Encrypted E-mail in macOS Mail

E-mail encryption and digital signatures can be accomplished using a standard called S/MIME, which uses public key cryptography and X.509 certificates. You can obtain certificates from a trusted certificate authority, but you can also create your own "self-signed" certificates using the Mac's Certificate Assistant program.

Basics of Certificates for E-mail

A certificate contains a public/private key pair plus various information about the identity of the user, intended uses of the certificate, an expiration date, and so on. In order for a user Jason to send a digitally signed e-mail to another user Diane, Jason's e-mail program will use the private key from his certificate, but in order for Diane to verify the signature, she must have the public key part of Jason's certificate. In order for Jason to send an encrypted message to Diane, he must have Diane's public key to encrypt it, and then Diane will use her private key to decrypt it. Thus, to establish two-way secure communication, each person must have a full certificate including a private key, and must have the other person's public key.

The easiest way to exchange public keys is by e-mail, but one might worry about someone intercepting a message and substituting a different key. Instead you could exchange public keys on thumb drives sent by physical mail or courier.

A certificate can either be created as a self-signed root, or can be issued by a certificate authority. It isn't possible to get Apple Mail to accept a self-signed root certificate, so we'll use an organization certificate authority and have that issue a certificate.

Requesting a Certificate from CUES

(Screenshot: CSR Request)
The first step in using a certificate for e-mail encryption is to request a certificate from a certificate authority (in this case, CUES). To do this, download this file. It is a compressed file. Double-click it to uncompress it, then open the resulting file (CUES CA.certAuthorityConfig). The Certificate Assistant application will launch and present a window requesting your information so that a certificate request can be sent to the certificate authority (in this case, CUES).
Type your e-mail address into the 'User Email Address' field and click Continue. A new e-mail message with an attachment will be created; send that message without any modifications. You can now click the 'Done' button in Certificate Assistant. Now you wait for CUES to create your certificate.
 
Once CUES receives your certificate request, we will generate a certificate and send it to you with instructions on how to install it on your computer. To get your password for the certificate, enter the passphrase that was sent with the certificate in the field below and click 'Retrieve'.
 
 
After installing your certificate, quit the Mail application and open it again so that it reads your new certificate.
 

Receiving Encrypted Email 

Once your certificate is installed, you will be able to receive encrypted (S/MIME) e-mails. As discussed above, in order to receive encrypted e-mails, the person sending you e-mail has to have your public key. If you haven't already, quit and reopen the Mail application.
 
(Screenshot: New Email, signing e-mail)
The Mail application makes it easy to send your public key to someone (and for them to send theirs to you). When you create a new message, you will see some additional buttons on the right side of the 'Subject' line. The first (the lock) encrypts the message and the second sends your public key with the message. So before someone can send you encrypted e-mails, you have to send them your public key. Check the box to activate the button that digitally signs the message (i.e. includes your public key in the message), then send them a message saying that you would like to exchange encrypted e-mail and asking them to send you their public key. When they receive the e-mail, your public key will be installed in their Keychain Access application. Now, when they send you e-mail, the lock button will be active and they can check it to encrypt e-mail to you.
 

Sending Encrypted Email 

(Screenshot: New Email, encrypting e-mail)
When someone sends you their public key, the key will be installed in your Keychain Access application. Now when you send them e-mail, the lock button will be active and you will be able to click it to enable e-mail encryption. Only the body and attachments are encrypted; the e-mail headers (including the subject line) are not.

 

The Importance of Your Private Key 

(Screenshot: wrong keys)
When you receive an encrypted message, it is actually an S/MIME attachment that was encrypted with your public key. If you have deleted your private key (this is really bad), the message will show a single attachment named 'smime.p7m'. All the content of the message is encrypted inside that file. Once you restore your private key, you will be able to read the message.
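The following script is an added example; it is not part of the original page, and it is not code from CUES or from James W. Walker. It walks through the same S/MIME flow the Basics section and the certificate-request section describe, using openssl on the command line instead of Certificate Assistant and Mail: a stand-in organisation CA ("Example Org CA", constructed here in place of CUES) issues e-mail certificates from CSRs for two constructed users, Jason and Diane; Jason signs a message that Diane verifies; Jason encrypts to Diane's public key; and, for this section's point about the private key, the script shows that the ciphertext is the 'smime.p7m' attachment and that any key other than Diane's fails to open it. It also prints the certificate fingerprint that the two parties should compare out of band, the check against the key-substitution worry mentioned under Basics. It assumes only that openssl (1.1.1 or 3.x) is on the PATH; everything else is generated in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original page, CUES or James W. Walker).
# Assumptions: openssl 1.1.1 or 3.x on PATH; the CA name, user names and
# e-mail addresses below are constructed for the demo.

WORK="${SMIME_DEMO_DIR:-$(mktemp -d)}"

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Stand-in for the organisation CA (CUES in the text): a self-signed root.
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -subj "/CN=Example Org CA" -days 365 -out "$WORK/ca.crt" 2>/dev/null
}

# issue_identity NAME EMAIL: the user generates a key pair and a CSR carrying
# the e-mail address (what Certificate Assistant mails to the CA); the CA
# answers with a certificate restricted to e-mail protection.  The private key
# is written only to $WORK/NAME.key and never goes to the CA.
issue_identity() {
  name="$1"; email="$2"
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$name.key" -subj "/CN=$name/emailAddress=$email" \
    -out "$WORK/$name.csr" 2>/dev/null
  {
    echo "basicConstraints = CA:FALSE"
    echo "keyUsage = critical,digitalSignature,keyEncipherment"
    echo "extendedKeyUsage = emailProtection"
    echo "subjectAltName = email:$email"
  } > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# SHA-256 fingerprint of NAME's certificate: what the recipient of a public
# key sent by e-mail should compare over a second channel before trusting it.
cert_fingerprint() {
  openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# Jason signs with his private key; Diane verifies against the CA she trusts.
# Returns 0 only if the signature verifies and the recovered text matches.
sign_and_verify() {
  printf 'Please start encrypting mail to me.\n' > "$WORK/signed-body.txt"
  openssl smime -sign -in "$WORK/signed-body.txt" -signer "$WORK/jason.crt" \
    -inkey "$WORK/jason.key" -out "$WORK/signed.eml"
  openssl smime -verify -in "$WORK/signed.eml" -CAfile "$WORK/ca.crt" \
    -out "$WORK/verified.txt" 2>/dev/null || return 1
  # S/MIME canonicalises line endings to CRLF; strip CR before comparing.
  tr -d '\r' < "$WORK/verified.txt" | cmp -s - "$WORK/signed-body.txt"
}

# Jason encrypts to Diane's certificate (her public key); only her private key
# opens it.  Returns 0 only if Diane can decrypt, the ciphertext is carried as
# the smime.p7m attachment the text mentions, and Jason's own key cannot open it.
encrypt_and_decrypt() {
  printf 'The sensitive part.\n' > "$WORK/secret.txt"
  openssl smime -encrypt -aes256 -in "$WORK/secret.txt" \
    -out "$WORK/encrypted.eml" "$WORK/diane.crt"
  grep -q 'smime.p7m' "$WORK/encrypted.eml" || return 1
  openssl smime -decrypt -in "$WORK/encrypted.eml" -recip "$WORK/diane.crt" \
    -inkey "$WORK/diane.key" -out "$WORK/decrypted.txt" 2>/dev/null || return 1
  tr -d '\r' < "$WORK/decrypted.txt" | cmp -s - "$WORK/secret.txt" || return 1
  # The "deleted private key" case: without Diane's key the body stays opaque.
  if openssl smime -decrypt -in "$WORK/encrypted.eml" -recip "$WORK/jason.crt" \
       -inkey "$WORK/jason.key" -out /dev/null 2>/dev/null; then
    return 1
  fi
  return 0
}

smime_demo() {
  make_ca
  issue_identity jason jason@example.org
  issue_identity diane diane@example.org
  echo "Diane's certificate fingerprint (compare by phone, not e-mail):$(cert_fingerprint diane)"
  sign_and_verify && echo "Jason's signature verified by Diane"
  encrypt_and_decrypt && echo "Diane decrypted the message; Jason's key could not"
}

smime_demo
```

The working directory is left in place so the generated `.eml` files can be opened and inspected (note the `filename="smime.p7m"` header on the encrypted one); remove it with `rm -rf "$WORK"` when done. On the Mac itself, `security find-identity -v -p smime` lists the identities (certificate plus private key) that Mail can use for S/MIME, which is a quick way to confirm that an installed certificate landed in the keychain with its private key before relaunching Mail.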
 

Some Final Thoughts

At this time, our recommendation is to sign your messages only when you want to give someone the ability to send you encrypted e-mail, and then to sign only the first message to that person, letting them know you want them to encrypt any e-mails they send you that contain sensitive information. Do not sign every message you send.
 
Portions of this information were taken from this document: http://www.jwwalker.com/pages/secure_email.html. The author is James W. Walker.