retrieve these keys with GPG Keychain Access.
Have fun communicating securely.
Tomorrow I'll do instructions for FireGPG, which is a Gmail Firefox plug-in, and compare the two.
1 comment:
Thanks Pete, this was completely non-obvious without your guide, even for a relatively tech-minded person.