
Configuring GnuPG (Mac OS X)

On this page we want to show you how to install and set up GnuPG for Mac OS X to encrypt your mail and text files. Detailed instructions on GnuPG can be found on the project's website. Furthermore, we will introduce you to some useful tools that ease your work with GnuPG.

If you are looking for a public key to import into your keychain, you can Ask a Key Server.

General Notes

GnuPG is a command-line oriented encryption system, compatible with PGP 5 or higher, which was developed for UNIX and its derivatives. Since Mac OS X is based on BSD UNIX, GnuPG can be used on this system as well.

The Mac GNU Privacy Guard project works hard to port this software to the Mac OS X platform and to develop various tools that let users take advantage of all functions of GnuPG through graphical user interfaces. All tools presented here are still under development; functionality and usability will improve constantly.

GnuPG is published under the GNU General Public License and is therefore freely available.

Installing GnuPG

To install GnuPG you will need administrator rights on the system! If you are not an administrator of the system, you will not be able to install the software.

  1. Download GNU Privacy Guard, unstuff it, e.g. with StuffIt Expander, mount the resulting disk image by double-clicking it and open the volume "GnuPG for Mac OS X".
  2. Now double-click "GnuPGOSX.pkg"; in the window that appears click the lock and enter the admin password. Confirm with OK and follow the on-screen instructions.
    GnuPG Installation

Key Generation

The following step is also explained in the detailed Instructions on GnuPG.

Please note that this step has to be done by every single user of your system who does not already have keys, e.g. from PGP for Mac OS!

If you have never used PGP or any other PGP-compatible encryption software based on asymmetric encryption before, you have to generate a keypair right after installing the software. Please find more information on asymmetric encryption in the section Technical Info (German).

To move on, please open the application "Terminal".

On its first invocation GnuPG will create a directory inside your home directory to store private and public keys as well as the configuration file. This directory will be hidden; you will not be able to see it in the Finder!

  1. First a keypair has to be generated. You will have to answer several questions; we will try to help you to the best of our ability. Execute the following command on the command line (input is marked red; confirm your input by pressing the enter key):

    [localhost:~] user% gpg --gen-key
    gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it
    under certain conditions. See the file COPYING for details.
    
    gpg: directory `/Users/hans/.gnupg' created
    gpg: new configuration file `/Users/hans/.gnupg/gpg.conf' created
    gpg: WARNING: options in `/Users/hans/.gnupg/gpg.conf' are not yet active during
    this run
    gpg: keyring `/Users/hans/.gnupg/secring.gpg' created
    gpg: keyring `/Users/hans/.gnupg/pubring.gpg' created
    Please select what kind of key you want:
       (1) DSA and Elgamal (default)
       (2) DSA (sign only)
       (5) RSA (sign only)
    Your selection? 1
    

    DSA is the standard for signing text; ElGamal is a strong algorithm for encryption. Therefore we encourage you to choose option 1.

    DSA keypair will have 1024 bits.
    ELG-E keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 4096
    Requested keysize is 4096 bits

    Here you should choose a length of 4096 bits for your key. In short: the longer the key, the more secure it is against brute-force attacks.

    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 0
    Key does not expire at all
    Is this correct (y/N)? y
    

    Here you have to tell the system if and when the key should expire. In general you do not need a key that expires, so you should choose 0, the default value, and simply confirm it.

    If you think your key should only be valid for a limited period, enter a number, optionally followed by a period code: 5w for 5 weeks, 8m for 8 months, 2y for 2 years. If you just enter a number, it is taken as the number of days until your key expires.

    You need a user ID to identify your key; the software constructs the user ID
    from the Real Name, Comment and Email Address in this form:
        "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
    
    Real name: John Smith
    Email address: john.smith@zeitform.de
    Comment: no secrets                  
    You selected this USER-ID:
        "John Smith (no secrets) <john.smith@zeitform.de>"
    
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    

    Now your user ID will be created. You can add more IDs later. The ID consists of your full name, your email address and an optional comment. Choose your ID with care, since it cannot be changed later!

    You need a Passphrase to protect your secret key.
    
    Enter Passphrase: 1 Passphrase should be long @nd complicated!
    Repeat Passphrase: 1 Passphrase should be long @nd complicated! 
    

    To prevent your key from being misused by others, GnuPG encrypts it with a symmetric algorithm. Therefore you have to choose the passphrase with care as well.

    Under no circumstances should you choose the passphrase used in this example! Neither should you choose the names of loved ones, birth dates or any word found in a dictionary. Please find more information on how to choose better passphrases in the section Technical Info.

    For your own protection the passphrase is not echoed; you will not be able to see what you type. For security reasons you have to enter the passphrase twice.

    Congratulations! You're done. GnuPG will now create both your secret (private) key and your public key. This can take some time, depending on the size of your key, so please be patient! Afterwards you can make use of a powerful encryption system on your Mac OS X.

    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    +++++++++++++++.+++++++++++++++...++++++++++++++++++++++++++++++.++++++
    +++++++++++++++++++.++++++++++++++++++++.++++++++++++++++++++.+++++....
    +++++...>+++++...............>+++++.<+++++........+++++
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    ..+++++.+++++.+++++++++++++++++++++++++.+++++.++++++++++.++++++++++.+++
    ++++++++++++++++++++++++++++++++++++++++++..+++++++++++++++++++++++++++
    +++.+++++...+++++>++++++++++>+++++.................+++++^^^^^
    gpg: /Users/hans/.gnupg/trustdb.gpg: trustdb created
    gpg: key 80EEFCB2 marked as ultimately trusted
    public and secret key created and signed.
    
    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    pub   1024D/80EEFCB2 2004-12-17
          Key fingerprint = 526B 9A10 AC4E DF93 D097  914E 9B55 76CA 80EE FCB2
    uid                  John Smith (no secrets) <john.smith@zeitform.de>
    sub   4096g/06A49AE2 2004-12-17
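The dialogue above can also be driven from a parameter file, which is handy when you set up several users or want to rehearse key generation in a throw-away directory before touching ~/.gnupg. What follows is an added example, not code from this page or from the Mac GNU Privacy Guard project; it uses GnuPG's documented unattended key generation keywords (doc/DETAILS) and reproduces the walk-through's choices: 1024-bit DSA, 4096-bit ElGamal subkey, no expiry, and the page's sample name, comment and address. Current GnuPG releases no longer default to DSA/ElGamal, so adjust Key-Type and Key-Length before generating a key you intend to keep.

```shell
#!/bin/sh
# Added example: unattended counterpart of the interactive "gpg --gen-key"
# session above. Keyword names are GnuPG's unattended key generation format
# (doc/DETAILS); the name, comment and address are the page's sample values.

# Write a parameter file with the walk-through's choices.
# Arguments: real name, comment, e-mail address, passphrase, output path.
write_gen_key_params() {
    name="$1"; comment="$2"; email="$3"; passphrase="$4"; out="$5"
    : > "$out" && chmod 600 "$out"       # the file carries the passphrase
    cat > "$out" <<EOF
%echo Generating a DSA/ElGamal keypair for $email
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 4096
Name-Real: $name
Name-Comment: $comment
Name-Email: $email
Expire-Date: 0
Passphrase: $passphrase
%commit
%echo done
EOF
}

# Check the file before handing it to gpg: every keyword the walk-through
# relies on must be present and %commit must appear, otherwise a typo could
# silently fall back to gpg's defaults (or generate nothing at all).
gen_key_params_ok() {
    for keyword in Key-Type Key-Length Subkey-Type Subkey-Length \
                   Name-Real Name-Email Expire-Date Passphrase; do
        grep -q "^$keyword: " "$1" || return 1
    done
    grep -q '^%commit$' "$1"
}

# Generate the pair inside the given GnuPG home. Pass a fresh directory from
# "mktemp -d" to rehearse; pass "$HOME/.gnupg" for the real thing.
generate_keypair() {
    gnupghome="$1"; params="$2"
    gen_key_params_ok "$params" || { echo "bad parameter file" >&2; return 1; }
    mkdir -p "$gnupghome" && chmod 700 "$gnupghome"   # gpg expects 0700 here
    GNUPGHOME="$gnupghome" gpg --batch --gen-key "$params"
    rm -f "$params"                                   # passphrase leaves disk
    GNUPGHOME="$gnupghome" gpg --list-keys --fingerprint
}

# Typical use (commented out so the file can be sourced): read the passphrase
# instead of typing it on the command line, where the shell history would keep it.
#   printf 'Passphrase: '; stty -echo; read -r pw; stty echo; echo
#   params=$(mktemp)
#   write_gen_key_params "John Smith" "no secrets" "john.smith@zeitform.de" "$pw" "$params"
#   generate_keypair "$(mktemp -d)" "$params"
```

The parameter file is created with mode 0600 and deleted right after gpg has read it, because unlike the interactive dialogue it contains the passphrase in clear; rehearsing with a temporary GNUPGHOME keeps a test key out of your real keyring.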
    

Importing Existing Keys from PGP for Mac OS

Please note that this step has to be done by every single user of your system who already has keys, e.g. from PGP for Mac OS!

Please note further that, to succeed with this step, PGP for Mac OS has to be installed in the Classic environment, including all its system extensions.

If you have already been working with encryption software under Mac OS, you can still use both your private key and all your public keys. You only have to export the existing keys and import them into GnuPG.

If you are using this encryption system for the first time, please jump to the chapter Key Generation.

  1. Open the application "PGP Keys". Select all keys that you intend to use with GnuPG. Choose "Export" from the "Keys" menu.

    Make sure to activate the options "Include Private Keys" and "Include 6.0 Extensions" in the dialog that appears. Save the file as "Exported Keys" inside your user directory under Mac OS X (Harddrive:Users:Username).
    Export from PGP

  2. Open the file just created with a text editor, e.g. BBEdit Lite, and convert the Macintosh line breaks into UNIX line feeds. Save the file as "Importable Keys".
    Changing Linebreaks

    Alternatively you can launch the application "Terminal" and type the following (input is marked red; confirm your input by pressing the enter key):

    [localhost:~] user% tr -d '\r' < "Exported Keys" > "Importable Keys"
    
  3. On its first invocation GnuPG will create a directory inside your home directory to store private and public keys as well as the configuration file. This directory will be hidden; you will not be able to see it in the Finder!

    To import all public keys into GnuPG type the following command in Terminal:

    [localhost:~] user% gpg --import "Importable Keys"
    
  4. To import your private key into GnuPG execute the following command:

    [localhost:~] user% gpg --import --allow-secret-key-import "Importable Keys"
    

    Congratulations! You have now successfully installed GnuPG and can encrypt your messages. Continue with the chapter GPGPreferences – GnuPG Options to learn how to set up GnuPG's options.
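Steps 2 to 4 above as one script, added here as an example rather than code from the page. One caveat worth knowing: tr -d '\r' only works when the export uses CR LF pairs. A file whose lines are separated by a bare CR, as classic Mac OS text files are, loses all its line breaks and collapses into one line, which gpg will not accept. The helper below first detects which separator the file uses and then converts both forms to LF; the gpg options used are GnuPG's own.

```shell
#!/bin/sh
# Added example: line-ending conversion and import of a "PGP Keys" export.
# Not code from the page; the gpg options are GnuPG's own.

# Report the line separator a file uses: "cr" (classic Mac OS), "crlf"
# (Windows and many armored exports) or "lf" (UNIX).
line_ending_style() {
    dump=$(od -An -c "$1" | tr -d ' \n')   # bytes as escapes, e.g. a\r\nb\r\n
    case "$dump" in
        *'\r\n'*) echo crlf ;;
        *'\r'*)   echo cr ;;
        *)        echo lf ;;
    esac
}

# Turn CR LF and bare CR into LF (stdin to stdout). Strip the CR of CR LF pairs
# first; only then convert the remaining bare CRs, so CR LF does not become two
# line feeds. Unlike "tr -d '\r'", a CR-only file keeps its line structure.
normalize_linebreaks() {
    cr=$(printf '\r')
    sed "s/$cr\$//" | tr '\r' '\n'
}

# Convert the export and import it into the given GnuPG home (default ~/.gnupg).
import_pgp_export() {
    exported="$1"; gnupghome="${2:-$HOME/.gnupg}"
    importable="$exported.lf"
    echo "export uses $(line_ending_style "$exported") line endings" >&2
    normalize_linebreaks < "$exported" > "$importable"
    chmod 600 "$importable"                   # it holds your secret key
    # GnuPG 1.4 and later import secret keys with a plain --import; the page's
    # --allow-secret-key-import is accepted for compatibility but not needed.
    GNUPGHOME="$gnupghome" gpg --import "$importable"
    rm -f "$importable"                       # keyring has it now; no copies
}

# Typical use:
#   import_pgp_export "$HOME/Exported Keys"
```

The converted copy is removed once the import has finished: the file contains your private key, and the only place it should live afterwards is the keyring GnuPG protects with your passphrase.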

GPGPreferences – GnuPG Options

Normally you edit the options file with a text editor to change user-defined options in command-line oriented programs.

Since this is not the usual way for Macintosh users, you can take a different route by installing GPGPreferences. With it you can change all relevant options in an additional pane in "System Preferences".

Basically you can leave the options as they are. Just make sure to choose an appropriate server under "Key Server" so that GnuPG can import keys it does not yet have when needed. If you choose the option "Automatically retrieve keys from server while verifying", the keys needed will be fetched automatically when you verify the signature of a message.
GPGPreferences
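For readers who do prefer the text editor, here is what those two panel settings look like in gpg.conf, the file GPGPreferences edits on your behalf. This is an added example, not code from the page or from GPGPreferences; the option names are GnuPG's own, and the default key server URL is an assumption to be replaced with the server you chose in the panel.

```shell
#!/bin/sh
# Added example, not from the page or GPGPreferences: the two settings the
# panel exposes, written directly into gpg.conf. The option names are GnuPG's;
# the default key server URL is an assumption.

# Set the key server and enable automatic retrieval in $GNUPGHOME/gpg.conf.
# Re-running replaces earlier keyserver lines instead of stacking them.
# Trade-off of auto-key-retrieve: gpg contacts the server whenever it verifies
# a signature from a key it lacks, so the server learns which signatures you
# check and network reachability becomes part of signature verification.
configure_keyserver() {
    gnupghome="${1:-$HOME/.gnupg}"; server="${2:-hkps://keys.openpgp.org}"
    conf="$gnupghome/gpg.conf"
    mkdir -p "$gnupghome" && chmod 700 "$gnupghome"
    [ -f "$conf" ] || : > "$conf"
    # keep everything except old keyserver / keyserver-options lines
    grep -v '^keyserver' "$conf" > "$conf.tmp" || true   # grep -v fails on empty result
    {
        cat "$conf.tmp"
        echo "keyserver $server"
        echo "keyserver-options auto-key-retrieve"
    } > "$conf"
    rm -f "$conf.tmp"
    chmod 600 "$conf"
}

# Read the configured server back, e.g. to verify the change from a script.
configured_keyserver() {
    awk '$1 == "keyserver" { print $2 }' "${1:-$HOME/.gnupg}/gpg.conf"
}

# Typical use:
#   configure_keyserver "$HOME/.gnupg" "hkps://keys.openpgp.org"
#   configured_keyserver "$HOME/.gnupg"
```

If you later decide you would rather fetch keys deliberately, delete the keyserver-options line and GnuPG will fall back to reporting an unknown key instead of contacting the server during verification.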

GPG Keychain Access – Keymanagement

To manage both private and public keys you can use GPG Keychain Access, whose design and graphical interface are similar to the PGP suite for Mac OS. This application lets you import and export public keys to pass them to the people you want to communicate with. Moreover you can generate and sign new keys. You can even search for keys on key servers.
GPG Keychain Access

GPGMail – GnuPG in Apple Mail

GnuPG is mainly used for communication through email. To ease encryption and signing of emails, the Swiss company Sen:te created GPGMail, a plug-in for "Mail", which comes with Mac OS X. An additional panel lets you set up all options.
GPGMail

You can execute the commands for signing, encryption and decryption from an additional menu inside "E-Mail" or by using the new buttons in the toolbar.
GPGMail in use

Enigmail – GnuPG in Thunderbird, Mozilla or Netscape

With Enigmail, the "Mozilla" community developed an extension for the email clients inside the browser suites "Mozilla" and "Netscape" as well as for the standalone email client "Thunderbird". It provides a new menu with all the options necessary for encrypting and decrypting or signing messages. Buttons in the message windows expose all functions needed.

Message window of Mozilla showing Enigmail functions

Furthermore, "Enigmail" comes with substantial key management of its own, which makes GPG Keychain Access unnecessary.

EntourageGPG – GnuPG in MS Entourage

Users of "Entourage", which comes with MS Office, can also make use of the main functions of GnuPG. Simon Kornblith developed a set of AppleScripts and offers them with a nice installer as EntourageGPG for free.
EntourageGPG

After installing the AppleScripts you will find the new entry "EntourageGPG" in the Scripts menu, giving you the possibility to call the main functions for encrypting and decrypting your emails.

Eudora-GPG – GnuPG in Qualcomm's Eudora

Users of Qualcomm's Eudora can make use of AppleScripts written by Richard Chang, which are available as Eudora-GPG for free.

MailSmith-GPG – GnuPG in BareBones MailSmith

Users of BareBones MailSmith can make use of AppleScripts written by Alessandro Ranellucci, which are available as MailSmith-GPG for free.

GPGDropThing – Encryption of Text Files

If you are using an email client which does not already have an interface to GnuPG, or if you want to encrypt or decrypt text files, you do not need to use the command line. GPGDropThing is an application into which you can type text, or drop it via drag and drop, and then sign or encrypt it. Or vice versa: paste the encrypted text into the window and choose the decrypt command. After entering your passphrase you will see the information in cleartext.
GPGDropThing

You can call GPGDropThing from within every application able to edit text. Using the "Services" menu you have access to the four most used commands of GnuPG: Encrypt, Decrypt, Sign and Verify.
GPG Services
