If you’re concerned about online and electronic privacy, encryption is the best tool for setting your mind at ease. By using strong encryption, you can make sure that your data is safe from prying eyes and that only the people you choose can read it. One of the most common methods for encrypting e-mail and files is PGP, and this article will guide you through what it is, what it’s good for, and how to use it.
What Is PGP?
PGP stands for “Pretty Good Privacy,” and it’s most often used for sending encrypted messages between two people. Each user has a key pair: a public key, which can be handed out freely, and a private key, which never leaves its owner. To send someone a message, you encrypt it with their public key; when they receive it, they decrypt it with their private key, which only they hold.
This arrangement makes sending encrypted messages easy, because all a sender needs is the recipient’s public key and a PGP-capable program. It’s also safe, because only the matching private key can decrypt the message, and that key should be protected by a passphrase (most PGP tools ask for one when you create the key) so that a stolen key file is useless on its own.
In addition to encryption, PGP also provides digital signatures. You sign a message with your private key, and anyone holding your public key can check the signature. This tells the recipient two things: that the message really came from you, and that it has not been altered since you signed it. If even a single character changes, the signature fails to verify, alerting the recipient to foul play. In practice a message is usually signed first and then encrypted, so the recipient decrypts it and checks the signature in one step.
The mathematical mechanics of PGP are extremely complicated, but the diagram below will give you a general idea of how the system works.
Throughout this article, I’ll be discussing both PGP and GNU Privacy Guard (GnuPG, or GPG). GPG is a free, open-source implementation of the OpenPGP standard (the message and key format that PGP defined), so the two interoperate and work on the same principles. Unless you’re going to be buying a PGP-branded product from Symantec, which acquired PGP Corporation and the PGP trademark in 2010, you’ll likely be using GPG.
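Here is that whole flow run end to end with GnuPG’s command-line tool, as an added example (this script is mine, not code from the article or from the GnuPG project). It assumes gpg 2.1 or later, uses a throwaway keyring that holds both Alice’s and Bob’s key pairs, and creates the keys without a passphrase so it can run unattended; the names and addresses are made up.

```shell
#!/bin/sh
# Added example, not code from the article: the PGP message flow run with GnuPG.
# Alice signs with her private key and encrypts to Bob's public key; Bob decrypts
# with his private key while GnuPG checks Alice's signature; then a one-character
# edit to a signed file is shown to break the signature.
# Assumptions of this demo: gpg 2.1 or later is installed, both key pairs live in
# one throwaway keyring, and the keys have no passphrase so the script can run
# unattended (a real key should have one).
set -u

# gpg with the flags needed for unattended use.
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

pgp_roundtrip_demo() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    d=$GNUPGHOME

    # Step 1: one public/private key pair per person (names and addresses are made up).
    g --quick-gen-key "Alice <alice@example.com>" default default never 2>/dev/null
    g --quick-gen-key "Bob <bob@example.com>" default default never 2>/dev/null

    # Step 2: Alice signs with her private key and encrypts to Bob's public key.
    printf 'Meet at noon. Bring the documents.\n' > "$d/msg.txt"
    g --local-user alice@example.com --recipient bob@example.com \
      --sign --encrypt --armor --output "$d/msg.asc" "$d/msg.txt"

    # Step 3: Bob decrypts with his private key; GnuPG verifies Alice's signature
    # with her public key. --status-fd 1 emits machine-readable lines such as
    # "[GNUPG:] GOODSIG <keyid> Alice <alice@example.com>".
    roundtrip=failed
    if g --status-fd 1 --output "$d/decrypted.txt" --decrypt "$d/msg.asc" 2>/dev/null \
         | grep -q '^\[GNUPG:\] GOODSIG' && cmp -s "$d/msg.txt" "$d/decrypted.txt"; then
        roundtrip=ok
    fi

    # Step 4: a detached signature over the plaintext, verified before and after
    # changing a single character ("documents" -> "document").
    g --local-user alice@example.com --detach-sign --output "$d/msg.sig" "$d/msg.txt"
    untouched=bad
    g --verify "$d/msg.sig" "$d/msg.txt" 2>/dev/null && untouched=good
    printf 'Meet at noon. Bring the document.\n' > "$d/msg.txt"
    tampered=good
    g --status-fd 1 --verify "$d/msg.sig" "$d/msg.txt" 2>/dev/null \
      | grep -q '^\[GNUPG:\] BADSIG' && tampered=bad

    gpgconf --kill gpg-agent 2>/dev/null
    printf 'roundtrip=%s signature_untouched=%s signature_tampered=%s\n' \
        "$roundtrip" "$untouched" "$tampered"
}

pgp_roundtrip_demo
```

Run it and the last line should read `roundtrip=ok signature_untouched=good signature_tampered=bad`. Note that the signature check in step 3 only means something because Alice’s public key is already in the keyring; with a stranger’s key you would get a “good” signature from an unverified identity, which is what the fingerprint check later in the article guards against.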
How Secure Is PGP?
While it’s impossible to say that any particular encryption method is 100% secure, PGP is generally regarded as being extremely safe. The two-key system, digital signatures, and the fact that OpenPGP is an open standard with an open-source implementation (GnuPG) that has been heavily vetted by the public all contribute to its reputation as one of the best encryption protocols. Bruce Schneier once called PGP “the closest you’re likely to get to military-grade encryption,” and PGP.net says that there are “no practical weaknesses.” That reputation applies to the cryptography itself; when PGP fails people in practice, it is usually because a private key was mishandled or a public key was never verified, which is why the key-handling steps later in this article matter.
Edward Snowden used PGP to send files to Glenn Greenwald when he broke the story that kicked off a lot of interest in encryption. And if it’s good enough for Snowden, it’s good enough for most—if not all—of the other people who need to encrypt things.
Different types of encryption algorithms can be used with PGP, though RSA is the most common choice for key pairs. If you’ve never heard of RSA encryption, rest assured that it’s really, really strong. According to DigiCert, it would take a standard desktop computer a number of quadrillions of years to break a 2048-bit RSA SSL certificate by brute force. That means that if you’d started trying at the time of the Big Bang, you wouldn’t finish before the end of the universe (check out The Strength of an SSL Certificate for some awesome visualizations of these facts). 2048-bit RSA has long been a common key size for PGP keys; current tools also offer 3072- and 4096-bit RSA and elliptic-curve keys, which are smaller and faster at equivalent strength.
A detail the key-size talk hides: PGP doesn’t encrypt your whole message with RSA. It generates a random one-time session key, encrypts the message with a fast symmetric cipher under that session key, and then encrypts only the session key with the recipient’s RSA public key. GnuPG has used CAST5 as that symmetric cipher (it was the default in older versions; current versions prefer AES). Although CAST5’s key size is 128 bits, which looks tiny next to a 2048-bit RSA key, the two numbers aren’t comparable: a 128-bit symmetric key has to be guessed outright, which no computer can do, while RSA keys must be far longer to resist factoring (NIST rates a 128-bit symmetric key as roughly equivalent to 3072-bit RSA). CAST5 is also approved for governmental use in Canada by the Communications Security Establishment. Nothing to sneeze at.
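To see that two-layer design for yourself, the following added example (not from the article or the GnuPG project) encrypts the same file twice with GnuPG, once with the default cipher and once with CAST5 forced, and then dumps the packet structure. It assumes gpg 2.1 or later and a throwaway keyring with a made-up, passphrase-less key.

```shell
#!/bin/sh
# Added example, not code from the article: looking inside a PGP message to see the
# two-layer design described above. The plaintext is encrypted with a fresh random
# session key under a symmetric cipher, and only that session key is encrypted with
# the recipient's public key. Assumptions of this demo: gpg 2.1 or later, one
# throwaway keyring with a passphrase-less key, and CAST5 forced on the second
# message purely for comparison (the first uses GnuPG's default, AES).
set -u

g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# The line in which GnuPG names the bulk cipher while decrypting $1. Verbose output
# goes to stderr and reads e.g. "gpg: AES256 encrypted data" (2.2) or
# "gpg: CAST5.CFB encrypted data" (2.3+); packet dump lines are filtered out.
bulk_cipher_line() {
    g -vv --decrypt "$1" 2>&1 >/dev/null | grep -i 'encrypted data' | grep -iv 'packet'
}

pgp_hybrid_demo() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    d=$GNUPGHOME
    g --quick-gen-key "Carol <carol@example.com>" default default never >/dev/null 2>&1
    printf 'The quick brown fox jumps over the lazy dog.\n' > "$d/plain.txt"

    # Same plaintext, same public key, two different symmetric ciphers for the bulk data.
    g --recipient carol@example.com --encrypt --output "$d/default.gpg" "$d/plain.txt" 2>/dev/null
    g --recipient carol@example.com --cipher-algo CAST5 --encrypt \
      --output "$d/cast5.gpg" "$d/plain.txt" 2>/dev/null

    # Packet layout: a public-key-encrypted session key packet (the RSA/ECC part)
    # followed by a symmetrically encrypted data packet (the bulk part).
    packets=$(g --list-packets "$d/default.gpg" 2>/dev/null)
    layout=other
    echo "$packets" | grep -q ':pubkey enc packet:' \
      && echo "$packets" | grep -q 'encrypted data packet:' && layout=hybrid

    default_cipher=other
    bulk_cipher_line "$d/default.gpg" | grep -qi 'aes' && default_cipher=aes
    forced_cipher=other
    bulk_cipher_line "$d/cast5.gpg" | grep -qi 'cast5' && forced_cipher=cast5

    gpgconf --kill gpg-agent 2>/dev/null
    printf 'layout=%s default_cipher=%s forced_cipher=%s\n' \
        "$layout" "$default_cipher" "$forced_cipher"
}

pgp_hybrid_demo
```

The `--list-packets` dump is the quickest way to confirm what a PGP file actually contains (who it was encrypted to, whether it is signed, which algorithms were used) before you decrypt it. GnuPG warns when a forced cipher violates the recipient’s stated preferences, which is why the second encryption sends its stderr to /dev/null.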
While cryptanalysts and crypto enthusiasts could argue all day over the best algorithm to use, GnuPG says that “GnuPG’s algorithms are so well-designed for what they do that there is no single ‘best.’ There’s just a lot of personal, subjective choice.”
Getting Started with PGP for E-mail in 4 Steps
1. Download PGP tools for your system.
Before you get into specific tools for using PGP, you have to install the PGP engine itself, which lets your computer handle the encryption and decryption. That engine is GnuPG, the open-source implementation of OpenPGP. The tool suites listed below bundle it with graphical front ends, but you can install just GnuPG if you want to use it only from the command line.
If you’re looking for a full suite of tools (as I’d recommend) on Windows, head over to Gpg4win and download the tools. If you’re on a Mac, download the tools from GPG Tools. Linux distributions generally ship the gpg command already; for a graphical front end, Linux users can install GPA. If you’re on Ubuntu Linux, you already have a front end installed: go to Passwords and Keys (Seahorse) to find it.
You’ll also need to make sure that you have the proper tools for your e-mail client. Apple’s Mail doesn’t speak PGP on its own, but the GPGMail plugin in GPG Suite adds it; Enigmail allows you to encrypt e-mail in Thunderbird (and Thunderbird 78 and later has OpenPGP support built in, with no add-on needed); and Mailvelope lets you use your PGP keys for webmail. Other PGP mail tools exist, but you should be able to use one of these three to get started.
2. Generate your public and private keys.
Depending on the software you use, you’ll use different methods to generate new keys. In GPG Suite, you just have to click on “New.” You’ll enter some details, like your name, e-mail address, key type and size, and a passphrase that protects the private key. You’ll also have to decide whether or not to upload your public key to a key server.
In general, uploading is a good idea, as it will allow other people to find your public key and send you encrypted messages, even if you haven’t communicated previously. However, if you’re just getting started with PGP, you may want to hold off on uploading for a bit: keyservers never delete anything, so a key uploaded with a typo in the name or a mistaken e-mail address stays there forever. You can only mark it revoked, not remove it. For the same reason, keep the revocation certificate your tool generates (GnuPG 2.1 and later creates one automatically when the key is made) somewhere safe, so that you can still retire the key if you lose the private key or its passphrase.
3. Enable PGP in your e-mail client.
You’ll do this in different ways depending on your e-mail client; the best way to find out exactly what to do is to look in the help files for your app. In most cases the client will pick up your keys automatically once you’ve installed the correct set of tools for your operating system.
GPG Suite automatically installs the add-on for Apple Mail, meaning you don’t have to do anything at all; you’ll just see a couple of extra icons when you open up the app. Enigmail creates a new menu called “OpenPGP” in Thunderbird, and you can add your accounts there. And Mailvelope can be installed as a browser extension (Chrome or Firefox), making it easy to open up and configure.
4. Get public keys for your contacts.
At this stage, you’re ready to send PGP-encrypted and digitally signed e-mails! However, there’s one more important step. To encrypt an e-mail to someone, you need their public key (and they need yours to reply). The easiest way to get one is to exchange keys directly: in an e-mail, via IM, on Twitter, or posted on a website. Because only the private key can decrypt a message, there’s no risk in posting your public key online.
You can also search for your friend on a keyserver. GPG Keychain Access, part of GPG Tools, allows you to search for keys from directly within the app. You can also go to keyserver websites, such as the PGP Global Directory or the MIT PGP Public Key Server. Once you’ve found a key for your contact, download it and import it into your app using the specific procedures required. One caveat: keyservers don’t check that whoever uploaded a key actually owns the name and address on it, so before you rely on a key, compare its fingerprint (the 40-character hex string your tool shows for it) with one your contact gives you some other way, such as over the phone or in person. Only then sign the key or mark it as trusted.
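The fingerprint check is easy to automate. This added example (my script, not the article’s or GnuPG’s) plays both sides of a key exchange plus an impostor who generates a key bearing Bob’s name, using three throwaway keyrings with made-up, passphrase-less keys and gpg 2.1 or later. It also shows two things GnuPG does for you: it writes a revocation certificate when a key is created, and in batch mode it refuses to encrypt to a key whose owner you haven’t verified.

```shell
#!/bin/sh
# Added example, not code from the article: exchanging public keys and checking a
# key's fingerprint before trusting it. Three throwaway keyrings stand in for Bob's
# machine, Alice's machine, and an impostor who generates a key carrying Bob's name
# and address. The "expected" fingerprint is what Bob would read to Alice over the
# phone or print on a business card. Assumptions: gpg 2.1 or later, passphrase-less
# keys for unattended use, and made-up names and addresses.
set -u

# gpg against keyring $1 with the flags needed for unattended use.
g() { home=$1; shift; gpg --homedir "$home" --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }
new_keyring() { h=$(mktemp -d) && chmod 700 "$h" && echo "$h"; }

# Primary-key fingerprints (40 hex digits) of every key matching $2 in keyring $1.
# In --with-colons output the "fpr" record right after a "pub" record is the primary key's.
fingerprints() {
    g "$1" --with-colons --fingerprint "$2" 2>/dev/null \
      | awk -F: 'prev=="pub" && $1=="fpr" {print $10} {prev=$1}'
}

# Accept the key for $2 in keyring $1 only if its fingerprint equals $3 (obtained out
# of band); on a match, a local signature records that the check was done.
verify_and_trust() {
    if fingerprints "$1" "$2" | grep -qx "$3"; then
        g "$1" --quick-lsign-key "$3" >/dev/null 2>&1 && echo accepted
    else
        echo rejected
    fi
}

key_exchange_demo() {
    bob=$(new_keyring); alice=$(new_keyring); impostor=$(new_keyring)
    g "$bob" --quick-gen-key "Bob <bob@example.com>" default default never 2>/dev/null
    g "$alice" --quick-gen-key "Alice <alice@example.com>" default default never 2>/dev/null
    g "$impostor" --quick-gen-key "Bob <bob@example.com>" default default never 2>/dev/null

    # GnuPG 2.1+ stores a revocation certificate at generation time; keep it offline.
    revcert=missing
    ls "$bob"/openpgp-revocs.d/*.rev >/dev/null 2>&1 && revcert=present

    # Both "Bob" keys export fine and could sit on a keyserver under the same name.
    g "$bob" --armor --export bob@example.com > "$alice/bob.asc"
    g "$impostor" --armor --export bob@example.com > "$alice/other-bob.asc"
    expected=$(fingerprints "$bob" bob@example.com)

    # Importing is harmless; trusting is the gated step. The impostor's key fails the check.
    g "$alice" --import "$alice/other-bob.asc" 2>/dev/null
    impostor_result=$(verify_and_trust "$alice" bob@example.com "$expected")
    for f in $(fingerprints "$alice" bob@example.com); do
        [ "$f" = "$expected" ] || g "$alice" --delete-keys "$f" 2>/dev/null
    done

    g "$alice" --import "$alice/bob.asc" 2>/dev/null
    printf 'hello Bob\n' > "$alice/m.txt"
    # Before the check, batch-mode gpg refuses to encrypt to a key of unknown validity.
    before=ok
    g "$alice" --recipient bob@example.com --encrypt \
        --output "$alice/m.gpg" "$alice/m.txt" 2>/dev/null || before=refused
    real_result=$(verify_and_trust "$alice" bob@example.com "$expected")
    after=refused
    g "$alice" --recipient bob@example.com --encrypt \
        --output "$alice/m.gpg" "$alice/m.txt" 2>/dev/null && after=ok

    for h in "$bob" "$alice" "$impostor"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null; done
    printf 'revocation_certificate=%s impostor_key=%s real_key=%s encrypt_before_check=%s encrypt_after_check=%s\n' \
        "$revcert" "$impostor_result" "$real_result" "$before" "$after"
}

key_exchange_demo
```

The local signature (`--quick-lsign-key`) is the command-line equivalent of marking a key verified in a graphical tool: it never leaves your keyring, and it is what turns GnuPG’s “no assurance this key belongs to the named user” refusal into a successful encryption. The common shortcut, `--trust-model always`, skips exactly the check this script performs.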
All of this might sound like a lot of work, and it certainly can be. Fortunately, once you get the system set up and start getting used to the process, things start running a bit more smoothly and you’ll be firing off encrypted e-mails in no time. Some groups are trying to make the whole process easier for users, one of them being Keybase.io, a command-line and online service that we’ve discussed before.
PGP File Encryption
Although plenty of open-source, free e-mail encryption tools use PGP, the number of file-encryption options is much smaller.
GnuPG encrypts individual files directly (a folder is first packed into a single archive, with tar or zip, and the archive is then encrypted), though unless you’re comfortable with the command line, you’re probably best off downloading a graphical user interface (GUI) for it. Windows users can check out Cryptophane, and Mac and Linux users will likely want to use Seahorse.
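For command-line users, this added example (not from the article or the GnuPG project) shows one way to encrypt a whole folder with GnuPG: pack it with tar, encrypt the stream with a passphrase, and check that the result leaks nothing and that a wrong passphrase is rejected. It assumes gpg 2.1 or later, tar, a throwaway GNUPGHOME, and a passphrase and sample files made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the article: encrypting a whole folder with GnuPG.
# gpg encrypts one stream, so the folder is packed with tar and piped in. A
# passphrase (symmetric encryption, gpg --symmetric) is used so no key pair is
# needed, which suits backups you will open yourself; to encrypt for someone else
# replace --symmetric with --recipient <their address> --encrypt.
# Assumptions: gpg 2.1 or later, tar, a throwaway GNUPGHOME, and a passphrase and
# sample files made up for the demo.
set -u

# Pack directory $1 and encrypt the stream with passphrase $3 into file $2.
# AES256 is requested explicitly because the symmetric default varies by version.
encrypt_dir() {
    tar -C "$1" -cf - . | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase "$3" --symmetric --cipher-algo AES256 --output "$2"
}

# Decrypt archive $1 with passphrase $2 and unpack it into directory $3, without
# ever writing the plaintext archive to disk.
decrypt_dir() {
    mkdir -p "$3" && gpg --batch --quiet --pinentry-mode loopback --passphrase "$2" \
        --decrypt "$1" | tar -C "$3" -xf -
}

file_encryption_demo() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    work=$(mktemp -d)
    mkdir -p "$work/docs/sub"
    printf 'quarterly numbers: 42\n' > "$work/docs/report.txt"   # constructed sample files
    printf 'draft notes\n' > "$work/docs/sub/notes.txt"
    pass='correct horse battery staple'                          # constructed for the demo

    encrypt_dir "$work/docs" "$work/docs.tar.gpg" "$pass"

    # Neither file names nor contents from the folder are readable in the output.
    leak=none
    grep -a -q -e 'quarterly' -e 'report.txt' "$work/docs.tar.gpg" && leak=plaintext

    # A wrong passphrase is rejected outright (gpg exits non-zero, no partial output).
    wrong=accepted
    gpg --batch --quiet --pinentry-mode loopback --passphrase 'not it' \
        --decrypt "$work/docs.tar.gpg" >/dev/null 2>&1 || wrong=rejected

    # The right passphrase restores an identical directory tree.
    restored=differs
    decrypt_dir "$work/docs.tar.gpg" "$pass" "$work/restored" 2>/dev/null \
        && diff -r "$work/docs" "$work/restored" >/dev/null && restored=identical

    gpgconf --kill gpg-agent 2>/dev/null
    printf 'leak=%s wrong_passphrase=%s restored=%s\n' "$leak" "$wrong" "$restored"
}

file_encryption_demo
```

Passing the passphrase on the command line, as this script does for automation, exposes it to other users on the machine via the process list; for interactive use drop `--passphrase` and let gpg prompt for it.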
If you’re looking for official, PGP-branded encryption software, you’ll need to get it from Symantec. Because Symantec’s target market is made up largely of corporations, it can be quite expensive; their Drive Encryption software, which encrypts your hard drive using PGP, costs $110.
Cryptography Is Complicated: PGP Is Not
You don’t have to understand the complicated cryptomaths behind PGP to know that it’s a great encryption system. And you don’t have to be a computer genius to take advantage of it to encrypt your e-mails and files, significantly increasing your online and electronic safety. By downloading just a few tools, you can start encrypting sensitive information today.
Do you use PGP for encrypting e-mail or files? What are your favorite front-end programs for using the protocol? Post your thoughts and your favorite resources below so we can all learn more about it!