I recently praised Apple’s Mail for making it so easy to use email encryption. This is more important than ever, since electronic privacy is front and center in our attention. Let’s look at what you need to do to get started with encrypted email using Apple’s Mail app.
Step 1: Get Your Certificate from Actalis, a Free Email Encryption Authority
The first thing you need to do is get your encryption certificate. There are several Certificate Authorities (CAs), but many have stopped providing free options. On the other hand, Actalis recently began offering free S/MIME certificates for email. To get started, click over to the Actalis website and verify your email. Then, prove you aren’t a robot. Check all the appropriate boxes and click Submit Request. In moments, your certificate will arrive in your email.
Step 2: Download and Install Your Certificate
After a few moments, you’ll get an email from Actalis with your certificate, plus a link and password for managing it. Download the linked archive to your Downloads folder, then double-click it to unzip it. Once unzipped, double-click the certificate file (it has the .pfx extension) in the download location to open it and begin importing it into your Keychain. I store my encryption certificates in the login keychain, and you should too. Yes, the image below shows System, but I learned that placing the certificate there meant entering my login credentials many, many times to send and decrypt emails. When I reinstalled the certificate, the window below never returned, and the certificate went to login.
After you click Add, Keychain Access will ask you to authenticate as a system administrator. Do so, and your certificate will be added to your Keychain.
Next, you’ll be prompted to enter the password for your certificate. This was displayed on the final page, notifying you that your certificate had been generated and emailed to you. After that, macOS will prompt you one more time for your administrator password, and then you’ll be done.
Step 3: Exchange Digital Signatures
If Mail is already running, quit the application and relaunch it. At this point, Mail will automatically sign your emails with your public key. You can tell that it’s done so by the new icons next to the subject line. The lock, grayed out, is to encrypt your email. The checkmark, blue, shows that the email will be digitally signed.
When you send a signed email for the first time, you’ll be asked to grant Mail permission to use the keychain the certificate is stored within. Provide your user name and password, then click Allow.
Step 4: Send Your Encrypted Email
Once you’ve exchanged digitally-signed emails with your recipient, you’ll be all set to send encrypted messages. To do this, simply make sure the Lock next to the subject line is blue, and Mail will encrypt the email using your certificate.
Step 5: Verifying Your Emails Are Encrypted
If you want proof that the email encryption is working, try opening your message in another mail client. You’ll see that the body of your email is in an S/MIME attachment. You can open that attachment with Keychain Access (in fact, that’s the default), but that’s the only way you can read the content.
But Is It Really Encrypted?
Okay, you have your doubts. Try opening the S/MIME attachment with TextEdit, for example. You’ll see that it’s completely encrypted and unreadable.
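Eyeballing the attachment in TextEdit only shows that it is binary; a signed-but-unencrypted message also arrives as an unreadable smime.p7m. The check that actually distinguishes the two is the MIME structure: confidentiality is only claimed by `application/pkcs7-mime` with `smime-type=enveloped-data`. The script below is an added example (not from the original article, and not Apple or Actalis code) that classifies a saved .eml by those headers and sanity-checks that the blob is a DER structure carrying the matching CMS content-type OID; the sample messages are constructed, and their bodies are dummy DER bytes rather than real CMS.

```python
import base64
import email
from email import policy

# DER encodings of the CMS content-type OIDs 1.2.840.113549.1.7.2 (signedData)
# and 1.2.840.113549.1.7.3 (envelopedData); a real smime.p7m carries one near its start.
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")
OID_ENVELOPED_DATA = bytes.fromhex("06092a864886f70d010703")


def build_sample(smime_type: str, oid: bytes) -> str:
    """Constructed .eml text shaped like a Mail S/MIME message. The body is NOT real CMS,
    just a DER-looking SEQUENCE wrapping the content-type OID and filler bytes."""
    blob = b"\x30\x80" + oid + b"\xa0\x80" + bytes(range(64))
    return (
        "From: alice@example.com\nTo: bob@example.com\nSubject: test\nMIME-Version: 1.0\n"
        f'Content-Type: application/pkcs7-mime; smime-type={smime_type}; name="smime.p7m"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="smime.p7m"\n\n'
        + base64.encodebytes(blob).decode()
    )


def classify(raw: str) -> dict:
    """Report how an RFC 822 message is protected, judged from its MIME structure alone."""
    msg = email.message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    out = {"kind": "plaintext", "der_ok": None, "oid_matches": None}
    if ctype == "multipart/signed" and msg.get_param("protocol") == "application/pkcs7-signature":
        # Clear-signed: the text part is readable by anyone; only integrity/authorship is protected.
        out["kind"] = "clear-signed"
    elif ctype == "application/pkcs7-mime":
        smime_type = str(msg.get_param("smime-type") or "").lower()
        expected = {"enveloped-data": ("encrypted", OID_ENVELOPED_DATA),
                    "signed-data": ("opaque-signed", OID_SIGNED_DATA)}
        kind, oid = expected.get(smime_type, ("unknown-pkcs7", b""))
        out["kind"] = kind
        blob = msg.get_payload(decode=True) or b""
        out["der_ok"] = blob[:1] == b"\x30"           # every CMS ContentInfo is a DER SEQUENCE
        out["oid_matches"] = bool(oid) and oid in blob[:64]
    return out


if __name__ == "__main__":
    print(classify(build_sample("enveloped-data", OID_ENVELOPED_DATA)))
    print(classify(build_sample("signed-data", OID_SIGNED_DATA)))
```

Only a result of kind "encrypted" means the body is confidential; "opaque-signed" looks just as unreadable in TextEdit but any relay can recover the text.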
Be Careful With Those Keys
Once you’ve exchanged signed emails with someone, all of your future messages to that person will be encrypted. Of course, you can always turn that off by clicking the Lock to disable encryption. Just be very careful with your keys and certificates; if you lose them, you won’t be able to read those emails again.
What Happens When a Certificate Expires?
Almost all S/MIME certificates have expiration dates, and you can’t just renew them. You have to obtain a new certificate. However, you should not delete your public and private keys from your Keychain. You will still need them to open and decrypt older encrypted emails. You just won’t continue using them to encrypt new email messages.
This article has been updated to use a new S/MIME certificate provider, and reflect changes in Apple Mail on macOS Catalina.