In my previous tutorial, I wrote about digitally signing emails in Apple Mail to ensure that an email being sent or received is verified as coming from a trusted source. While this does nothing to hide the contents of the email from prying eyes, it does serve to identify the users involved in sending and receiving messages at a more secure level.
If a message being received on your email client cannot be verified, chances are the message in question could have been modified during transit. This alerts you to proceed cautiously, as its integrity may have been compromised.
Before we look at the steps to send and receive encrypted email in Apple Mail, let's go over the requirements.
- Apple computer running OS X (10.9+)
- Personal certificate (self-signed or issued from a third-party CA)
- Public certificate for each user you intend on sending encrypted email to imported to the certificate store
- Email account configured in Apple Mail
Send encrypted email
1. Create a new message to your intended recipient. Before a message can be encrypted, a signed message must first be sent to the user(s) you wish to exchange encrypted messages with (Figure A).
2. After sending the message, you'll be prompted to allow the Mail.app to sign the email with your public certificate. Your public certificate will be used by recipients to encrypt future messages sent to you, so a copy of your public certificate will be included in this initial message (Figure B).
3. Once the user(s) receive your initial message your public certificate will be added to their certificate store and used to verify your signed messages. This will make up one-half of the encryption process; the second half will occur when the recipients reply to your signed message in-turn, providing you with a copy of their public certificate (Figure C).
4. The reply message from your recipients will prompt them to allow Mail.app to sign their message with their public certificate. Once they allow this, the email will be delivered to your inbox and a copy of their public certificate will be imported into your certificate store and stored in Keychain (Figure D).
5. The process is completed when both parties have exchanged public certificates. Now when replying to or creating a new message to the user(s) you've exchanged certificates with, the padlock icon will be available for the sender to enable encryption (Figure E).
6. By clicking the padlock, encryption will be enabled, and the message will be viewable only by the recipients that have provided you their public certificates (Figure F).
With encryption in place, the contents of sensitive emails can be secured from unintended parties, as this information can only be decrypted by the intended recipient's private certificate when enabled.
Subsequently, any recipients included in an encrypted email that have not exchanged public certificates with the sender will not be able to decrypt the messages until the certificates have been exchanged. Until then, encrypted messages will display an error stating that the message cannot be viewed.
Share your experiences
Have you implemented encrypted email at your site? If so, I'd love to hear about your experiences in certificate exchanges, or any troubles communicating via encrypted messages. Let us know in the comments.
- Obama calls on tech-gov't partnerships to solve problems, talks Apple-FBI showdown (TechRepublic)
- Why citizens need encryption as a fundamental human right (TechRepublic)
- Five free apps for encrypting email (TechRepublic)
- Email encryption: Using PGP and S/MIME (TechRepublic)
- Encryption Policy (Tech Pro Research)
- Encryption for Everyone: The free service that will change how you think about security (ZDNet)
Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 15 years of experience and multiple certifications from several vendors, including Apple and CompTIA.