Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

How to keep your email private with PGP encryption on your Mac

Glenn Fleishman | March 3, 2015
In our last episode of Private I, I explained the basics of public-key (PK) cryptography, a way to scramble messages in a way that only someone possessing a particular key can decrypt, without that key ever having to be publicly disclosed or shared. It's an effective system that has no known theoretical exploits, and currently deployed implementations are considered robust.

Checking on the keys

But let's turn to the existential problem. You have a key that's associated with your email address, and you post the public key to a keyserver. How can someone be sure it's your key? If they email you at the address, it's possible your email has been tampered with, and the message is intercepted, and responded to without you ever knowing about it. One method of validating a key is to call someone, because there's about zero probability that a man-in-the-middle could know you were making the call, intercept it, and speak in real time the fingerprint of a false key. Once you've verified a key by voice or in person using its fingerprint, you're set.

The reason I'm so sure, though, that public-key messaging might rise in popularity, though, is due to, currently an invitation-only and free public-key service that manages keys and handles encryption tasks in the browser or via command-line tools — but which also provides substantive and useful ways to validate your public key to other people's satisfaction.

Visit my profile on, and you see that I've verified myself in several ways. I posted a tweet with a code provided by Keybase, posted an item to my Github repository, added a special text-only DNS record, and uploaded a file to my web site. This is probably a good set of vectors that no other person should be able to hijack without being noticed.

The nice part of Keybase is that as it expands outside of its invitation-only phase, it will provide a common place for people to upload keys or generate new ones, and validate themselves all at once. Although Keybase doesn't operate keyserver software (for a variety of reasons, obscure and otherwise), you can click on the key of anyone's profile, and up pops a window from which you can save that person's public key or copy it.

GPG Keychain lets you paste a public key into the main window or import the public key file. Then you can immediately confirm that key against the fingerprint on the site in the same pop-up window.

None of this is, shall we say, straightforward. But neither does it require the level of tweakiness and complexity of years past. Once set up, you can send and receive encrypted emails with other people who use PGP simply by remembering or retrieving your key's passphrase. And that takes us a lot closer to reliably encrypted communications on demand than we have been until now.


Previous Page  1  2  3 

Sign up for Computerworld eNewsletters.