The basics of Pretty Good Privacy encryption
If you want to send an encrypted email to a friend you have to encrypt the message using HER public key.
If you want to receive encrypted email from your friend, he will have to encrypt it using YOUR public key.
It really is as simple as that! You only have to remember that PGP keys come in pairs. You have a public key, which you can publish wherever you like and give to whomever you wish. You have a private or secret key, and you don’t let anybody have it or see it. If you wish to decrypt an encrypted message, it has to be done with the secret key corresponding to the public key used to encrypt it.
Who did the email come from?
The other side of privacy and security is making sure that when you receive an email you are certain who sent it. For this there is the process of signing your emails with your secret key. Signing does not encrypt the message; all it does is let the recipient verify who sent it. You can send an unencrypted message that has been signed. When you set up the email plug-in with Apple Mail, the default is to sign all messages. This alerts recipients that you are using PGP encryption, so they can obtain your public key and reply with an encrypted message. When both parties are using PGP encryption within the email app, the plug-in makes it work automatically: it knows that your communications with that person should be encrypted and signed, and when an encrypted email comes in from your friend it is decrypted automatically, unless you have changed the default so that you need to click on the decrypt button first. You might want to do it that way if you’re working in an office and there is a chance someone could be reading over your shoulder.
Creating a Web of Trust
When I trust that a key belonging to my friend is uncompromised and most definitely his key, I can sign that key. This means that if a message comes in that looks like it’s from my friend but was not made with that key, I might want to do some checking to see whether the message is trustworthy. If you are working with a group of people, you could all sign each other’s keys. The more signatures a key has, the more likely it is to be trusted. If somebody outside the group were to create a spoof key, it would not have the signatures you would normally see from members of your group. Even if the message looked like it came from within the group, it wouldn’t take you long to work out that the message and its sender probably shouldn’t be trusted.
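Added here as an illustration (not from the original post, and not OpenPGP): a small pure-Python model of the three ideas above, encrypting with the recipient's public key, signing with your own private key, and counting trusted signatures on a key. It uses textbook RSA on fixed Mersenne primes with no padding, so it shows the mechanics only and is not safe for real messages; the key names and sample message are constructed.

```python
"""Teaching model of the key-pair mechanics in the section above: encrypt with
the RECIPIENT's public key, sign with your OWN private key, and sign keys to
build a web of trust.  Textbook RSA on fixed Mersenne primes with no padding:
an illustration, not OpenPGP, and not safe for real use."""
import hashlib

E = 65537  # public exponent shared by every key in the demo

def keygen(p, q):
    """Return ((e, n), (d, n)) for two primes; pow(..., -1, m) needs Python 3.8+."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def encrypt(msg, pub):
    """Encrypt bytes with the recipient's public key (msg must fit below n)."""
    e, n = pub
    m = int.from_bytes(msg, "big")
    assert m < n, "message too long for this toy key"
    return pow(m, e, n)

def decrypt(cipher, priv):
    """Only the matching private key recovers the text; any other yields garbage."""
    d, n = priv
    m = pow(cipher, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(data, priv):
    """Sign with the sender's private key: RSA over the SHA-256 digest."""
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % n, d, n)

def verify(data, sig, pub):
    """Anyone holding the sender's public key can check who sent the data."""
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def fingerprint(pub):
    """What people actually sign when they sign a key: a digest of the public key."""
    return hashlib.sha256(repr(pub).encode()).digest()

def trusted_signatures(pub, key_sigs, trusted_pubs):
    """Count signatures on `pub` that verify under keys you already trust.
    A spoof key made outside the group carries none, however genuine it looks."""
    fp = fingerprint(pub)
    return sum(verify(fp, s, t) for s in key_sigs for t in trusted_pubs)

if __name__ == "__main__":                              # constructed demo key
    bob_pub, bob_priv = keygen(2**107 - 1, 2**127 - 1)
    print(decrypt(encrypt(b"meet at the usual place", bob_pub), bob_priv))
```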
With all the various scenarios miscreants could use to do something naughty with email, it could get complicated. Most of us ordinary users don’t need to worry about it too much; we don’t need to think much beyond the basics of using public and private keys. It’s only where there is information or data of higher value that you will have people trying to get around the security measures you’ve taken. So don’t worry too much about the higher-end security features of Pretty Good Privacy. For a start, they are taken care of by the web of trust created by key signing. Secondly, it is only in edge-case situations that they will have any relevance for you.
I have a book available on the Amazon bookstore called Good and Geeky Email Privacy and Security. In the book there are step-by-step guides to help you set up your Pretty Good Privacy email encryption. You can also use PGP to encrypt files and folders on your computer, whether you are sending them as a message or not. I also use certificates you can get from StartSSL for S/MIME encryption. I can interact with those friends who prefer to use that instead. I think it is a good idea to have both encryption possibilities on your computers.