Apple Mail Encryption with GPGMail and OpenPGP

I've dabbled with encryption several times over the past few decades, never really getting serious about it.  It started when, in college, I would see that the faculty in the CS department had these weird signature blocks appended to their Usenet posts containing something called a public key.

This is like setting a can of lighter fluid and box of blue-tip matches in front of a 10 year-old boy -- irresistible.

What I found in the later years is that using encryption for email is a lot like being one of the early adopters of the telephone.  Now that I have one, who am I going to call?  My family certainly doesn't use encryption in their email...those that have discovered email anyway.

Co-workers aren't likely to invest the time and effort into encryption simply because we're all too busy with work to be playing spy-games with our de-coder rings.

And, Dorothy, we're not in Academia anymore where, I imagine, it's really in use.  Closeted anarchists posting semi-heretical Berkeley-esque rants against the Proletariat and all that.

And then there's the whole nouveau post-9/11 trend of "Guilty until Proven Innocent" thing happening.  I imagine some fedora-capped DHS agent squinting at me in a menacing fashion while I try to reason a plausible excuse for being so brazen as to need encryption for my emails in the first place...

So, at this point, let's assume that, like me, you're willing to whack the hornet's nest with a stick and use encryption for your emails and that you actually have someone on the other end willing to dust-off the de-coder ring and play with you.  We'll also assume that you know what PGP, GPG and OpenPGP actually are, and that you know how basic public-key encryption works.  (If not, leave comments to this article and I will do a future article explaining same.)

Standard Disclaimer: I am providing this tutorial as a hands-on, learn-with-me type of tutorial.  I am not an expert, nor do I pretend to claim anything other than neophyte status when it comes to encryption.  I do not advocate, support, or intend for you to use this, or any, technology as a means to intentionally bending, fracturing, or breaking laws in one or more jurisdictions.  My only intent is to share what I've recently learned with you and to have some fun.

OK - that crap out of the way, let's get started.  First, as the title implies, this set-up is for Apple Mail under OS X Lion.  The release of the OS I'm currently working on is 10.7.4.

Download and install the GPGTools utility (Version 2012.03.18 as of this writing.)

Although this article is for Apple Mail, the GPGTools utility includes support for Enigmail in Thunderbird 7.  When you launch the installation utility, you'll be presented with a list of packages to install.  I installed all packages.

Once the install has been completed, you'll see a little dialog box appear on your desktop telling you the installation was successful and asking whether you'd like to read the Quickstart Tutorial.  This would be a good thing to do because I am not going to walk you through the next steps in any great detail.  This reference, however, does.  With pictures.  So... go there and follow the installation steps to:

Generate a key

You will generate a public and a private key.  Anyone with whom you wish to exchange encrypted email must also have done the same.  They're called public and private keys for a reason.  One you share with the public and one you do not.  Keys, using the nomenclature, are stored on what's called a keyring.  There are public and private key-rings.  GPGTools refers to key-rings as keychains - these are one and the same thing.

Please note that whichever email account you're going to generate a key-pair for must already exist in Apple Mail.  The email address is case-sensitive so make sure you type it in exactly as it is stored in Apple Mail -- otherwise, your encryption will not work.

Over the years, I have created several key-pairs for various email addresses I have had.  What's critically important to remember is this:  write down your pass-phrase.  Also, click on the Advanced options tab, and set an expiration date (a couple of years is fine and 4-years is the current default - point being: set an expiration date) for your keys.  That way if, after a few years, you return to a previous email account address, and you've certainly forgotten your passphrase from lack of use, then you'll still be able to generate a new key pair if the old one has expired.  To remove a key pair, most public key rings require you to enter your passphrase.  This is known as a conundrum.

Once you've created your passphrase and uploaded your key, and you can see your new key in your keychain, open Apple Mail.  Send an email to the email address you've just created (I know...) and you should see two buttons appear in the lower-right corner of the header bar as shown in the image on the right.

The two buttons, as shown above, allow you to either sign or encrypt your mail message.

Signing your email flags it to the recipient, assuring them that it was actually you who sent the mail.  In order to sign an email, OpenPGP has to have access to your private key. (You did keep your private key private, right?)  Since you're the only one, presumably, with access to your private key, signing the mail guarantees to the recipient that the mail did come from you.

The recipient does not need to have your public key, nor do you need to have the recipient's public key, to sign an email.  Think of this as the "certified mail" from the US Post Office equivalent for email.

If you have a recipient's public key, then you may send them an encrypted email.  The recipient will need to have your public key in order to decrypt and read the email -- this is why we store public keys on public key rings.

Here is what the PGP signature block attached to a signed message looks like:

[codesyntax lang="text" lines="no" capitalize="no"]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)

iQEcBAEBAgAGBQJPtnyiAAoJEC4S4zGLhwvBFNMH/1Yoh59etAcYZpAhZ+htpd81
QzZWDxOR2PeXtPkY3GWl4vdW7GABJ9ysl8vpdErsDtXs6LEVZXag5mV6CGTDNXmm
pdozUJCgNwbHTgoIUdjinmAXLR+4pYSfALTB1S2qpxzMpykBkR7SMuPm3+0LC77/
dwnsSVx5CNtJd8cPoPjwXJ6zaStJCNK+H17MItS5kpw3MqMU35qZdNCDV6ehhA8j
FmTyFoh1TeTmuBrNECWz9z3KniG6SWVl3K21LmS8PQExeHq8qcHGBz5yK2YhoW/w
bn4PIyHaUiXKQTNhYBSd1DrCPUWJKDJ+VCKQ0L97aUPeVPQBI14jsFOgc1dwUjs=
=xfmB
-----END PGP SIGNATURE-----

[/codesyntax]

That's pretty much it -- once you send a signed and encrypted mail, you can rest assured that (hopefully) your emails are safe from casually-prying eyes as they're no longer being sent in clear-text across the ether sphere.

Here's the raw-text (what's sent out over the ether) of an encrypted email message:

[codesyntax lang="text" lines="no" capitalize="no"]
Return-Path: <mshallop@gmail.com>
Received: from [192.168.0.2] (c-50-136-203-107.hsd1.ca.comcast.net. [50.136.203.107])
        by mx.google.com with ESMTPS id qu6sm6794406pbc.36.2012.05.18.09.54.57
        (version=TLSv1/SSLv3 cipher=OTHER);
        Fri, 18 May 2012 09:54:58 -0700 (PDT)
Content-Type: multipart/encrypted; boundary="Apple-Mail=_4C5344B9-76FE-43EF-8620-073841EBF944"; protocol="application/pgp-encrypted";
Subject: test both
Mime-Version: 1.0 (Apple Message framework v1278)
X-Pgp-Agent: GPGMail 201 (a30)
From: Micheal Shallop <mshallop@gmail.com>
Date: Fri, 18 May 2012 09:54:56 -0700
Content-Transfer-Encoding: 7bit
Message-Id: <407C94BA-32A1-4930-B9F6-BBFE7900D213@gmail.com>
Content-Description: OpenPGP encrypted message
To: Micheal Shallop <mshallop@gmail.com>
X-Mailer: Apple Mail (2.1278)

This is an OpenPGP/MIME encrypted message (RFC 2440 and 3156)
--Apple-Mail=_4C5344B9-76FE-43EF-8620-073841EBF944
Content-Transfer-Encoding: 7bit
Content-Type: application/pgp-encrypted
Content-Description: PGP/MIME Versions Identification

Version: 1

--Apple-Mail=_4C5344B9-76FE-43EF-8620-073841EBF944
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
        filename=encrypted.asc
Content-Type: application/octet-stream;
        name=encrypted.asc
Content-Description: OpenPGP encrypted message

-----BEGIN PGP MESSAGE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)

hQEMAy4S4zGLhwvBAQf/YX1vGFhG0CLd7UU79fjHd4/nIHH9DVVsi8oqsmIwBNpl
zXvDZf3+uw3B7Shk3bls1fHcUdU8LZprY+HbQVZlh7IiGZ28K67rNIHKUtwuoX2I
DpZcLdRPGn1iGi7TNRs/3Fn3fjCCT15uVAbZZRvR1G3XqUc+//3TstCMTaNtg5Rl
KZbKnnrOaIt/OAou7BFCLQgGKAAIa3m/gFHEQxxLVaAQ3JISeX4/UZ7YlXAj5SYp
juVRKfekmjpoFoM4erf0Jjaw63lSjAZWXJi1m6IY8uSkzQZRUwANMYE577mBiZhw
d1kIBJfBlxWjUOK6FYV3bDZFjc2Fn2WM4+tEloOrcNLpASNVPOh332341GjxwVAg
USYLkh1Co7yqaQ1c830CD58XxmYsR/x0B8etL1bYQtZDJYITMa649tYCYtrAvHSw
GsgwDD67yaICruIJqwPAtz5+fkoF9xnlltz0UTUSsmzrlGkdbkHSnVrvOdgbvJEz
60UM1p7idKEcR5SCkNuLD9hYJaD/C7qRhyxYfjyjPlwtSSb9aSY+TBa0t/lRmPtU
q5N/EHRdm3CmTVqE3eT1IOoRsFibYfRJNJnkqgmVZdoHm/QhTOmuyK1SeBbB3P7F
Lnw7hS6aB7RMISg8rWiPGap+QVO8lzMjIXhd5BDu1Kxkk5dr7FLOC37aSC7X52VT
QcwvYlYPSV5s+ivFk/uKtB8L3k9rHsYHHkP13lli2a9ELy+KTv0SFp0Q8ClaC9Xm
RoWXKQxrTV2wxub4/V0UfSSUfct0mHfTFDltpDPAfaEL/ARgvIUI2SD6WXvfbums
yG2fS4Rr9NHr9bgkZJqt+anNGQOmly7654ecckD+Nj2PtmXnowBOrub91VvXSfKB
TKHZ7xmX9GOnk6qsFZppiXIxDXR9zYeLb5Ks0hCF3XDhXu8DAkS4vbmPm7BIn6fu
N1niCzihe187mJ3bKAj5rLSHpbBrMt/XcbaL+eNz7xIEtpWQjk+8qFUaxl5NxIX1
KtCwLhxUeZUCKHIv/cGOJKPANfdhN2SYHasFJvJ1Jts4us4JJg4rBjH50hiYaQ3W
OhGSQP7kvcKqMzHBhSXBKPpnwBtJ+tkXy5IpeMHUrREpGt39EOO4oiiyRYSrrm2T
GswOJwvv4Z32hreR2eAgfPAXZW3R6MtGA07xN3mqPtV1IO+izegbflVpQEi8Zlq3
KfT/ljoLiDTKdIsrlfIgtgec+G5SH6znO9Kv1IidYg9wtdL6G2bsTP9pCV24bCem
srTw3NDKfTK56Yu1ESQpf0WYMTzpGjzDhyHW86F5ej+jJV2rd4kicxvy0HJXOGbI
iHPvKVVoA7bMvvfVARoMIlqiQ5gzm41+
=z4VQ
-----END PGP MESSAGE-----

--Apple-Mail=_4C5344B9-76FE-43EF-8620-073841EBF944--

[/codesyntax]
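As an added example (not code from the original post), here is a small Python 3 script that checks the two-part PGP/MIME layout seen in the capture above, as RFC 3156 lays it out, and verifies the CRC-24 checksum that closes every ASCII-armored block (the "=z4VQ" line).  It does not decrypt anything, which would take the recipient's private key; the message, boundary and payload it builds are constructed stand-ins, and the armor it produces exists only to exercise the parser.

```python
import base64
import email

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB   # RFC 4880 section 6.1

def crc24(data: bytes) -> int:
    """CRC-24 of the decoded armor payload; its base64 form is the '=xxxx' line."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(payload: bytes, kind: str = "MESSAGE") -> str:
    """Wrap bytes in ASCII armor laid out like the blocks above (64-char lines, CRC line)."""
    b64 = base64.b64encode(payload).decode()
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    head = [f"-----BEGIN PGP {kind}-----", "Version: constructed example", ""]
    data = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(head + data + ["=" + crc, f"-----END PGP {kind}-----"])

def dearmor(text: str) -> bytes:
    """Strip the armor, base64-decode, and reject the block if the CRC-24 does not match."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP ") and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[lines.index("") + 1:-1]   # armor headers (Version: ...) end at the blank line
    crc_line = body.pop()
    if not crc_line.startswith("="):
        raise ValueError("armor checksum line missing")
    payload = base64.b64decode("".join(body), validate=True)
    if crc24(payload) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor checksum mismatch: the block was altered")
    return payload

def parse_pgp_mime(raw: str) -> bytes:
    """Check the RFC 3156 layout (version part, then armored part) and return the payload."""
    msg = email.message_from_string(raw)
    if (msg.get_content_type() != "multipart/encrypted"
            or msg.get_param("protocol") != "application/pgp-encrypted"):
        raise ValueError("not a PGP/MIME encrypted message")
    control, body = msg.get_payload()
    version = control.get_payload(decode=True).decode().strip()
    if control.get_content_type() != "application/pgp-encrypted" or version != "Version: 1":
        raise ValueError("first part must be application/pgp-encrypted with 'Version: 1'")
    return dearmor(body.get_payload(decode=True).decode())

# Constructed stand-ins: a real message carries a binary OpenPGP packet here.
SAMPLE_PACKET = b"constructed sample, not a real OpenPGP packet"
BOUNDARY = "Example-Boundary-0001"   # placeholder, not Apple Mail's boundary

def build_sample() -> str:
    # Assemble a raw message with the same two-part layout as the capture above.
    return "\n".join([
        f'Content-Type: multipart/encrypted; boundary="{BOUNDARY}"; protocol="application/pgp-encrypted"',
        "", f"--{BOUNDARY}", "Content-Type: application/pgp-encrypted", "", "Version: 1", "",
        f"--{BOUNDARY}", "Content-Type: application/octet-stream; name=encrypted.asc", "",
        armor(SAMPLE_PACKET), "", f"--{BOUNDARY}--", ""])
```

The CRC only catches corruption in transit; someone who alters the block can recompute it, so integrity against an adversary comes from the signature inside the encrypted packet, not from the armor.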

Reference Pages and Additional Reading:

GPGTools First Steps
Secure Email in Thunderbird and Apple Mail with GPG

Setting-up a Linux Development Client - Part 2 - CentOS 6 Install

In the last install, I wrote about how I decided to try Fedora Linux after a nearly 10-year hiatus from the product.  Unfortunately, as it turned out, my fears were not groundless and I am going to scrap the install in favor of CentOS before I get in so deep that making the switch-out becomes prohibitive.

I am going to continue to try Gnome as my desktop, however, as I did like what I saw of Gnome under Fedora.  While I have always used KDE in the past, it was always accompanied by a wistful bit of "I'll bet the grass is greener over there..." kind of thinking.  Anyone that's ever spent any time looking over the Gnome application offerings vs. the KDE application offerings will agree.

Time to stop wondering and start trying.  I've downloaded the CentOS 6 x86_64 CD ISO and have booted into the desktop.  It's not nearly as polished or pretty as the Fedora desktop -- it looks more like a traditional Windows set-up with the desktop icons falling down the left side of the screen and the top/bottom menu bars.  While simpler in appearance, it's also intuitive and easier to use.  Less eye-candy also means less CPU/GPU crunching, resulting in improved responsiveness.  (Dragging a window around in the Fedora desktop on my hardware platform was a bit like being on a strong hallucinogenic.  Or so I've been told.)

Anyway, I locate the "Install to Hard Drive" icon and click it...

The CentOS 6 installer opens a window in the middle of desktop (as opposed to Fedora taking over the entire desktop) and presents you with the same two start-up options: installation language and installation destination.  (As I mentioned in the previous article, CentOS is a child of Fedora.  I expect things to be similar.  Stuff working is one such expectation.)

CentOS gives me the same options as the Fedora installer - except with less eye-candy.  For example: when asking to input the root password, I'm not shown a bar indicating password strength.  I just type in my password and that's pretty much it.  Also, like the previous install, I'm not going to choose the encrypted filesystem, and I'm going to go with the defaults for filesystem partitioning.

While this is installing, I'll yak about why I've chosen these two distributions as my first two choices.  Ubuntu offers a great installation and configuration experience.  However, after messing around with Linux distributions for 30 years, I can't quite shake the feeling that Ubuntu is the Granimal of Linux installs.

Don't get me wrong - it's a great install in that everything works, is highly automated, and requires little, if any, user intervention from the machine's administrator.  And that's probably what bugs me the most about Ubuntu.  As a Linux guy, I want (need) more interaction with my OS.  If I was content to let my OS run off and make all the most important decisions without asking me, I'd use Windows.  Ubuntu fulfills a great niche - it introduces Windows users to Linux.  I'd install Ubuntu on my Dad's PC.

I've also bypassed SuSE Linux -- which is surprising considering that, for nearly a decade and a half, all I would consider running and installing was SuSE.  This flavor of Linux, like most things German, is precise, exacting and mechanically sound.  Correct, even.  It's also overbearing, heavy-handed and leaves deep footprints.  The other problem that I have with SuSE is that it can be difficult to find packages tailored for its installation base.  While SuSE enjoys a wide variety of software, there always seem to be those few dozen packages you want to install but can't locate the ports to the SuSE distribution.  In that, it's like the Dewey (Malcolm in the Middle reference) of Linux installs: unprepossessing and brilliant but relatively scarce when it comes to applicable resourcing.

I've never been a big fan of Debian simply because they move in geological-timeframes when it comes to engineering releases.  Oh, look, kernel 2.26.9999 is out!  (Debian: happy with 2.123, thank you.)  Geh.  What it lacks in contemporary packaging, it more than makes up with in stability.  I, on the other hand, tend to blow through distributions like the end is near so Debian isn't really for me.

I tried Mandriva once and, as a result, got sucked into this weird mail hell back when I was running my own DNS and MX servers.  I really tried to make it work but it just got too ... weird for me.  It may have improved in recent years but I've never had enough of it catch my eye to really care enough to revisit it.

Rebooting the CentOS 6 Live CD was better than the Fedora Live CD as CentOS actually gave me a 'reboot' option whereas Fedora would only let me 'suspend'...whatever that means...

I configured the user and the network time and then was presented with an alert: "Insufficient Memory to Start kdump" ... which made me think I had crashed the install...turns out, it was just telling me I couldn't start the monitor itself.

On to the login...

Well, CentOS 6 is definitely a derivative of Fedora 15.  Although the desktop is radically different, the first thing I try is FireFox -- and am immediately told that I can't access any off-site web page.  Although I can ping and resolve hosts from terminal, FireFox cannot do so from the browser.  So the same crappy DNS issue which plagues Fedora was inherited by CentOS.  Great.  Starting to get an idea of where all this is eventually going to end up...

The network configuration applet in CentOS allows me to edit and add google's nameserver and things start to work in the browser immediately thereafter. For some reason, I wasn't able to get this to work in Fedora so, bonus.  Also, my screen resolution is at the highest at 1280 x 1024 and that gives me a happy, too.

I start the software update and am informed that all my software is currently up-to-date and I do not need any additional software.  That strikes me more as a software fail...so I run yum update from the command line as root (side note: either I didn't see the option to create my new user as an admin, or it didn't exist, but regardless, I can't sudo...) and I'm suddenly off and installing 237 total packages... so, clearly something in the GUI version of the software update failed and now I'm thinking that, because I didn't have sudo privileges, it was my account exec'ing the command.

CentOS 6 will allow you to login graphically as root.  And thereafter puts so many scare-ware pop-ups on the screen that you eventually, submissively, quietly and quickly edit the sudoers file and logout.  Now that my main account has sudo access, I never need to hit root again.

Quick download and now Chrome is my default browser...time to try to install some development tools...

The first package I'm going to install, from the Add/Remove Software package manager, is the MySQL server and related files package which is an 8.1mb download...I have to also install dependent packages for perl support and client programs and shared libs, which is ok...PHP 5.3.2 is the next item to be installed and I install all packages except for postgres.

At this point, I have a LAMP stack installed, but it's not running... starting off with MySQL:

[cc lang='bash' line_numbers='false']
# sudo chkconfig --level 2345 mysqld on
# sudo /etc/init.d/mysqld start
# mysql -uroot
mysql> use mysql;
mysql> update user set password=password('yourPasswordHere') where user='root';
mysql> flush privileges;
mysql> exit;
[/cc]

This set of commands sets up MySQL to run at start time (run levels 2, 3, 4, and 5) and then starts the MySQL server.  Next, you invoke mysql as root and reset the root password to something other than the default, which is nothing.

--> mySQL is now running.

For Apache, we're going to leave virtual hosts alone for a future article, and just make sure that the webserver will execute at boot, and that we can serve system information...

[cc lang='bash' line_numbers='false']
# sudo chkconfig --level 2345 httpd on
# sudo /usr/sbin/apachectl start
[/cc]

If you run ps -ef | grep httpd you'll see a list of the running Apache servers...you can also open up http://localhost in a browser window and you should see the CentOS Apache 2 Test Page.  Now we have to confirm that we have PHP installed and running, along with a few other modules.  By default, your web server DocumentRoot is /var/www/html.  Using the terminal, cd into this directory and type the following:

[cc lang='bash' line_numbers='false']
# sudo vi snitch.php
i
<?php
phpinfo();
<esc>:wq
[/cc]

This creates a little snitch file in your DocumentRoot which you can load in a browser -- it then dumps your LAMP configuration to your browser window.  At the very top of the display, it should tell you what version of PHP you're running.  (Mine reports version 5.3.2.)  Important to me, at this stage, is that I have memcache, soap, mysql, and ODBC drivers installed.  Delete snitch.php once you've read it: phpinfo() hands the same dump of paths, versions and loaded modules to anyone who can reach the web server.

The last stage for me is to install my IDE.  I own a license for JetBrains PHPStorm which I personally prefer.  It's not freeware but if you can afford the license costs, it's probably the best IDE you can get for the price.  I use it on all environments (Mac, Windows and Linux).  I also noticed that you can install the Eclipse IDE using the software installer -- this is very similar to PHPStorm.

To get PHPStorm up and running, I need the SUN/Oracle version of the JDK -- not the openJDK.  I did get it running, but not without DIRE and URGENT messages prophesying the END OF THE WORLD, or at least my video display, should I continue.  Point is, I did get it installed, configured, licensed.  Then I de-installed the openJDK and went hunting for the SUN/Oracle JDK.

Which will be covered in the next installment...

Under Construction...

I'm in the process of moving my Linux server, which has been online in various incarnations since 1994, to a cloud-hosted server in order to (a) improve performance, and (b) retire this machine and avoid yet another round of upgrades. I've consolidated three blogs into this blog and so will (hopefully) be better organized in the future.

Thanks for your patience...

Testing code post:

[cc lang='java' line_numbers='false']
public class Hello {
  public static void main(String[] args) {
    System.out.println("Hello World!");
  }
}
[/cc]