Secure Mail with S/Mime or OpenPGP on Mac Mail or Thunderbird


Most of the documentation for this seems to be pretty obsolete, as things have really shifted around. The main issue is that there are two big security holes right now. The big tradeoff is that you can be more completely open source and use OpenPGP, but then you can’t use your iPhone conveniently, as Apple doesn’t support OpenPGP and won’t allow competitive mail clients.
Or, you can use S/Mime and then you can use iOS Mail, but you have to figure out how to use self-signed certificates since the last thing you want is for the NSA or a hacker to get into a certificate authority and your private keys.
Net, net, I did get OpenPGP to run, so here are the steps with OS X Mavericks, the latest version of Thunderbird on the Mac, and GPGMail 2.0, which is OpenPGP for Macs:

  • Download the software.
  • Generate keys with OpenPGP. For the paranoid, 4096-bit RSA looks good.
  • Your most vulnerable points are the pass phrases: if you forget them, you lose *all* the mail that was encrypted, but if someone learns the pass phrase, you are really toast.
  • You generate the keys in GPG Keychain Access using the New entry. This creates some files that are themselves encrypted. You have to get them over to other systems though, so you need to export them in the clear to somewhere safe (like a Truecrypted file on a USB key) when you give them to other machines.
  • To make this work with Thunderbird, you load Enigmail and then set a bunch of parameters in Tools/Account Settings/Open PGP.

Getting S/MIME to work is really undocumented, so here goes (see http://www.extinguishedscholar.com/wpglob/):

  • Start the Keychain Access and choose Certificate Assistant/Create a Certificate.
  • When the screen comes up and asks for Name, type in the *email name* you want. You need a separate certificate for each email, and it isn’t clear that Mac Mail (see below) is using this name to decide how to match certificates. Then choose “Let me override defaults”.
  • Pick a validity period longer than 365 days, as it is a pain to manage this. The default in OpenPGP is three years, which isn’t so bad.
  • Go through the defaults until you get to Key Usage Extension, where you have to select at least four things: signing, certificate signing, key encipherment and data encipherment. If you only do signing, then you can’t encrypt.
  • When you get to Basic Constraints, make sure to click on the options and select “use this certificate as certificate authority”.
  • This certificate isn’t trusted by default, so when done, you click on the certificate, open up the trust section, choose secure mail and select Always Trust. See “Mail (Mountain Lion): Use personal certificates in Mail”.
  • Now when you restart Mac Mail and create mail from that email, you should see two tiny icons on the lower right of the header light up. These are sign and encrypt (the lock).
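
The Key Usage and Basic Constraints choices from the steps above can be confirmed once the certificate has been exported in .cer form. The following is an added example, not part of the original post; it assumes the text layout of OpenSSL's `x509 -text` dump, and the function name, file name and sample dumps are constructed for illustration.

```sh
# Added example. Reads `openssl x509 -noout -text` output on stdin and prints
# each setting from the steps above that the certificate lacks, ';'-separated.
# Returns 0 (and prints nothing) only when all five are present.
smime_cert_check() {
    dump=$(cat)
    # In OpenSSL's dump the values sit on the line after each extension header.
    usage=$(printf '%s\n' "$dump" | awk '/X509v3 Key Usage/ {getline; print; exit}')
    basic=$(printf '%s\n' "$dump" | awk '/X509v3 Basic Constraints/ {getline; print; exit}')
    missing=""
    for flag in "Digital Signature" "Certificate Sign" "Key Encipherment" "Data Encipherment"; do
        case "$usage" in
            *"$flag"*) ;;
            *) missing="${missing}${flag};" ;;
        esac
    done
    case "$basic" in
        *CA:TRUE*) ;;
        *) missing="${missing}CA:TRUE;" ;;
    esac
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Constructed sample dumps (extension section only), not from a real certificate.
GOOD_CERT='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE'
SIGN_ONLY_CERT='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE'

# Real use, on the exported certificate (file name is a placeholder; -inform DER
# assumes a DER-encoded .cer):
#   openssl x509 -inform DER -in mycert.cer -noout -text | smime_cert_check
printf '%s\n' "$SIGN_ONLY_CERT" | smime_cert_check || printf ' <- missing\n'
```

A certificate that lists only Digital Signature is reported as missing the two encipherment usages, which is the sign-but-not-encrypt case the Key Usage step warns about.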

Now this works for Mac Mail, but I haven’t gotten it to work with Thunderbird 24.0. Here is what I’ve tried:

  • For Thunderbird, there appears to be a bug where Enigmail hangs if you try to go to S/MIME, with GPG2 running at 100% and the thing unresponsive, so you should disable Enigmail before starting on Thunderbird and using S/MIME.
  • Now you need to export the S/MIME certificate by going to Keychain Access, right clicking on the certificate and exporting it in both .p12 and .cer form. And don’t forget the pass phrases that you use for these things.
  • Now go to Thunderbird/Preferences/Advanced/Certificates and choose Import.
  • Now this certificate isn’t trusted, so you need to install it again as a .cer and edit trust to make sure it allows signing of certificates. But at least on my Thunderbird, it says that the certificate is installed but doesn’t display it.

Now to get this running on iOS you have to do the following (see http://hints.macworld.com/article.php?story=20111219061438541):

  • Enable S/Mime in Settings/Mail
  • Email yourself the .p12 file and on iOS double click to install
  • For some reason the certificate I generated can sign but it can’t encrypt.
  • When you get a signed email, you will see a little check next to their name. Click on the name and install the certificate so you can later encrypt to them. You can then send them encrypted stuff.
  • Now go to settings/Mail, Calendar and Contacts and select the mail account and then scroll down to Advanced, turn on S/Mime and
  • One issue is that encryption is global for an email account, so it is pretty inconvenient to actually use, since you have to go down and toggle it.
