A Mac User's Guide to Encrypted Email

Information has become a commodity.  Ensuring that information is private as well as authentic can be key to evaluating the worth of its content.  But one of the most overwhelming problems with encrypting email is the fact that most people don't understand how to go about securing their messages.  Encryption can be used to keep the contents of an email safe from prying eyes.  A digital signature, which comes with the same certificate, can be used to certify that the message a person receives was actually issued by the individual listed in the message's From field.  Email encryption is a process that is simply convoluted for the average computer user.  Mac users are no exception, so here's a rundown on the ins and outs of encrypted email.

What is needed in order to send encrypted email?
Most web mail services lack the features required to encrypt email messages, beyond (at best) communication with people in the same domain.  As a result, an email client application is required.  Most mature email applications support S/MIME signed and encrypted messages.  On the Mac, the big names are Apple Mail and Microsoft Entourage.  Since Entourage is my email client of choice (one that I regret on a weekly basis at times), we'll mainly cover that.  It's worth noting that Entourage is actually more complicated to configure for encryption than Apple Mail, which in some ways makes the configuration process almost invisible.

With a bona fide email client selected, it's time to obtain the certificate.  Strictly speaking the certificate does not do the encryption: your browser generates a public/private key pair, and the certificate is a signed statement from the issuer binding the public key to your email address.  Correspondents use your certificate to encrypt messages to you and to verify your signatures; the private key, which never leaves your machine, is what decrypts and signs.  There are at least a half dozen reputable certificate authorities that issue X.509 certificates for S/MIME, but most charge for the service.  Thawte.com is one institution with a long track record of offering free personal email certificates.  In order to issue a certificate, Thawte requires a fair amount of personal information.  Be aware of what the free certificate actually attests, though: Thawte verifies that you control the email address (by mailing a confirmation to it), so the certificate vouches for the address, not for your name, which appears as "Thawte Freemail Member" unless you later have your identity verified through Thawte's Web of Trust notaries.  Simply put, fill out the forms requesting the email certificate and wait.  Once the information is validated, an email is sent to the requested account to let the user know the certificate has been generated.

The certificate process is mildly painful, and can be thoroughly confusing.  For Mac applications to use the Thawte certificate, the certificate and its private key must both be resident in the Mac OS Keychain.  Getting them there can be something of a problem unless you know the tricks.  First of all, the browser you use when making the certificate request is key, because that browser generates and stores the private key: the certificate Thawte sends back is only useful in the browser that holds the matching key.  When I went through the process, I used Firefox 2.0.  In making the request, it's actually necessary to select which browser you are using to make the request.  As Safari isn't even an option on the list, I recommend using Firefox.

Once the request has been completed, as mentioned before, it's necessary to wait a period of time while your address is validated.  Once that is done, Thawte issues an email to the requesting email address to indicate that the certificate has been issued.  When returning to Thawte, it is essential to once again use Firefox, and the same Firefox profile, since that is where the private key lives.  Upon logging into the account created on the initial visit, there will be a message indicating that the certificate can be added to the browser by simply clicking a link.  Once the link has been clicked, there is only a succinct message indicating that the browser now has the certificate installed.  The problem here is that installing the certificate in the browser does nothing to make it, or the private key, available to the email client software.  That brings us to trick number two.

Select Preferences from the Firefox menu in Firefox.  Then click the Advanced button at the top of the preferences window, and finally click View Certificates near the bottom of the window.  Listed in the tab under Your Certificates are a series of certificates grouped hierarchically under different issuing parties.  Look for a list of certificates under the heading Thawte Consulting (Pty) Ltd.  Any and all certificates generated by Thawte will be listed here.  If there is more than one certificate listed, pay attention to the Expires On date and make sure the most recently issued certificate is selected; the expiry date should be one year from the date it was issued.  Simply click once on the new certificate and then click the Backup button.  The backup is a PKCS#12 (.p12) file containing the certificate together with its private key, which is the whole point of the exercise: the private key is what the browser has been holding, and it is what the email client needs.  Firefox will prompt for a password that will be used to encrypt the exported file.  Choose a strong one: anyone who obtains the file and guesses the password can read your mail and sign as you, so treat the .p12 like the key it is and delete it (or move it somewhere safe) once it has been imported.

Now that the certificate and key have been exported, the next step is to import them into the Mac OS keychain so they can be made available to the email application.  Simply open Keychain Access, found in /Applications/Utilities.  Select Import from the File menu and browse for the file exported from Firefox.  Once the file has been selected, Keychain Access will prompt for the password designated when the backup was made from Firefox.  Once the password is supplied, the certificate and private key are added to the keychain.  The certificate can be found by selecting My Certificates on the left side of the main Keychain Access window; that category only lists certificates whose private key is also present, so if the new certificate shows up there, the key came along with it.

Now we're in the home stretch.  Once the certificate has been imported into the keychain, the email application should have access to it.  Now we just need to make Entourage aware of the certificate.  To do that, select Accounts from the Tools menu of Entourage.  In the list of accounts, double click on the account that will be used to send and receive encrypted email.  Select the Security tab at the top of the window, then use each of the Select buttons to designate your certificate in both the Signing Certificate and Encryption Certificate areas.  Once this is done, Entourage is ready to sign messages, and to encrypt them to anyone whose certificate it holds.

