First steps - where do I start, where do I begin? (Setup GPGTools, Create a new key, Your first encrypted Mail)

First Steps (en)
Erste Schritte (de)
Premiers pas ou commencer (fr)

Welcome. Glad you made it here and thanks for your interest. In this article you'll learn how to setup your own GPG key and send your first secure email.

Setup GPG Suite

The first step is to download and run GPG Suite. When that is done, it's time to setup your GPG key.

If you already have a GPG key, please Add your address to an existing GPG key, because in that case you don't need to create any new key. If you do not have a GPG key yet, follow up with the next section:

Create a new key

GPG Keychain is the application you will use to manage your keys. It will let you create new keys, edit existing ones and search for your friends keys. The first thing you'll see in GPG Keychain is a wizard which will guide you through creating your first key.

Create a new key

Email Address
GPG Keychain fills the data from your macOS address book. But the fields are editable and you can change them at your will. Enter the email address you normally use when sending mail. Make sure that it is typed identical to the one used in Preferences > Accounts. Double check that capitalisation matches, since it matters. More email addresses can be added to your key later.

Upload key after generation
If you enable this checkbox, your public key will be uploaded to a key server once key creation is done. Generally this is a good thing, since it will make it much easier for others to start sending you encrypted messages by simply importing your key from a key server, but once a key is uploaded to the key server, it can not be removed. This means: you will not be able to change your name once the key has been uploaded. You can always upload your public key to a key server at a later time.

Enter your password. As with every other password you use, it should be very strong and it's best to use a very long password,a sentence you can remember, comprised of symbols and numbers.

Important: Should you forget your password, there's no way to recover it. Make sure you will remember it or store it in a safe place (no, a text note on your desk is not a safe place).

Hit "Generate key"!

After a short while, you'll see a new entry in GPG Keychain with your email address showing sec/pub (secret/public) in the type column.

Every time you create a new key, a new key pair is created. It will consist of a secret key and a public key. The public key is to be shared with others, so they can send you encrypted messages.

Important: If you delete your secret key, you will no longer be able to read encrypted messages.

Your first encrypted mail

Great, you're almost there! All you need for this first test is a sec/pub key in GPG Keychain matching the mail address used in If you want to encrypt to other recipients than yourself, you need to retrieve their public key first.

On macOS 10.14 Mojave you need to enable GPG Mail. This is a new mechanism Apple introduced in 10.14.

Open and create a new message. You'll notice two additional buttons in your composing window.

A lock icon for encryption and a star icon for the signature. For both icons: grey means disabled, black means enabled. As you have just created a key, your star icon will be enabled. You are now ready to sign messages with your key. After you click the star icon you will see a check mark indicating that your message will be signed.

Your lock icon however will be displayed in grey as you must first enter a recipient, for whom you have a public key.

For this test: enter your email address in the "To:" field (the same address that you use to send emails from). Then your lock icon will change to black.

You are now ready to encrypt your message. Click to close the lock. Your mail will now be encrypted.

After pressing the lock or star button, the OpenPGP indicator in the top right corner will turn green. This indicates that your mail will be signed and/or encrypted.

Your email should look like this: The OpenPGP indicator is green, the lock icon is locked, your message will be encrypted and a small checkmark is displayed on the star button (the message will be signed).

Press send: If your password is not stored on your computer you will be asked to enter it manually (in order to sign the message). Shorty, the mail will be delivered to yourself. You'll see that it is encrypted and signed: the lock is closed, indicating that the message was encrypted and since you can read the mail-content, it has been successfully decrypted for you. If you don't see the lock icon the message wasn't encrypted. > Preferences > GPGMail allows to adjust the defaults for encrypting and signing new mails.

Congrats, you've made it!

To be completely honest we have to admit, we've cheated a little. Encrypting a message can be slightly more effort, since it requires you to have the public key of the recipient(s). However adding their public keys is a task that you only do once for each recipient.

Find out how to get your friend's public key

Why all this hassle?

First, sending an encrypted message isn't more difficult than sending unsecure messages, once you've understood the basic concept.

Second, by sending encrypting messages you will prevent unwanted eyes (NSA) from reading the contents of your personal mails.

Third and this might not be as clear: why should you sign messages? You can compare signing a message to the process of sending a sealed letter in real life. For one, the recipient will be able to tell if the "seal" was broken. If anyone has been fiddling with your message your recipients will immediately see that the signature is invalid. On the other hand, they can also be sure that the message did indeed come from you and not an imposter, since only you can create that signature, with your secret key. One could fake your email address, your name, but not your signature. And that's why signing is important. This also explains why it's EXTREMELY IMPORTANT to keep your secret key and your password safe. Otherwise, if someone gets a hold of your secret key and your password, they could forge your signature and pose as you. In addition, they could read your encrypted messages, and you really wouldn't want that.

Further info