SPECIAL NOTE FOR GMAIL USERS

The Gmail web client appears to have a ‘feature’: it either selects the wrong public key or thinks it is doing the right thing by using the public key for a canonical email address instead of the alias, which renders the message undecryptable to me. If you want to send me an encrypted email, do not use the Gmail web client. Rather, use your favorite mail application, like Mail.app (MacOS), Outlook (Windows), or Thunderbird (most anything).
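One way to check which address a certificate is actually bound to before encrypting to it, as an added example that is not part of the original page. It assumes `openssl` is installed and the certificate is available as a PEM file; the function names, the throwaway certificate and the example.org addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: does an S/MIME certificate name the address you are mailing?

# Print the e-mail addresses a PEM certificate is bound to, one per line.
# `openssl x509 -email` reports the subject emailAddress and any
# subjectAltName e-mail entries. Lower-casing is an assumption of this
# example so that the comparison below is case-insensitive.
cert_emails() {
    openssl x509 -in "$1" -noout -email | tr '[:upper:]' '[:lower:]' | sort -u
}

# Exit 0 if the certificate ($1) covers the address ($2), 1 otherwise.
cert_covers() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    cert_emails "$1" | grep -Fxq -- "$want"
}

# Constructed sample: a throwaway self-signed certificate for a
# hypothetical alias address. Writes $1.key and $1.pem.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.pem" \
        -subj "/CN=Constructed Sample/emailAddress=$2" 2>/dev/null
}

# Compare the alias the certificate was issued for with a hypothetical
# canonical address for the same mailbox.
check_demo() {
    dir=$(mktemp -d)
    make_sample_cert "$dir/alias" "First.Last@example.org"
    for addr in first.last@example.org flast42@example.org; do
        if cert_covers "$dir/alias.pem" "$addr"; then
            echo "OK       $addr"
        else
            names=$(cert_emails "$dir/alias.pem" | tr '\n' ' ')
            echo "MISMATCH $addr (certificate names: $names)"
        fi
    done
    rm -rf "$dir"
}

check_demo
```

A MISMATCH line means the certificate was not issued for the address being mailed, which is the situation described in the note above.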

Configuring your Mac for secure email

Get an X.509 certificate

If you are at Virginia Tech, VT4Help has instructions for generating and installing a certificate. If you are not at Virginia Tech, ask your IT support people for an X.509 S/MIME signing and encryption certificate. If getting your institution to issue a certificate is not an option, my favorite place to get a free email certificate is Actalis.

Install the certificate and enjoy

If you get the certificate from Actalis, just follow their instructions, restart Mail.app, and check off the seal (signing) or padlock (encrypting) on the right-hand side of the message composition window. Note that to encrypt, you need the recipient’s public key. If they send you a signed or encrypted email, MacOS will automatically store their public key for you. You can see that in your address book: if you have someone’s public email key, there will be a little certificate icon next to their email address.

Apple Support

A not bad, but not great resource is https://support.apple.com/guide/mail/sign-or-encrypt-emails-mlhlp1180/mac

Don’t forget PGP

After all that, if you have taken any of my courses, you will know there are fatal flaws in X.509, some of which require certificate pinning to mitigate. So, the next best thing is PGP. Where do you get that from? Check out GPGtools.