Understanding PGP (Pretty Good Privacy)

Privacy and digital security are essential concepts in today’s world. Pretty Good Privacy (PGP) is a powerful tool that allows us to protect our communications and data from prying eyes. Despite its humble name, PGP is one of the most reliable and widely used solutions to ensure confidentiality, integrity, and authenticity in digital environments.

What is PGP?

PGP is an encryption system that combines symmetric and asymmetric cryptography to secure information. It was developed in 1991 by Phil Zimmermann as a free tool to encrypt emails and files. Since then, it has evolved and is available in both commercial and open-source implementations (such as GPG, GNU Privacy Guard).

The main functions of PGP are:

Confidentiality: Encrypting messages so only the recipient can read them.

Authenticity: Verifying the sender’s identity through digital signatures.

Integrity: Ensuring that the message has not been altered during transmission.

How Does PGP Work?

PGP uses a public and private key system based on asymmetric cryptography. Each user generates a pair of keys:

  • Public Key: Shared with others so they can send encrypted messages to the owner of the key.

  • Private Key: Kept secret and used to decrypt messages and create digital signatures.

When you send an encrypted message with PGP:

1.The message is encrypted using a randomly generated symmetric key.

2.This symmetric key is then encrypted with the recipient’s public key.

3.The encrypted message and the encrypted symmetric key are sent to the recipient.

The recipient uses their private key to decrypt the symmetric key and then uses it to decrypt the original message.

Practical Use Cases

Email Protection: PGP is commonly used to encrypt emails, ensuring only the recipient can read them.

File Authentication: Digitally signing documents guarantees they come from the original source and haven’t been modified.

Secure File Sharing: Encrypting sensitive files before sharing them on cloud storage services.

Getting Started with PGP

1. Install a PGP Implementation

To begin, you’ll need a PGP implementation such as GPG (GNU Privacy Guard). It’s available for most operating systems:

On Windows: Download and install Gpg4win, which includes Kleopatra, an intuitive key manager.

On macOS: Download GPGTools, which includes GPG Suite for seamless OS integration.

On Linux: Use your distribution’s package manager, for example:

On Debian/Ubuntu: sudo apt install gnupg
On Fedora: sudo dnf install gnupg
On Arch: sudo pacman -S gnupg

2. Generate Your Key Pair

Once GPG is installed, generate a key pair:

gpg --full-generate-key

Select the type of key (generally RSA and RSA), key length (4096 is a good option for stronger security), and set an expiration date if desired. Also, provide your name and email address to associate with the key.

3. Export Your Public Key

To share your public key with others:

gpg --export --armor "your_email@example.com" > public-key.asc

You can send the generated file to your contacts or upload it to a key server.

4. Encrypt and Decrypt Messages

Encrypt a message for a recipient:

echo "This is a secret message" | gpg --encrypt --armor --recipient "recipient_email@example.com" > encrypted-message.asc

Decrypt a received message:

gpg --decrypt encrypted-message.asc

5. Sign and Verify Messages

Sign a message:

echo "Important message" | gpg --clearsign > signed-message.asc

Verify a signature:

gpg --verify signed-message.asc

What is a fingerprint and what is it used for?

The fingerprint of a PGP key is a short and unique representation of the full public key. It is generated using a hash algorithm that condenses the key’s information into an alphanumeric string, making verification and authentication easier. Since public keys can be long and difficult to compare manually, the fingerprint provides a quick and reliable way to confirm whether a key is legitimate.

In practice, the fingerprint is used to verify that a public key has not been altered or replaced by a third party. By sharing only the fingerprint on websites, social media, or email signatures, users can compare this string with the fingerprint of the public key they have downloaded and ensure they match. This helps prevent man-in-the-middle attacks and enhances security in encrypted communication.

Identity Verification:

  • Allows others to confirm that the public key they are using truly belongs to you and has not been modified by an attacker (man-in-the-middle attack).
  • By sharing only the fingerprint, the other person can compare it with the fingerprint of the public key they downloaded and ensure it is the correct one.

Quick Reference Method:

  • Public keys can be long and difficult to share, but the fingerprint is short and easy to verify.
  • It is useful in conversations or conferences when you need to confirm a key quickly.

Integrity on Websites and Social Media:

  • You can publish it on your website or social media so others can use it to verify your public key before sending you encrypted messages.
  • This prevents someone from creating a fake key with your name and deceiving others.

Should I publish my public key or just the fingerprint on my website?

