How to setup encrypted email on OS X with a digital certificate

One of the features the OS X Mail app offers is encrypted email. OS X Mail allows the user to send digitally signed or encrypted email to protect your electronic communications. I’ve written about digital certificates before. The idea is to use a special key — a digital certificate — to sign and encode your email so that only the intended recipient can read it. Encrypted email is a great way to send confidential information — passwords, social security numbers etc. — without worrying about who might intercept my email. An SSL email certificate ensures your mail cannot be read by anyone but the intended recipients. It also ensures your message was not modified during transmission and allows recipients to confirm your identity as the sender of the message.1

In this post, I will walk you through the steps to secure email in OS X. The steps below should let you encrypt your email communications in any mail application on OS X.

Getting a digital certificate

I use free email certificates issued by the certificate authority StartSSL, but you can also get free certificates from Comodo or spend some money and get one from Symantec. The key is to make sure you get a certificate from a trusted source. Getting an email certificate requires you to fill out a form on the certificate authority's web site with some basic information and then wait for a confirmation email. Once you have received the email, follow the instructions to download and install your certificate. On Mac OS X that means downloading the certificate file and opening it in Keychain.

Keychain Access


Once you receive the confirmation email from the certificate authority, follow the instructions to download the certificate to your Mac.

On Mac OS X digital certificates are stored in OS X Keychain Access. The certificate file will have a file extension that indicates it contains certificates—such as .cer, .crt, .p12, or .p7c. Locate the certificate file and double-click to import into Keychain Access. Once you import your certificate, it should be listed in the My Certificates category in Keychain Access. If Keychain Access can’t import the certificate, try dragging the file onto the Keychain Access icon in the Finder. If that doesn’t work, contact the CA to ask if the certificate is expired or invalid.

Alternatively, you can launch Keychain Access (look in the Utilities folder inside the Applications folder) and type Shift-CMD-I to import the file. Once the certificate file has been imported, I strongly recommend that you save a copy of the certificate file in a safe place in case you need to reload it later. I keep mine on an encrypted USB flash drive.

Open your certificate in Keychain Access and make sure its trust setting is “Use System Defaults” or “Always Trust.” Now you can use the certificate to send and receive signed and encrypted messages.

Using the certificate for encrypted email

screen shot of new signed email

A signed message lets the recipients verify your identity as the sender; an encrypted message offers an even higher level of security. To send signed messages, you use your personal certificate from your keychain, but to send encrypted messages, the recipient’s certificate must also be in your keychain.

Open OS X Mail and create a new message. Choose the email account for which you have a personal email certificate in your keychain. OS X Mail includes a security field in the header area that indicates whether a message is signed or encrypted. A Signed icon (containing a check mark) in the lower-right side of the message header indicates the message will be signed when you send it.

To send the message unsigned, click the Signed icon; an “x” replaces the check mark. An encrypt (closed lock) icon appears next to the signed icon if you have a personal certificate for every recipient in your keychain; the icon indicates the message will be encrypted when you send it.

screen shot of new encrypted email

If you don’t have a certificate for every recipient, you must cancel the message or send it unencrypted (click the Encrypt icon; an open lock icon replaces the closed lock icon).

screen shot of signed email

When you receive a signed message, a check mark icon appears in its header area. To view the certificate details, click the icon.

If the message was altered after it was signed, OS X Mail displays a warning that it can’t verify the message signature. A lock icon appears in the header area of an encrypted message. If you have your private key in your keychain, the message is decrypted for viewing. Otherwise, Mail indicates it can’t decrypt the message.

screen shot of encrypted email

To include encrypted messages when you search for messages in Mail, set the option in the General pane of Mail preferences. Although the message is stored encrypted, the option enables Mail to search individual words.


  1. I’m simplifying a lot here. Read my original article for more detail on digital certificates

iOS 5 Secure Mail

One of the least mentioned features of the new Mail app in iOS 5 is encrypted email. iOS 5 allows the user to send digitally signed or encrypted email to protect your electronic communications. I've written about digital certificates before on this blog. The idea is to use a unique key — a digital certificate — to sign and encode your email so that only the intended recipient can read it. I've wanted this feature in iOS for a while. Encrypted email is a great way to send confidential information —  passwords, social security numbers etc. — without worrying about who might intercept my email.1

Getting a digital cert

I use free digital certificates issued by the certificate authority Comodo, but you can also get a paid one from VeriSign. Getting a certificate issued is quite easy. Fill out the form on the web site with some basic information and wait for an email. Follow the instructions in the email to download and install your certificate. On Mac OS X that means downloading the certificate file and opening it in Keychain.2


Keychain

On Mac OS X digital certificates are stored in the Keychain. I want to use the certificate with my iPad or iPhone so I need to bring that certificate over to the iPad. This means I'll need to export the certificate from Keychain and import into the iPad.


Once your certificate has been installed, launch Keychain and find your certificate in the Certificates section of Keychain. Right-click the certificate and export it to somewhere on your hard drive. I exported the certificate from Keychain to my Documents folder. Make sure to protect the certificate file with a strong password when prompted.


Creating a configuration profile

To install the certificate onto the iPad we'll need the help of the iPhone Configuration Utility3. The iPhone Configuration Utility is used by corporate information technology engineers to manage the configuration parameters of corporate iOS devices. It allows them to create, maintain, encrypt, and push configuration profiles, track and install provisioning profiles and authorized applications, and capture device information including console logs. We'll be using it to create a configuration profile to install the certificate.

Download, install and launch the iPhone Configuration Utility. Select the Configuration Profiles tab and then press Command-N on the keyboard to create a new profile.


Now you will import the cert you exported from Keychain. Select the Credentials tab and then click the + symbol. Find and select the digital certificate file to import. Enter the password you chose earlier when you exported the certificate.

Installing the cert

At this point attach your iOS device to your computer and you'll see the device appear in the left-hand pane of the configuration utility. Select the device and then click the Configuration Profiles tab. Find the profile you just created in the list and then click Install to push the profile to your device.


On the screen of your iOS device you should see a prompt to confirm the installation of the profile. Once you click install to confirm, you are done.


New profile entries will be visible in the General->Profiles section of the Settings app on your iOS device.


Configuring the email account

Now that you have a digital certificate on your iOS device you'll need to configure Mail to use it. You'll do this from the Mail, Contacts, Calendars tab in the Settings app on the iOS device. Select the email account from the list. Select the Account tab.


Enable the S/MIME switch and then turn on Sign and/or Encrypt depending on what you want to do and then tap Done. That's it! You can now use the Mail app to send signed and encrypted email.



  1. I'm simplifying a lot here. Read my original article for more detail on digital certificates. 
  2. The process is most likely different on Windows but I'm a Mac user. 
  3. Corporate command and control IT types use this tool to lock you out of all the cool stuff they are scared of. 

Digital certificates and signatures

Digital signatures are one component of what is called a public key infrastructure (PKI). PKI provides mechanisms and processes for ensuring the confidentiality and integrity of digital information. It allows someone to prove his/her online identity and that documents and communications (e.g. email and banking transactions) haven’t been tampered with.

Recently the topic of spam came up in one of the meetings of the PMUG. Someone suggested that digital signatures were one solution to the problem of spam, but there was no clear understanding of digital signatures and how they help with the spam problem. I intend to write a concise but easily understood series of articles on digital signatures, email encryption, and how to use it on Mac OS X (with Mail.app).

What is a digital signature?

According to Wikipedia:

A digital signature or digital signature scheme is a type of asymmetric cryptography used to simulate the security properties of a handwritten signature on paper.


How does it work?

The science behind PKI involves some very complicated math. It relies on the difficulty of factoring very large numbers into their prime factors. Those primes are used to create two keys, one private and one public. The private key is kept strictly confidential and is not shared with anyone, while the public key is distributed widely. Messages encoded with the private key can only be decoded with the corresponding public key, and messages encoded with the public key can only be decrypted with the private key.

How is this useful for digital signing?

The idea is to take a piece of digital data and, using a mathematical algorithm, compute a large number called a hash - a small digital "fingerprint" made from any data. The hashing function should create a unique hash for any particular piece of data. If the data changes, then the hash will also change, and we will know that the data has been tampered with.

To digitally sign a document, we compute the hash of the document and then encode the hash using the private key. Since the data was encoded with the private key, it can only be decoded with the corresponding public key. To verify that the document ( e.g. an email message ) came from that user, decrypt the hash using the widely known public key, compute a new hash from the received document, and compare against the hash that was sent. If the hashes do not match, we know that the document was tampered with. We know who sent the message because only that user has the private key used to encode the message.

How do I know the person sending the message is who they claim to be?

How do I know that a doctor is really a doctor? That a lawyer knows the law? In the end, everything in security boils down to trust, but verify. In the real world we have authorities that certify that doctors and lawyers (teachers etc.) know what they are doing. The doctor or lawyer has been issued a license (certificate) to practice their craft. Similarly, PKI has the concept of a Certificate Authority (CA).

The user securely creates a private key, and the CA signs the user's public key with the CA's own private key. This places the CA's stamp of approval on the user's digital certificate. The system is very heavily dependent on the trust placed in the CA. If the private key of the CA is compromised, the entire PKI system is at risk, since anyone holding that private key could create digital certificates. Similarly, if the user loses control of his/her private key, then anyone holding it could digitally impersonate that user.

How does it all work together?

  • "A" and "B" want to exchange a confidential message. A creates the message and encodes it (and the message hash) using B's public key. B receives the message and decodes it using his/her secret private key. B is the only one who can decrypt the message because only B has the private key.
  • "A" wants to send "B" a (non-confidential) message, but B wants assurance that the message really came from A. A creates the message and encodes its hash using her private key. B receives the message and decodes the hash using A's public key. B knows the message came from A because only A has the private key used to encode the hash.
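As an added example (mine, not code from the original post) tying the two scenarios above to the hash-then-sign description earlier: textbook RSA built from fixed, publicly known Mersenne primes with no padding, so it is illustration only. Real S/MIME uses padded RSA or ECDSA and encrypts a random per-message symmetric key rather than the message body itself.

```python
"""Toy RSA walk-through of the post's two scenarios: sign-then-verify and
encrypt-to-recipient. Educational only: fixed public primes, no padding."""
import hashlib

E = 65537  # common public exponent


def make_key(p_exp: int, q_exp: int):
    """Build a toy key pair from the Mersenne primes 2^p_exp-1 and 2^q_exp-1."""
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (E, n), (d, n)              # (public key, private key)


# Constructed keys: A's modulus is ~2^234, so a 224-bit SHA-224 digest fits
# below n; B's modulus is ~2^1128, leaving room for a short plaintext.
A_PUB, A_PRIV = make_key(107, 127)
B_PUB, B_PRIV = make_key(521, 607)


def digest(message: bytes) -> int:
    """The post's 'fingerprint': SHA-224 of the message, as an integer."""
    return int.from_bytes(hashlib.sha224(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Scenario 2: A encodes the hash with her private key."""
    d, n = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """B decodes the hash with A's public key and compares to a fresh hash.
    Any change to the message (or a signature from another key) fails."""
    e, n = public_key
    return pow(signature, e, n) == digest(message)


def encrypt(message: bytes, public_key) -> int:
    """Scenario 1: A encodes a short message with B's public key."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("toy RSA: message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key) -> bytes:
    """Only B, holding the matching private key, recovers the message."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")
```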

What's Next?

In my next article, I plan to show how to use the digital certificate, and digital signature to make your email more secure.


Cross-posted from the Princeton Macintosh User's Group