It is no good just setting up your email encryption on your Mac, although that’s a good start. You also have to make sure that your iOS devices are similarly protected. There are bound to be occasions when an encrypted email arrives in your mail inbox on your iPhone or your iPad, so it only makes sense to have at least one application set up that can decrypt the message. Otherwise you will have to wait until you get back home, or to wherever you can use your new MacBook. I have tried a couple of applications on iOS and they both work fine. These applications let you use the Pretty Good Privacy key pairs you have already set up on your Mac. With iPGMail you can also create your PGP key pair if you want to. With iPGMail, as with oPenGPG Lite, you can import keys you created with the GPG Keychain application from GPG Tools on your Mac. It’s recommended you use iTunes file sharing to move the exported file (a .asc file, if you have included the secret/private key), because that is the route to take for maximum security. You have to be as careful as possible to protect the secret key, so your email privacy is not compromised. If somebody gets their hands on your private key, all you can do is use the revocation certificate, which you usually created at the time you made the key. The revocation certificate is therefore also important, and you will have put it on a thumb drive of some sort and perhaps locked it in a safe.
The basics of Pretty Good Privacy encryption
If you want to send an encrypted email to a friend you have to encrypt the message using HER public key.
If you want to receive encrypted email from your friend he will have to encrypt using YOUR public key.
It really is as simple as that! You only have to remember that PGP keys come in pairs. You have a public key, which you can publish wherever you like and give to whomever you wish, and a private or secret key, which you don’t let anybody have or see. To decrypt an encrypted message you need the secret key corresponding to the public key that was used to encrypt it.
Who did the email come from?
The other side of privacy and security is to make sure that when you receive an email you are certain who sent it. For this we have the process of signing your emails with your secret key. This does not encrypt the message; all it does is tell the recipient who sent it. You can send an unencrypted message that has been signed. When you set up the email plug-in with Apple Mail, the default is to sign all messages. This alerts recipients that you are using PGP encryption, so they can obtain your public key and reply with an encrypted message. When both parties use PGP encryption within the email app, the plug-in makes it work automatically: it knows that your communications with that person should be encrypted and signed. When an encrypted email comes in from your friend it is decrypted automatically, unless you have changed the default so that you need to click on the decrypt button first. You might want to do it that way if you’re working in an office and there is a chance someone could be reading over your shoulder.
Get the GPG Cheatsheet.
This is the first step to get you started with email encryption using GPG or Pretty Good Privacy. It will help you get your head around the concepts of using a private and public key pair for encryption.
Creating a Web of Trust
When I trust that a key belonging to my friend is uncompromised and is most definitely his key, I can sign that key. This means that if a message comes in that looks like it’s from my friend but is not using that key, I might want to do some checking to see whether the message is trustworthy. If you are working with a group of people, you could all sign each other’s keys: the more signatures a key has, the more likely it is to be trusted. If somebody outside the group were to create a spoof key, it would not have the signatures you would normally see from members of your group. Even if the message looked like it came from within the group, it wouldn’t take you long to work out that the message and its sender probably shouldn’t be trusted.
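The three rules described on this page (encrypt to the recipient’s public key, sign with your own secret key, and sign a friend’s key to build the web of trust) walked through end to end with GnuPG. This is an added example, not code from the original post; the names, addresses and message are constructed for the demo, and it assumes gpg (GnuPG 2.1 or later) is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: two throwaway GnuPG keyrings for
# "Alice" and "Bob" walk through the rules above. The names, addresses and message
# are constructed for this demo; it needs gpg (GnuPG 2.1 or later) on the PATH.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found, nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d); ALICE="$WORK/alice"; BOB="$WORK/bob"
mkdir -m 700 "$ALICE" "$BOB"
trap 'for d in "$ALICE" "$BOB"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null; done; rm -rf "$WORK"' EXIT

# Run gpg non-interactively against one party's own keyring directory
g() { _dir=$1; shift; gpg --homedir "$_dir" --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"; }

# 1. Each party generates a key pair once (what GPG Keychain or iPGMail does for you)
g "$ALICE" --quick-generate-key "Alice Demo <alice@example.com>" default default never
g "$BOB"   --quick-generate-key "Bob Demo <bob@example.com>"     default default never

# 2. Only PUBLIC keys are exchanged as .asc files; each secret key stays in its own keyring
g "$ALICE" --export --armor alice@example.com > "$WORK/alice.pub.asc"
g "$BOB"   --export --armor bob@example.com   > "$WORK/bob.pub.asc"
g "$ALICE" --import "$WORK/bob.pub.asc"
g "$BOB"   --import "$WORK/alice.pub.asc"

# 3. Alice encrypts to BOB's public key and signs with HER secret key
send_to_bob() {
  printf '%s' "$1" | g "$ALICE" --armor --trust-model always \
    --recipient bob@example.com --local-user alice@example.com --sign --encrypt
}
# 4. Only Bob's secret key can open it; gpg verifies Alice's signature as it decrypts
bob_reads() { g "$BOB" --decrypt; }
# 5. Alice's keyring holds Bob's PUBLIC key only, so the same ciphertext fails there
alice_cannot_read() { if g "$ALICE" --decrypt >/dev/null 2>&1; then echo no; else echo yes; fi; }

# 6. Web of trust: Bob certifies Alice's key by signing it; the signature then shows in her key
bob_signs_alice_key() {
  fpr=$(g "$BOB" --with-colons --list-keys alice@example.com | awk -F: '/^fpr/ {print $10; exit}')
  g "$BOB" --quick-sign-key "$fpr"
}
alice_key_certified_by_bob() {
  if g "$BOB" --list-sigs alice@example.com | grep -q 'Bob Demo'; then echo signed; else echo unsigned; fi
}

cipher=$(send_to_bob 'Meet at the usual place at nine.')
echo "Bob reads:         $(printf '%s' "$cipher" | bob_reads)"
echo "Alice cannot read: $(printf '%s' "$cipher" | alice_cannot_read)"
bob_signs_alice_key
echo "Bob's signature on Alice's key: $(alice_key_certified_by_bob)"
```

Everything happens in a temporary directory that is removed on exit, so it leaves your real keyring untouched.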
With all the various scenarios miscreants could use to do something naughty with email, it could get complicated. Most of us ordinary users don’t need to worry about it too much, or think much beyond the basics of using public and private keys. It’s only where there is information or data of higher value that you will have people trying to get around the security measures you’ve taken. So don’t worry too much about the higher-end security features of Pretty Good Privacy. For a start, they are taken care of by the web of trust created by key signing. Secondly, it is only in edge cases that they’ll have any relevance for you.
I have a book available on the Amazon bookstore called Good and Geeky Email Privacy and Security. In the book there are step-by-step guides to help you set up your Pretty Good Privacy email encryption. You can also use PGP to encrypt files and folders on your computer, whether you are sending them as a message or not. I also use certificates from StartSSL for S/MIME encryption, so I can interact with those friends who prefer to use that instead. I think it is a good idea to have both encryption possibilities on your computers.