It depends on the purpose:

If you only want people to verify your key:

  • Publish only the fingerprint.
  • Example on your website: 
My PGP Public Key: Fingerprint: ABCD EFGH IJKL MNOP QRST UVWX YZ12 3456 7890 1234

If you want to make it easy for people to send you encrypted messages:

  • Also publish the full public key or a link to download it.
  • Example on your website: 
My PGP Public Key: Fingerprint: ABCD EFGH IJKL MNOP QRST UVWX YZ12 3456 7890 1234 Download my public key here: [Link to .asc file]

Best practice:

Publish both (the fingerprint and the full public key or a link to it). This way, anyone who wants to communicate securely with you can verify the authenticity before using it.

What is uploading a public key to a key server?

Uploading a public key to a key server means storing it in a public database where anyone can search for it and download it to communicate with you securely using PGP. Key servers allow others to verify your identity and encrypt messages without requiring you to send the key manually.

Some commonly used key servers include:

  • keys.openpgp.org (Recommended, as it requires email verification and prevents fake keys).
  • pgp.mit.edu (Historical, but has issues with key deletion).
  • keyserver.ubuntu.com (Popular and widely used in Linux systems).

How to upload your public key to a key server

Using the command line (Mac/Linux)

1. Find your public key ID

Open the terminal and run: 

gpg --list-keys

You will see an output similar to this: 

pub   rsa4096 2024-01-24 [SC]
      1234ABCD5678EFGH9012IJKL3456MNOP7890QRST
uid   [ultimate] Your Name <your@email.com>

The key ID is the long sequence (example: 1234ABCD5678EFGH9012IJKL3456MNOP7890QRST), or you can use the last 8 characters (7890QRST).

2.Upload the public key to a server

To upload the key to keys.openpgp.org (recommended):

gpg --keyserver keys.openpgp.org --send-keys 7890QRST

To upload it to keyserver.ubuntu.com:

gpg --keyserver keyserver.ubuntu.com --send-keys 7890QRST

3.Verify that the key has been uploaded successfully
You can search for your key on the server:

gpg --keyserver keys.openpgp.org --search-keys your@email.com

Using Kleopatra (Graphical Interface on macOS/Linux/Windows)

  1. Open Kleopatra and ensure your public key appears in the list.
  2. Select your key and click on Export to a key server.
  3. Choose the key server (keys.openpgp.org is recommended).
  4. Upload the key and follow any email verification steps required by the server.

Important Considerations

  • You cannot delete a key once it has been uploaded (except on keys.openpgp.org, where you can revoke it).
  • If you upload an incorrect key, you can upload a new one with the same email and a later creation date, so people will use the most recent version.
  • Always upload only the public key, never the private key.

What is revoking a key?

Revoking a PGP key means marking it as invalid so that others know it should no longer be used. This is useful if you have lost access to your private key, suspect it has been compromised, or simply want to stop using it. Once revoked, the key still exists, but other users will receive a warning that it is no longer trustworthy.

How to revoke a key?

1. Generate a revocation certificate (Recommended from the start)

If you still have access to your private key, you can generate a revocation certificate right away and store it in a safe place for future use:

gpg --output revocation.asc --gen-revoke YOUR_KEY_ID

This creates a revocation.asc file that you can use later if you need to revoke your key.

2. Apply the revocation

If you decide to revoke your key, import the revocation certificate with:

gpg --import revocation.asc

Then, upload the revoked key to the key server so everyone can see the change:

gpg --keyserver keys.openpgp.org --send-keys YOUR_KEY_ID
3. Revoke manually without a revocation certificate

If you have access to your private key, you can revoke it without needing a certificate:

gpg --edit-key YOUR_KEY_ID

Then, enter the command:

revkey

Confirm the revocation and save the changes with:

save

Finally, upload the key to the key server again so that the revocation becomes public.

Best Security Practices

Protect Your Private Key: Use strong passwords and store the key securely.

Revoke Compromised Keys: If you suspect your private key has been stolen, create a revocation certificate and distribute it.

Use a Key Manager: Tools like Kleopatra (Windows and Linux), GPG Keychain (macOS), or Seahorse (Linux) make key management and PGP usage easier.

PGP is an essential tool for anyone who values privacy and security in the digital world. While its learning curve can be intimidating at first, the benefits of data protection and secure communication are invaluable. Taking the time to understand and use PGP not only safeguards your information but also reinforces the fundamental principle that privacy is a basic human right.