How to encrypt your email
Reader Jack Burns is a bit disconcerted by some recent news. He writes:
After reading stories about the U.S. government’s program to collect phone and Internet data I’m a little concerned about my email privacy. What can I do to encrypt my email?
I’d first suggest that you take a gander at How To Protect Your PC From PRISM Surveillance from my pals over at PCWorld. As its name implies, it offers some hints on how to attempt to make your computing life more private.
I use “attempt” for good reason. Without being overly paranoid about it, there’s every chance in the world that if the NSA and other government agencies want to read your email—encrypted or not—a way will be (or has been) found. On the other hand, the vast majority of the email we generate would be of no interest to your second-cousin, much less the government.
Still, these recent events do provide a perfect excuse for running through the steps for encrypting your email on a Mac. They go this way:
Obtain and install a personal certificate
You must first get your hands on a personal certificate. This is a small file, added to the Mac’s keychain, that verifies your identity in sent mail. Symantec sells such things for $23 per year (you can also try one for free for 25 days). You’ll need a separate certificate for each email address you wish to send encrypted messages from.
You’ll be asked to register your email address with the certificate seller. An email message will be sent to that address that contains a link to the certificate. A password will also be sent to you. Click on the link and your default web browser will launch and take you to the certificate download page. Enter the password you received, click Continue, and the certificate will download to your Mac.
Double-click on it and Keychain Access should launch and install the certificate. You’ll know that it has if you see the certificate when you click the Certificates category in Keychain Access.
Encrypting your mail
Now that you’ve installed the certificate, launch Apple’s Mail and create a new message. In the New Message window choose the account you’ve obtained the certificate for from the From pop-up menu. To the right of that pop-up menu you’ll see a couple of buttons that you haven’t seen before. The first is the Encrypt button that’s almost certainly grayed out. The second is the Digital Signing button. By default, this button will bear a check mark, indicating that when you send a message from this account it will be certified to be well and truly from you. Click that button, and you turn off digital signing.
In order for the Encrypt button to become active, you must have a certificate from the person you’re sending the message to—their public key, in the parlance of the encryption game. And that means that they too must have installed a certificate. If that condition has been met, this is how the exchange works.
You first send a digitally signed (not encrypted) message to them. When you do this, your public key is also sent to them and added to their list of certificates. They then reply to that message using their certified address. In that reply is their public key, which will be added to your keychain. Now that the two of you have swapped keys, the Encrypt button will become active when you enter their address in a new message’s To field.
Complicated? Yes, a little. But it makes sense that each party has a key to unlock the other’s messages. This is something to bear in mind for company email that you want protected from a competitor or personal email that you’d prefer not be seen by friends or family. But, again, it’s unlikely to do you any good with agencies that possess The Big Key.