PGPTools Email Encryption

How to send secure email with Apple Mail

Today, everything is about protecting data stored locally on a hard drive, against both people with physical access and potential remote attacks. But did you know that your data is much more vulnerable in transit, as it passes between end points or via servers?

This problem is effectively solved for instant messages with Telegram, which uses strong end-to-end encryption designed in such a way that even Telegram is not able to decrypt your messages.
Even though Telegram passes through intermediate points on the Internet, there’s no opportunity for others to grab the plain text, images, and audio within it.

Why it’s still a mess for email, whether Mail in iOS or OS X, or third-party email software.

One of the biggest problems past and present in Apple’s Mail.app is, in fact, because Google has an odd setup for its IMAP service, and Apple dances around, fully embracing it. Google can’t break IMAP entirely, because then millions of users who pull in Gmail messages through Outlook or other software would be out in the cold, and potentially switch away. (Android has three separate email apps, in fact: two that work with Gmail in different ways, and a third one for “regular” email accounts.) Likewise, Apple can’t invent a new, superior way to send email because every mail server in the world would need to be updated to receive it.

In the last few years, enough standardization and upgrading have taken place that one aspect is well secured: the connection between an email client and an email server. Email flows from a client to a server run by your ISP or company or email host, and from there typically directly to the recipient’s corresponding email server. By default, Apple’s mail clients and those of other companies try to set up a new account to use SSL/TLS, the same session-based encryption technology used for secure Web interactions.

But SSL/TLS protects just the link between an email client and an email server. The data is encrypted in transit for that session, and then decrypted at the server, before being packaged and sent on to the next server. Now, in practice, even that’s becoming more secure. Most email servers—all of those run by major companies—are in data centers. And after the Edward Snowden disclosure, Google and other companies have stepped up the security of links among their own data centers.

The weak points still remain when email is decrypted, whether it’s for microseconds on a server before being wrapped up to send to another server over an encrypted link, or for much longer, when a server communicates insecurely—which is typical—with another email server. At those weak points, a criminal or government agent could gain access.

Secure your email with PGPTools, a variant of PGP (originally standing for Pretty Good Privacy)

It works through the use of public-key (PK) cryptography, something that’s been available for encrypting documents and email messages since 1991 in one form or another.

Public-key cryptography relies on an algorithm that can create a set of numbers used to derive two complementary keys: one public, one private. The public key may be freely distributed.
The private key must be kept utterly secure, because its possession allows the party to “prove” that they are you! There’s no known or practical way to derive the private key if you have the public one at present, nor likely in the foreseeable future.

With someone else’s public key, you can encrypt a message that only he or she can decrypt with the corresponding private key. You can also take a message and “sign” it, producing a cryptographic summary that allows anyone with your public key to confirm that the message wasn’t tampered with and that only you could have signed it.

PK isn’t practical to encrypt long messages, and the genius of PGP’s inventor, Phil Zimmermann, was using the public-key portion only to encrypt a strong symmetrical session key—an encryption key unique to the document that both encrypts and decrypts the data—and that could only be extracted with the right private key. (When a message is sent to several people, the session key is encrypted with each party’s public key separately.)
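
The hybrid scheme described above, as an added example that is not from the original article or from GPGTools: the body is encrypted once under a random session key, and that key is wrapped separately with each recipient's public key. Textbook RSA over small constructed primes and a SHA-256 keystream stand in for the real OpenPGP algorithms, and all names (`make_keypair`, `encrypt`, `decrypt`, `ALICE_PUB` and so on) are hypothetical.

```python
import hashlib, hmac, secrets

def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes: (public, private). Illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def _subkeys(session_key):
    """Derive separate encryption and MAC keys from the session key."""
    return (hashlib.sha256(b"enc" + session_key).digest(),
            hashlib.sha256(b"mac" + session_key).digest())

def _xor(data, key):
    """XOR with a SHA-256 counter keystream (stand-in for AES in real PGP)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(message, recipients):
    """Encrypt the body once; wrap the session key once per recipient."""
    session_key = secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(session_key)
    body = _xor(message, enc_key)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    m = int.from_bytes(session_key, "big")
    wrapped = {name: pow(m, e, n) for name, (n, e) in recipients.items()}
    return {"wrapped_keys": wrapped, "body": body, "tag": tag}

def decrypt(packet, name, private_key):
    """Unwrap the session key with a private key, verify, then decrypt."""
    n, d = private_key
    m = pow(packet["wrapped_keys"][name], d, n) % 2**128
    enc_key, mac_key = _subkeys(m.to_bytes(16, "big"))
    expected = hmac.new(mac_key, packet["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, packet["tag"]):
        raise ValueError("wrong private key or tampered message")
    return _xor(packet["body"], enc_key)

# Constructed key pairs from Mersenne primes: far too small for real use.
ALICE_PUB, ALICE_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
EVE_PUB, EVE_PRIV = make_keypair(2**61 - 1, 2**127 - 1)  # not a recipient

if __name__ == "__main__":
    packet = encrypt(b"Meet at noon.", {"alice": ALICE_PUB, "bob": BOB_PUB})
    print(len(packet["wrapped_keys"]), "wrapped session keys, one body")
    print(decrypt(packet, "alice", ALICE_PRIV), decrypt(packet, "bob", BOB_PRIV))
```

A private key that was not among the recipients unwraps to a different session key, so the integrity check fails and `decrypt` raises `ValueError` instead of returning garbage.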

The power of the PGP approach, which is instantiated as free software under the GPG (GNU Privacy Guard) name, is that it solves the problem of how to share a strong encryption key without it being compromised, because that session key could be used by any party to decrypt a message or encrypt new ones that can’t be verified on their own. The PK portion lets you share the document’s key safely.
But you can see the problem immediately, and the reason why PGP and its variants remain in low use a decade after my optimistic review. In order to use PGP, all your recipients need to have tools to manage finding and using public keys and to validate that they belong to the parties who claim them, and have access to email plug-ins that interact with your local private key and your storehouse of others’ public keys to manage encryption and decryption.


 

GPGTools for Mac


PGPTools Email Encryption

Enough, let’s get started with the configuration

First, we need to download GPG Suite 2018.1. The download link is: https://releases.gpgtools.org/GPG_Suite-2018.1.dmg
The next step, of course, is to install GPG Suite on your computer (just make sure Apple Mail is closed).
Once that’s done, go to the Applications folder and open “GPG Keychain”.
Now it’s time to create a key: click “New”, enter your information, and save.

GPGTools Apple Mails Settings

* Please note that this key (its public part) should be shared with the person you want to send secure email to.

** Keep in mind that the others must go through the same process (install, create, and share their key) to send you secure email.


Let’s see what happened in “Apple Mail” now

Go to Apple Mail’s preferences and click on the GPG Mail icon.
Creating a new email… Just make sure all checkboxes in the composing area are checked, then close the preferences and go back to Apple Mail.

PGPTool Options Apple Mail
Let’s create a secure email now.

Now, if you compose a new email, you will find 3 new icons (the lock, the check mark, and the OpenPGP menu at the top right).

Apple Mail OpenPGP Encryption

Now all you have to do is choose a contact, add a subject, and write your email…
And of course, send this secure email, and voilà!

The whole process can look pretty scary, but in reality it takes a big 5 minutes.
So why not take the time to secure your email communications now!

Yes, I know, tons of people tell me: “You know I have nothing to hide…”.
OK, but maybe the day your account gets hacked, you’ll change your mind!

On this, happy secure communications!