GnuPG + mutt + OSX + GMail

A little over two years ago I generated a new GnuPG key. I had been using a 1024-bit key created in 2004, so I created a new 4096-bit key. I've used this new key only a handful of times since it's creation.

In early 2014 I joined Keybase with high hopes of seeing an increase in GnuPG adoption. A few folks I know use the service, and we've cross-validated one another; but none of them have sent me any encrypted messages. Of course, Keybase's larger utility is as much in "proving" my various online identities as it is in facilitating encryption.

At the 2015 Ohio LinuxFest, one of the birds-of-a-feather sessions was a keysigning party. There were about a dozen of us in attendance, some complete novices and some GnuPG experts. It was a great opportunity to meet a few new folks, as well as pick up a few GnuPG best practices.

All of this took place shortly after I declared my intention to learn mutt for my day-to-day email usage. Mutt has great support for GnuPG, and I was hopeful that this support would encourage me to use GnuPG as much as mutt.

I've learned rather a lot in the last couple of weeks, and this post is an effort to record and share some of that information for others. Aside from a few OSX specific bits, most of what follows should be generally applicable to Linux users as well.

All of what follows is my own opinion. You likely don't know me, so you should not trust my opinion. Do your own research, and figure out what settings make sense for you! If you find any factual inaccuracies in my suggestions, please contact me and let me know!


I've been using OSX exclusively for my day-to-day desktop computer use. (My employer has a few compliance requirements not yet easily satisfied by Linux, so this is as close as I can get to a POSIX-based system.) There are two ways to install GnuPG onto an OSX system: Homebrew or GPG Suite. I chose the latter, because it provides good Finder and integration, but these are conveniences only.

The default options for GnuPG are okay, but not great. Depending on your level of paranoia, the defaults may be downright disastrous. One of the more interesting documents I found was Operational PGP, which was chock full of usefully paranoid suggestions. That, combined with OpenPGP Best Practices provided the bulk of my ~/.gnupg/gpg.conf settings.

In particular, ensure that you're not using old and insecure algorithms:

cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224

Also ensure that you're not leaking information unnecessarily:


When using GPG Suite on OSX, be sure to make use of the GPG agent:

The agent makes it much less hassle to use GnuPG. And it will come in particularly handy with mutt, too!

There was some interesting disagreement after the Ohio LinuxFest keysigning party with respect to proper next steps. Do you encrypt the signed key that you send? Do you individually sign each user ID on a public key? Do you push to keyservers? Each keysigning party may have different norms, so be sure to get answers to these questions before taking any actions! The Debian keysigning instructions may be useful as a reference for possible best practices.

GNU/Linux users are encouraged to use caff, which handles much of the tedium of signing and sending signatures to the folks at a keysigning party. Unfortunately, caff doesn't work on OSX (despite being in homebrew). Additionally, caff sends mail directly from the host on which it is invoked, which may not work for laptops connected to residential ISPs. You may need to correctly configure a relay host in order to make the most of caff.

Aside: pass

Once you have GnuPG configured, take a look at pass, a GnuPG based password management system for Linux and OSX. pass works well for individuals as well as groups. We use it at work, and it's proven extremely helpful.


Installing mutt on OSX is best accomplished with Homebrew: brew install mutt was my first attempt, and this does work well enough. But this default incantation leaves out a newer feature of mutt's GnuPG support: GPG Made Easy (GPGME). GPGME allows you to drastically simplify your mutt config file with respect to GnuPG. In order to get mutt to use GPGME, you need to manually compile it: brew install mutt --build-from-source --with-gpgme --with-slang

With GPGME, the relevant section of my .muttrc file is this:

set pgpautosign=no
set pgpautodecode=yes
set pgpsignas="0xD8F2E57BED0F2C0A"
set pgpreplysign=yes
set pgpreplyencrypt=yes
set pgptimeout=1800
set pgpusegpgagent=yes
set cryptusegpgme=yes
set cryptreplyencrypt=yes
set cryptreplysignencrypted=yes
set cryptverify_sig=yes

I realize that looks like a lot, but compare it with the recommendations from the mutt wiki.


If you're a GMail user, you can use something like the following to get mutt to connect:
set imapuser = ""
set imapkeepalive=60
set imappassive=no
set imapchecksubscribed=yes
set imapidle=yes
set mailcheck=60
set smtpurl = "smtp://"
set from = ""
set smtpauthenticators = 'login'
set folder = "imaps://"
set spoolfile = "+INBOX"
set postponed ="+[Gmail]/Drafts"
set record="+[Gmail]/Sent Mail"
OSX users: take particular note of the set smtpauthenticators directive. This resolves a bug with the homebrew formula for mutt. I was unable to login without this.

I don't want to type in my GMail password every time I connect, and I don't really want to leave a plaintext copy of my GMail password in my .muttrc. Since I'm using GPG and the GPG agent, I can encrypt my password and decrypt that on the fly when mutt starts!

source "gpg -d ~/.mutt/passwords.gpg |"

For lots of other great suggestions about dealing with GMail, check out GPG / Mutt / Gmail by Ben Nagy. I particularly liked the recommendations for SSL hardening, and not blindly trusting SSL certs presented by IMAP and SMTP servers.


It's been a fun adventure learning some of the intricacies around GnuPG, mutt, and GMail. The fact that I'm using OSX does tend to complicate things, since so many howtos online are written for GNU/Linux users.

I still use the GMail web interface with depressing frequency, despite all the effort to configure and learn mutt. I'm trying hard to use mutt exclusively, but that's quite an uphill battle.

One of the interesting things that all of the above work does not address is shared access to my Inbox from my laptop and my mobile phone. I will not install my GnuPG private key onto my mobile phone, so any encrypted emails I may receive will need to lie unread until I can access them on my laptop. Similarly, I won't install my private key onto my VPS server, or a Raspberry Pi at home, or any other device I'm not likely to have in my immediate possession at most times.

UPDATE: I discuss private key security in a subsequent post.

So far this hasn't been an issue, given the paucity of encrypted emails I receive. If encrypted emails were to become more commonplace for me, I might need to revisit my policy against my private key on my phone, since my phone is where I read the surprising majority of my emails these days.



home / about / flickr / github / keybase / linkedin