Encrypting Emails with OpenPGP
Email was never designed to be private. By default, messages travel across the internet in plain text — readable by anyone in between. OpenPGP changes that by adding end-to-end encryption to email, so only you and your recipient can read the content.
This guide walks you through setting up OpenPGP email encryption on macOS using GPG Suite (GPGTools) and Apple Mail.
How OpenPGP Works
OpenPGP uses asymmetric cryptography — a pair of mathematically linked keys:
- Public key — you share this with anyone who wants to send you encrypted email. Think of it as an open mailbox slot.
- Private key — you keep this secret. It’s the only key that can decrypt messages encrypted with your public key.
When someone sends you an encrypted email:
- They encrypt the message with your public key
- The encrypted message travels across the internet — unreadable to anyone
- You decrypt it with your private key
When you sign an email:
- Your mail client creates a digital signature using your private key
- The recipient verifies the signature using your public key
- This proves the email actually came from you and wasn’t tampered with
What You Need
- macOS (Sonoma, Ventura, or later)
- Apple Mail (built-in)
- GPG Suite from gpgtools.org — integrates OpenPGP directly into Apple Mail. GPG Keychain and GPG Services are free; GPG Mail (the Apple Mail plugin) requires a paid support plan after a 30-day trial.
GPG Suite includes:
- GPG Keychain — manage your keys (create, import, export, publish)
- GPG Mail — the Apple Mail plugin for encryption and signing
- GPG Services — encrypt and sign text or files from any app via the Services menu
Step 1: Install GPG Suite
Download GPG Suite from gpgtools.org and run the installer. It will install all components and the Apple Mail plugin automatically.
After installation, open System Settings > Privacy & Security > Extensions > Added Extensions and make sure the GPG Mail extension is enabled for Apple Mail.
Step 2: Generate Your Key Pair
Open GPG Keychain and click New. Fill in:
- Name — your full name
- Email — the email address you want to use with encryption
- Passphrase — a strong passphrase to protect your private key (you’ll need this every time you decrypt or sign)
Under advanced options, you can choose:
- Key type: RSA (4096 bit) for maximum compatibility, or ECC (Curve 25519) for modern, shorter keys
- Expiration: setting an expiration date (e.g. 2 years) is good practice — you can always extend it later
Click Generate key. GPG Keychain will create your key pair. This may take a moment.
Step 3: Share Your Public Key
Others need your public key to send you encrypted email. You have several options:
Upload to a Key Server
In GPG Keychain, right-click your key and select Send Public Key to Key Server. This publishes your key to a public directory where anyone can find it by searching for your email address.
Export and Share Manually
Right-click your key, select Export, and make sure “Include secret key in exported file” is unchecked. Save the .asc file and share it via email, your website, or any other channel.
Publish on Your Website
Host your public key as a downloadable file — just like the pubkey.asc on this site. This lets people verify they have the right key by checking your domain.
Step 4: Import Someone Else’s Public Key
Before you can send someone an encrypted email, you need their public key.
- From a key server: Open GPG Keychain, click Lookup Key, and search by email address or key ID
- From a file: Double-click the .asc file or drag it into GPG Keychain
- From an email: If someone sends you their public key as an attachment, just open it — GPG Keychain will handle the import
After importing, verify the fingerprint with the key owner through a separate channel (phone, in person) to make sure it’s genuine. This defeats a man-in-the-middle attack, where someone hands you their own key in place of the owner’s so they can read mail meant for that person.
Step 5: Send an Encrypted Email
Open Apple Mail and compose a new message. When GPG Mail is active, you’ll see two icons in the compose window:
- Lock icon — toggle encryption on/off
- Star/seal icon — toggle digital signature on/off
To encrypt:
- Enter the recipient’s email address
- If you have their public key, the lock icon turns green — click it to enable encryption
- The signature icon is usually enabled by default
- Write your message and hit Send
Apple Mail will encrypt the message before sending. The subject line is not encrypted — keep it vague if the topic is sensitive.
Step 6: Read an Encrypted Email
When you receive an encrypted email:
- Open the message in Apple Mail
- GPG Mail will prompt you for your passphrase (or use the macOS keychain if you’ve saved it)
- The message decrypts and displays normally
- A green banner confirms the message was encrypted and/or signed
If the message was signed, you’ll also see whether the signature is valid and which key was used.
Key Management Best Practices
- Back up your private key — if you lose it, you lose access to all encrypted emails. Export it (with the secret key included) and store it in a secure, offline location.
- Use a strong passphrase — your private key is only as secure as the passphrase protecting it.
- Set an expiration date — this limits the damage if your key is compromised. You can always extend a key before it expires.
- Revoke compromised keys — if your private key is stolen, generate a revocation certificate and publish it to key servers immediately.
- Verify fingerprints — before trusting someone’s public key, confirm the fingerprint through a trusted channel.
- Keep your software updated — GPG Suite and Apple Mail receive security updates regularly.
The Web of Trust
Unlike centralized systems (like S/MIME with certificate authorities), OpenPGP relies on a decentralized trust model. You decide which keys to trust by:
- Verifying fingerprints in person
- Signing other people’s keys to vouch for their identity
- Trusting keys that have been signed by people you already trust
This creates a “web of trust” — a network of verified identities without relying on a single authority.
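The whole procedure above (Steps 2 through 6, the revocation certificate from the best-practices list, and the local key certification that stands in for the web of trust) can also be run with the `gpg` command that GPG Suite installs alongside the GUI. The script below is an added example written for this page, not code from the guide or from GPGTools. It builds two throwaway keyrings for “Alice” and “Bob” under a temp directory; the user IDs, the message text and the paths are constructed for the demo, and the keys get an empty passphrase only so the run is unattended (a real key gets the strong passphrase the guide asks for).

```shell
#!/bin/sh
# Added example for this guide (not GPGTools code): the GPG Keychain / GPG Mail
# steps, done with the gpg CLI. Everything here (names, message, paths) is constructed.
set -eu

WORK=$(mktemp -d)
ALICE="$WORK/alice"; BOB="$WORK/bob"        # two independent keyrings
mkdir -m 700 "$ALICE" "$BOB"

cleanup() {
  GNUPGHOME=$ALICE gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME=$BOB   gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}
trap cleanup EXIT

# gpg against one keyring, fully non-interactive. Empty passphrase is for the demo only.
g() {
  home=$1; shift
  GNUPGHOME=$home gpg --batch --no-tty --pinentry-mode loopback --passphrase '' "$@"
}

# Step 2: generate a key pair (default algorithm, 2-year expiry as the guide suggests).
gen_key() {  # $1 keyring, $2 user id
  g "$1" --quick-gen-key "$2" default default 2y 2>/dev/null
}

# Primary-key fingerprint of a user ID, taken from machine-readable (--with-colons) output.
fingerprint() {  # $1 keyring, $2 user id
  g "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 3: export the public key only. Refuse to hand out a file that carries a secret key.
export_public() {  # $1 keyring, $2 user id, $3 output .asc
  g "$1" --armor --export "$2" > "$3"
  if grep -q 'PRIVATE KEY' "$3"; then echo "refusing: export contains a secret key" >&2; return 1; fi
}

# Step 4: import the other side's public key.
import_key() {  # $1 keyring, $2 .asc file
  g "$1" --import "$2" 2>/dev/null
}

# Web of trust: once the fingerprints have been compared out of band, certify the key
# locally (lsign). gpg then treats it as valid without any --trust-model always shortcut.
certify() {  # $1 keyring, $2 fingerprint
  g "$1" --quick-lsign-key "$2" 2>/dev/null
  g "$1" --check-trustdb >/dev/null 2>&1 || true   # refresh validity calculation
}

# Step 5: sign with the sender's key and encrypt to the recipient, ASCII-armored.
encrypt_signed() {  # $1 keyring, $2 sender uid, $3 recipient uid, $4 plaintext, $5 output
  g "$1" --armor --local-user "$2" --recipient "$3" --output "$5" --sign --encrypt "$4"
}

# Step 6: decrypt and verify. Prints the signer's fingerprint from the VALIDSIG status
# line, so the caller learns *which* key signed, not merely that a signature verified.
decrypt_verify() {  # $1 keyring, $2 ciphertext, $3 plaintext out
  g "$1" --status-fd 1 --output "$3" --decrypt "$2" 2>/dev/null |
    awk '/^\[GNUPG:\] VALIDSIG/ { print $3; exit }'
}

demo() {
  gen_key "$ALICE" "Alice Example <alice@example.com>"
  gen_key "$BOB"   "Bob Example <bob@example.com>"
  export_public "$ALICE" alice@example.com "$WORK/alice-pub.asc"
  export_public "$BOB"   bob@example.com   "$WORK/bob-pub.asc"
  import_key "$BOB"   "$WORK/alice-pub.asc"
  import_key "$ALICE" "$WORK/bob-pub.asc"

  # "Read the fingerprint over the phone": the owner's copy must equal the imported copy.
  ALICE_FPR=$(fingerprint "$ALICE" alice@example.com)
  BOB_FPR=$(fingerprint "$BOB" bob@example.com)
  [ "$(fingerprint "$BOB" alice@example.com)" = "$ALICE_FPR" ] || { echo "fingerprint mismatch" >&2; return 1; }
  [ "$(fingerprint "$ALICE" bob@example.com)" = "$BOB_FPR" ] || { echo "fingerprint mismatch" >&2; return 1; }
  certify "$BOB" "$ALICE_FPR"
  certify "$ALICE" "$BOB_FPR"

  printf 'Meet at the usual place at 9.\n' > "$WORK/plain.txt"   # constructed message
  encrypt_signed "$BOB" bob@example.com alice@example.com "$WORK/plain.txt" "$WORK/msg.asc"
  CIPHERTEXT_LEAKS=$(grep -c 'usual place' "$WORK/msg.asc" || true)   # body must not be readable

  SIGNER=$(decrypt_verify "$ALICE" "$WORK/msg.asc" "$WORK/decrypted.txt")
  DECRYPTED=$(cat "$WORK/decrypted.txt")

  # Best practice: gpg wrote a revocation certificate at key creation. Keep an offline copy;
  # its first line is commented out with ':' so it cannot be imported by accident.
  REVOKE_CERT="$ALICE/openpgp-revocs.d/$ALICE_FPR.rev"
}

if command -v gpg >/dev/null 2>&1; then
  demo
  echo "Alice's fingerprint: $ALICE_FPR"
  echo "Message signed by:   $SIGNER (Bob's key is $BOB_FPR)"
  echo "Decrypted text:      $DECRYPTED"
  echo "Revocation cert:     $REVOKE_CERT"
else
  echo "gpg not found: install GPG Suite (gpgtools.org) or gnupg first" >&2
fi
```

The two fingerprint comparisons are the CLI form of the guide's “verify through a separate channel” step; in real use one side reads the 40 hex digits aloud and the other checks them against `gpg --fingerprint`. Because each side locally signs the other's key afterwards, encryption needs no trust override, which is exactly what the web of trust provides.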
Limitations
OpenPGP email encryption is powerful but has some constraints:
- Subject lines are not encrypted — only the message body and attachments are protected
- Metadata is visible — sender, recipient, timestamp, and subject remain in plain text
- Both parties need OpenPGP — if the recipient doesn’t have a key, you can’t encrypt
- Key management takes effort — exchanging and verifying keys requires manual steps
- Attachments are encrypted — but large attachments may cause issues with some mail servers
Quick Reference
| Task | How |
|---|---|
| Generate a key pair | GPG Keychain > New |
| Export public key | GPG Keychain > right-click > Export |
| Import a public key | Double-click .asc file or GPG Keychain > Lookup Key |
| Encrypt an email | Compose in Apple Mail, click lock icon |
| Sign an email | Compose in Apple Mail, click star icon |
| Verify a signature | Open signed email — green banner confirms validity |
| Revoke a key | GPG Keychain > right-click > Generate Revocation Certificate |
Further Reading
- OpenPGP.org — the official OpenPGP standard
- GPG Suite Documentation — guides and troubleshooting for GPGTools
- Email Self-Defense — the Free Software Foundation’s guide to email encryption