In light of recent revelations about the suspected warrantless wiretapping being conducted by the NSA on citizens, I felt it was only appropriate to write a brief how-to guide on getting and using GPG for the Mac. GPG (GNU Privacy Guard) is the GNU project’s GPL-licensed implementation of PGP, which stands for Pretty Good Privacy. The design is relatively easy once you see how it works. PGP is an encryption standard that creates two keys. One key is public and the other is secret. The public key can be given out freely to anyone who wants it; there are also key servers which you can query using names, email addresses, or key IDs to obtain the public PGP key of someone you are trying to reach. You keep your secret key safe; that’s what enables you to decrypt anything that was encrypted with your public key.
An example is perfect for this. Let’s say I wish to have a private conversation with my friend Chris. He has my public key and I have his public key. I open up my Mail.app application on my Mac, address the mail to Chris, and select his public key. I want the message to be encrypted so only he can read it, and signed so he can verify that it came from me. I send the message, it arrives at his system, and he uses his Mail application to decrypt the message and verify that I really sent it. Nobody but Chris and me has any idea what the conversation is about. You can do this with emails, chats, and files. All you have to do is make sure the public key servers have your public key and that your secret key is well and truly secret.
This makes wiretapping meaningless. If everyone communicates with each other using PGP (or GPG), and they should, then there is no reason to fear wiretapping of any kind. If your message is intercepted by an unknown third party, like the government, they can’t decrypt the message because they don’t have the recipient’s secret key.
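The exchange with Chris and the failed interception described above, replayed with the `gpg` command-line tool. This is an added example, not part of the original post; it assumes GnuPG 2.1 or later on the PATH, and the names, addresses and throwaway keyrings are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway keyrings stand in for "me", Chris and an
# eavesdropper ("Eve"). Names, addresses and paths are made up.
demo_dir=$(mktemp -d)
ME="$demo_dir/me"; CHRIS="$demo_dir/chris"; EVE="$demo_dir/eve"

cleanup() {  # stop the per-keyring agents and delete the demo keys
  for h in "$ME" "$CHRIS" "$EVE"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null
  done
  rm -rf "$demo_dir"
}
trap cleanup EXIT

# g <homedir> <gpg args...>: run gpg non-interactively against one keyring.
# --trust-model always and the empty passphrase are demo shortcuts; with real
# keys, compare fingerprints with the owner and protect the secret key.
g() {
  home=$1; shift
  gpg --homedir "$home" --batch --quiet --trust-model always \
      --pinentry-mode loopback --passphrase '' "$@"
}

setup_keys() {
  mkdir -m 700 "$ME" "$CHRIS" "$EVE"
  g "$ME" --quick-generate-key 'Me <me@example.org>'
  g "$CHRIS" --quick-generate-key 'Chris <chris@example.org>'
  g "$ME" --export me@example.org | g "$CHRIS" --import     # Chris gets my public key
  g "$CHRIS" --export chris@example.org | g "$ME" --import  # I get his
  g "$ME" --export | g "$EVE" --import  # Eve holds public keys only
}

send_to_chris() {  # encrypt to Chris's public key, sign with my secret key
  printf '%s\n' "$1" | g "$ME" --armor --sign --encrypt \
      -r chris@example.org -u me@example.org
}

chris_reads() {  # decrypt with Chris's secret key; signature result is logged to $demo_dir/status
  g "$CHRIS" --status-file "$demo_dir/status" --decrypt 2>/dev/null
}

eve_reads() {  # no secret key for this message, so gpg exits non-zero
  g "$EVE" --decrypt 2>/dev/null
}

setup_keys
msg=$(send_to_chris 'lunch at noon?')
echo "Chris reads: $(printf '%s\n' "$msg" | chris_reads)"
grep GOODSIG "$demo_dir/status"
printf '%s\n' "$msg" | eve_reads || echo "Eve: decryption failed"
```

With real keys, drop `--trust-model always` and check the key's fingerprint with its owner before encrypting to it; a key fetched from a key server by name or email address is not verified by that lookup alone.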
Now, on to the nitty-gritty details:
1) Download and then install GPGTools starting here: https://gpgtools.org/installer/index.html
2) Open GPGTools-2013.5.20.dmg and install GPGTools.
3) If you don’t have a secret key, the installer will start the GPG Keychain Access program and offer to help you create public and secret keys for all the email accounts that you have associated with yourself in your Addressbook. If you have secret keys to import, skip this step.
4) Eject the GPGTools-2013.5.20.dmg disk image.
5) Follow instructions here: http://support.gpgtools.org/kb/how-to/first-steps-where-do-i-start-where-do-i-begin
6) Find, download, and install GPGMail-2.0b6.dmg
7) Start Mail.app, enjoy.
Once more people adopt encryption strategies like this, along with other ways to protect yourself, such as 1Password, AES-256 encrypted sparsebundle disk images and openssl, you can take an active role in protecting yourself. There is no point in expecting the government to alter their design; there is nothing in it for them. It’s a fool’s errand to discuss right and wrong in this situation. The best thing any of us can do is take that extra step and secure our communications by ourselves. The natural and proper response to the violated trust between citizens and their government lies not in some form of meaningless expulsion of hot air but rather in technology, through encryption. It’s fine if they want to snoop; let them snoop not on text, but on encrypted data.
I’ve written about this before, but not on this scale. Before, I wrote about how you should not trust cloud services like Dropbox or Google Drive. You can still use them as the mules that they are, keeping data in sync and ubiquitous, but in order to be fully secure, well, a great idiom comes to mind: “God helps those who help themselves.” Deploying an AES-256 encrypted sparsebundle disk image in Dropbox is the best of both worlds. You get the protections that Dropbox and Amazon offer (HA HA HA) and you get the protections your AES-256 disk image provides. You know you are safe no matter what anyone tries to do to break in. For the time being, AES-256 is a great way to secure your communications, virtual belongings, and your freedom online.
Encrypt it all.
P.S. You can find all my public keys on the key servers as well as here: http://www.windchilde.com/bluedepth/pgp-public-keys/