It's worth mentioning that Apple Mail seems to eliminate this intricacy.  Once the certificate is in the keychain, the OS and the Mail app seem to be smart enough to associate the certificate with the email account in Mail (by matching the email address in the certificate to the account's address) and eliminate the need to manually select the certificate used to sign and encrypt messages.  That being said, my experience with Apple Mail is more limited, so I cannot be certain that this is always the case.

Now that we're ready to send a secure message, there are some more intricacies to consider.  Encrypting a message to someone requires their certificate (their public key), and the standard way to obtain it is for them to send you a signed message, because a signed S/MIME message carries the signer's certificate inside the signature.  The reverse holds too: before anyone can encrypt a message to you, they need a signed message from you.  A signed message does not itself let the recipient decrypt anything; it lets them verify that the message came from you, and it hands their client your certificate for encrypting replies.  In order to send a signed message, simply create an email to the desired recipient, then select Message > Security > Digitally Sign Message from the menu while in the message window.  Depending on their email client, the recipient may need to manually add your certificate to your entry in their address book in order for the client to encrypt future messages to you automatically.

Once a signed email has been received from a contact, it should be possible to send encrypted messages to that same contact by selecting Message > Security > Encrypt Message from the menu when within the message composition window.  Now that we should be done and ready to exchange secure email messages with another individual, there is just one more stumbling point to consider.  In my experience, at least with Entourage, I could not send a secure email to my intended recipient until they had gone through the same process of generating and installing a certificate in their email client.  This is not a quirk of Entourage: the users on either end of the conversation must each have the other's certificate on file before secure messages can be exchanged in both directions.  As a result, before a conversation can be secured, each party must first send the other a message that has only been signed, thereby giving each the certificate needed to encrypt the secured messages that will follow.

Now users simply need to remember to select the option to encrypt messages as they send them.  In Entourage, this means selecting the encrypt option each time a message is sent to someone who is known to accept encrypted messages.  I believe Mail makes this process more streamlined with more intelligent logic in the Mail client, but again I am not certain.

All of this brings us to the current problems with encrypted email.  The entire process is entirely too convoluted and painful.  In order to communicate securely with another individual, both parties must go through a lengthy configuration process.  Once that's done, assuming it can be completed without either individual simply giving up on the idea, it becomes necessary to fight with the email client to the point where it can successfully fulfill its own requirements prior to sending secure messages.  Then, finally, if the individual sending the first message in a thread forgets to manually select the option to encrypt the message, it will still be sent unsecured and in the clear.

Users who routinely use both an email client and a web mail interface to access the same email account will find that web mail is simply not equipped to deal with encryption at the level a dedicated email client can.  Opening an encrypted email via the web mail interface demonstrates that the message really is protected: the contents can't be read, because the web mail server has no access to the private key sitting in your keychain, which is exactly as it should be.

In summary
Encryption is a powerful way to secure communication sent over a very insecure system.  Though many consider encryption necessary only when someone has something to hide, many people simply value their privacy.  The current worldwide implementation of email has been described as the equivalent of sending a postcard to a friend via the postal service: the contents of the message are exposed for all to see both while the message is in transit and while it is sitting in the recipient's inbox.  Encryption offers a means to seal that message in an envelope that can only be opened by the holder of the designated recipient's private key.  Two caveats apply: S/MIME encrypts the body and attachments but not the headers, so the sender, recipient and subject line still travel in the clear, and the envelope is only as strong as the recipient's protection of that private key.

For all of its flaws, encrypted email has its place and a wide variety of uses.  Unfortunately it cannot become mainstream until the process is simplified, making the technology available to those who are not technically proficient or infinitely patient.

Interested in more detailed information on the technical side of email encryption?  Wikipedia has a detailed explanation of the different means by which email can be secured.  The method discussed above is S/MIME; the other widely used scheme, OpenPGP (GPG), uses a different message format and a different trust model and does not interoperate with it.


22 Responses to A Mac User's Guide to Encrypted Email
  1. Anonymous

    Apple Mail does make the whole thing seamless, but how do I get it to choose a particular cert? I have a few different ones in my Keychain, but it seems to have just picked the first one I installed.

  2. smanke

    A great question. I did some testing in Apple Mail. It did automatically see that there was a cert in my keychain that corresponded with the email account I was using and I was able to encrypt my mail by just clicking the lock icon in the email message. No configuration was needed for Mail once the certs were in my keychain.

    Unfortunately, as you pointed out, there doesn’t seem to be a way to specify which cert is used when encrypting the email. Hopefully this will be one of the many refinements 10.5’s mail will offer.

    As far as encryption goes, Mail is much easier to use than MS Entourage.

