PGP stands for Pretty Good Privacy. It's actually very good privacy. If used correctly, it can protect the contents of your messages, text, and even files from being understood even by well-funded government surveillance programs. When Edward Snowden says “encryption works,” it's PGP and its related software that he is talking about. It should be noted that it's not unheard of for governments to steal private keys off of particular people's computers (by taking the computers away, or by putting malware on them using physical access or with phishing attacks), which undoes the protection and even allows for reading old mail. This is comparable to saying that you might have an unpickable lock on your door, but somebody might still be able to pickpocket you in the street for your key, then copy it and sneak it back into your pocket—and hence get into your house without even picking the lock.
Unfortunately, PGP is also pretty bad at being easy to understand, or use. The strong encryption that PGP uses—public key encryption—is ingenious, but hard to wrap your head around. PGP software itself has been around since 1991, which makes it the same vintage as the early versions of Microsoft Windows, and its appearance hasn't changed much since then.
The good news is that there are many programs available now which can hide the ancient design of PGP and make it somewhat easier to use, especially when it comes to encrypting and authenticating email—the main use of PGP. We've included guides to installing and operating this software elsewhere.
Before you play around with PGP or other programs that use it, though, it's worth spending a few minutes understanding the basics of public key encryption: what it can do for you, what it can't do, and when you should use it.
A Tale of Two Keys
When we use encryption to fight surveillance, here's what we're trying to do:
We take a clearly readable message like “hello mum.” We encrypt that into a coded message that is incomprehensible to anyone looking at it (“OhsieW5ge+osh1aehah6,” say). We send that encrypted message over the Internet, where it can be read by lots of people, but hopefully not understood by any of them. Then, when it arrives at its destination, our intended recipient, and only our intended recipient, has some way of decrypting it back into the original message.
How does our recipient know how to decode the message, when nobody else can? It must be because they know some extra information that nobody else knows. Let's call this the decoding key, because it unlocks the message inside the code.
How does the recipient know this key? Mostly, it's because the sender has previously told them the key, whether it's “try holding the message up in a mirror” or “take each letter and convert it to the next letter in the alphabet.” There's a problem with this strategy though. If you're worried about being spied upon when you send your coded message, how do you send the recipient the key without someone spying on that conversation too? There's no point sending an ingeniously encrypted message if your attacker already knows the key to decoding it. And if you have a secret way to send decoding keys, why don't you just use that for all your secret messages?
Public-key cryptography has a neat solution for this. Each person in a conversation has a way of creating two keys. One is their private key, which they keep to themselves and never let anyone else know. The other is a public key, which they hand out to anyone who wants to communicate with them. It doesn't matter who can see the public key. You can put it online where everyone can see it.
The “keys” themselves are, at heart, actually very large numbers, with certain mathematical properties. The public key and private key are connected. If you encode something using the public key, then someone else can decode it with its matching private key.
Let's see how that might work. You want to send a secret message to Aarav. Aarav has a private key, but like a good public key encryption user, he has put its connected public key on his web page. You download the public key, encrypt the message using it, and send it to him. He can decode it, because he has the corresponding private key – but nobody else can.
Sign of the Times
Public key cryptography gets rid of the problem of smuggling the decoding key to the person you want to send a message to, because that person already has the key. You just need to get hold of the matching public, encoding key, which the recipient can hand out to everyone, including spies. Because it's only useful for encoding a message, it is useless for anyone trying to decode the message.
But there's more! If you encode a message with a certain public key, it can only be decoded by the matching private key. But the opposite is also true. If you encode a message with a certain private key, it can only be decoded by its matching public key.
Why would this be useful? At first glance, there doesn't seem to be any advantage to making a secret message with your private key that everyone in the world (or at least, everyone who has your public key) can crack. But suppose I wrote a message that said “I promise to pay Aazul $100,” and then turned it into a secret message using my private key. Anyone could decode that message—but only one person could have written it: the person who has my private key. If I've done a good job keeping my private key safe, that means me, and only me. In effect, by encoding it with my private key, I've made sure that it could only have come from me. In other words, I've done the same thing with this digital message as we do when we sign a message in the real world.
Signing also makes messages tamper-proof. If someone tried to change that “I promise to pay Aazul $100” into “I promise to pay Bob $100,” they would not be able to re-sign it using my private key. So a signed message is guaranteed to originate from a certain source, and not be messed with in transit.
