Apple Mail Encryption with GPGMail and OpenPGP

I've dabbled with encryption several times over the past few decades, never really getting serious about it.  It started when, in college, I would see that the faculty in the CS department had these weird signature blocks appended to their Usenet posts containing something called a public key.

This is like setting a can of lighter fluid and a box of blue-tip matches in front of a 10-year-old boy -- irresistible.

What I found in the later years is that using encryption for email is a lot like being one of the early adopters of the telephone.  Now that I have one, who am I going to call?  My family certainly doesn't use encryption in their email...those that have discovered email anyway.

Co-workers aren't likely to invest the time and effort into encryption simply because we're all too busy with work to be playing spy-games with our de-coder rings.

And, Dorothy, we're not in Academia anymore where, I imagine, it's really in use.  Closeted anarchists posting semi-heretical Berkeley-esque rants against the Proletariat and all that.

And then there's the whole nouveau post-9/11 "Guilty until Proven Innocent" trend happening.  I imagine some fedora-capped DHS agent squinting at me in a menacing fashion while I try to reason a plausible excuse for being so brazen as to need encryption for my emails in the first place...

So, at this point, let's assume that, like me, you're willing to whack the hornet's nest with a stick and use encryption for your emails and that you actually have someone on the other end willing to dust-off the de-coder ring and play with you.  We'll also assume that you know what PGP, GPG and OpenPGP actually are, and that you know how basic public-key encryption works.  (If not, leave comments to this article and I will do a future article explaining same.)

Standard Disclaimer: I am providing this tutorial as a hands-on, learn-with-me type of tutorial.  I am not an expert, nor do I pretend to claim anything other than neophyte status when it comes to encryption.  I do not advocate, support, or intend for you to use this, or any, technology as a means of intentionally bending, fracturing, or breaking laws in one or more jurisdictions.  My only intent is to share what I've recently learned with you and to have some fun.

OK - that crap out of the way, let's get started.  First, as the title implies, this set-up is for Apple Mail under OS X Lion.  The release of the OS I'm currently working on is 10.7.4.

Download and install the GPGTools utility (Version 2012.03.18 as of this writing).

Although this article is for Apple Mail, the GPGTools utility includes support for Enigmail in Thunderbird 7.  When you launch the installation utility, you'll be presented with a list of packages to install.  I installed all packages.

Once the install has been completed, you'll see a little dialog box appear on your desktop telling you the installation was successful, and would you like to read the Quickstart Tutorial?  This would be a good thing to do because I am not going to walk you through the next steps in any great detail.  This reference, however, does.  With pictures.  So... go there and follow the installation steps to:

Generate a key

You will generate a public and a private key.  Anyone with whom you wish to exchange encrypted email must also have done the same.  They're called public and private keys for a reason: one you share with the public and one you do not.  Keys, using the nomenclature, are stored on what's called a keyring.  There are public and private key-rings.  GPGTools refers to key-rings as keychains - these are one and the same thing.

Please note that whichever email account you're going to generate a key-pair for, that account must already exist in Apple Mail.  The email address is case-sensitive so make sure you type it in exactly as it is stored in Apple Mail -- otherwise, your encryption will not work.

Over the years, I have created several key-pairs for various email addresses I have had.  What's critically important to remember is this:  write down your pass-phrase.  Also, click on the Advanced options tab, and set an expiration date (a couple of years is fine and 4-years is the current default - point being: set an expiration date) for your keys.  That way if, after a few years, you return to a previous email account address, and you've certainly forgotten your passphrase from lack of use, then you'll still be able to generate a new key pair if the old one has expired.  To remove a key pair, most public key rings require you to enter your passphrase.  This is known as a conundrum.

Once you've created your passphrase and uploaded your key, and you can see your new key in your keychain, open Apple Mail.  Send an email to the email address you've just created (I know...) and you should see two buttons appear in the lower-right corner of the header bar as shown in the image on the right.

The two buttons, as shown above, allow you to either sign or encrypt your mail message.

Signing your email is flagging the email to the recipient assuring them that it was actually you who sent the mail.  In order to sign an email, OpenPGP has to have access to your private key. (You did keep your private key private, right?)  Since you're the only one, presumably, with access to your private key, then signing the mail guarantees to the recipient that the mail did come from you.

The recipient does not need to have your public key, nor do you need to have the recipient's public key, to sign an email.  Think of this as the "certified mail" from the US Post Office equivalent for email.

If you have a recipient's public key, then you may send them an encrypted email.  The recipient will need to have your public key in order to decrypt and read the email -- this is why we store public keys on public key rings.


That's pretty much it -- once you send a signed and encrypted mail, you can rest assured that (hopefully) your emails are safe from casually-prying eyes as they're no longer being sent in clear-text across the ether sphere.

Here's the raw-text (what's sent out over the ether) of an encrypted email message:


[codesyntax lang="text" lines="no" capitalize="no"]
Return-Path: <mshallop@gmail.com>
Received: from [] (c-50-136-203-107.hsd1.ca.comcast.net. [])
        by mx.google.com with ESMTPS id qu6sm6794406pbc.36.2012.
        (version=TLSv1/SSLv3 cipher=OTHER);
        Fri, 18 May 2012 09:54:58 -0700 (PDT)
Content-Type: multipart/encrypted; boundary="Apple-Mail=_4C5344B9-76FE-43EF-8620-073841EBF944"; protocol="application/pgp-encrypted";
Subject: test both
Mime-Version: 1.0 (Apple Message framework v1278)
X-Pgp-Agent: GPGMail 201 (a30)
From: Micheal Shallop <mshallop@gmail.com>
Date: Fri, 18 May 2012 09:54:56 -0700
Content-Transfer-Encoding: 7bit
Message-Id: <407C94BA-32A1-4930-B9F6-BBFE7900D213@gmail.com>
Content-Description: OpenPGP encrypted message
To: Micheal Shallop <mshallop@gmail.com>
X-Mailer: Apple Mail (2.1278)

This is an OpenPGP/MIME encrypted message (RFC 2440 and 3156)
Content-Transfer-Encoding: 7bit
Content-Type: application/pgp-encrypted
Content-Description: PGP/MIME Versions Identification

Version: 1

Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
Content-Type: application/octet-stream;
Content-Description: OpenPGP encrypted message

Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
[/codesyntax]
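The layout of the raw message above can be checked mechanically. The Python below is an added example, not part of the original post or of GPGMail: it validates the two-part RFC 3156 structure and lists the headers (Subject, From, To, Date) that travel in clear-text outside the encrypted part. The sample message, its addresses, boundary and armored body are constructed placeholders.

```python
from email import message_from_string

# Constructed sample modelled on the message above; addresses, boundary and
# the armored body are placeholders, not real ciphertext.
SAMPLE = """\
From: Alice <alice@example.org>
To: Bob <bob@example.org>
Subject: test both
Date: Fri, 18 May 2012 09:54:56 -0700
Mime-Version: 1.0
Content-Type: multipart/encrypted; boundary="b0"; protocol="application/pgp-encrypted"

This is an OpenPGP/MIME encrypted message (RFC 2440 and 3156)
--b0
Content-Type: application/pgp-encrypted

Version: 1

--b0
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

PLACEHOLDER
-----END PGP MESSAGE-----
--b0--
"""

# Top-level headers are not covered by the encryption and stay readable.
EXPOSED = ("From", "To", "Cc", "Subject", "Date", "Message-Id", "X-Mailer")

def check_pgp_mime(raw):
    """Return (problems, cleartext_headers) for an RFC 3156 encrypted message."""
    msg = message_from_string(raw)
    problems = []
    if msg.get_content_type() != "multipart/encrypted":
        return ["not multipart/encrypted"], {}
    if msg.get_param("protocol") != "application/pgp-encrypted":
        problems.append("protocol parameter is not application/pgp-encrypted")
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        return problems + ["expected exactly two body parts"], {}
    control, data = parts
    if control.get_content_type() != "application/pgp-encrypted":
        problems.append("part 1 is not application/pgp-encrypted")
    if "Version: 1" not in control.get_payload():
        problems.append("part 1 lacks 'Version: 1'")
    if data.get_content_type() != "application/octet-stream":
        problems.append("part 2 is not application/octet-stream")
    if "-----BEGIN PGP MESSAGE-----" not in data.get_payload():
        problems.append("part 2 holds no armored OpenPGP message")
    cleartext = {h: msg[h] for h in EXPOSED if msg[h] is not None}
    return problems, cleartext
```

Running `check_pgp_mime(SAMPLE)` returns an empty problem list together with the four headers that any relay along the path can still read.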





Reference Pages and Additional Reading:

GPGTools First Steps

Secure Email in Thunderbird and Apple Mail with GPG

Review: AZIO KB333BM Bluetooth Wireless Keyboard for Mac, iPad, iPhone

I have an iMac 27" I7 -- I wanted to try this keyboard because I needed to recover space on my desktop. I run my iMac in Windows via Bootcamp quite a bit when I'm not working/coding to play games so it was important that this kb also work under bootcamp. When I unpacked the keyboard, I was instantly disappointed in the style and construction. It's not quite as small as the mac wireless keyboard, measuring almost 2" wider and about 1" wider. It also has a cheap feel to it -- there's something rattling around in the antenna housing and the keys are a die-cut plastic. On Apple kb's, the keys are smooth giving the kb an almost rubberized texture -- they're also solidly mounted so there's no "play" or travel in the keys. On the Azio, the keys feel tactilely different and there's a ton of play in the keys -- it's almost like they're mounted on swivels.

Installing the batteries was fairly easy -- but the battery door is cheap, thin, plastic. It's definitely a failure point over time. Pressing the connect button isn't easy -- the placement is on the bottom of the keyboard, along the back edge, so the button has to be recessed so you don't tap it during normal use. There's no tactile feedback when you do click the button to initiate a connect -- you have to flip the kb over to see if the blue light has lit.

When I went to sync the kb, I was in windows 7, and attempting the sync immediately brought the computer down with the BSOD. Seeing how it was windows, it didn't surprise me much so I re-booted into Leopard. Pairing the device didn't work -- when it asked me to type in the sequence of numbers, there was no feedback to the screen so eventually Apple asked me to identify the key to the right of the right shift key.

Which is an up-arrow. Which wasn't recognized by Apple as a key. Which meant I had to select from a menu of choice of what type of keyboard I had. So I selected the only viable option - US/English 101 key.

I rebooted trying to get into Bootmanager -- as the computer rebooted and I heard the start-up tone, I pressed and held-down the option key. The blue light on the kb flashed furiously for a second or two, then the machine booted me into Mac mode, bypassing completely the bootmanager. I re-paired the device by removing it and re-discovered. This time, without the feedback (which I realize may be an Apple issue and not an Azio issue), I just blindly typed-in the numbers without pause and the computer accepted the keyboard pairing.

Rebooting the machine, however, produced the same results as before - the kb was not recognized, nor was my holding down the option key during boot, and again the Bootmanager was bypassed.

The keyboard itself feels cramped and awkward. The keys appear to be both slightly (about 1/8") smaller than Apple's kb, and they're set closer-together. The additional width of the keyboard is allocated to keys along the right side, two columns, F13-F16, home, end, delete, page-up/down, and the 4-arrow keys. Totally unnecessary to add these keys and increase the form-factor imo. Even tho this is advertised as a mac kb, they couldn't break the windows dependencies...there's also the unnecessary function key just to screw up your typing, right under the left shift key.

I'll try this kb out with my iPad -- perhaps it will encourage me to use my iPad more for text-input. Otherwise, this device is simply garage-sale fodder. If you want a smaller keyboard, then get the keyboard here on Amazon (Super Slim USB kb) -- it's wired, but it works well. Or spend the big-bucks and try the Apple keyboard.

tl;dr: Keyboard feels cheap and loose. Could not access bootmanager. Pairing causes BSOD in windows

OS X Lion - First Looks

I downloaded Lion, Apple's latest upgrade to Mac OS X yesterday afternoon.  I used my work connection to do so and completed the download in about 20 minutes.  When finished, I had a new application installed named "Install Mac OS X Lion" in my /Applications folder.  I burned it to a DVD and scurried home to install the upgrade on my 27" I7 iMac.

What follows are some first impressions about the new operating system.  This is just the kinks and quirks that I've discovered.  If you want a painfully in-depth review, I suggest the Ars-Technica review.  All 20 pages worth.

I was somewhat worried about the install as I'd heard, through co-workers, that there were problems with the install and that your system had to absolutely be up-to-date with the latest software upgrades in order for the installation to be seamless.  So, I ensured that, before installing, I hit software-update off the main menu and installed everything Apple recommended that I install.

That took about a half-hour because there were a lot of 10.8 updates (iTunes, iWhatever) to install.  When that finished, I copied over the "Install Mac OS X Lion" folder from the DVD into my Applications folder and double-clicked.

It took about three minutes for the installation prelims to sort themselves out.  Then my machine re-started itself and began the install in earnest.  It informed me that I had about 30 minutes to go.  Watching the progress bar tick across isn't all that absorbing, and Sarah had chicken wings cooking, so I left the upgrade to its own fate and left to go scarf a couple pounds of her awesome chicken wings.

When I returned, the computer had finished the install and was displaying the Lion login screen waiting for me to sign-in.  I did so, and was presented with the new welcome dialog box and the new-ish desktop.  So far, so good....and, uh-oh.  Up popped a dialog box telling me that Lion had detected incompatible software on my system and had removed said software to a folder called "Incompatible Software" on my install drive.

I had two programs in this folder - one I don't use anymore, can't remember what it was called, and really didn't care.  The other was visor, my terminal program hider which I did, very much, care about.  I checked the author's website and, sure enough, a replacement program was already available for download and installation.

I didn't have a lot of time to play with the new OS, but this is what I learned in the hour or so that I did have.

-- I crashed terminal once, after SSH'ing into a remote server.  The crash report popped and I sent it off to Apple.  I relogged into the remote server and it's not crashed since.

-- Safari failed to display the Netflix plug-in necessary to display/run/show movies.  Chrome worked without issue.

-- The new email program is really cool.  A lot like the iOS mail program in terms of the UX.

-- I have a dual-boot set-up with Windows 7 running off another partition on the same drive.  After installing Lion, I checked and tested and the partition was accessible and stable.  (As stable as Win7 can be at any rate.)  The only difference I noted was that before, since Win 7 was the last OS installed, it booted by default; I had to hold-down the option key to boot into Mac.  Now, Lion boots by default and I hold down the option key to select the Win 7 bootable partition.

-- I have a recovery partition now in addition to the Win 7 and Lion partitions...I had read about this in the Ars review so no surprise.  It's nice to see that I have this parachute though in case things really head south.

-- Not sure if all my mac-ports software will still function.  I do some development at home and I know that whenever you change OS versions, you have to pretty much R&R ports which is a real pain in the patoot.  I'll need to test this later today when I get home...

-- The application formerly known as spaces is very new, interesting, and will take some getting used to.  Overall, I prefer the new UX.

Everything at this stage is superficial as I've not checked CPU burn or memory usage.  Does it feel faster?  Ah, meh.  I've not run any serious apps under it so I can't say at this point.  As I explore more, I'll share what I discover...

[Edit: July 22, 2011]

Mac Ports is definitely broken.  It requires a re-install of Xcode which is, in itself, a total pain in the ass apparently to download and install.  I've been trying now for over a day to get Apple to push this application down to me and it's only been in the last hour that I've started to see some bits and bytes squick down the line to me.  You can only install this app from the AppStore, unfortunately.

(And, while I'm thinking of it -- why the hell do I have to keep plugging in my AppStore password every single goddamn time I access the store?  Wasn't there a reason you had me store this information?  (System Preferences -> MobileMe?)  FFS, Apple, one of the reasons why the Android Market is so much better than the iPhone AppStore is that I'm not forced to enter my password each and every time I want to do something.)

Anyway, when I tried to update ports, I got errors.  So I checked-out the source and went to build from source and was informed that I don't have a worthy C-compiler installed.  You *have* to download the XCode package for Lion and install that first.

Also, I cannot recover my Lion install from sleep mode.  Key presses, power-button flicks, mouse shaking, nothing seems to work other than a hard re-boot.  I called Apple Support and scheduled a call -- which was incredibly unsuccessful.  I was advised to try the following:

-- turn off your computer and remove the power cord for 15 seconds.  Me:  Why?  How is this different from shutting off all power to the computer during a reboot?  Them:  Well, it's different if there's no power to the computer.  Me:  Oh.  So, when I shut off the computer by holding down the power button for 5-seconds, and it goes black, it really continues to run?  Them:  Uh, no.  It's, ah, just better to not have power.

-- boot from the restore partition and run the equivalent of fixperms (reset all file/directory file permissions on the filesystem)  Me:  You're saying that Lion messed up my permissions during installation?  It was working, I installed Lion, it's not working, and you're telling me file permissions are keeping my computer from waking from sleep?  Them:  Uh, no - this is just what it says on the support forums.  (Thank you, Support Forums, for not suggesting that immersing my computer in water is also a solution.)

-- Reset the pROMS by booting holding down option-R until it beeps twice. Me:  Are you serious? How about you just acknowledge this as a hardware-interrupt driven software failure and tell me you'll file the bug and send me on my way?  Them:  Uh, can you send in your system report, please?

Jeez.  What a waste of time that was...