Penn Computing


 

Friday, October 24, 2014

 

Using Apple Mail with GPG

Installation

  1. GPG (GNU Privacy Guard) from macgpg.sourceforge.net: http://prdownloads.sourceforge.net/macgpg/GnuPG1.4.8.dmg?download
  2. GPGMail to allow signing, encrypting, and decrypting within Apple Mail: http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html
  3. GPG Keychain Access for GUI key management: http://prdownloads.sourceforge.net/macgpg/GPG_Keychain_Access.0.7.0.1.zip?download

Configuration

Set preferences for GPGMail in Apple Mail (Mail->Preferences->PGP) so that messages are signed, but not encrypted, by default:
  • On the "Composing" tab: unset default checkbox for "Encrypt when all keys are available"
  • If the user never leaves the computer unattended without locking the screen or logging out, you can improve ease of use by allowing the passphrase to be cached. If this is appropriate in your environment, on the "Keys" tab, check "Remember passphrases during session" and set Timeout to some length appropriate in your environment.

Use

  • By default, all messages will be PGP-signed. That default can be changed in the Mail->Preferences->PGP window on the "Composing" tab.
  • In the New Message window, check the "Encrypted" checkbox if you wish to encrypt the message.
  • As you address a message you wish to encrypt, GPG will automatically select the appropriate key for any recipients on your keychain.
  • If you don't have a particular recipient's key, you can use the "Keys" drop-down menu to the right of the Encrypted checkbox to select "Download" and search a key server for the recipient's key.
  • Before using a key you've downloaded, you should (at minimum) contact the recipient by phone or in person to verify that the specific key ID you found actually belongs to them. In the search results window, the key ID is the first item in the description, beginning with 0x and a series of 8 hexadecimal characters.

Caveats

  • When viewing a reply to a PGP-signed message, it will appear to be signed, even if the reply itself is not signed. Clicking "Verify" will show who signed it, at which point it's clear who did the signing.
  • GPG Keychain Access doesn't show signatures.
  • GPG Mail uses Mail's private internal API, so it lags OS releases. Officially it's still beta for Leopard, but we've used it without incident.
  • GPG Mail allows a new key to be downloaded at time of message creation, but doesn't show signatures or fingerprints.
  • The default key server for downloading keys is hkp://subkeys.pgp.net, although ldap://keyserver.pgp.com can be selected. We've recommended keyserver.pgp.com since it does initial verification of new keys, and semi-annual re-verification. However, it does not support updates to key signatures, so subkeys.pgp.net is a better source for getting signed keys. It also appears to update keys published to keyserver.pgp.com, so it's probably the best near-term source for finding keys.
  • GnuPG Preferences (a GUI for setting GPG options) doesn't work on an Intel-based Mac. Thus, this documentation assumes it is not used. However, the key search results window in Mail does refer to it.
  • Testing was done in November 2008 with Mail 3.5.
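
GPGMail does not show fingerprints or signatures when a key is downloaded, and GPG Keychain Access does not show signatures, so the verification step described under "Use" can be done in Terminal with the gpg binary installed in step 1. The script below is an added example, not part of the original page: the function names are hypothetical, and it assumes the recipient reads you the full 40-hex-digit fingerprint instead of only the 8-character key ID.

```shell
#!/bin/sh
# Added example: compare a downloaded key's fingerprint with the one the
# recipient read to you by phone or in person, then list its signatures.
# Usage (KEYID and the spoken fingerprint are supplied by you):
#   verify_key 0xKEYID "fingerprint as read by the recipient"

# Strip spaces, colons and a leading 0x; uppercase the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F' | sed 's/^0[xX]//'
}

# Succeed only for a full fingerprint: exactly 40 hex digits.
is_full_fpr() {
    case "$1" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Succeed only if both values are full fingerprints and identical.
# An 8-character key ID on either side is rejected, never treated as a match.
fpr_matches() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    is_full_fpr "$a" && is_full_fpr "$b" && [ "$a" = "$b" ]
}

# Print the fingerprint gpg holds locally for the given key ID.
local_fpr() {
    gpg --with-colons --fingerprint "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare, and on a match show who has signed the key.
verify_key() {
    fpr=$(local_fpr "$1")
    if fpr_matches "$fpr" "$2"; then
        echo "MATCH: $fpr"
        gpg --list-sigs "$1"
    else
        echo "MISMATCH or incomplete fingerprint: do not use this key" >&2
        return 1
    fi
}
```
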

Last updated: Monday, December 1, 2008


Information Systems and Computing
University of Pennsylvania