  3. lemoose

    Well, Mail picks the certificate matching your accounts’ email addresses…

  4. Anonymous

    Hi again (same anon),

    Yeah, both my certs correspond to the same email address. The ability to choose a cert would be a nice refinement for 10.5; I can certainly envision situations where I would want to identify myself differently to different groups of people.

  5. Anonymous Freak

    Yeah, Apple Mail does make it easier. And if you have multiple certs for one email address, it does just pick the first one. (I think if you receive a message certified by the second authority, it will use that one in the reply, but I can’t confirm, as I haven’t actually sent a message using my second authority.)

    If only it were easier to GET a certification that works with Apple Mail. (aka: Thawte should support Safari, because I imagine Safari would automatically insert the cert into the keychain for all apps.)

  6. Anonymous Freak

    P.S. Here is a screenshot that shows how Apple Mail handles it.

    The first time you try to send using your certificate, Keychain just asks if you want to allow this use. If you say ‘Always’, it will never ask again. (You do have to follow all the steps to get the cert in your keychain, though.) If Apple Mail detects a cert for your email address, it simply shows those buttons. If it doesn’t, you don’t see the buttons.

  7. smanke

    Anonymous Freak,

    Thanks for the clarification! The screen shot is perfect.

    If Apple Mail only had the ability to hide read messages in my inbox, I would be willing to switch to Mail full time. As it is now, my workflows rely on Entourage’s ability to toggle any mail folder between show all and show unread with a keystroke.

    If anyone knows how to do the same in Mail, I’ll dump the bloated software that is Entourage!

  8. anon

    smanke: I don’t know if this would cover your needs, but you can create a smart folder in Mail that shows unread messages and another that shows read messages. It can’t be toggled with a keystroke that I know of, but it’s just one mouse click.

  9. Anonymous

    I got the certificate generated and into the keychain. Woohoo! Apple Mail is now showing that my messages are signed, but I can’t encrypt them. Is this normal?

  10. smanke

    I’m not terribly experienced with Apple Mail, but I suspect you can’t encrypt because you haven’t first sent a signed message to the recipient. Once they have a signed message in their possession, they will have the info they need to decrypt the following messages. I’m not sure that’s the cause of the issue in Mail, but Entourage did something similar to me. Sending a signed message first got me around the issue. Though I did need the person on the other end to have their own encryption enabled before I could send to them as well.

  11. Anonymous Freak

    In order to encrypt a message, you have to have the recipient’s certificate, too. So you would have to receive a signed message FROM the person you are sending to at least once.

    Then it doesn’t matter if they have encryption enabled or not. For example, in my linked-to screenshot, the lock button is available because I am sending to myself, therefore I already have my own certificate.

    If I go to send an email to someone for the first time, and they have never sent me anything, I will be able to ‘sign’ my message, but not encrypt it. When they reply, and include their own certificate, I will be able to encrypt it.

    If I get a signed message from someone else that I have never emailed, I WILL be able to sign and encrypt the return message, because they sent their certificate with their message.

    The way the encryption works is by encrypting using BOTH certificates. The ‘private’ key of your own, and the ‘public’ key of the recipient. To decrypt it requires the opposite. The private key of the recipient, and the public key of the sender. This ensures that ONLY the person you are sending to can open it. Even if someone in the middle has both of your public keys, they can’t decrypt it, it requires one public, and one private.

  12. Anonymous Freak

    P.S., if you want to send a test message, you can send it to “ed” at the domain my example picture is hosted at. When you send to me, you will only be able to ‘sign’ your message. But when I reply, you will get my certificate, and will then be able to encrypt it. (I will reply unencrypted the first time, even though I would be able to reply encrypted since you sent your certificate to me already in your first message.)

  13. smanke

    Anonymous Freak,

    Thanks for the detailed explanation. I wasn’t clear on those details when I wrote the post. Your reply filled in the pieces I wasn’t clear on.

    The explanation was a perfect completion for the story!

  14. Anonymous

    Actually http://www.joar.com/certificates/ is a more detailed guide and has been around for ages.

    And you Thawte users out there, don’t forget to visit your local web of trust persons, so your certificate has your own name instead of “thawte freemail member”

  15. smanke

    The joar.com post was very useful. Thanks!

  16. Anonymous

    Is this system compatible with GPG, or does it only work with other Thawte members?

  17. smanke

    This will work with anyone using certificates regardless of the vendor. I believe GPG is a different technology entirely so they won’t be compatible.

  18. lonewolf

    great article! I had a similar experience using the “Thawte process”, but I was having trouble getting the certs into Mail. Your detailed explanation pushed me to finish my work. Thanks again.

  19. Anonymous

    I found a document that goes over similar stuff for setting up thawte certs in Entourage: http://orb-of-knowledge.blogspot.com/2007/04/setting-up-email-encryption-in.html

  20. Anonymous

    I had an old expired certificate in my 10.5 address book for one of my addresses. I sent myself the new certificate, and I imported the private key to keychain as well. Address Book still shows the old expired certificate. Is this cosmetic? Or how can I fix this?

  21. smanke

    The actual private part of the key should be stored in your OS Keychain. You will need to update the key there. Then it should be available to the Mail application.
