
Encryption programs questions
gemigene
Junior Member
Join Date: Jul 2006
Jan 19, 2008, 01:36 AM
 
Hi,

I would like to encrypt certain "sensitive" files on my HD and also send encrypted emails to friends using PGP on Winboxes and Macs.

I've read quite a few articles and it seems like GnuPG - 1.4.8 and Gpg Tools - 1.2.1 are highly recommended.

Feedback or other recommendations anyone?
Gene

iMac (Intel), OS-X 10.5.1
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Jan 19, 2008, 06:45 AM
 
To encrypt files on your HD either use FileVault or create an encrypted (sparse) disk image with Disk Utility.
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Jan 19, 2008, 09:45 AM
 
That won't help for the OP's Windows-using friends - they won't be able to mount or read them.

Mail can already encrypt messages (and their attachments). You just need to create a certificate for yourself using Keychain Access and obtain those of your friends - from Mail help, run a search for encrypting messages:

Signing and encrypting messages
A signed message (which includes any attachments) enables your recipients to verify your identity as the sender, and provides assurance that your message wasn't tampered with in transit. To send a signed message, you must have a personal certificate installed in Keychain Access.

An encrypted message (which includes any attachments) offers a higher level of security than a signed message. To send an encrypted message, you must have a personal certificate and the certificate of each recipient installed in Keychain Access.

To sign and encrypt a message:

1. Choose File > New Message and, in the Account pop-up menu, choose the account for which you have a personal certificate installed in your keychain.

   A Signed icon (a checkmark) on the upper-right side above the message text indicates the message will be signed when you send it.

2. Address the message to recipients.

   ■ If you’re sending the message to a mailing list, you should send it unsigned. Many mailing lists reject signed messages (because the signature is an attachment). To send the message unsigned, click the Signed icon; an “x” replaces the checkmark.

   ■ An Encrypt (closed lock) icon appears next to the Signed icon if you have a personal certificate for a recipient in your keychain; the icon indicates the message will be encrypted when you send it.

   ■ If you don’t have a certificate for all the recipients, you’re asked to cancel the message or send the message unencrypted. To send the message unencrypted, click the Encrypt icon; an open lock icon replaces the closed lock icon.

If your recipients use Mail, security headers marked Signed and Encrypted are visible in the messages they receive. If they’re using a mail application that doesn’t use signed and encrypted messages, the certificate might be in the form of an attachment. If recipients save the attachment as a file, they can add your certificate to their keychains.

     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Jan 19, 2008, 09:47 AM
 
From Keychain Access (search for creating a certificate):


Creating a self-signed certificate
You can create a certificate using the Certificate Assistant in Keychain Access. The certificate you create is called a self-signed certificate. Self-signed certificates don’t provide the guarantees of a certificate signed by a certificate authority.

To create a self-signed certificate:

1. Open Keychain Access, located in the Utilities folder in the Applications folder.

2. Choose Keychain Access > Certificate Assistant > “Create a Certificate.”

3. Enter a name for the certificate, choose a type, and then click Continue.

   ■ For an explanation of certificate types, click Learn More.

   ■ If you want to manually specify the information in the certificate, such as key pairs, extensions, and encryption, click “Let me override defaults,” and then follow the instructions. If you have questions while creating your certificate, click “Learn More.”

4. Review the certificate and click Done.

     
gemigene  (op)
Junior Member
Join Date: Jul 2006
Jan 19, 2008, 07:11 PM
 
Thanks for the info on Certificates.

I searched and came across something interesting:

freenigma gmbh

Which is an "on-the-fly" encryption service using GnuPG and a Firefox extension to encrypt email on Gmail, Hotmail, etc.

Cheers,
Gene

BTW: According to the responses I got, doesn't seem to be many GnuPG users out there.
     
gemigene  (op)
Junior Member
Join Date: Jul 2006
Jan 19, 2008, 08:03 PM
 
Afterthought...

