Secure dead-drops on a Mac with GPG Tools

Sending files marked “for your eyes only”, without getting stuck in the terminal

31st May 2016

Today I had to send some sensitive data to a client. Normally I’m happy using secure storage options or relatively anonymous file transfer sites. But sometimes you have to send stuff that it’s very important to protect. For that, I turned to GPG, and the GPG Tools app for Mac, which is a fairly user-friendly way of handling public and private keys, and encrypting files. This is what I did:

I first needed to generate a GPG key. This is nice and simple: just fill in a form, choose a nice secure passphrase – I used a password generator, and then stored the text in my password manager – and create the key.


I asked the client who the last point of contact was for this data, so that it didn’t go through any mediators or middle-men. I asked for that person’s public GPG key, and imported it into GPG Tools:


Then it was a matter of right-clicking the file I wanted to encrypt, heading to Services and choosing Open PGP: Encrypt File. It brought up a dialogue box like this, where I could choose the recipient, sign the file with my own key – and add myself as a recipient too – and generate a file with the same name as before, but now with a .gpg extension.


Then finally I exported my public GPG key, sent that to my client along with the encrypted file – via WeTransfer – and that’s it. I can delete the file on my computer so there’s no trace of it here, and once it’s downloaded from WeTransfer it’ll disappear from their servers. The only person that can open the file is someone in possession of my client’s public key, which should be signed with a passphrase that only he or she knows.
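
The same steps from the command line, as an added example that is not part of the original post. It also compares the recipient key's fingerprint with one confirmed over a separate channel before importing it, a check the post does not describe. The function names, the send.sh script name and my-public-key.asc are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Fingerprints and file names are
# supplied by the caller; the function names are hypothetical.

# Print the primary-key fingerprint of an exported public key file
# without adding the key to the keyring.
key_file_fingerprint() {          # $1 = public key file
  gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import the key only if its fingerprint equals the one the recipient
# confirmed over a separate channel (phone, in person).
import_verified() {               # $1 = public key file, $2 = expected fingerprint
  _got=$(key_file_fingerprint "$1")
  _want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  if [ -z "$_got" ] || [ "$_got" != "$_want" ]; then
    echo "fingerprint mismatch, key not imported" >&2
    return 1
  fi
  gpg --batch --quiet --import "$1"
}

# Encrypt to the recipient and to yourself, signed with your own key.
# --trust-model always is acceptable here only because the recipient is
# addressed by the full fingerprint already checked in import_verified.
encrypt_and_sign() {              # $1 = file, $2 = recipient fpr, $3 = own fpr
  gpg --batch --yes --trust-model always --local-user "$3" \
      --sign --encrypt --recipient "$2" --recipient "$3" \
      --output "$1.gpg" "$1"
}

# Export your own public key so the recipient can verify the signature.
export_own_key() {                # $1 = own fpr, $2 = output file
  gpg --batch --yes --armor --output "$2" --export "$1"
}

# Usage: send.sh <recipient.asc> <expected-fpr> <file> <own-fpr>
if [ "$#" -eq 4 ]; then
  import_verified "$1" "$2" &&
    encrypt_and_sign "$3" "$(key_file_fingerprint "$1")" "$4" &&
    export_own_key "$4" "my-public-key.asc"
fi
```

Decrypting the resulting .gpg file requires the private key of one of the listed recipients; a keyring that holds only the public keys cannot open it.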
