Tuesday, August 20, 2013

Encrypt Your Email on Your Mac

After you're done Torifying, as described in my last post, the next step in securing your online life is email encryption. As it's now common knowledge that our emails are basically government property, you'll want some technology on your side to keep your emails private when they absolutely have to be. The technology is called PGP, or Pretty Good Privacy. Most people can install it to work with their email clients relatively painlessly, but for PowerPC users, there are a few hoops to jump through first.

You're gonna need to install GnuPG. GPGTools used to be the go-to people for distributing OS X binaries, but they stopped developing for PowerPC, so we're gonna have to compile it ourselves, which requires XCode. You can then compile gnupg with Macports or Tigerbrew (see this Tigerbrew issue first), or roll your own following the easiest build instructions ever. Linux users can simply install gnupg with your package manager. Let me interject with a brief cautionary tale. If OS X users are thinking of installing gnupg2 instead, don't, unless you can work the command line to make gpg-agent play nice with Enigmail (UPDATE: Or maybe it's a pinentry problem. Hmmmm.). If you don't know what that means or don't care, stick with gnupg and you'll save yourself some serious hair-pulling.

Now that gnupg is nestled safe in one of our various /bins, it's time to start up our email client. This is where all of you are going to convert to Tenfourbird, you pissant holdouts, and use a client for grown-ups. You're gonna need the add-on Enigmail, but you can't install it the normal way 'cause it's not compiled for PowerPC. So you need to go to Tenfourbird's download page, pick up the Enigmail add-on for your processor, then install it by dragging it to Tenfourbird's Add-ons Manager (invoked by Tools --> Add-ons) or choosing "Install Add-on From File..." from the tool menu inside said Add-on Manager.

Linux users can simply install Enigmail with your package manager (I'm beginning to sense a pattern). If you're on Debian, you're using Icedove, and on Ubuntu it's Thunderbird, but Tenfourbird, Thunderbird, Icedove, they're all the same.

Now when you restart Tenfourbird, you'll see a new menu item, OpenPGP. This is where you create your public and private keys. You need one public key to share with your contacts and one private key to keep to yourself. Then you can start encrypting and decrypting like you're Julian Assange wanted by the world police. From the OpenPGP menu, select Preferences and make sure it's pointing to the correct gpg binary, whether it's in /opt/local/bin or /usr/local/bin or wherever. Close that, then from the OpenPGP menu, select Setup Wizard and from there it's pretty self-explanatory. By default it sets your keys to expire in five years, but you can change that later using gpg from the command line. In fact, you could do all this from the command line which would give you a better understanding of how all this stuff works. Anyhow, once the Setup Wizard generates your keys, you should export them to file for keeping in a safe place with OpenPGP --> Key Management and then right-clicking on your key and selecting Export Keys to File. It may also have been necessary to go into Tools --> Account Settings and select OpenPGP Security under your account to enable OpenPGP support, but I'm having a memory lapse.

In case of other memory lapses, check out this link and this one for more detailed instructions and with pictures, too. Of particular interest are how to exchange public keys and also how to revoke a key if you do something stupid like email your private key in an unencrypted attachment through a Gmail server (oops*).

Here I'll mention a few caveats. First, Tenfourbird had a GUI bug where the OpenGPG menu on the Compose window wouldn't show check marks by the "Encrypt Message" item after being selected, but the encrypt icon in the status bar illuminates and the "Encrypt Message" item in the main menu is correctly checked. So just be aware of that.

Also, Gmail users, or I guess IMAP users generally, will want to be very cautious of how your draft messages are saved. It should always prompt you to save a draft as encrypted, but if for some reason you hit the wrong button, your super-secret private message will end up unencrypted on a basically public server. Just to be safe, I have my client set to save all drafts locally like this (picture is of Tools --> Account Settings):

Tenfourbird account settings

Also, some general Tenfourbird performance tips: checking "Enable Global Search and Indexer" in Preferences --> Advanced --> General will slow performance as it's indexing, so you can uncheck it if you don't want it. And if you don't want to download all your IMAP messages locally, uncheck "Keep messages for this account on this computer" from Account Settings --> Synchronization & Storage.