Phil Zimmermann "invented" PGP quite a few years ago and GnuPG will be celebrating their 11th anniversary soon. I wonder why in this age of "User Friendly, ready to run out of the box" software, there are still programs that demand quite a bit of technical expertise to install and run (command line or third-party interfaces to fill in the gap) and are still problematic to use. When are those people going to come out of the "dark ages"?

I posted my original question on 4 forums to get as much feedback as possible from GnuPG users but to no avail. I assume that it isn't a very popular program.

Gene
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Jan 19, 2008, 10:53 PM
 
Strong encryption is not a common need on the personal level.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
gemigene  (op)
Junior Member
Join Date: Jul 2006
Jan 20, 2008, 01:50 AM
 
To JKT,

I obtained a certificate from Comodo and installed it. I can't see any differences in Mail and the certificate is in my keychain but seems to need some kind of configuration (drop-down boxes). The email account I used for this one is a Gmail (POP account setup) account and after sending myself test messages, Mail doesn't retrieve any messages at all, but they are in my Gmail inbox.

Any ideas?
Gene
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 03:17 AM
 
Originally Posted by Chuckit View Post
Strong encryption is not a common need on the personal level.
Sure it is... What if you want to email somebody sensitive information such as a password or credit card number or something?

I use GnuPG all the time, as does our security department where I work. PGP signing files is something we are required to do as legal evidence.

You can use GnuPG to sign individual files (gpg --sign), and you can use GnuPG along with both Thunderbird and OS X Mail (the Enigmail extension in Thunderbird is much better). If you are going to sign various files before passing them on, I would also suggest creating md5 hashes and signing them too so that the recipient can determine whether or not the file(s) you are passing on have been tampered with.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 03:22 AM
 
Originally Posted by gemigene View Post
To JKT,

I obtained a certificate from Comodo and installed it. I can't see any differences in Mail and the certificate is in my keychain but seems to need some kind of configuration (drop-down boxes). The email account I used for this one is a Gmail (POP account setup) account and after sending myself test messages, Mail doesn't retrieve any messages at all, but they are in my Gmail inbox.

Any ideas?
Gene

This thread lacks focus and is getting confusing very fast. Let me try to help sort things out...

Filevault encrypts the contents of your home directory for your personal protection. It will not do anything when it comes to encrypting files you wish to send to others.

SSL mail certificates are okay, but they really don't offer a whole lot in the form of assurance. Anybody can create themselves a free SSL email cert. When you see a cert offered in an email, all this really tells you is that somebody requested a cert for their email - there is really no authenticity provided.

PGP is your best bet for signing and encrypting files. Signing and encrypting files are separate functions used for different purposes, and they also have different requirements. If you pass a PGP signed file (or an email) on to somebody, if they do not have a PGP decrypter or your public key installed on their machine, they simply cannot authenticate your files. If your files are encrypted however, they literally cannot access them without these requirements.

I could go in greater depth as to how PGP works, but I'll stop here for now...
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Jan 20, 2008, 10:04 AM
 
A self-created mail certificate obviously doesn't prove anything about the identity of the sender, but they can be used to encrypt e-mails in Mail. This works right out of the box. There is no need for PGP.
     
threestain
Mac Elite
Join Date: Mar 2003
Location: London/Plymouth, England
Jan 20, 2008, 11:05 AM
 
bit clamps works quite well for just sending encrypted files...
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Jan 20, 2008, 11:54 AM
 
Originally Posted by gemigene View Post
To JKT,

I obtained a certificate from Comodo and installed it. I can't see any differences in Mail and the certificate is in my keychain but seems to need some kind of configuration (drop-down boxes). The email account I used for this one is a Gmail (POP account setup) account and after sending myself test messages, Mail doesn't retrieve any messages at all, but they are in my Gmail inbox.

