My PGP Info
I’m currently using a key with the ID of 6A9C5F59. Its full fingerprint is:
30D1 B2EF ECD0 BCA9 EBFA E13A CC77 A709 6A9C 5F59
Publishing the fingerprint and full public key in several places helps you be more certain that this key actually belongs to me. So I’ve included the key on my Twitter bio; put the fingerprint in the sidebar of this website, in this tweet, and on my employer's website; and published my full public key both on the MIT Public Key Server here and at https://s3.amazonaws.com/pgp.johnkeefe.net/6A9C5F59.asc.
These keys have belonged to me in the past, but I am no longer using them:
Most email these days zips across the internet in an open format someone can read in transit — even though the sender’s and receiver’s mailboxes are password protected. In that way, emails are more like postcards.
Encryption can help keep information private in transit. PGP, or “Pretty Good Privacy,” is one way to encrypt email and other text. (GPG stands for “GNU Privacy Guard,” and is basically the same thing.)
Encrypting email seems like one of the most natural ways to communicate securely, but it’s unfortunately complicated to set up. I’ve jumped in, and I'm sharing my steps here so they might help others.
Caveat & credit
I’ll say upfront that I am not an expert on encryption or operational security. By any means. I'm a journalist who would like the option of keeping his communications secure. If your life or livelihood depends on secure communications, please rely on resources provided by experts.
Also, I’ve benefited from generous journalists who are more experienced and have shared their tips and tricks. These include Jeff Larson, Mike Tigas, Harlo Holmes and Aurelia Moser. Look up their stuff. They’re awesome.
Here, then, is how I started using encryption for email.
First I downloaded the GPG Suite at gpgtools.org for my system, which is Mac OS. My apologies, but I’m not familiar with GPG on other platforms.
Since the whole point of this effort is security and integrity, I wanted to be sure the file I downloaded was an exact copy of the file distributed by the GPG developers — and not something that was altered or corrupted. There are helpful verification steps described here. Here’s what I did:
- Opened Terminal
- Went to my Downloads folder and checked the name of the downloaded file (yours may be different, depending on the current version), then ran:
  /usr/bin/openssl sha1 GPG_Suite-2015.03-b6.dmg
- The part after the equals sign is a “hash” of the file, providing a kind of fingerprint based on all of the data in the file. It will be different for different versions of the software.
- I compared that result with the SHA-1 hash posted on the gpgtools.org website (again, yours may be different — though the two should match)
- That's a match, so I'm good.
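Eyeballing two long hex strings is where this check tends to go wrong, so here is a small shell script (added here as an example; it is not from the original post or from GPG Suite) that does the comparison for you. It assumes only that `openssl`, `sha1sum` or `shasum` is installed; the same normalisation lets it compare a key fingerprint shown by GPG Keychain against one published with grouping spaces, like the one at the top of this page.

```shell
#!/bin/sh
# Added example: verify a downloaded file's SHA-1 against the hash the vendor
# published, and compare PGP fingerprints regardless of spacing or case.

# Print the SHA-1 of file $1 as lowercase hex, using whichever tool exists.
file_sha1() {
    if command -v openssl >/dev/null 2>&1; then
        # openssl prints "SHA1(name)= <hex>"; the hash is the last field
        openssl sha1 "$1" | awk '{print tolower($NF)}'
    elif command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print tolower($1)}'
    else
        shasum -a 1 "$1" | awk '{print tolower($1)}'
    fi
}

# Normalise a hash or fingerprint copied from a web page: drop spaces,
# tabs and line breaks, and fold to lowercase.
normalise_hash() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-Z' 'a-z'
}

# verify_sha1 FILE EXPECTED -> 0 on match, 1 on mismatch, 2 if unreadable.
# A mismatch means the download was altered or corrupted: do not install it.
verify_sha1() {
    file="$1"
    expected=$(normalise_hash "$2")
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(file_sha1 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# fingerprints_match A B -> 0 if the two fingerprints are the same key,
# whether written as "30D1 B2EF ..." groups or as one lowercase run.
fingerprints_match() {
    [ "$(normalise_hash "$1")" = "$(normalise_hash "$2")" ]
}
```

Usage: `verify_sha1 GPG_Suite-2015.03-b6.dmg '<hash from gpgtools.org>'` and act on the exit status rather than on what it prints.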
(Now that I’ve been using a version of GPG I trust, when I download updates I also use GPG to do a verification. Here’s how I do that.)
Having verified the software is intact, I launched the .dmg file to install GPG Suite. The suite contains a set of modules. One is called “GPG Keychain,” and another modifies Apple Mail, which likely came with your computer, so it can send and receive encrypted email.
Make a new key
Once everything was installed, I launched "GPG Keychain" from my Applications folder.
I then made a new key, with the “New” icon. (If you have an existing key, you can look it up with “Lookup Key,” searching by your email address or name, and import it.)
- I use my real name, so people can find me in key services
- The email address matches the one I use to send and receive my email
- I upload my public key so people can find me
- I use the longest key possible
- I have my key expire
- I use a strong passphrase (GPG tools warns you if you don’t)
Making a key this way publishes your “public key” to the world. It also stores your super-secret “private key” on the computer you are using. This “private key” is what GPG Keychain and Apple Mail will use to decode messages sent to you. It is super important to keep it super secret. This means things like using a strong passphrase, using full-disk encryption on your computer and keeping your private key off cloud services like Dropbox. Some folks keep it off their computers entirely and use a sub-key instead.
Make a revoke certificate
This was an important step, I learned. If my private key gets lost, stolen or otherwise compromised, I need a way to disable it even if I don’t have it. A revoke certificate does that.
In GPG Keychain, I clicked on my key and then went to the top menu to Generate Revoke Certificate ...
I keep the resulting file in a safe place apart from my key.
Now I fire up the Apple Mail app. If all is working well, there is a shiny green "OpenPGP" box at the top edge of a new message window.
And in the Mail preferences, there’s now a GPG window with happy indicators.
As you can see, I’ve chosen to encrypt and sign all of my Mail emails whenever possible.
If things are not working well, here are a couple of bumps I hit and solved:
- My Mail email account’s address needed to match the address in my key. Another option is to add a second “User ID” to the key, which I did by going into GPG Keychain, clicking on the key, clicking on “User ID” and clicking on the + sign.
- I hadn’t used Mail before, and it seemed to hang initially. Turns out it was actually downloading all of my online mail. This can take hours(!). When it was done, I restarted Mail and things worked.
Sending encrypted email
To send someone an encrypted email, I go to “GPG Keychain” and look up their public key, either with their email address or — even better — with their PGP key fingerprint.
As a test, I used teammate Alan Palazzolo’s fingerprint to search for his key, and then imported it.
Switching back to Mail, I typed his email address into the "To:" field and the lock icon turned blue. That means I’m ready to send him an encrypted message. (The second symbol indicates I have digitally signed the email, which is useful but not an indication that it is encrypted. The lock is what I want.)
Importantly, the subject line and other meta information, including the fact that he and I are corresponding at all, are not encrypted. Also, I trust Alan to keep our conversation private, but there’s really nothing preventing him from copying a decrypted version of my note and posting it on the internet.
What do I have wrong?
This stuff gets complicated, fast. If Citizen Four is any indication, even journalists working on the most sensitive stories make mistakes with “OpSec,” or operational security.
If you see a mistake here, or have links to more resources, please let me know. You can leave a message in the comments … or send me an encrypted email.
Top photo (CC) David Bruce / Flickr