GPGMail on 10.9.5: How are Draft Emails Stored Encrypted without providing password?

John Sullivan

23 Aug, 2016 05:47 PM

Which of our tools is giving you problems? GPG in Apple Mail

Paste version-info of all components (how to: https://gpgtools.tenderapp.com/kb/faq/where-can-i-find-version-info...): Version 1.3.1 (1223)

Describe your problem. Add as much detail as possible. How is security maintained if GPG is able to store email drafts encrypted without me first providing my password? GPG obviously must access my private key to store these files, and yet I specifically require GPG to ask for my password. Thus, I've concluded that anyone with my computer is able to access my private key.

What did you expect instead? Two things:
1. GPG should ask for a key before storing a draft email on the server.
2. GPG should only store ONE draft. Instead, GPG stores one draft every few minutes. When I go offline for several hours, GPG stores hundreds of drafts, each containing a snapshot of a single draft email.

Describe steps leading to the problem.
1. Turn off internet.
2. Require GPG to ask for password to access private key.
3. Start an email in Apple Mail.
4. Leave the email open for a while (20 minutes). Add some text every once in a while.
5. Close email and save as draft.
6. Turn internet back on.
7. Notice that there are tons of email drafts (I had 900+ of the same email draft at one point).
8. Notice the emails are all encrypted using my private key, even though I never entered the password to decrypt said key.

Are you using any other Mail.app plugins? No

  1. Support Staff 1 Posted by Steve on 23 Aug, 2016 05:53 PM

    Hey John,

    welcome to the GPGTools community support platform. Sorry you are having problems using GPG Suite.

    Encryption requires only access to the public key part, thus your password is not required to encrypt the draft. Send an encrypted mail (encrypted only - not signed!) to yourself and you'll observe this behavior.

    Regarding the many drafts, are you using pop or imap for your mail account?

    All the best,
    steve

  2. 2 Posted by John Sullivan on 23 Aug, 2016 06:05 PM

    Hey Steve,
    Thanks for the fast reply.
    Your answer makes sense: the session key is encrypted with the public key, hence I only need to type the password to decrypt the message.

    I'm using gmail, which is IMAP. Here's more complete instructions to reproduce the behavior:
    Mac OS 10.9.5 13F1911
    Mail Version 7.3 (1878.6)
    GPG Version 1.3.1 (1233) (I just upgraded a couple minutes ago)
    1: Disconnect internet (wifi, etc)
    2: Make new message and type "Hello" in the body.
    3: Wait 5 minutes. Browse reddit or whatever.
    4: Type "World" in the body.
    5: Close the message and save the draft.
    6: Connect internet (wifi, etc)
    7: Sync Mail
    8: I see several versions of the same draft. 3 say "Hello" and 1 says "Hello World"
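The behaviour discussed in replies 1 and 2 above (saving an encrypted draft needs only the public key; the passphrase is needed only to read it back), as an added example that is not part of the original thread and is not GPG Suite code. It uses the `openssl` command line in place of GnuPG to show the same hybrid scheme; the function names, file names, passphrases and draft text are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: constructed names and values, openssl standing in for GnuPG.

make_keypair() {   # $1 = working dir, $2 = passphrase protecting the private key
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "pass:$2" -out "$1/private.pem" 2>/dev/null &&
    openssl pkey -in "$1/private.pem" -passin "pass:$2" \
        -pubout -out "$1/public.pem"
}

save_draft() {     # $1 = working dir, $2 = draft text; reads public.pem only
    # Fresh random session key encrypts the body; the public key wraps it.
    openssl rand -hex 32 > "$1/session.key" &&
    printf '%s' "$2" | openssl enc -aes-256-cbc -pbkdf2 \
        -pass "file:$1/session.key" -out "$1/draft.enc" &&
    openssl pkeyutl -encrypt -pubin -inkey "$1/public.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$1/session.key" -out "$1/session.key.enc" &&
    rm -f "$1/session.key"
}

open_draft() {     # $1 = working dir, $2 = passphrase; prints the plaintext
    # Unwrapping the session key is the only step that touches the private key.
    openssl pkeyutl -decrypt -inkey "$1/private.pem" -passin "pass:$2" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$1/session.key.enc" -out "$1/session.key" 2>/dev/null ||
        { rm -f "$1/session.key"; return 1; }
    openssl enc -d -aes-256-cbc -pbkdf2 \
        -pass "file:$1/session.key" -in "$1/draft.enc"
    status=$?
    rm -f "$1/session.key"
    return $status
}

demo_dir=$(mktemp -d)
make_keypair "$demo_dir" 'constructed passphrase'
save_draft "$demo_dir" 'Hello World' && echo "draft saved, no passphrase asked"
open_draft "$demo_dir" 'wrong guess' || echo "wrong passphrase: cannot open draft"
echo "right passphrase: $(open_draft "$demo_dir" 'constructed passphrase')"
rm -rf "$demo_dir"
```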

  3. Support Staff 3 Posted by Steve on 18 Sep, 2016 08:31 AM

    Hi John,

    I assume step 2 refers to creating a new message in Mail.app?

    If so, what are your settings regarding storing drafts on the server? Go to Mail.app > Preferences > Accounts > Mailbox behavior. The first option shows whether you store drafts on the server or not.

  4. 4 Posted by John Sullivan on 21 Sep, 2016 04:33 PM

    Hey Steve,
    Yes, I have the "Store draft messages on the server" option checked.
    For reference, I've attached a screenshot of my latest "draft" folder on gmail, where each draft message is encrypted with PGP.

  5. Support Staff 5 Posted by Steve on 21 Sep, 2016 04:34 PM

    Should you be available, could you hop on our live chat here:
    https://www.hipchat.com/gi8zHW4K3

    We can't promise a solution, but we'd like to inspect this problem in more detail.

    All the best
    steve

  6. Support Staff 6 Posted by Steve on 26 Sep, 2016 01:08 PM

    Hi John,

    the issue in GPGPreferences has been fixed. If you want to test the fix, please download our latest nightly GPG Suite. That page also has sig and SHA1 to verify the download.

    Should the problem persist, please re-open this discussion and let us know. For more questions that are not related to this specific problem, you are welcome to create a new discussion any time.

    Best, steve

    Disclaimer: This is a development version which has not been thoroughly tested yet, so bugs or crashes are to be expected. Thanks for helping us test this fix.

  7. Steve closed this discussion on 26 Sep, 2016 01:08 PM.

  8. Support Staff 7 Posted by Steve on 07 Mar, 2018 01:11 PM

    The bug where Mail.app created multiple drafts has been fixed by Apple in macOS 10.13. If you are still affected by this issue, consider updating to macOS 10.13 High Sierra.

  9. Steve closed this discussion on 07 Mar, 2018 01:11 PM.

  10. pparednet.elt re-opened this discussion on 08 Mar, 2018 03:49 AM

  11. 8 Posted by pparednet.elt on 08 Mar, 2018 03:49 AM

    Hey Steve,
    Thanks for letting me know. We're still using 10.9.5... before that we used 10.6.8; slow upgrade cycle over here.

    John Sullivan
    Problem Solver

  12. Support Staff 9 Posted by Steve on 08 Mar, 2018 05:15 PM

    No problem. Sadly, I don't think Apple will backport their fix to even macOS 10.12.

  13. Steve closed this discussion on 08 Mar, 2018 05:15 PM.