Any ideas?
Gene
You need to configure your New Message window to include the encryption and certificate buttons, to ensure that you are adding the certificate to your messages. To do so, create a new message. Click the button that looks like three lines on a page, located at the bottom left of the address fields etc, but above the content area, and select Customise... from the options. Put a tick by the buttons as circled below:



When you send a message, make sure the certificate button is clicked and has a tick in it which signifies that you have signed your message (a cross in place of the tick indicates that you have not):



If your recipient already has your certificate and public key and you have theirs, then you will also be able to encrypt the message by clicking the padlock next to the certificate button.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 01:18 PM
 
It would definitely be nice if Apple included PGP support in OS X Mail, but then again, there are many other features OS X Mail is missing too...
     
infowarrior
Forum Regular
Join Date: Mar 2001
Jan 20, 2008, 01:27 PM
 
As a security geek I use PGP extensively both for email signing/encrypting and also file/folder security; frankly although I don't approve of the activation process used by PGP now that it's a commercial product, I do think it's a fine program and has served me well for nearly....geez, 15 years now.

It also has a nice script drop-in for Entourage and (I think) Mail that makes encrypting/signing messages very easy and quick.
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Jan 20, 2008, 01:30 PM
 
Originally Posted by infowarrior View Post
It also has a nice script drop-in for Entourage and (I think) Mail that makes encrypting/signing messages very easy and quick.
Do you know if this script works with Entourage 2008?
     
infowarrior
Forum Regular
Join Date: Mar 2001
Jan 20, 2008, 01:32 PM
 
No idea -- I loaded up Office08 on a demo account I use for testing and there's no PGP installed there so I have no way to test it.....plus PGP gets all ornery when you try to activate more than 1 copy on a machine.

I presume since it's really just an applescript that it should be easy to set up either by the vendor or if it's not there, the end user.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 01:41 PM
 
Originally Posted by TETENAL View Post
A self-created mail certificate obviously doesn't prove anything about the identity of the sender, but they can be used to encrypt e-mails in Mail. This works right out of the box. There is no need for PGP.
What is needed on the recipient's end to decrypt an email sent this way?
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Jan 20, 2008, 01:42 PM
 
Originally Posted by besson3c View Post
Sure it is... What if you want to email somebody sensitive information such as a password or credit card number or something?
1. I don't find people very often e-mail these things to each other.

2. If they did, most people would just e-mail the info.

Go out in the middle of the street and ask random people if they use GPG. If even one person says yes, I will be surprised.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 01:44 PM
 
Originally Posted by infowarrior View Post
As a security geek I use PGP extensively both for email signing/encrypting and also file/folder security; frankly although I don't approve of the activation process used by PGP now that it's a commercial product, I do think it's a fine program and has served me well for nearly....geez, 15 years now.

It also has a nice script drop-in for Entourage and (I think) Mail that makes encrypting/signing messages very easy and quick.
Have you looked into GnuPG? What does the commercial PGP solution offer that GnuPG doesn't?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 01:46 PM
 
Originally Posted by Chuckit View Post
1. I don't find people very often e-mail these things to each other.

2. If they did, most people would just e-mail the info.

Go out in the middle of the street and ask random people if they use GPG. If even one person says yes, I will be surprised.

Many workplaces either require SSL or PGP to be used in any/all email. Just because this is foreign to you, I would suggest not making assumptions about the rest of the world without further investigation.
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Jan 20, 2008, 01:48 PM
 
Originally Posted by besson3c View Post
Many workplaces either require SSL or PGP to be used in any/all email. Just because this is foreign to you, I would suggest not making assumptions about the rest of the world without further investigation.
I would turn that around: Just because your workplace does this, don't assume everybody does it at home. I feel fairly confident I could go to a bar on Friday night and ask everybody who uses e-mail whether they use GPG and I'd get nothing but blank stares.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 01:55 PM
 
Originally Posted by Chuckit View Post
I would turn that around: Just because your workplace does this, don't assume everybody does it at home. I feel fairly confident I could go to a bar on Friday night and ask everybody who uses e-mail whether they use GPG and I'd get nothing but blank stares.

