Apple Security

PGP on Mac OS X with MacGPG2

10 Jan 2012
5 minutes read

The goal of this tutorial is to get PGP (Pretty Good Privacy) up and running, create a public (shared) key and the corresponding private key. With them it is possible to encrypt information like mails, documents and files in a very secure and asymmetric way so that only a specified recipient can decrypt and open them.

PGP Cheatsheet

There are many implementations for PGP on OS X, however the one we’ll be using in this tutorial is MacGPG, a Mac OSX port of GPG (GNU Privacy Guard). It follows the OpenPGP standard, is completely free and offers an easy to use installer. To have a handy overview about the gpg terminal commands I’ve created a small cheetsheet in PDF-Format a while ago.

GnuPG Logo

Installing PGP

  1. Get a copy of MacGPG2 from the projects github repository. It’s not a bad idea to get the MD5 checksum of your download with the terminal command md5, followed by the filename of your download and to compare it to the official checksum of MacGPG2’s current version.
  2. Mount the disk image and follow the installation instructions.

Generating a public (shared) key

  1. Open the Terminal and type gpg --gen-key to start the whole process.
  2. Select (2) DSA and Elgamal.
    RSA and DSA/Elgamal are both considered to be very secure, but until more recently, GnuPG didn’t use RSA, so legacy GPG users might have a problem.
  3. Confirm the default DSA keysize of 2048 bits
  4. Confirm 0 = key does not expire and then again by entering y.
    For most purposes, either accepting the default or specifying 1y for one year, should be appropriate.
  5. Now GnuPG wants to construct a user ID to identify your key
    Enter Real name, then Email addres and then optionally a Comment. Confirm by entering o for (O)kay.
  6. Now you should get a dialogue box, asking you to enter a passphrase. The passphrase is a crucial part of the system since it’s the only thing that protects your private key in case your system should get compromised. It’s very important that you don’t lose your passphrase. Without it your key pair is useless and you won’t be able to decrypt messages sent to you using that key pair.
    Now GPG will start generating a key pair. During this period, GPG will ask you to do some activity on with your computer. This serves the purpose of creating more randomness (which computers in general are not very capable of) and helps in generating a more secure key.
  7. GPG will print the outcomes of its activity on the terminal, after the key pair has been generated.

Key management

In order for someone to be able to send encrypted messages or files to a receiver, that someone needs to get hold of the receivers public key. For example the receiver could post a ASCII armored file somewhere on the internet or use one of many special keyservers on the web.

Listing your keys

  1. By entering gpg --list-keys you can list a short overview of your public keys.
  2. By entering gpg --list-secret-keys you can list a short overview of your private keys.

Export your public key

If you want to share your public key by yourself — maybe on your website, maybe engraved on your doorplate — you need to export it as a ASCII armored file first:

  1. Within Terminal app, switch to a folder where you want your file to be created at.
  2. Type gpg -ao publickey.asc --export name@domain.com where ‘publickey.asc’ should be substituted with your desired filename and ‘name@domain.com’ with the email-address belonging to your key.
  3. After a second you should have your ‘publickey.asc’ file created in the folder you switched to in step one. It should look similar to our public key file.

Using keyservers to share your public key

If you use a keyserver to publish your public key, you might want to create a revocation certificate first, to be able to tell the keyserver that the key is no longer valid if you lose it somehow or it gets compromised.

Create revocation certificate

  1. In the Terminal, switch to a folder where you want your certificate to be created at.
  2. List your public keys with the command gpg --list-keys.
  3. The line pub 2048D/XXXXXXXX 2010-07-04 is important, as ‘XXXXXXXX’ is the ID for your public key, which you will need in the next step.
  4. Enter gpg -ao certificate.asc --gen-revoke XXXXXXXX, where ‘XXXXXXXX’ is the ID for the key.
  5. Enter a number from 0 to 3, to specify a reason for the revocation, 0 or 1 are probably good choices here.
  6. Now enter a description for the certificate, if you want to.
  7. Confirm your inputs by entering y.
  8. After a moment you should have a file ‘certificate.asc’ created. It might look similar to your ASCII armored file, but most likely shorter

Upload your public key

  1. Inside the Terminal, list your public keys with gpg --list-keys.
  2. Again, the line pub 2048D/XXXXXXXX 2010-07-04 is important, as ‘XXXXXXXX’ is the ID for your public key, which you will need in the next step.
  3. Enter the command gpg --keyserver keyserverurl --send-keys XXXXXXXX, where ‘XXXXXXXX’ is the ID of your key.
  4. A example for a keyserver url is hkp://pool.sks-keyservers.net, a network of keyservers which regularly synchronizes with each other. Search the web to find others if you like to. You can validate the correct upload of your public key by entering gpg --keyserver keyserverurl --recv-key XXXXXXXX with your according data replacing ‘keyserverurl’ and ‘XXXXXXXX’

Export your private key

Its quite important to have a backup of your private key, because if you loose it, you will be unable to retrieve any information encrypted by your public key. For security reasons, we will also encrypt your private key backup with a passphrase and output it as an ASCII armored file.

  1. In the Terminal, switch to a folder where you want your encrypted private key to be created at.
  2. List your private keys with gpg --list-secret-keys.
  3. The line sec 2048D/XXXXXXXX 2010-07-04 is important, as ‘XXXXXXXX’ is the ID for your private key, which you will need in the next step.
  4. Enter the command gpg -a --export-secret-keys XXXXXXXX | gpg -aco privatekey.pgp.asc, where ‘XXXXXXXX’ is the ID of your key.
  5. Now you will be promted to enter a passphrase and confirm it.
  6. After a moment you should have a file ‘privatekey.pgp.asc’ created. It might look similar to your ASCII armored file.