Tim's Weblog
Tim Strehle’s links and thoughts on Web apps, software development and Digital Asset Management, since 2002.
2013-07-09

First steps – encrypting e-mail and files with GPGTools

As Tim Bray puts it: “There are lots of perfectly-legal reasons to want privacy. If you act all the time in a way that sensibly preserves yours, when one of those legal reasons becomes important you suddenly won’t be acting different in an attention-catching way.” Back in 2011, I already created an OpenPGP key, then forgot about it. Now seems the right time to actually start encrypting e-mails… Likely too few people will bother setting up their e-mail client for encryption. But I’d still like to understand how it’s done, and be ready for it. (I’m a newbie – if you’re doing encrypted e-mail, you’re welcome to send me a test mail that helps me verify my setup… Thanks!)

I’m on a Mac, using Apple Mail on OS X 10.8 for my personal e-mail (tim@strehle.de). So I installed GPGMail from GPGTools, followed their First steps instructions and soon could use the nice “Encrypt” button when composing an e-mail to myself.

My own key and the keys of people I want to exchange encrypted e-mails with are managed in a separate application, GPG Keychain Access (“GPG Schlüsselbund” in German). These keys are stored locally on my computer, but there’s a central registry for OpenPGP keys, the “key servers”. I sent my public key to the key server, so you can retrieve it using the key ID 1F20C9AD or my tim@strehle.de address. As I understand it, one should verify the “fingerprint” of the key after retrieving it from the key server – my key’s fingerprint is “C29E 9A3B 786C F2CD 0943 7763 8B3D A0A0 1F20 C9AD”. (I’m also publishing the key ID, fingerprint, and even the full public key on my homepage.)

There’s an ugly but helpful OpenPGP Keyserver Web interface where you can search by name, e-mail or key ID (prepend the ID with “0x”, i.e. “0x1F20C9AD” for mine).
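The fingerprint check described above, as an added example (this is not code from the original post or from GPGTools): it pulls the fingerprint line out of `gpg2 --fingerprint` output, normalises the spacing and case so that two copies can be compared reliably, and shows that the 8-digit key ID used for keyserver searches is just the last 8 hex digits of the 40-digit fingerprint. That is the reason for comparing the whole fingerprint rather than the short ID: the short ID identifies a key only loosely, the full fingerprint identifies it uniquely. The `gpg2` output below is a constructed sample (the creation date is made up); the fingerprint and key ID are the ones published in the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Works with POSIX sh only;
# nothing here calls gpg2, so it runs offline.

# Fingerprint as published out of band (on the homepage / in this post).
EXPECTED_FPR='C29E 9A3B 786C F2CD 0943 7763 8B3D A0A0 1F20 C9AD'

# Constructed sample of what "gpg2 --fingerprint tim@strehle.de" prints.
# The date is invented; the ID and fingerprint are the post's own values.
SAMPLE_GPG_OUTPUT='pub   2048R/1F20C9AD 2011-01-01
      Key fingerprint = C29E 9A3B 786C F2CD 0943 7763 8B3D A0A0 1F20 C9AD
uid                  Tim Strehle <tim@strehle.de>'

# Pick the "Key fingerprint = ..." line out of gpg2 output.
extract_fpr_from_output() {
    printf '%s\n' "$1" | sed -n 's/^ *Key fingerprint = //p'
}

# Drop whitespace and upper-case, so "c29e 9a3b ..." and "C29E9A3B..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Short (32-bit) key ID: the last 8 hex digits of the fingerprint.
short_keyid() {
    fpr=$(normalize_fpr "$1")
    printf '%s' "${fpr#"${fpr%????????}"}"
}

# Long (64-bit) key ID: the last 16 hex digits.
long_keyid() {
    fpr=$(normalize_fpr "$1")
    printf '%s' "${fpr#"${fpr%????????????????}"}"
}

# The form the keyserver web interface expects: "0x" plus the key ID.
keyserver_query() {
    printf '0x%s' "$(short_keyid "$1")"
}

# Returns 0 only when both inputs are complete 40-digit fingerprints and identical.
verify_fingerprint() {
    got=$(normalize_fpr "$1")
    expected=$(normalize_fpr "$2")
    if [ "${#got}" -ne 40 ] || [ "${#expected}" -ne 40 ]; then
        echo "fingerprint must be 40 hex digits" >&2
        return 1
    fi
    [ "$got" = "$expected" ]
}

# Demo run against the constructed sample output.
fpr=$(extract_fpr_from_output "$SAMPLE_GPG_OUTPUT")
echo "keyserver search term: $(keyserver_query "$fpr")"
if verify_fingerprint "$fpr" "$EXPECTED_FPR"; then
    echo "fingerprint matches the published one"
else
    echo "fingerprint MISMATCH - do not trust this key"
fi
```

Run it as `sh verify_fpr.sh`; to check a real key, replace `SAMPLE_GPG_OUTPUT` with the actual output of `gpg2 --fingerprint <key ID or address>` after retrieving the key from the key server, and `EXPECTED_FPR` with the fingerprint obtained from the key owner directly.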

What’s nice is that GPGTools come with a command line “gpg2” executable that lets me encrypt a file for someone (“gpg2 -se -r tim@strehle.de tmp.txt”, turning tmp.txt into tmp.txt.gpg) and decrypt a file encrypted for me (“gpg2 -d tmp.txt.gpg > tmp.txt”).

Unfortunately, the GPGServices can only decrypt text in any OS X application, not encrypt it. Not sure how to work around this; it would be nice to easily both encrypt and decrypt text anywhere.