What about Mail.app, you ask? There's an old GPG plug-in you can download from Mediafire. GPGTools just revamped their website and took it down literally days ago. The plug-in won't work with the gpg binary in /opt/local, so you'd need to compile it yourself into /usr/local. In that case, you may need to generate your keys from the command line as I don't see a way to generate them through the plug-in. There's more on that from this page last modified in 2009, meaning it's very unsupported and you should probably move on.

For users who prefer a web mail interface, there's a couple of Firefox add-ons. One is WebPG which has "experimental" Gmail integration, and the other is Mailvelope which is in alpha, so alpha that you have to compile it yourself. But they both look very promising for the future.

All that said, I'm really impressed with Tenfourbird. I'd always clung to Mail.app when I was just downloading from a POP account, but when I started spawning several Gmail addresses, I made the switch and it handles everything great, including encryption. And you can even torify it with Jacob Appelbaum's TorBirdy add-on. And if you ever want to suppress the user agent from email headers, GHacks has a page about it right here.

*Lucky it was just practice.

6 comments:

  1. That GPG Mail plugin, you wouldn't happen to have a Leopard compatible version would you?

    ReplyDelete
    Replies
    1. I never downloaded it myself. The closest I could find was the Leopard version on this page, but the download link to its Source Forge page is dead :-(

      Delete
    2. I've found the Leopard version with the help of the Wayback Machine here:
      https://github.com/downloads/GPGTools/GPGTools/GPGTools-20110711.dmg
      Apparently the download it's self is still located on their server, They just removed the download link from their site. I found it by going to this page:
      https://web.archive.org/web/20111017231546/http://www.gpgtools.org/installer/index.html
      on the Wayback Machine and copied the download link into Safari's url/address bar. I've actually used this trick before to obtain older (PPC compatible) version of apps & other utilities that are seemingly no longer available for download.

      There was a problem with this older version of GPGTools however. Halfway through the installation process, the installer hung & the installation script failed. After a reboot the scripts seemed to have damaged the startup items & launch daemons. Long story short, I had to reboot off my month old backup disk. If you or anyone else want to modify the installer package and it's scripts to work correctly on PPC, be my guest. But because of this I can't exactly recommend this old GPGTools release to anyone.

      Delete
    3. I think that 2011 version might be for Snow Leopard. The download file for the Leopard version is named "GPGMail-1.2.0.dmg", but it doesn't seem to exist anywhere on the web.

      Thanks for the Wayback tip. I didn't realize files on github were just left there!

      Delete
    4. The strange part though was that they said the installer was universal binary. It mentioned that some components were intel only or required 10.6, but implied that the installation of those components would be skipped if not compatible. Perhaps they only tested the package's contents to see if they worked on ppc then just assumed the scripts would work too without actually testing.

      Also that trick works on more than just github, and simultaneously the trick isn't guaranteed to work. It can work on any site so long as the file it's self is still uploaded to their server. Sure the web designers delete those older links, but not everybody does their job. Sometimes maintenance guys forget to do spring cleaning when it comes to older files & data, and that's exactly what this trick exploits.

      Delete
    5. I seem to have finally found all the various tools for our old systems. Below are the various WayBack pages where I found them.
      GPGMail can be found here: https://web.archive.org/web/20130723013000/https://gpgtools.org/gpgmail/index.html
      GPGKeychain can be found here: https://web.archive.org/web/20130318062319/https://www.gpgtools.org/keychain/index.html
      A binary release for the GPG framework/engine can be found here: https://web.archive.org/web/20130318062344/https://www.gpgtools.org/macgpg1/index.html
      And even a release of GPG2 for PPC can be found here: https://web.archive.org/web/20130514175256/https://gpgtools.org/macgpg2/index.html
      I also seem to have found out why the main installer crashed my system: https://web.archive.org/web/20160902171554/https://gpgtools.lighthouseapp.com/projects/65162/tickets/102
      That ticket seems to imply that PPC support for the main installers wasn't fully tested.
      I haven't actually tried any of these downloads out yet as I'm still a little nervous after what happened last time.

      Delete