Penn Computing



Friday, February 23, 2018


Using Apple Mail with GPG


  1. GPG (GNU Privacy Guard) from
  2. GPGMail to allow signing, encrypting, and decrypting within Apple Mail:
  3. GPG Keychain Access for GUI key management:


Set preferences for GPGMail in Apple Mail (Mail -> Preferences -> PGP) so that messages are signed, but not encrypted, by default:
  • On the "Composing" tab: unset default checkbox for "Encrypt when all keys are available"
  • If the user never leaves the computer unattended without locking the screen or logging out, you can improve ease of use by allowing the passphrase to be cached: on the "Keys" tab, check "Remember passphrases during session" and set Timeout to a length appropriate for your environment.


  • By default, all messages will be PGP-signed. That default can be changed in the Mail -> Preferences -> PGP window on the "Composing" tab.
  • In the New Message window, check the "Encrypted" checkbox if you wish to encrypt the message.
  • As you address a message you wish to encrypt, GPG will automatically select the appropriate key for any recipients on your keychain.
  • If you don't have a particular recipient's key, you can use the "Keys" drop-down menu to the right of the Encrypted checkbox to select "Download" and search a key server for the recipient's key.
  • Before using a key you've downloaded, you should (at minimum) contact the recipient by phone or in person to verify that the specific key ID you found actually belongs to them. In the search results window, the key ID is the first item in the description, beginning with 0x and a series of 8 hexadecimal characters.


  • A reply to a PGP-signed message will appear to be signed even if the reply itself is not signed. Clicking "Verify" shows who did the signing.
  • GPG Keychain Access doesn't show signatures.
  • GPG Mail uses Mail's private internal API, so it lags OS releases. Officially it's still beta for Leopard, but we've used it without incident.
  • GPG Mail allows a new key to be downloaded at time of message creation, but doesn't show signatures or fingerprints.
  • The default key server for downloading keys is hkp://, although ldap:// can be selected. We've recommended keyserver.pgp.com since it does initial verification of new keys, and semi-annual re-verification. However, it does not support updates to key signatures, so is a better source for getting signed keys. It also appears to update keys published to, so it's probably the best near-term source for finding keys.
  • GnuPG Preferences (a GUI for setting GPG options) doesn't work on an Intel-based Mac. Thus, this documentation assumes it is not used. However, the key search results window in Mail does refer to it.
  • Testing was done in November 2008 with Mail 3.5.
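
Because GPGMail and GPG Keychain Access do not show fingerprints or signatures, the check on a downloaded key has to be done from `gpg` output. The following is an added example, not part of the original page: it parses colon-format listing output and goes beyond the 8-character key ID by comparing the full fingerprint the owner reads out. The function names and the sample key are constructed, and a v4 key with a 40-hex-digit fingerprint is assumed.

```python
# Constructed sample of `gpg --with-colons --fingerprint --list-sigs <key>`
# output; every name, key ID and fingerprint below is made up.
SAMPLE = """\
pub:-:1024:17:89ABCDEF01234567:1199145600:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1199145600::::Alice Example <alice@example.edu>:
sig:::17:89ABCDEF01234567:1199145600::::Alice Example <alice@example.edu>:13x:
sig:::17:1122334455667788:1201824000::::Bob Example <bob@example.edu>:10x:
sub:-:2048:16:FEDCBA9876543210:1199145600::::::e:
"""


def parse_key(colon_output):
    """Return key ID, fingerprint, user IDs and third-party signers of the first key."""
    key = {"keyid": None, "fingerprint": None, "uids": [], "signers": []}
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            if key["keyid"]:
                break                        # a second key starts here
            key["keyid"] = f[4]              # field 5: 16-hex-digit key ID
        elif f[0] == "sub":
            break                            # subkey records follow; stop
        elif f[0] == "fpr" and key["fingerprint"] is None:
            key["fingerprint"] = f[9].upper()    # field 10: fingerprint
        elif f[0] == "uid":
            key["uids"].append(f[9])             # field 10: user ID
        elif f[0] == "sig" and f[4] != key["keyid"]:
            key["signers"].append((f[4], f[9]))  # skip self-signatures
    return key


def short_id(fingerprint):
    """The 8-hex-digit key ID is only the tail of the fingerprint."""
    return "0x" + fingerprint[-8:]


def check_fingerprint(colon_output, read_out_by_owner):
    """Compare the fingerprint the owner read out with the downloaded key."""
    claimed = "".join(read_out_by_owner.split()).upper()
    if len(claimed) != 40:
        return "incomplete"   # a short key ID alone does not identify a key
    actual = parse_key(colon_output)["fingerprint"]
    return "match" if claimed == actual else "mismatch"


if __name__ == "__main__":
    key = parse_key(SAMPLE)
    print(short_id(key["fingerprint"]), key["uids"], key["signers"])
```

Two keys can share the same 8-character ID while differing elsewhere in the fingerprint, which is why the function refuses anything shorter than the full 40 digits.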

Last updated: Monday, December 1, 2008

Information Systems and Computing
University of Pennsylvania