So public key cryptography lets you encrypt and send messages safely to anyone whose public key you know. If others know your public key, they can send you messages, which only you can decode. And if people know your public key, you can sign messages so that those people will know they could only have come from you. And if you know someone else's public key, you can decode a message signed by them, and know that it only came from them.
It should be clear by now that public key cryptography becomes more useful, the more people know your public key. It should also be apparent that you need to keep your private key very safe. If someone else gets a copy of your private key, they can pretend to be you, and sign messages claiming that they were written by you. PGP has a feature that lets you “revoke” a private key, and warn people it's no longer trustable, but it's not a great solution. The most important part of using a public key cryptography system is to guard your private key very carefully.
How PGP Works
Pretty Good Privacy is mostly concerned with the minutiae of creating and using public and private keys. You can create a public/private key pair with it, protect the private key with a password, and use it and your public key to sign and encrypt text. It will also let you download other people's public keys, and upload your public keys to “public key servers,” which are repositories where other people can find your key. See our guides to installing PGP-compatible software in your email software.
If there's one thing you need to take away from this overview, it's this: you should keep your private key stored somewhere safe, and protected with a long password. You can give your public key to anyone you want to communicate with you, or who wants to learn whether a message truly came from you.
Advanced PGP: The Web of Trust
You may have spotted a potential flaw in how public key cryptography works. Suppose I started distributing a public key that I say belongs to Barack Obama. If people believed me, they might start sending secret messages to Barack, encrypted using the key. Or they might believe anything signed with that key is a sworn statement of Barack. This is quite rare, and yet it has actually happened to some people in real life, including to some of the authors of this document—some people writing to them have been fooled! (We don't know for sure in these instances whether or not some of the people who make the fake keys were really able to intercept the messages in transit and read them, or whether it was the equivalent of a prank to make it more inconvenient for people to have a secure conversation.)
Another sneaky attack is for an attacker to sit between two people talking online, eavesdropping on their entire conversation, and occasionally inserting the attackers own misleading messages into the conversation. Thanks to the design of the Internet as a system that ferries messages across many different computers and private parties, this attack is entirely possible. Under these conditions (called a “man-in-the-middle attack”), exchanging keys without prior agreement can get very risky. “Here's my key,” announces a person who sounds like Barack Obama, and sends you a public key file. But what's to say someone didn't wait until that moment, jam the transmission of Obama's key, and then insert his or her own?
How do we prove that a certain key really does belong to a certain person? One way is to get the key from them directly, but that's not much better than our original challenge of getting a secret key without someone spotting us. Still, people do exchange public keys when they meet, privately and at public cryptoparties.
PGP has a slightly better solution called the “web of trust.” In the web of trust, if I believe a key belongs to a certain person, I can sign that key, and then upload the key (and the signature) to the public key servers. These key servers will then pass out the signed keys to anyone who asks for them.
Roughly speaking, the more people who I trust that have signed a key, the more likely it is that I will believe that key really belongs to who it claims. PGP lets you sign other people's keys, and also lets you trust other signers, so that if they sign a key, your software will automatically believe that key is valid.
The web of trust comes with its own challenges, and organizations like EFF are currently investigating better solutions. But for now, if you want an alternative to handing keys to one another in person, using the web of trust and the public key server network are your best option.
PGP is all about making sure the contents of a message are secret, genuine, and untampered with. But that's not the only privacy concern you might have. As we've noted, information about your messages can be as revealing as their contents (See “metadata”). If you're exchanging PGP messages with a known dissident in your country, you may be in danger for simply communicating with them, even without those messages being decoded. Indeed, in some countries you can face imprisonment simply for refusing to decode encrypted messages.
PGP does nothing to disguise who you are talking to, or that you are using PGP to do so. Indeed, if you upload your public key onto the keyservers, or sign other people's keys, you're effectively showing the world what key is yours, and who you know.
You don't have to do that. You can keep your PGP public key quiet, and only give it to people you feel safe with, and tell them not to upload it to the public keyservers. You don't need to attach your name to a key.
Disguising that you are communicating with a particular person is more difficult. One way to do this is for both of you to use anonymous email accounts, and access them using Tor. If you do this, PGP will still be useful, both for keeping your email messages private from others, and proving to each other that the messages have not been tampered with.