What is your point? My point is that many companies and individual people use PGP, and this is really not all that disputable. Is your point that this is not mainstream technology? If so, I agree, but how did this enter the picture here?
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Jan 20, 2008, 02:06 PM
 
Originally Posted by besson3c View Post
What is your point? My point is that many companies and individual people use PGP, and this is really not all that disputable. Is your point that this is not mainstream technology? If so, I agree, but how did this enter the picture here?
The OP commented that GPG is "not a very popular program," and I explained that most people don't use any program of this type at all, so of course it's not going to be a popular program. I doubt another program would get a much bigger response.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 02:28 PM
 
Originally Posted by Chuckit View Post
The OP commented that GPG is "not a very popular program," and I explained that most people don't use any program of this type at all, so of course it's not going to be a popular program. I doubt another program would get a much bigger response.
Ahhhh... I missed that part.

PGP or email certs *should* be pushed to become more commonplace, because WAY too many send each other sensitive information over email without even thinking twice, and of course many people don't realize that their free email accounts (GMail, Hotmail, etc.) are being data mined.

I feel that internet security is becoming a hairier issue every day, and that the solution is to start getting people thinking about this sort of stuff. Therefore, I think Apple should lead and provide PGP support. Your counter argument might be "it's not mainstream enough", but then again neither is IPv6, encrypted disk images, stealth mode, etc. I think staying ahead of the curve is a good idea.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Jan 20, 2008, 02:58 PM
 
Mail already supports encryption.
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Jan 20, 2008, 03:38 PM
 
Originally Posted by besson3c View Post
Ahhhh... I missed that part.

PGP or email certs *should* be pushed to become more commonplace, because WAY too many send each other sensitive information over email without even thinking twice, and of course many people don't realize that their free email accounts (GMail, Hotmail, etc.) are being data mined.

I feel that internet security is becoming a hairier issue every day, and that the solution is to start getting people thinking about this sort of stuff. Therefore, I think Apple should lead and provide PGP support. Your counter argument might be "it's not mainstream enough", but then again neither is IPv6, encrypted disk images, stealth mode, etc. I think staying ahead of the curve is a good idea.
I don't think it would hurt, but since most theft of sensitive information still happens through phishing or giving system access to somebody dishonest, I personally wouldn't place an extremely high priority on it. More good could be accomplished in other areas of security.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 05:35 PM
 
Originally Posted by TETENAL View Post
Mail already supports encryption.
I don't think it works the way you think it does. What does the recipient need to decrypt a message you encrypt?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 05:37 PM
 
Originally Posted by Chuckit View Post
I don't think it would hurt, but since most theft of sensitive information still happens through phishing or giving system access to somebody dishonest, I personally wouldn't place an extremely high priority on it. More good could be accomplished in other areas of security.
I disagree. Phishing is an attack designed to lure Joe six pack into having his computer exploited. If I wanted very specific data from a very specific network, sniffing email might be a good way to do this.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Jan 20, 2008, 05:58 PM
 
Originally Posted by besson3c View Post
I don't think it works the way you think it does. What does the recipient need to decrypt a message you encrypt?
Nothing.

You need one signed e-mail from the recipient to be able to send him an encrypted e-mail.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 06:13 PM
 
Originally Posted by TETENAL View Post
Nothing.

You need one signed e-mail from the recipient to be able to send him an encrypted e-mail.
So what is stopping me from creating myself an SSL cert as somebody else, and sending you a message with false info?

SSL email certs provide flimsy security at best.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Jan 20, 2008, 06:38 PM
 
And how does PGP prove the identity of the sender? It doesn't. You have the exact same problem.

And it's your choice to not accept self-signed certificates and only go with certificates that have been issued by authorities that verify the owner.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 06:51 PM
 
Originally Posted by TETENAL View Post
And how does PGP prove the identity of the sender? It doesn't. You have the exact same problem.

And it's your choice to not accept self-signed certificates and only go with certificates that have been issued by authorities that verify the owner.
Sorry man, you're wrong on both counts.

In order to send out a message as an individual you need the private key that is associated with the public key. When this pairing is severed, you cannot decrypt messages. Private keys are stored on the sender's machine, and are password protected. Even if somebody were to steal the user's private key, they would still need the correct password. This is the basis of security in all challenge/response type security - Kerberos does this, as does SSH public key authentication.

