Stark & Wayne
  • by Jamie van Dyke


There are many reasons why encrypting your email is a good idea, but as developers we have a responsibility to for our clients. Maybe you're sending credentials for a service, maybe the client would like to discuss sensitive company information, maybe you're about to find out your Secret Santa!

We've been encouraged in the corporate and enterprise environment to go with paid-for services that can provide end-to-end solutions to our problems. These come with the worrying fact that governments can demand they hand over the keys and all of that sensitive information is no longer a secret.

Encrypting your information with the open source GPG tools is simple enough, but verifying an identity (like a github account, twitter account or maybe even a domain) was a little harder. I'd like to show you a simple way to do encryption and verification that leaves the keys in your hands.

The pieces

Here's a quick overview of how this works.

Encryption requires you to have 2 keys, a private one and a public one, we call this a keypair. You keep the private one to yourself and you give the public one to others. When you encrypt a message you encrypt it with your private key and the recipient's public key. The only person that can unlock that encryption is whomever holds the private key that matches the public key you encrypted against.

For example, if I wanted to send Dr Nic an email containing my bank details (so he can give me wads of cash) I would take my private key and his public key and encrypt it. Because he holds the private key that matches the public key I used, only he can unlock it.

For verification of an identity you can use Keybase. My twitter account is (as you know) @fearoffish, if you search Keybase for that twitter account then you'd find that I have verified that account belongs to me and my public key is there for you to use.

Snapshot of my Keybase account

You'll also notice there are links to other services I've verified are mine like my github account, my domain name and more.


If you are on a Mac you can use the GPG Suite along with and it's easy. If you use any another client it becomes more painful but still achievable.
If you are on iOS then you can use iPGMail and sending messages is painless, but receiving is still a little copy and paste dance.
If you want to verify users and then get hold of their public keys, there are services like Keybase that are starting to make that painless.

What do I need

There are many tools you could use but these are the tools that I use.

The GPG Suite:

The workhorse of our workflow, this does the encrypting, decrypting, signing and verifying of all the things. It comes with a complete commandline toolset to use as well as GUI tools that accompany them.


A directory of identities that will prove the person you're communicating with is who you think. For example, when I want to send Dr Nic an encrypted email with my bank account details, I can use Keybase to look him up because I know his Github account is drnic.


This is the iOS application I use, it's inexpensive and simple to use. On Android you could use K9 with Android Privacy Guard (APG) to achieve the same.


On your Mac:

The GPG Suite provides the majority of tools you'll be using here. There are many extensive tutorials available around the Internet for this, so I'll give the short summary and a handy tip below.

Install the Keybase client using either Homebrew or their own NPM installer:

$ # Using Homebrew
$ brew install keybase
$ # Using their NPM installer
$ npm install -g keybase-installer

Once you have the tools it's time to join Keybase, at the moment it's invite only. I'd recommend you either join the queue by signing up, or search Keybase for someone you know and it will show if they have any invites to pester them for. You can join Keybase from the cli as well as the site:

$ keybase join

Once you're registered you should go to the Keybase website, sign in and follow the instructions to verify your online identities like your Twitter and Github account.

On iOS:

Now you have the tools and keys in place, let's talk about how to use them.

Encrypting, decrypting, signing, verifying

On a Mac:

The good news here, is that the GPG Suite handles this all for you if you use Apple Mail. GPGMail (it gets installed as part of the suite) integrates directly into Apple Mail when you're reading it will decrypt and verify signatures, and when you're composing it will encrypt and sign. Let's have a quick look.

When I want to send Dr Nic an encrypted or signed message I'll need his public key, I can find that with Keybase (using their site or the cli) as well as verify it is the right Dr Nic.

$ keybase search drnic
-	drnic	579b1c809edbcbed8b869bdc0b92a265a0921641	github:drnic	twitter:drnic	dns//	dns//
-	nickloose	19bbdcac4565f2f3fb06157f23caa66394fdff67	github:nickloose	twitter:nickloose

Keybase has found 2 matches for this search, we want the first. We see his Keybase username (the first word after the dash) is drnic so let's keep track of him:

$keybase track drnic
info: ...checking identity proofs
✔ public key fingerprint: 579B 1C80 9EDB CBED 8B86 9BDC 0B92 A265 A092 1641
✔ "drnic" on twitter:
✔ "drnic" on github:
✔ admin of the DNS zone for
✔ admin of the DNS zone for
Is this the drnic you wanted? [y/N] y
Permanently track this user, and write proof to server? [Y/n]

You need a passphrase to unlock the secret key for
user: "Jamie Van Dyke <>"
2048-bit RSA key, ID 48872E720641FE38, created 2013-07-30
         (subkey on main key ID 84C040D506DF5149)

info: ✔ Wrote tracking info to remote server
info: Success!

So Keybase has looked up the user drnic and presented me with all of the details that he has verified. I can see he has verified his Twitter account, Github account and 2 domains that he owns. It also shows me how he verified that with the Tweet and Gist. I accept that this is indeed the Dr Nic that I want to track, and I chose to permanently track him.

But what is tracking? If I'm using the Keybase commandline tool, every time I want to interact with his public key (that is every time I want to encrypt, decrypt, sign or verify something with him) I will need to verify that he is who I think. That can get tedious very quickly; Tracking removes that need. An added benefit is that tracking him adds his public key to our local GPG Keychain (when you use the commandline tool), so his public key is available to GPG Mail when we want to email him.

Dealing out the secrets

On a Mac

Let's have a look at how we'd email an encrypted message. Open up and compose a new message, you should see some new options available to you:

Compose message with Open PGP options

Notice the lock symbol and the tick. These are the encryption and signing options. The blue tick shows me I'm signing this message, the grey lock shows me that encryption is not available. It won't be, not until I give it a recipient who I have the public key for. There are some caveats to the process here, I'll talk about them at the end of this post.

I tracked Dr Nic earlier, so I should be able to encrypt a message to him. In it looks like this:

Example screen when encrypting

I've used his account for this, as that's the only email that is stored in his public key (for now). I'm going to run him through adding his other email addresses to his public key later, you can skip to the bottom of this short post to see how you can.

So the steps to send an encrypted and signed email in go like this:

My GPGMail preferences look like this:

My GPG Mail Preferences

Receiving encrypted emails in is simple, you just receive them and they get decrypted on the fly:

Decrypted message in

On iOS

Until email clients build encryption into their apps, this is the painful part. I prefer to send encrypted emails from iPGMail on the go because it's much easier. Decrypting requires a little effort too, but it's all in the name of secrecy!

Receiving in Mail is easier when the encrypted message is attached instead of embedded. Attached messages are basically just copied over to iPGMail which decrypts them and checks the signatures. Here's a series of screenshots to demonstrate:

A received encrypted message in iOS Mail

Click on the attachment, and you're presented with the plain text version. Click on the text and the sharing icon appears at the top right:

The share icon for the encrypted attachment

Click the share icon bring sup your list of options for sharing. We'd use the "Copy to iPGMail" option:

The "Copy to iPGMail" sharing option

If the message were embedded we would have to copy all of the text to the clipboard, and then open iPGMail which would ask if you'd like to decrypt the clipboard contents.

Adding email addresses to your private key

There are command line options to achieve this, but using the GPG Keychain is so simple you might as well use that.


Encryption is still painful, however finding and verifying the people you need to interact with has become easier thanks to Keybase. If you need to send encrypted messages there is no workaround until messaging client's get onboard. Open source encryption is the future as it isn't open to a government demanding the keys be handed over and masses of people losing their privacy.

Find more great articles with similar tags encryption