First steps - where do I start, where do I begin? (Setup GPGTools, Create a new key, Your first encrypted email)

First Steps (en)
Erste Schritte (de)
Premiers pas ou commencer (fr)

Welcome. Glad you made it here and thanks for your interest. In this article you will learn how to setup your own OpenGPG key and send your first secure email.

Setup GPG Suite

The first step is to download and run GPG Suite. When that is done, it's time to setup your GPG key.

If you already have a GPG key, please Add your address to an existing GPG key, because in that case you don't need to create any new key. If you do not have a GPG key yet, follow up with the next section:

Create a new key

GPG Keychain is the application used to manage your keys. It will let you create new keys, edit existing ones and search for your friends keys. The first thing you see in GPG Keychain is a wizard which guides you through creating your first key.

Create a new key

Email Address
GPG Keychain fills the data from your macOS address book. The email field is editable and you can change that information at your will. Enter the email address you normally use when sending email. Make sure that it is typed identical to what is used in Mail > Settings > Accounts. Double check that capitalisation matches, since it matters. When using more than one email address, you can add additional addresses to your key later.

Enter a password you want to protect your OpenPGP key with. As with every password it's best to use a long password.

Important: Make sure you will remember your password. Store it in a secure location and no, a text note on your desk is not a secure location. Please use a password manager or bank deposit instead. If you lose or forget your password, there is no way to recover it and you may lose access to all your encrypted messages.

Generate key and uploading to the key server

Clicking "Generate Key" will create your key and after a short while you are asked to upload your public key to the key server. We recommend doing that. If you are unsure, you can always do that later. Learn more about the Key Server and how to upload and verify a key. You will now see a new entry in GPG Keychain with your email address showing sec/pub (secret/public) in the type column.

Now is a good time to create a backup of your secret/public key. Store the exported file in a secure location. We recommend a password manager which can also store files or a USB drive which you can then store in a secure location.

Every time you create a new key, a new key pair is created. It will consist of a secret key and a public key. The public key is to be shared with others, so they can send you encrypted messages.

Your first encrypted email

Great, you're almost there! All you need for this first test is a sec/pub key in GPG Keychain matching the email address used in Mail app. If you want to encrypt to other recipients than yourself, you need to retrieve their public key first.

On macOS 10.14 Mojave you need to enable GPG Mail. This is a new mechanism Apple introduced in 10.14.

Open Mail app and create a new message. You'll notice two additional buttons in your composing window.

A lock icon for encryption and a star icon for the signature. For both icons: grey means disabled, black means enabled. As you have just created a key, your star icon will be enabled. You are now ready to sign messages with your key. After you click the star icon you will see a check mark indicating that your message will be signed.

Your lock icon however will be displayed in grey as you must first enter a recipient, for whom you have a public key.

For this test: enter your email address in the "To:" field (the same address that you use to send emails from). Then your lock icon will change to black.

You are now ready to encrypt your message. Click to close the lock. Your email will now be encrypted.

After pressing the lock or star button, the OpenPGP indicator in the top right corner will turn green. This indicates that your email will be signed and/or encrypted.

Your email should look like this: The OpenPGP indicator is green, the lock icon is locked, your message will be encrypted and a small checkmark is displayed on the star button (the message will be signed).

Press send: If your password is not stored on your computer you will be asked to enter it manually (in order to sign the message). Shortly after the email will be delivered to yourself. You'll see that it is encrypted and signed: the lock is closed, indicating that the message was encrypted and since you can read the email-content, it has been successfully decrypted for you. If you don't see the lock icon the message wasn't encrypted.

Mail > Settings > GPG Mail allows to adjust the defaults for encrypting and signing new mails.

Congrats, you've made it!

To be completely honest we have to admit, we've cheated a little. Encrypting a message can be slightly more effort, since it requires you to have the public key of the recipient(s). However adding their public keys is a task that you only do once for each recipient.

Find out how to get your friend's public key

Why all this hassle?

First, sending an encrypted message isn't more difficult than sending unsecure messages, once you've understood the basic concept.

Second, by sending encrypting messages you will prevent unwanted eyes (NSA) from reading the contents of your personal mails.

Third and this might not be as clear: why should you sign messages? You can compare signing a message to the process of sending a sealed letter in real life. For one, the recipient will be able to tell if the "seal" was broken. If anyone has been fiddling with your message your recipients will immediately see that the signature is invalid. On the other hand, they can also be sure that the message did indeed come from you and not an imposter, since only you can create that signature, with your secret key. One could fake your email address, your name, but not your signature. And that's why signing is important. This also explains why it's EXTREMELY IMPORTANT to keep your secret key and your password safe. Otherwise, if someone gets a hold of your secret key and your password, they could forge your signature and pose as you. In addition, they could read your encrypted messages, and you really wouldn't want that.

Further info