PGP: Defining Pretty Good Privacy & How PGP Encryption Works

Pretty good privacy (PGP) is an encryption program that uses a combination of public, private, and random keys to block data from prying eyes.

If you have sensitive data moving from one place to another, PGP could block it from view. And you could use the system to ensure you're dealing with a trusted communication partner that hasn't tampered with data. 

PGP was developed in 1991, and it was surrounded by plenty of controversy after its inception. The developer released the program as freeware, but a secondary company claimed ownership, and lawsuits were filed. 

Despite its inauspicious beginning, PGP took off within the security community. Since it was available for free, plenty of companies incorporated the concepts into their products. Now, PGP is the dominant method organizations use to ensure email security.

Pretty Good Privacy (PGP)

 

What Is PGP Used For? 

Any connected device sends and receives data throughout an average day. Security experts use all sorts of tools to keep communication secure. They lean on PGP for three very specific use cases. 

PGP is most often used for:

  • Digital signatures. Is the email in your inbox from someone you trust? Has the message been altered in transit?

    A digital signature (also known as authentication) answers those questions. PGP messages come with digital signatures, or a string of computer-generated bits the user can decode with a key.

  • Email encryption. Senders need a prior connection with a recipient to make this work. The two must exchange public keys, so the garbled message the recipient gets can be decoded and a proper response can come back. Protecting messages in transit is the goal.
  • File encryption. Protecting documents in transit is crucial, but sometimes, you must protect files at rest too. PGP functions, including some compatible with Microsoft products, allow users to protect single files, multiple documents, or all the items within a folder tree. 

Some people use PGP out of fear of government intrusion and spying. But as one blogger points out, plenty of average people lean on the technology to keep their communication safe. He cites:

  • Protected technology. A company building a million-dollar product might encrypt files to keep competitors away.
  • Surprises. A husband might encrypt an email about a wife's party, so she isn't alerted before the big day arrives.
  • Personal reasons. An employee might encrypt sensitive files stored on the public server.
  • Negotiations. Parties talking about costs, fees, and contracts might encrypt their discussions so the news doesn't leak. 

In general, PGP can be a great tool for anyone talking about sensitive, damaging, or secret items that could cause damage if released into wider consumption. 

How Does PGP Encryption Work?

As we mentioned, PGP can be used for all sorts of things, including file encryption. But since the technology is so closely associated with protecting email, that's the function we'll focus on here. 

Before getting started with a PGP-encrypted email, you'll need three things.

  1. A program: You can't make this work without some kind of technology. Some email programs have PGP built in, but if yours does not, you'll need to invest in the tool. (We'll talk about this in detail later.
  2. A public key: A string of numbers and letters, created by a computer, makes up your public key. Your communication partners need to know this information to send notes to you. Share it widely. You'll use this key to validate incoming messages and send encrypted messages.
  3. A private key: A string of numbers and letters related to your public key makes up your private key. Protect this carefully. You'll need it to work with PGP, but if the information is released, others can read your notes too. You'll use this key to sign outgoing messages and decrypt incoming messages.

When you're ready to send your first message, a predictable sequence begins.

  • Encryption: You use the recipient's public key to transform the message from plain text to scrambled ciphertext.
  • Sending: You send the note to your recipient, but no one can read it during transit.
  • Decryption: Your recipient uses a private key to translate the note. 

Some programs take security a step further. They create a session key, unique to each conversation, that is encrypted with the public key of the recipient. That encrypted key is the only thing sent to the recipient, and that person's private key decrypts the session key and then the message. 

And some people who are extremely concerned about security go even further. They require a quick phone call between the sender and the recipient to verify identities and keys.

Pros & Cons of PGP Encryption 

Email has been around for decades, and most of us send hundreds of notes each month. Do all of them need PGP protection? And are you missing out if you don't join in? 

Common benefits associated with PGP encryption include:

  1. Heightened security. At one point, people believed that PGP messages were impossible to decrypt without the proper codes. As police officers discovered in 2017, that's not true.

    With enough persistence and luck, encrypted notes can be read by outsiders. But PGP offers a layer of protection that ordinary email programs can't match.

  2. Speed. Once you're accustomed to using PGP encryption tools, sending and receiving messages becomes second nature. You won't notice the moments you spend encrypting and decrypting your files.
  3. Selectivity. You're not tied to encrypting every file on your computer or every email you send. Use the technology when you need to, and allow the rest of your work to go on as usual. 

Common drawbacks associated with PGP include:

  1. False sense of security. Hackers can get around PGP protections by digging into the way servers both send and store email. Companies must ensure that they've created a strong security boundary for all files rather than relying on PGP alone.
  2. Prior communication requirements. You can't send a protected note to just anyone. You must have that person's public key to start the conversation. If you don't have that piece, you can't get started.
  3. Risk of loss. If you misplace or forget your private key, you'll never be able to read the messages heading your way. If someone steals it, you're in even bigger trouble, as that person will read all of your notes. 

Some people experiment with a few instances of PGP encryption before they go all in. You might require it for something like a sensitive project or an upcoming party. If it works for you, then you could start incorporating it into more projects. 

Implementing PGP Encryption

While the technology surrounding PGP encryption is complex, getting started is often quite simple. 

You must choose a provider that can help protect your email and your files. Choose from:

  • Freeware. Download a program like ProtonMail, and you can protect your files without paying a dime. You'll need a specific ProtonMail address, as the tech won't play with your existing programs. Most freeware works like this.
     
  • Extensions. Choose a tool like Thunderbird, and you can continue with your existing programs while protecting your communication.
     
  • Built-ins. Some email programs and websites have PGP encryption built in. Look for the tools under drop-downs labeled "security" or "privacy."

Everyone has different needs and preferences, so citing the "best" program is difficult. But in general, good PGP solutions are easy to use but come with robust customer service options, so you can reach out if you get stuck.

Frequently Asked Questions

Journalists and those with intense security demands often use PGP. Unfortunately, terrorists use the technology too. But anyone who wants to keep private conversations private could benefit from investing in the technology. 

Experiment with tools and see which offers the benefits you need at a price you're willing to pay.

Some PGP encryption tools offer certificates to verify the authenticity of keys and their owners. Different levels of certificates exist, with level 0 meaning that only the key is certified and level 1 meaning both the owner and the key are verified.

Yes. Some advocates believe in a so-called "circle of trust," in which web users know one another and can verify message authenticities quickly. If plenty of people accept PGP technologies, keys will be widely shared and saved. That could help to eliminate the Zero Trust model.

Help From Okta 

Protect your sensitive information with Okta’s PGP key solution. We'd love to show you how it works and how it can help keep your company's data safe and secure. Contact us and let's get started.

References

History. (August 2016). OpenPGP.

Pretty Good Privacy (PGP) and Digital Signatures. (October 2020). Linux Journal. 

PGP Encrypt File. (May 2019). Microsoft. 

PGP Key Encryption. (July 2017). David E. Ross. 

Police Hack PGP Server with 3.6 Million Messages From Organized Crime BlackBerrys. (March 2017). ZD Net. 

People Are Freaking Out that PGP is 'Broken,' but You Shouldn't Be Using It Anyway. (May 2018). Vice. 

How to Use PGP. ProtonMail. 

Secure Your Emails in 5 Minutes Using PGP. (September 2018). The Startup. 

Cypher Wars. (November 1994). Wired.