Table of contents
- What is PGP and why does it matter
- How PGP works: public-key encryption explained
- OpenPGP: the open standard for PGP
- How secure is PGP?
- PGP and email: a perfect match for privacy
- Advantages and limitations of using PGP today
- Real-world use cases
Ensuring the confidentiality and integrity of digital communications is essential. PGP (Pretty Good Privacy) is one of the most powerful and long-standing tools for protecting online communications, especially email.
Developed in the early 1990s, PGP has become the de facto standard for public-key encryption, further developed and standardized through OpenPGP.
This article will walk you through what PGP is, how it works on a technical level, what security guarantees it offers, and how you can implement it in your daily communication, particularly via email.
What is PGP and why does it matter
PGP (Pretty Good Privacy) is a historic and powerful public-key encryption software created in 1991 by Phil Zimmermann.
Back then, the idea of securing your personal digital messages was revolutionary. Zimmermann developed PGP as a way to protect citizens’ privacy, especially from unauthorized government surveillance or corporate snooping.
Originally, PGP was a standalone tool available for UNIX and MS-DOS, and it quickly gained popularity. Its strong cryptography raised concerns with the U.S. government, which launched an investigation against Zimmermann for allegedly exporting military-grade encryption without authorization.
Today, PGP is no longer just software—it’s a method used in several open-source solutions (like GnuPG) and commercial tools (like Symantec Encryption Desktop), and has become synonymous with secure personal encryption.
The core idea: dual-key cryptography
What sets PGP apart is its use of asymmetric encryption. Each user has a pair of keys:
- A public key: openly shared with others, who use it to encrypt messages to you.
- A private key: kept secret and used to decrypt messages and to digitally sign outgoing messages.
This architecture allows you to communicate securely without ever needing to exchange private secrets (like a password) over insecure channels.
Practical example: how PGP works in practice
Suppose you want to send a confidential message to John. First, you import his public key and then encrypt your message:
# Import John's public key
gpg --import john_public.asc
# Encrypt and sign the message
gpg --encrypt --sign --recipient john@example.com message.txt
This produces an encrypted file message.txt.gpg that only John can decrypt using his private key:
# John decrypts the message
gpg --decrypt message.txt.gpg
In addition to reading the content, John can verify your digital signature to ensure the message hasn’t been altered and really came from you.
How PGP works: public-key encryption explained
The core of PGP lies in asymmetric cryptography, a method that uses a mathematically linked key pair: one public key and one private key.
Unlike symmetric encryption (where the same key encrypts and decrypts), asymmetric encryption allows for secure message exchange without sharing a common secret beforehand.
The full process in detail
- Key Pair Generation
Every user generates a key pair. The public key is freely shared, while the private key is kept secure and confidential.
gpg --gen-key
You’ll be prompted to enter your name, email, and a passphrase. The result is your PGP key pair.
- Message Encryption
The sender encrypts the message using the recipient’s public key. Only the matching private key can decrypt it.
gpg --encrypt --recipient john@example.com message.txt
- Digital Signature
The sender digitally signs the message using their private key. This guarantees the message was sent by them and has not been altered.
gpg --sign message.txt
Or encrypt and sign at once:
gpg --encrypt --sign --recipient john@example.com message.txt
- Sending and receiving
The encrypted file (message.txt.gpg) can now be sent safely via email or any other method. Anyone intercepting it cannot read its contents without the recipient’s private key.
- Decryption and verification
The recipient uses their private key to decrypt the message. If it was signed, they can use the sender’s public key to verify the message’s authenticity.
gpg --decrypt message.txt.gpg
If the message was signed, GPG will notify the user whether the signature is valid and to whom it belongs.
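A valid signature only proves which key signed, not whether that key belongs to the sender you expect or is trusted in your Web of Trust, so the check at the last step is worth automating. The Python example below is added here (it is not code from the article or from GnuPG) and interprets the machine-readable lines gpg prints when run with --status-fd 1 (for example gpg --batch --status-fd 1 --decrypt message.txt.gpg); the status text, key IDs and fingerprints are constructed placeholders, and the accept rule (good signature, expected fingerprint, key validity at least full) is this example's own policy.

```python
# Constructed sample of the status lines gpg emits with --status-fd (not a real
# run); key IDs, fingerprints and the user ID below are placeholders.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS_OK = f"""[GNUPG:] ENC_TO 1122334455667788 1 0
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG 89ABCDEF01234567 Alice Example <alice@example.com>
[GNUPG:] VALIDSIG {EXPECTED_FPR} 2024-07-03 1720000000 0 4 0 1 10 01 {EXPECTED_FPR}
[GNUPG:] TRUST_FULLY 0 pgp
"""
SAMPLE_STATUS_UNTRUSTED = SAMPLE_STATUS_OK.replace("TRUST_FULLY", "TRUST_UNDEFINED")
SAMPLE_STATUS_BAD = SAMPLE_STATUS_OK.replace("GOODSIG", "BADSIG")

# Web-of-Trust validity levels gpg reports for the signing key, weakest first.
TRUST_RANK = {"TRUST_NEVER": 0, "TRUST_UNDEFINED": 1, "TRUST_MARGINAL": 2,
              "TRUST_FULLY": 3, "TRUST_ULTIMATE": 4}

def assess_status(status_text: str, expected_fpr: str) -> dict:
    """Turn gpg --status-fd output into a verdict. 'accept' is True only when
    decryption succeeded, the signature is GOODSIG, the signing key's fingerprint
    (from VALIDSIG) is the one expected for this sender, and the key's validity
    is at least TRUST_FULLY. GOODSIG alone only says "some key signed this"."""
    r = {"decrypted": False, "signature": "missing", "signer": None,
         "fingerprint": None, "trust": None, "accept": False}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # anything else is human-readable noise
        parts = line[len("[GNUPG:] "):].split(" ", 2)
        keyword = parts[0]
        if keyword == "DECRYPTION_OKAY":
            r["decrypted"] = True
        elif keyword == "GOODSIG":
            r["signature"], r["signer"] = "good", parts[2] if len(parts) > 2 else None
        elif keyword in ("BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            r["signature"] = "bad"        # tampered, or an expired/revoked key
        elif keyword == "ERRSIG":
            r["signature"] = "unverifiable"   # e.g. signer's public key not present
        elif keyword == "VALIDSIG":
            r["fingerprint"] = parts[1].upper()
        elif keyword in TRUST_RANK:
            r["trust"] = keyword
    r["accept"] = (r["decrypted"] and r["signature"] == "good"
                   and r["fingerprint"] == expected_fpr.upper()
                   and TRUST_RANK.get(r["trust"], -1) >= TRUST_RANK["TRUST_FULLY"])
    return r
```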
Technical note
The cryptographic strength of PGP is very high, but depends on:
- Key length (e.g., 2048- or 4096-bit RSA)
- Strength of the passphrase
- Physical protection of the device (to prevent key theft)
OpenPGP: the open standard for PGP
As digital privacy concerns grew, it became clear that PGP needed to evolve from a standalone tool into an open protocol that could be adopted by developers worldwide and ensure cross-platform compatibility.
That’s how OpenPGP was born—an open cryptographic standard defined and maintained by the Internet Engineering Task Force (IETF) through RFC 4880. OpenPGP isn’t a software product, but a specification that outlines:
- The format for encrypted and signed messages
- How to generate, manage, and revoke keys
- The use of digital signatures
- Which cryptographic algorithms to use (RSA, DSA, AES, SHA, etc.)
Because of this open specification, OpenPGP enabled the development of a family of interoperable tools, all capable of securely exchanging messages with each other.
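To show what "the format for encrypted and signed messages" means at the byte level, here is a small parser added for this article (it is not the article's own code nor any OpenPGP implementation) for the packet headers defined in RFC 4880 section 4.2, handling both the old- and new-format header styles; SAMPLE_MESSAGE is a hand-built Marker packet followed by a Literal Data packet, not real gpg output.

```python
# Packet tag numbers from RFC 4880 section 4.3 (subset).
TAG_NAMES = {1: "Public-Key Encrypted Session Key", 2: "Signature", 6: "Public Key",
             8: "Compressed Data", 9: "Symmetrically Encrypted Data", 10: "Marker",
             11: "Literal Data", 13: "User ID", 14: "Public Subkey",
             18: "Sym. Encrypted and Integrity Protected Data"}

def parse_packets(data: bytes) -> list:
    """Split an OpenPGP message into (tag, name, body) tuples (RFC 4880 section 4.2).
    Old-format headers carry the tag in bits 5..2 and a length type in bits 1..0;
    new-format headers carry the tag in bits 5..0 and a 1-, 2- or 5-octet length.
    Partial and indeterminate body lengths are rejected rather than guessed."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError(f"bit 7 clear at offset {pos - 1}: not a packet header")
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:                              # one-octet length
                length = first
            elif first < 224:                            # two-octet length
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:                           # five-octet length
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
            if length_type == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[length_type]
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet body")    # never accept a short read
        pos += length
        packets.append((tag, TAG_NAMES.get(tag, "Unknown"), body))
    return packets

def parse_literal_data(body: bytes) -> dict:
    """Decode a Literal Data body: format octet, filename, 4-byte date, payload."""
    n = body[1]
    return {"format": chr(body[0]), "filename": body[2:2 + n].decode("utf-8", "replace"),
            "date": int.from_bytes(body[2 + n:6 + n], "big"), "data": body[6 + n:]}

# Constructed sample, not real gpg output: a Marker packet (old-format header 0xA8 = tag 10,
# one-octet length, body "PGP") then a Literal Data packet (0xCB = new-format tag 11, "hello").
SAMPLE_MESSAGE = bytes.fromhex("a8 03 50 47 50") + bytes.fromhex("cb 0b 62 00 00000000") + b"hello"
```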
Examples of OpenPGP-compatible software
- GnuPG (GPG): the most widely used and fully open-source implementation, available for Linux, macOS, and Windows.
- Enigmail: a former plugin for Mozilla Thunderbird (OpenPGP support is now integrated natively).
- Kleopatra: a graphical frontend for GPG, popular on Windows.
- Mailvelope: a browser extension (for Chrome and Firefox) that brings OpenPGP encryption to webmail platforms like Gmail.
All these tools follow the same standard, meaning you can encrypt an email with GPG on Linux and decrypt it with Mailvelope in Chrome on Windows without issues.
Why standardization matters
Before OpenPGP, secure communication required both sender and recipient to use the exact same software. Now, thanks to this shared standard, users can:
- Use different tools with full compatibility
- Ensure code transparency and security auditing
- Avoid vendor lock-in
- Support the growth of open-source encryption
That’s why OpenPGP is now a cornerstone of modern cyber security, especially for applications involving trust, authentication, and secure communication.

How secure is PGP?
PGP has a long-standing reputation in the cybersecurity community due to its robust design and use of strong cryptographic algorithms.
Widely adopted by journalists, companies, whistleblowers, and privacy-conscious users, it ensures confidentiality, message integrity, and authenticity.
Here’s why PGP is considered secure:
Strong encryption
PGP uses well-established cryptographic algorithms:
- RSA (Rivest-Shamir-Adleman): used for both encryption and digital signatures. Key sizes of 2048–4096 bits provide strong protection.
- DSA (Digital Signature Algorithm): used for digital signatures only.
- ElGamal: an alternative for asymmetric encryption.
- AES (Advanced Encryption Standard): used for symmetric encryption of the message payload. Considered secure even by national agencies.
Example to inspect key algorithms:
gpg --list-keys --with-fingerprint --with-subkey-fingerprint
Message integrity
PGP ensures the integrity of messages using secure hash functions like SHA-256 or SHA-512. Any alteration of the message invalidates its signature.
Signature immutability
Each signed message is linked to the sender’s private key. If even a single character is changed, signature verification will fail. For a detached signature (message.txt.sig, created with gpg --detach-sign message.txt), verification is:
gpg --verify message.txt.sig message.txt
Web of Trust
Unlike centralized SSL certificates, PGP employs a decentralized trust model called the Web of Trust, where users sign each other’s keys to create a network of distributed trust without needing a central authority.
PGP Security Limitations
Despite its technical strength, PGP has several practical weaknesses:
Usability challenges
PGP isn’t user-friendly. Key generation, management, and message signing/encryption require technical knowledge, limiting its popularity among non-expert users.
Side-channel attacks
Side-channel attacks exploit physical vulnerabilities:
- Tempest attacks: monitor electromagnetic emissions.
- Cold Boot attacks: extract encryption keys from RAM after reboot or shutdown.
Metadata exposure
PGP does not encrypt metadata like:
- Subject line
- Sender and recipient addresses
- Timestamps
To hide metadata, users must encrypt the entire message as an attachment and keep the email body generic (e.g., “See attached”).
PGP and email: a perfect match for privacy
One of the most common and practical uses of PGP is to secure email communication, which remains one of the most prevalent—and vulnerable—ways of exchanging sensitive information.
With PGP, email privacy is strengthened in three essential ways:
Benefits of encrypting email with PGP
- Encrypting the message content: only the recipient, using their private key, can read the email. To anyone else it looks like encrypted gibberish.
- Digitally signing the email: the sender uses their private key to apply a cryptographic signature. The recipient verifies it with the sender’s public key, ensuring the message is authentic and untampered.
- Verifying message integrity: because the author signed the message with their private key, the recipient, using the sender’s public key, can verify its authenticity and know that it has not been altered.
Practical example: using PGP with Thunderbird
One of the easiest ways to use PGP for email is via Mozilla Thunderbird, which now includes native OpenPGP support (no more need for the Enigmail plugin).
Step-by-step instructions:
- Download and install Thunderbird: it’s free and available for Windows, macOS, and Linux.
- Open “Account Settings” → “End-to-End Encryption”: here you can generate a new key pair or import existing keys.
- Compose a new message. In the composition window, enable:
  - “Encrypt this message”
  - “Digitally sign this message”
- Send your message.
- The recipient decrypts the content with their own private key and, if they have your public key, verifies the signature.
This approach is extremely valuable for professionals handling confidential communications such as lawyers, healthcare providers, or corporate staff.
Legal relevance: GDPR compliance
In the European Union, using PGP for email can help organizations comply with the General Data Protection Regulation (GDPR), specifically:
- Article 32: requires technical measures like encryption to protect personal data.
- Article 5: enforces the principle of integrity and confidentiality.
Advantages and limitations of using PGP today
Although PGP is one of the most reliable tools for protecting digital communications, its use is not always easy or immediate. Below we analyze the pros and cons of its use today, both in personal and professional contexts.
Advantages
High cryptographic strength
PGP uses algorithms such as RSA, DSA, ElGamal, and AES-256, delivering security levels that are currently considered extremely resistant to brute-force attacks. It remains one of the most secure tools available when used correctly.
Global adoption
PGP and OpenPGP are widely adopted across the globe. From NGOs to government institutions, PGP sees international use across sectors and countries.
Open-source software
Most PGP implementations, like GnuPG, are open-source. This guarantees transparency, peer review, and independence from proprietary systems—important features for privacy-focused users.
No reliance on third-party servers
With PGP, users aren’t forced to rely on centralized services for encryption or signing. This eliminates risks related to compromised cloud systems and ensures user autonomy.
Limitations
Complex usability for non-technical users
PGP can be confusing for users unfamiliar with cybersecurity: key management, signing, and encrypting aren’t exactly beginner-friendly. Even simpler tools like Mailvelope require some initial learning.
No protection of metadata
PGP does not encrypt metadata such as the email subject, recipient address, or timestamp. Even with content encryption, these contextual clues remain exposed to observers.
Key management can be difficult
Handling, exporting, revoking, and signing keys require care and discipline. Losing your private key means losing access to all encrypted messages. This is a critical operational risk.
Limited mobile and webmail support
Many browser-based email clients (like Gmail) and mobile apps don’t natively support PGP. Though browser extensions (like Mailvelope) and mobile apps (like OpenKeychain) exist, the experience is often less intuitive than on desktop platforms.
Real-world use cases
Despite the stereotype, PGP isn’t just for nerds or hackers. It’s a vital tool for protecting human rights, ensuring safety, and securing confidential communication, particularly in high-risk environments.
Here are some real-world examples where PGP makes a real impact:
Investigative journalists protecting sources
In many countries, journalists face persecution or worse for exposing the truth. PGP helps them communicate securely with their sources, ensuring anonymity and confidentiality, even under strict surveillance.
For example, WikiLeaks used PGP to communicate with whistleblowers like Chelsea Manning, enabling the release of the “Cablegate” documents.
Lawyers communicating with clients
The attorney-client relationship is based on strict confidentiality. PGP allows lawyers to exchange legal opinions, evidence, and contracts without risk of interception, in compliance with professional secrecy laws.
Whistleblowers reporting wrongdoing
Whistleblowers face serious risks, including retaliation and legal threats. PGP provides them with a secure channel to report misconduct to journalists, regulators, or NGOs.
Edward Snowden popularized PGP through secure communications with journalists like Glenn Greenwald during the NSA revelations.
Political activists in repressive regimes
In countries where free speech is criminalized, PGP is often the only means of coordinating actions, sharing information, and communicating with the outside world safely.
Pro-democracy activists in Hong Kong and dissidents in Iran and Russia have relied on PGP to evade government surveillance.
Companies managing sensitive data or trade secrets
In the corporate world, PGP protects intellectual property, sensitive negotiations, internal strategy, and employee/client data. It’s especially used in legal, financial, healthcare, and industrial sectors.
One common thread: privacy otherwise impossible
In all these cases, PGP is often the only tool that provides a level of privacy, authenticity, and message integrity that would be technically impossible to achieve without expensive private infrastructure.
Questions and answers
- What is PGP? A data encryption method that uses public and private key pairs to secure communications.
- Is PGP free? Yes, open-source tools like GnuPG are based on the OpenPGP standard.
- How do I use PGP with email? Encrypt messages with the recipient’s public key and sign them with your private key.
- Does PGP protect attachments? Yes, if encrypted with the message.
- What’s the difference between PGP and OpenPGP? OpenPGP is the open standard on which modern PGP implementations are based.
- Is PGP safe from hackers? Yes, when used properly with secure key storage.
- Can I use PGP on mobile devices? Yes, with apps like OpenKeychain (Android) or iPGMail (iOS).
- Is PGP legal? Generally yes, though some countries restrict strong encryption.
- How can I get someone’s public key? From public keyservers or direct, secure exchange.
- What if I lose my private key? You can no longer decrypt messages, so always keep backups in a secure place.