As for the self-signed vs. commercial cert issue, you can get free commercial SSL certs that email clients will happily accept, and there is no form of authenticity or authorization here. When you get a message that is secured by an SSL email cert, all this tells you is that somebody requested a cert for the address in question, but there is no telling who.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Jan 20, 2008, 07:16 PM
 
There is no principal difference in how Mail mail signatures and encryption and PGP work. That's what you don't understand.

The only thing that's different is that one is built in and works without hassle and installing third party software and the other isn't.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 07:21 PM
 
Originally Posted by TETENAL View Post
There is no principal difference in how Mail mail signatures and encryption and PGP work. That's what you don't understand.

The only thing that's different is that one is built in and works without hassle and installing third party software and the other isn't.
You need to learn more about this stuff Tetenal... I'm sorry, but the facts do not support what you are saying. There are indeed differences between PGP and SSL mail certs. Again, PGP is based on public/private key pairing and rings of trust, SSL certificates are simply a way to claim an identity.

If you want to claim otherwise, please make an argument.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Jan 20, 2008, 07:27 PM
 
Originally Posted by besson3c View Post
PGP is based on public/private key pairing
And so are mail certificates.
and rings of trust
With PGP you create your keys yourself. There is nothing that stops you from creating keys pretending to be someone else.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 07:33 PM
 
Originally Posted by TETENAL View Post
And so are mail certificates.
No. SSL certs are verified against the root certs available in the OS, but all this tells the user is that the certificate itself is valid. Anybody can go and create themselves a free commercial SSL certificate, which is the problem.

With PGP you create your keys yourself. There is nothing that stops you from creating keys pretending to be someone else.
Yes there is. The way that public keys are offered to users is via a public key server. If a key has already been registered to the key server, there is no way to offer a conflicting key without the original owner of the key revoking this key from the key server. Moreover, if the key was not uploaded to the key server the private key signature still needs to match the public key, or else there is a key mismatch.

Please, read up on this before continuing this with me further, okay? I don't claim to be some sort of PGP guru, but clearly there is a lapse in your understanding as to how this works.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Jan 20, 2008, 07:54 PM
 
Originally Posted by besson3c View Post
The way that public keys are offered to users is via a public key server.
That's not required. A spoofer can simply not do that, mail the public key, and you are in the exact same situation with mail certificates.

With mail certificates you can choose the method how the identity is verified: by e-mail, by snail-mail, by passport. It's up to you which class of certificate you are willing to trust.
     
gemigene  (op)
Junior Member
Join Date: Jul 2006
Jan 20, 2008, 07:59 PM
 
LOL! This is turning into quite a controversial thread.

Some of us do need some kind of protection as far as our rights to privacy go (journalists, human rights activists groups, "whistleblowers", lawyer/client communication, offshore investment, sending personal data over the Net, etc.) and as some of you know, governmental agencies now have the "right" to intercept electronic communications and use it against you, even though you might only be expressing your opinion on something or other.

To get back on track, how good is GnuPG and GPG Tools? How difficult are they to set up?

Cheers,
Gene
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 08:06 PM
 
Originally Posted by TETENAL View Post
That's not required. A spoofer can simply not do that, mail the public key, and you are in the exact same situation with mail certificates.
So what is the public key checked against then? Sorry dude, I don't mean to come across as an ass or somebody who is willing to argue this to the bitter end, but you really don't understand how this works. Maybe we should just move on?

With mail certificates you can choose the method how the identity is verified: by e-mail, by snail-mail, by passport. It's up to you which class of certificate you are willing to trust.
I'm not sure what snail-mail and passports have to do with email security, but okay...
     
gemigene  (op)
Junior Member
Join Date: Jul 2006
Jan 20, 2008, 08:11 PM
 
To JKT:

I don't see the extra fields for encryption, all I get are the standard options.



