We live in an age where it seems like privacy comes at a premium.
It feels like the number of headlines we see about data breaches, for example, come at a higher (and troubling) frequency every year.
Many of us wonder what we need to do to protect ourselves. Freeze our credit? Use a different password for every last online shopping site, bank account, and other logins?
And what about email encryption?
The stakes become higher when something like PGP becomes necessary to protect one’s identity during the exchange of sensitive information.
But what is PGP? What is it used for, and why do people use it at all?
Read on to find out.
What is PGP?
PGP, which stands for “Pretty Good Privacy,” is a type of encryption for emails that must be protected from being read by anyone other than the intended recipient. PGP is used both to encrypt and decrypt email, and as a tool to verify the sender and the content itself.
PGP is built on what’s called a public key system, in which a recipient has a publicly-known key — essentially a very long number — that senders use to encrypt emails they receive. In order to decrypt these emails, the recipient must have her own private key linked to the public one. Only the recipient knows the private key, which protects the privacy of the message.
For example, let’s say someone wants to privately email a tip to a journalist. The journalist might have a public key the sender could use to encrypt and safely send the tip to her. Once the email is encrypted, it becomes ciphertext, which is text that, well, needs to be deciphered.
Once the ciphertext is transmitted, the journalist uses her own, private key to decrypt it.
Source: Bitcoin Not Bombs
There are two types of key encryption: symmetric and asymmetric.
In symmetric encryption, there is no public key. There is only one private key used for both encryption and decryption. Many consider this type of encryption to be risky, because anyone who deciphers the single key can read what’s supposed to be a secure message. It’s like having someone else find out your password — only the stakes are much higher and it’s much harder to change that “password.”
Asymmetric encryption is what I described earlier in the post. There are two keys: a public and private one, which are each different but linked values.
PGP encryption is available through different types of software. There are many available, but one of the highest-cited options is GNU Privacy Guard (GPG), a free cryptographic software that can manage keys and encrypt files and emails.
Once you select your software, you’ll need to generate a new PGP certificate — a brand new public key with additional verification information (like your name and email address) to confirm you are on the receiving end of that key.
If you’ve created a public key and want to share that key with others, you have several directories to choose from. MIT Key Server and PGP Global Directory, for example, allow people to find your key without approaching you — important for those trying to maintain the highest level of privacy.
A caveat, however: You probably won’t be able to delete your public key from these directories.
In order to send an encrypted email, you’ll need to download software that allows you to send encrypted messages. GPG is one option, but another is Enigmail, which is an add-on specifically for the Thunderbird email client.
In GPG, you can create encrypted emails within the software with various encryption options. PGP is one example, and is activated with the program’s “security method indicator.”
Although PGP still widely applies to encrypted emails, the rise in popularity and talk of cryptocurrency could explain why you might have seen the term more than usual recently.
Some Bitcoin trading platforms use PGP to help secure user accounts like Kraken. It’s largely used to protect sensitive information involved with financial transactions, especially those that are still emerging — and to prevent cryptocurrency from being stolen.
In many ways, PGP can be viewed as a intensive version of what we do to protect our private information, like financial data and health records.
However, this level of encryption becomes particularly valuable when identity protection comes into play during sensitive transactions.