Cheers,
Gene
     
gemigene  (op)
Junior Member
Join Date: Jul 2006
Jan 20, 2008, 08:16 PM
 
Originally Posted by besson3c View Post
Yes there is. The way that public keys are offered to users is via a public key server. If a key has already been registered to the key server, there is no way to offer a conflicting key without the original owner of the key revoking this key from the key server. Moreover, if the key was not uploaded to the key server the private key signature still needs to match the public key, or else there is a key mismatch
Besson3c, seems that you agree with me on this whole privacy issue, care to help me out a bit? I need a mentor...

Should I install GnuPG and Tools?

Cheers,
Gene
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Jan 20, 2008, 08:17 PM
 
Originally Posted by besson3c View Post
I'm not sure what snail-mail and passports have to do with email security, but okay...
How do you verify the identity of a person? In this country it's the identity card or the passport. Show that and you get your mail certificate.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Jan 20, 2008, 08:19 PM
 
Originally Posted by gemigene View Post
To JKT:

I don't see the extra fields for encryption, all I get are the standard options.



Cheers,
Gene
As has been mentioned you need your own mail certificate to be able to sign and encrypt mails in Mail. Either create a self-signed certificate as JKT described above or get one from a Certificate Authority. Just follow the instructions from here: joar.com > Using encryption and digital signatures in Mail

If you did all that and still don't see those buttons open a new blank message in Mail, click the popup button on the left side of the header area (three lines with an arrow) and select the Customize command. Then enable the sign and encrypt buttons.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 08:34 PM
 
Originally Posted by gemigene View Post
Besson3c, seems that you agree with me on this whole privacy issue, care to help me out a bit? I need a mentor...

Cheers,
Gene
I can try!

Here is what I would do if you want to get into PGP security:

1) Install XCode off of Apple's Tiger/Leopard DVD
2) Install Macports
3) Install gnupg via Macports by doing a:

sudo port -v install gnupg

4) Install MacGPG: Sen:te - GPGMail (if you are running Leopard, the beta d51 build has been working just fine for me).

5) MacGPG looks for gpg in /usr/local/bin, Macports installs it into /opt/local/bin. Therefore, create a symbolic link to /opt/local/bin as follows:

sudo ln -s /opt/local/bin/gpg /usr/local/bin/gpg

6) If GPGMail has been installed correctly, you should see the pref pane in OS X Mail. Now you need to create your public/private keypair:

gpg --gen-key

Once your private/public key pair has been created this should be recognized by OS X Mail (you may have to quit and restart it first). You can now sign your email messages with your public key, or else encrypt your messages. If you encrypt your messages your public key will need to be uploaded to the key server. I can't remember whether or not this happens automatically since I first started using my PGP setup in Enigmail for Mozilla Thunderbird where there was a clear interface for uploading public keys, but there is a key search interface within your "window" menu to search for keys on the public key servers.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 08:40 PM
 
Originally Posted by TETENAL View Post
How do you verify the identity of a person? In this country it's the identity card or the passport. Show that and you get your mail certificate.
This is not required for a free email cert, is it?

The public/private key binding, registered public keys on a public key server, and basic challenge/response authentication offered by PGP are really the only technological means for proper authentication of emails and files. PGP signed files complete with PGP signed md5 hashes are legally binding. We are asked to preserve data this way for various users on our systems on an almost weekly basis this way, and our preservations have been used as legal evidence within several cases now.
     
gemigene  (op)
Junior Member
Join Date: Jul 2006
Jan 20, 2008, 08:46 PM
 
Looks like there's a self installing version at versiontracker:

GnuPG - 1.4.8, install GnuPG without having to compile it

That's the package I downloaded. What's your opinion?

Thanks,
Gene
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 08:54 PM
 
Gene: that should be just fine!
     
gemigene  (op)
Junior Member
Join Date: Jul 2006
Jan 20, 2008, 08:54 PM
 
Found this installation guide on the developer's page, how does that look to you?

Thanks again,
Gene
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jan 20, 2008, 09:17 PM
 
Originally Posted by gemigene View Post
Found this installation guide on the developer's page, how does that look to you?

Thanks again,
Gene


They look very old. I'd start with mine and see how far you can get... The binary gnupg installer should be a functional shortcut if you don't wish to compile gnupg yourself.
     
 
 