How to use PGP? That is probably the question that brought you to this page, isn't it? That's exactly what I'm covering in this piece, and not just the "how", but also the "what", the "why" and every other question related to PGP.
I aim to make this the most elaborate, detailed guide on PGP keys on the whole of the Internet, so bear with me if it gets slightly longer than our other pieces; it'll be worth it, I promise.
What is PGP?
Before understanding how to use PGP, it’s important to learn what PGP is, don’t you agree?
As a kid I enjoyed listening to stories, so let me employ the same method to explain PGP to you, it’s a real story which explained the use and importance of PGP to me for life.
Julius Caesar was one of the earliest people to use an ancestor of what PGP does. He had to send letters to his confidants, but he didn't trust the messengers who carried them.
So he shifted every letter of the alphabet by a fixed amount (every A became a C, every B a D, and so on), so the messengers couldn't read the letter, and only the confidants who knew this "formula" could decipher the message.
That's the same idea PGP works on: scramble the message so only the intended reader can unscramble it. PGP just uses modern ciphers that are vastly stronger than Caesar's, and, as we'll see, it separates the key that locks a message from the key that unlocks it.
Now, PGP is the abbreviation for Pretty Good Privacy.
It was written by Phil Zimmermann and first released in 1991, and it was driven more by the idea of a "human right to privacy" than by any need to hide billion-dollar secrets. (Yeah, good people exist.)
In the simplest possible words, PGP is an encryption program, and today also an open standard (OpenPGP, implemented by GnuPG among others), which lets two parties exchange encrypted data and verify that a message really came from the person who claims to have sent it.
We have to share confidential things on the Internet, such as e-mails or files, and PGP makes sure that only the parties actually authorized to read those e-mails and files can read them.
It has a million other uses, but they all come down to two basic functions: confidentiality (only the intended reader can open it) and authenticity (a signature proves who wrote it and that nothing was altered).
So only the intended parties get access to the encrypted material, and both parties can check they are talking to who they think they are.
How does PGP Work?
In Caesar's method, anyone who knew the "formula" could decrypt the letters, because the key used to encrypt a message was the same key used to decrypt it (what we now call a symmetric cipher).
PGP instead gives every user a pair of mathematically linked keys, not just one:
- The Public Key.
- The Private Key.
The public key is what's used to "encrypt" a message to you. This key is meant to be shared, so anyone who wants to write to you can lock the message with it.
The private key must be kept secret; it's the only thing that can decrypt messages locked with your public key, and it's also what you sign with.
Let’s say you wish to send your cousin John an encrypted message, or a file, so you’ll have to use John’s public key to encrypt the message, and then John would use his private key to decrypt it.
That was the shorter version of it, in case you need a better, detailed explanation, here it is.
Public-key encryption is slow and only suited to small inputs, so PGP doesn't encrypt your whole message with the public key at all. It generates a fresh random symmetric key (the session key), encrypts the message with a fast symmetric cipher such as AES under that session key, and then encrypts only the session key with the recipient's public key. Both pieces are sent together; the recipient's private key unwraps the session key, and the session key unlocks the message. This is called hybrid encryption, and the symmetric part is not the weak link: it's every bit as strong as the public-key part, just faster.
In other words, imagine you've something valuable in your house, so you lock the room with an ordinary key, and then post that room key to your friend inside a strongbox that only his private key can open. Anyone who can open the strongbox gets the room key, and with it the room.
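To see this two-lock structure in a real PGP message, here is an added example (mine, not from the original guide) that runs GnuPG's gpg command, the engine underneath Gpg4win, in a throwaway keyring. The user "John", his address and the message are made up. It lists the packets of an encrypted file, pulls the session key out with the private key, and then decrypts the file in a keyring that holds no private key at all, using only that session key:

```shell
#!/bin/sh
# Added example, not part of the original page: a look inside a gpg-encrypted
# message to see the hybrid scheme described above. Assumes GnuPG 2.x is on
# PATH; the user ID and the message text are made up for the demo.
# Prints the plaintext recovered WITHOUT the private key, using only the
# session key that the private key unwrapped.

pgp_hybrid_demo() {
  tmp=$(mktemp -d)
  home="$tmp/john"
  mkdir -m 700 "$home"
  # g = gpg with a throwaway keyring and no interactive prompts
  g() { GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

  # John's key pair, unprotected so nothing prompts for a passphrase.
  g --quick-generate-key 'John <john@example.invalid>' default default never 2>/dev/null

  printf 'meet at noon' > "$tmp/msg.txt"
  g --recipient john@example.invalid --output "$tmp/msg.gpg" --encrypt "$tmp/msg.txt" 2>/dev/null

  # Packet layout: ONE "pubkey enc packet" holding the random session key
  # wrapped with John's public key, then ONE encrypted data packet holding the
  # message under that session key. The public-key maths only ever touches
  # the few bytes of the session key, never the message itself.
  g --list-packets "$tmp/msg.gpg" 2>/dev/null > "$tmp/packets.txt"
  grep -q '^:pubkey enc packet:' "$tmp/packets.txt" || return 1
  grep -q 'encrypted' "$tmp/packets.txt" || return 1

  # John's private key unwraps the session key; --show-session-key reports it
  # on the machine-readable status channel as "SESSION_KEY <algo>:<hex>".
  sk=$(g --status-fd 2 --show-session-key --decrypt "$tmp/msg.gpg" 2>&1 >/dev/null \
       | awk '/^\[GNUPG:\] SESSION_KEY /{print $3; exit}')
  [ -n "$sk" ] || return 1

  # A keyring with NO secret key at all can still decrypt when handed that
  # session key: the private key's only job was to unwrap it.
  other="$tmp/nobody"
  mkdir -m 700 "$other"
  plain=$(GNUPGHOME="$other" gpg --batch --quiet --override-session-key "$sk" \
          --decrypt "$tmp/msg.gpg" 2>/dev/null)

  for h in "$home" "$other"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$tmp"
  printf '%s\n' "$plain"
}

pgp_hybrid_demo
```

Run it with sh; it prints the recovered plaintext. The thing to take away: whoever holds a message's session key holds that message, and only that message. Every message gets a fresh one, so the private key that unwraps them is what everything rests on.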
Worry not, I'll show you how to generate this key pair in this PGP tutorial in the later sections.
When and How PGP Helps in real-life?
So, now you know how PGP works, and before I proceed to show you how to use PGP, let me try and explain to you when exactly in real-life PGP might come in handy for you.
No, you don't have to be a secret agent or a hacker to use PGP; anyone with basic Internet skills can and should use PGP for anything confidential.
PGP can be used to encrypt just about anything, from single messages and e-mails to files and whole archives (commercial PGP products also offer whole-disk encryption).
E-mail encryption is the most basic use of PGP. You simply encrypt your e-mail with your receiver's public key and send it to them; only their private key can open it.
Digital signatures are another one of the perks of using PGP. A signature is computed from the content with your private key, and anyone with your public key can check it. If the signed content is changed by so much as a character, the check fails.
For example, if you wish to send an original, confidential document to a colleague and make sure no one intercepts it, edits it and forwards a different version, you can sign the document with your key.
This way, a change of even a semicolon or a comma would make the signature fail to verify, and the recipient would know the document was altered. Note that a signature alone proves integrity and origin, not secrecy; sign and encrypt if you need both.
Darknet Market owners often use PGP to sign warrant canaries or other such documents. This proves that the document released indeed came from their authentic sources.
The authenticity of digital assets, such as software, can also be verified using PGP. Verifying Bitcoin wallet downloads is one of the most common uses of PGP keys these days, given how Bitcoin has skyrocketed in popularity.
Because most BTC wallets are open source, anyone can download the source code, build a modified version that steals your coins, and redistribute it under the original name.
So, on the wallet download pages, most developers publish their public keys along with a signature for each release. Checking the signature against the developer's key confirms that the file you downloaded is, byte for byte, the one they signed. (That only helps if you got the developer's key from a trustworthy place, of course; a fake download site can publish a fake key just as easily as a fake binary.)
Another important factor of PGP use is pseudonymity. While creating the keys (detailed steps below), you do not have to reveal any personal information; the name and e-mail on a key are just a label, and you can put anything there. So the key itself carries nothing that links it to you if it's intercepted by a third party.
This means that if someone claims you're person X merely because a document was signed with the key labelled "person X", the key alone proves nothing about who sits at the keyboard.
Do note that a PGP key is a stable pseudonym: every message signed with it is provably from the same key, so one slip links all of them. Keys do get linked to individuals, but that's mostly through human error: listing yourself on public key servers (explained below), reusing the key on an account that carries your real identity, or anywhere else where you yourself prove beyond doubt that you own said key. Short of that, there's no data in the key that establishes your link to it.
A real-life example would be: you send someone an e-mail and sign it with your key. A third party finds it, and your recipient reveals that you're the sender. Even in that case, unless you botched your privacy on the e-mail service itself (the account, the IP address you connected from, the metadata in the headers), the PGP key on its own can't be traced to you in person.
Bottom line: PGP is one of the simplest yet most secure ways to encrypt anything on the web right now, and there's no reason not to use it. I'm sure you love and respect your privacy just as much as anyone else on the planet.
So finally, let’s get down to the point of how to use PGP.
How to use PGP?
You probably already know that the two things you’ll be needing are the Public and the Private keys.
Along with that, you'll need a program that does the encrypting for you, because obviously not all of us are code lovers, are we?
If you were wondering how to get a PGP key, that same program will generate your keys as well.
There are quite a few PGP programs out there, but one of the simplest is Gpg4win (a Windows package around GnuPG, with the Kleopatra key manager), so let's get along with this Gpg4win tutorial.
It makes the whole process about as easy as setting up a social-media profile. In just a couple of clicks you can be all set up!
How to Create your First Key-Pair (Public and Private)
So first of all, download Gpg4win. It's free, but the site asks for a donation; click the PayPal button, choose $0, and click the Download button.
Simply install the software, but make sure all the check-boxes (Kleopatra included) are selected on the "Choose Components" page.
Since you're reading this guide on how to use PGP, I assume it's your first time running the application, and for first-timers a popup comes up asking if you wish to generate a new key.
Simply click on "Generate key now". Or, you can go to Keys > New Key later; that'll work too.
Then, it'll ask for your name. This is the "user ID" that gets attached to the key; it doesn't need to be real, and if you're after the pseudonymity discussed earlier it's better if it's not, so feel free to use a made-up name.
Similarly, you can use a made-up e-mail address on the next screen. Make it distinctive and not something everyone would use, such as fakeemail@email.com; instead make it something like ilovecatsandthisisafakeemail@ultrafakeemail.com. Bear in mind that people look keys up by this address, so use the same one consistently.
And finally, create a backup of your key. It's not mandatory, but since this is your first time learning how to use a PGP key, I'll highly recommend it.
Along the way it'll ask you to "create a passphrase". This passphrase protects your private key: it's required whenever you decrypt a message or sign something, and it's what stands between your key and anyone who gets hold of the backup file, so make it long and hard to guess.
On the next popup, select a location for your backup. Burying it in a folder inside a folder inside another folder hides nothing from anyone who searches the disk; better to save it to a USB stick or other offline storage, and rely on the passphrase to protect it.
Once you click Save, it'll ask for the passphrase you just created, to make sure you're the same person who started the backup process and that you still remember it.
So just enter it.
Finally, you get a confirmation letting you know where the backup is stored. The program itself recommends you keep this information safe; either take a screenshot and store it somewhere safe, or just write the location down offline.
Either way, you’ve created a new key-pair, and have also generated its backup. Kudos! It wasn’t hard now, was it?
Now that you've created it, how to use this PGP key is the question, isn't it? The simplest method is: right-click on the key and select Copy (or Export; both give you the public half).
This puts your "public key" on your clipboard as a text block, which you can then send to anyone who needs to encrypt to you.
Or, you can manually go to the location where you backed your key up and open it with Notepad or any other text editor.
Then copy the key from "-----BEGIN PGP PUBLIC KEY BLOCK-----" to "-----END PGP PUBLIC KEY BLOCK-----".
Make sure you don't copy the block marked "PRIVATE KEY BLOCK" from the backup, which is exactly why the Copy/Export function in Kleopatra is the better and easier choice: it never touches the private key.
So now you have your own public and private keys, and you can send this public key to anyone who wishes to send you an encrypted message.
How to Import other’s PGP Keys
How to use PGP to send someone a message? Well, you'll need their public key to begin with.
If it’s a person, they can just send you their key, or if it’s a company/ software etc you can find their keys on the websites if they’ve provided it for authenticity verification.
For this example, I’ve downloaded the PGP key of a friend. I simply copied it from his E-mail, and now I’ll paste it on a notepad file.
You can save the file with any name you want, just make sure the extension is .txt. I’ve saved it as PGP.txt
Once you have the PGP key saved, click on "Import" in the Gpg4win (Kleopatra) window.
A popup will come up; simply browse to the location where you saved the receiver's public PGP key, select it, and click Open.
Once done successfully, Kleopatra shows a confirmation listing the imported certificate. Check that the name and, ideally, the fingerprint match what your friend told you before you use it.
So in this guide on how to use PGP, so far you’ve learnt how to create your own keys, and how to import a receiver’s PGP key to your GPG4WIN program.
You’ve all the ingredients required to cook a delicious encrypted messages meal! Too dramatic? I meant to say let’s create an encrypted message now!
How to use PGP to Encrypt a Message
As I said earlier, you can encrypt both a simple text message, or whole files and folders using PGP.
I’ll discuss both the types of encryptions, for now let’s start with encrypting simple text.
The Clipboard opens by default when you run the program; if it does, proceed to the next step, and if you're on any other page, simply click the "Clipboard" icon in the top bar.
Type your text in the text area, and click on “Encrypt”.
Then, choose the PGP public key of the person whom you wish to send this message, note that only that person will be able to decrypt this message.
Although, you can also select multiple keys, in that case, all those persons who own those keys will be able to decrypt the message.
Click “Yes” on the next popup, and your text would be encrypted.
Simply send this message to anyone you want, and only that person will be able to read it, because it has been encrypted with their public key. If you also sign it with your own key, the recipient can verify it came from you and wasn't altered on the way.
How to Decrypt a Message using PGP
One of the other sides of using PGP is decrypting encrypted messages sent to you.
Before you can decrypt a message, make sure it was encrypted with your public key; if it was encrypted to someone else's key, your private key can't open it, whatever passphrase you enter.
Once you get the encrypted message, open the Clipboard, paste it there and click on Decrypt. It will ask for the passphrase you set up earlier; enter it.
Once done, the message gets decrypted and copied to your clipboard, so you simply can open any text-editor like notepad, and right click > paste, or simply press ctrl+v.
So we’ve encrypted as well as decrypted a message using PGP, Kudos team! But hey, didn’t I say you could also encrypt files and folders using PGP? Let’s see how to get that done.
How to Encrypt Files and Folders using PGP?
First of all, why would you want to encrypt files and folders? If you encrypt a file for someone specifically, it makes sure that only they can read its contents.
Signing it as well (the dialog lets you do both in one go) additionally proves to the receiver that the file came from you and hasn't been altered in transit; encryption alone doesn't give you that.
So in order to encrypt a file or a folder, right click on the file/folder, select “More GPGex Options” and click on “Sign and Encrypt”.
Here are the elements you need to understand:
- Sign as: your key, with which the file/folder will be signed. This lets the receiver verify that the data is actually from you and wasn't altered.
- Encrypt for others: the public keys of the people who should be able to read it. Only the holders of those private keys will be able to decrypt the data.
- Encrypt with a password: an alternative to keys, not an extra layer of security in itself. The file is encrypted with a password you create, and anyone who has that password can decrypt it; you'll have to get the password to the receiver through some other channel.
Anyway, click on Encrypt for others, then click on the "question mark" icon and select that person's public PGP key from the list of your imported keys.
You will be asked to enter a passphrase (if you selected “encrypt with password” option). Note that this isn’t your own password which you created earlier, rather it’s a new password which you need to set for the decryption of this file.
You’ll have to send this to your receiver so that they can decrypt the file. So, set this new password, and then it’ll ask you to enter the same password once again (to make sure you know what the password is) simply repeat the password.
Considering this is your first time encrypting a file, as you're just learning how to use PGP, it will then ask you for a passphrase. This time it's asking for the passphrase of your own key, the one we created while generating it, because the file is being signed with that key.
Enter it correctly and once done, you should get a successful message as shown in the following screenshot.
Now you can send this encrypted file, which has the extension .gpg to your receiver.
How to Decrypt a file using PGP?
I just showed you how to use PGP to encrypt a file, now let’s see how to decrypt an encrypted file.
There are many ways to do this, I will use the easiest one so you can understand. Open Kleopatra PGP, it’s installed on your system when you installed GPG4WIN.
The icon is that of a girl’s face in a red-hood.
Click on Decrypt and Verify on the top-bar.
A popup will let you select the encrypted file. Click on the file, and click open.
And finally, it’ll ask you to enter the passphrase for your secret key (the one you created initially).
Once done, you’ll get a decryption successful message like the following screenshot. Click on the “Save all” button. The file gets decrypted in the same folder where its encrypted version was found.
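For readers who'd rather see the whole procedure in one place: the following is an added example, not part of the original guide, doing every step above (key creation, exporting the public key, importing the other side's key, encrypting and signing a message, decrypting and verifying it, signing a file the way software authors sign downloads, and the "encrypt with a password" option) with the gpg command line that Kleopatra drives underneath. It assumes GnuPG 2.x is installed; "alice", "john", their addresses, the message, the pretend wallet file and the password are all made up, and the keys are created without a passphrase so the script never prompts.

```shell
#!/bin/sh
# Added example, not part of the original page: the same procedure as the
# Gpg4win clicks above, done with the gpg command line that Kleopatra drives.
# Assumes GnuPG 2.x on PATH. "alice"/"john", the addresses, the message, the
# "wallet" file and the password are made up; keys have no passphrase so
# nothing prompts. Prints one result line per step.

pgp_workflow_demo() {
  tmp=$(mktemp -d)
  # run_as NAME gpg-args... : run gpg inside NAME's own throwaway keyring
  run_as() { who=$1; shift; GNUPGHOME="$tmp/$who" gpg --batch --quiet --pinentry-mode loopback "$@"; }

  # 1. Each side creates a key pair and exports ONLY the public key
  #    (ASCII-armoured: the "BEGIN PGP PUBLIC KEY BLOCK" text you hand out).
  for who in alice john; do
    mkdir -m 700 "$tmp/$who"
    run_as "$who" --passphrase '' --quick-generate-key "$who <$who@example.invalid>" default default 1y 2>/dev/null
    run_as "$who" --armor --export "$who@example.invalid" > "$tmp/$who.pub.asc"
  done
  grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$tmp/john.pub.asc" || return 1
  if grep -q 'PRIVATE KEY' "$tmp/john.pub.asc"; then return 1; fi   # never ships

  # 2. Import the other side's public key (Kleopatra: Import).
  run_as alice --import "$tmp/john.pub.asc" 2>/dev/null
  run_as john  --import "$tmp/alice.pub.asc" 2>/dev/null

  # 3. Alice signs AND encrypts a text message to John (Kleopatra clipboard).
  #    --trust-model always stands in for Alice having checked John's
  #    fingerprint out of band; the trust section later explains why.
  printf 'hi John' | run_as alice --armor --trust-model always \
      --recipient john@example.invalid --sign --encrypt > "$tmp/msg.asc"
  # 4. John decrypts; gpg verifies Alice's signature at the same time.
  #    --status-fd gives machine-readable results (GOODSIG / BADSIG / NODATA).
  msg=$(run_as john --status-fd 2 --decrypt "$tmp/msg.asc" 2>"$tmp/status.txt")
  grep -q '^\[GNUPG:\] GOODSIG ' "$tmp/status.txt" || return 1
  printf 'message: %s\n' "$msg"

  # 5. Files: a detached signature (what software authors publish next to a
  #    download), verified before and after tampering with the file.
  printf 'pretend wallet binary' > "$tmp/wallet.exe"
  run_as alice --armor --detach-sign --output "$tmp/wallet.exe.asc" "$tmp/wallet.exe"
  if run_as john --verify "$tmp/wallet.exe.asc" "$tmp/wallet.exe" 2>/dev/null; then
    printf 'download: signature good\n'
  fi
  printf 'X' >> "$tmp/wallet.exe"             # a single appended byte
  if ! run_as john --verify "$tmp/wallet.exe.asc" "$tmp/wallet.exe" 2>/dev/null; then
    printf 'download: tampered, signature BAD\n'
  fi

  # 6. "Encrypt with a password": symmetric, no keys involved; the password
  #    has to reach the receiver by some other route.
  printf 'quarterly numbers' > "$tmp/report.txt"
  run_as alice --passphrase 'correct horse battery staple' --symmetric \
      --output "$tmp/report.txt.gpg" "$tmp/report.txt"
  sym=$(run_as john --passphrase 'correct horse battery staple' --decrypt "$tmp/report.txt.gpg" 2>/dev/null)
  printf 'password-file: %s\n' "$sym"

  for who in alice john; do GNUPGHOME="$tmp/$who" gpgconf --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$tmp"
}

pgp_workflow_demo
```

Run it with sh. The verification step in 5 is the one to remember when you download a wallet or any other signed software: fetch the .asc (or .sig) the author publishes next to the file, run gpg --verify on the pair, and treat anything other than a good signature from the key you expected as a reason not to run the file.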
Well, we’ve covered nearly everything there is to using PGP, but there’s still one tiny bit of addition I can make to this guide on how to use PGP, that of explaining “expiry dates”.
Benefits and importance of expiry dates are easier to understand if you know what Keyservers are, and they add to your overall knowledge of how to use PGP as well.
What are Key Servers?
Note that uploading to a key server is a step you shouldn't take lightly: most key servers never delete anything, so a key (and the name and e-mail on it) stays public forever, which matters if you chose PGP for pseudonymity. But you can learn about them right here and right now even if you don't have to use them.
These are like directories, or websites where people can easily find your Public keys, without having to ask you for it. Some examples are MIT Key server and PGP Key server.
For e.g. if you need the Public key of Edward Snowden or anyone else, you can find them on these exchanges.
You can upload as many keys as you want, there's no limit, but having multiple keys with your name creates confusion, and you can't take them back down later.
So now you know what key servers are, let’s move on to setting expiry dates to your certificates.
How to Set Expiry Date on Keys
In Kleopatra, you can set the "validity" of keys and certificates. Once a certificate expires, other people's software will refuse to encrypt to it and will no longer accept it as a valid signing key. The expiry date does not, however, lock you out of your own data: your private key still decrypts everything that was encrypted to it before, and signatures made before the expiry still verify.
When is it helpful? Well, most people set their certificates to "never expire". Which is fine, unless of course you lose your private key!
Or you forget the passphrase for it. In both cases the data encrypted to that certificate is gone for you and, worse, people who still have your public key will keep encrypting to it.
Setting an expiry date puts a limit on that second problem. Anyone who picked up your key from a key server sees the expiry and stops using it once the date passes. Set it to, say, one year, and extend it while you still control the key; extending is a normal operation that doesn't need a new key.
If the key is gone for good, you just wait for the expiry date and then publish your new public key, which anyone in the world can fetch simply by refreshing from the key servers.
The faster fix for a lost or compromised key is a revocation certificate: GnuPG creates one automatically when a key is generated (in the openpgp-revocs.d folder of your GnuPG profile), and importing it and uploading the now-revoked key tells everyone immediately, without waiting for the expiry. Keep that file with your backup.
So to change the expiry date of a certificate, simply open Kleopatra, right-click on the certificate and click "Change expiry date".
Choose an expiry date for your certificate (a year out is a common choice) and click OK. Done! Remember that the encryption subkey has its own expiry date, so make sure it gets extended as well; otherwise people will be unable to encrypt to you even though the main certificate is still valid.
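The same two operations from the command line, plus the one the lost-key scenario really calls for. This is an added example, not part of the original guide; it assumes GnuPG 2.1 or newer is installed, and the user ID is made up:

```shell
#!/bin/sh
# Added example, not part of the original page: setting and extending a key's
# expiry with gpg, and using the revocation certificate GnuPG wrote at key
# creation. Assumes GnuPG 2.1+ on PATH; the user ID is made up and the key
# has no passphrase so nothing prompts.

pgp_expiry_demo() {
  tmp=$(mktemp -d); home="$tmp/home"; mkdir -m 700 "$home"
  g() { GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

  # A key valid for 30 days only: short, but extendable at any time.
  g --quick-generate-key 'Me <me@example.invalid>' default default 30d 2>/dev/null
  fpr=$(g --list-keys --with-colons me@example.invalid | awk -F: '/^fpr/{print $10; exit}')

  # Expiry lives on the primary key AND on each subkey (the encryption subkey
  # is what others actually encrypt to), so extend all of them to one year.
  subs=$(g --list-keys --with-colons "$fpr" | awk -F: '/^sub/{s=1;next} s&&/^fpr/{print $10; s=0}')
  g --quick-set-expire "$fpr" 1y 2>/dev/null
  if [ -n "$subs" ]; then g --quick-set-expire "$fpr" 1y $subs 2>/dev/null; fi
  expires=$(g --list-keys --with-colons "$fpr" | awk -F: '/^pub/{print $7; exit}')
  days_left=$(( (expires - $(date +%s)) / 86400 ))
  printf 'expires in %s days\n' "$days_left"

  # Lost the private key or forgot the passphrase? Expiry only helps once the
  # date passes. The revocation certificate (written to openpgp-revocs.d at
  # generation time) tells everyone NOW. It ships with a ':' in front of the
  # armour header so it cannot be imported by accident; strip it to use it.
  sed 's/^:-----BEGIN/-----BEGIN/' "$home/openpgp-revocs.d/$fpr.rev" > "$tmp/revoke.asc"
  g --import "$tmp/revoke.asc" 2>/dev/null
  validity=$(g --list-keys --with-colons "$fpr" | awk -F: '/^pub/{print $2; exit}')   # 'r' = revoked
  if ! printf 'x' | g --recipient "$fpr" --encrypt > /dev/null 2>&1; then
    printf 'validity %s: gpg refuses to encrypt to the revoked key\n' "$validity"
  fi

  GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$tmp"
}

pgp_expiry_demo
```

Run it with sh. Treat the .rev file like the private key backup: anyone who has it can revoke your key, but you are the one who will need it when the key itself is gone.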
If you’ve still got some time to linger, and would like to know how secure PGP actually is, and how to increase its security even more, please lend me your attention for 5 more minutes.
How Secure is it?
By now I've covered everything you need to know to use PGP, but the final question remains: how secure is it? Let me answer that.
PGP is cryptography, a very serious and well-studied kind of it. Just because it's easy to use doesn't mean it's weak.
Bruce Schneier wrote in 1995 that PGP is "the closest you're likely to get to military-grade encryption", and decades later that still holds true.
The mathematics behind it is, as far as anyone knows, beyond even government agencies: properly used, the ciphers and key sizes in a modern PGP key can't be brute-forced. Edward Snowden insisted that the journalists he contacted set up PGP before he would talk to them, so if Snowden trusted PGP, that says quite a bit about its security, doesn't it?
Note the qualifier "properly used", though. There are no known attacks that break the encryption itself, but there have been real attacks on the software around it (see the Efail section below) and, far more often, on the people using it: weak passphrases, stolen private keys, and malware on the machine that reads the plaintext after you decrypt it. Those are where you should spend your worry.
How to Increase PGP Security
You might be thinking: why do you need to increase a PGP key's security? Isn't it unbreakable? The encryption is, as far as anyone knows. The weak spot is elsewhere.
PGP public keys need to be shared for encryption, as you know, and the problem is that someone might intercept that public key on its way to you, swap it for one of his own, and send you his key instead of the one you intended to receive.
This isn't a loophole in PGP, it's a loophole in the communication channel: when it happens, you think you're encrypting data with your friend's key, but actually it's the attacker's key you're using, and he reads everything and can even re-encrypt it to your friend so that neither of you notices.
Note that these are advanced methods, and you don't need them in everyday life unless you're sharing something extremely confidential.
Web of trust (the chain of trust): I'll explain it as simply as possible. Say you wish to receive some data from person A, but you can't be sure the key you were handed actually is A's.
So you check that A's key is signed (certified) by B's key, B's key by C's, and C's by D's. Every signature on a key is a statement by the signer: "I checked that this key belongs to this person."
You trust no one in the chain except person D, but because you trust D's judgement, and D vouches for C, who vouches for B, who vouches for A, that chain gives you the confidence in A's key you needed. In practice (and in GnuPG) you also have to say explicitly that you trust C and B as introducers, not just D, before your software will accept A's key; trust doesn't flow down the chain on its own.
Personally meeting: you can meet the person and hand over your public key, or, more practically, compare the key's fingerprint (a short hex string that uniquely identifies it, shown in Kleopatra and by gpg --fingerprint) in person or over a phone call. If the fingerprints match, the key can't have been swapped mid-way.
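Here is the chain from the example above built with real certifications, as an added example that is not part of the original guide. It assumes GnuPG 2.1 or newer; the people (me, Dave, Carol, Bob, Alice) and their addresses are made up. Each person gets a separate keyring so nobody's key is trusted merely because it was created locally, and the script shows what GnuPG actually does with the chain:

```shell
#!/bin/sh
# Added example, not part of the original page: the certification chain from
# the text (D signs C, C signs B, B signs A), built with real gpg
# certifications in separate keyrings and then evaluated from "my" keyring.
# Assumes GnuPG 2.1+ on PATH. All five people and addresses are made up;
# keys have no passphrase so nothing prompts.
# It demonstrates the caveat in the text: a certification only makes a key
# VALID; whether that key's own certifications count is a separate
# "ownertrust" decision you make per person, so Dave's trust does not reach
# Alice until Carol and Bob are also marked as trusted introducers.

pgp_trust_demo() {
  tmp=$(mktemp -d)
  run_as() { who=$1; shift; GNUPGHOME="$tmp/$who" gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }
  keygen() {  # $1 = name: own keyring + exported public key
    mkdir -m 700 "$tmp/$1"
    run_as "$1" --quick-generate-key "$1 <$1@example.invalid>" default default never 2>/dev/null
    run_as "$1" --armor --export "$1@example.invalid" > "$tmp/$1.asc"
  }
  fpr() { run_as "$1" --list-keys --with-colons "$1@example.invalid" | awk -F: '/^fpr/{print $10; exit}'; }
  certify() {  # $1 certifies $2's key (exportable signature) and re-exports it
    run_as "$1" --import "$tmp/$2.asc" 2>/dev/null
    run_as "$1" --quick-sign-key "$(fpr "$2")" 2>/dev/null
    run_as "$1" --armor --export "$2@example.invalid" > "$tmp/$2.asc"
  }
  can_encrypt_to() { printf 'x' | run_as me --recipient "$(fpr "$1")" --encrypt >/dev/null 2>&1; }

  for p in me dave carol bob alice; do keygen "$p"; done
  certify dave carol; certify carol bob; certify bob alice
  for p in dave carol bob alice; do run_as me --import "$tmp/$p.asc" 2>/dev/null; done

  # I met Dave and compared fingerprints ("Personally meeting"), so I certify
  # his key locally and declare his certifications fully trusted (5 = full).
  run_as me --quick-lsign-key "$(fpr dave)" 2>/dev/null
  printf '%s:5:\n' "$(fpr dave)" | run_as me --import-ownertrust 2>/dev/null

  # Carol is now valid (Dave vouched for her), but nobody has said Carol is a
  # trusted introducer, so Bob and Alice stay unverified and gpg refuses to
  # encrypt to Alice in batch mode ("Unusable public key").
  if can_encrypt_to carol; then printf 'carol: valid\n'; fi
  if ! can_encrypt_to alice; then printf 'alice: not verified yet\n'; fi

  # Only after I also trust Carol's and Bob's judgement does the chain reach Alice.
  printf '%s:5:\n%s:5:\n' "$(fpr carol)" "$(fpr bob)" | run_as me --import-ownertrust 2>/dev/null
  if can_encrypt_to alice; then printf 'alice: valid via dave>carol>bob\n'; fi

  for p in me dave carol bob alice; do GNUPGHOME="$tmp/$p" gpgconf --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$tmp"
}

pgp_trust_demo
```

Run it with sh. The practical lesson is that signing someone's key and trusting them to sign other people's keys are two different statements; Kleopatra's "certify" covers the first, and the owner trust setting on a certificate covers the second.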
So, that’s how you can increase the security of your PGP encryption and decryptions! I hope I was simple and easy enough to understand?
What are the Problems with PGP?
When we first wrote this guide on how to use PGP, we didn't include this section. But now we believe you should know what problems (if any) there are with PGP.
Well, there sure have been some known vulnerabilities, for example Efail (2018). It let an attacker who already had a copy of an encrypted e-mail trick the victim's mail client into decrypting it and leaking the plaintext, typically by wrapping the ciphertext in HTML that fetched a remote image. It was somewhat over-hyped: it was a bug in how e-mail clients handled decrypted HTML, not a break of the encryption; it required the attacker to already possess the encrypted e-mails; and disabling HTML rendering or remote content in the mail client defeated it.
Let's make it clear right away that there are no known structural weaknesses in PGP's cryptography. The issues that do exist are in the software around it and, mostly, in the user's way of implementation, precautions and knowledge as a whole.
Encrypting or decrypting content using PGP isn't exactly "very easy". It's no rocket science either, as you've seen throughout this guide, but it's not for absolute newbies.
Then, the 1999 paper "Why Johnny Can't Encrypt" by Alma Whitten and J. D. Tygar lists a number of its usability problems in detail; most of its test users, given PGP and a task, failed to send a correctly encrypted e-mail.
The complexities of key sharing, management and encryption as a whole are what put users off PGP. The lack of forward secrecy doesn't help either: one key protects years of messages, so a private key that leaks tomorrow exposes everything it ever decrypted. And there are applications such as WhatsApp and iMessage which (claim to) offer end-to-end encrypted messaging without any of these complexities.
I personally would still like you to use PGP. It’s harder than using Whatsapp, but individual encryption is a lot more trustworthy than company-owned applications.
The Law vs. PGP
Where does the law stand in its fight against PGP?
In simpler words, if you encrypt your system with PGP, are you truly 100% secure?
I’m no lawyer, but, I’ll get you answers from both the sides.
Let's start with the fortunate fact that the government can't crack PGP on its own. Yes, that's good news.
According to a mailing-list report, the Italian police failed to crack a laptop owned by a terror group, which supposedly held content that would have been valuable beyond measure if it could be accessed.
Even Zimmermann, the creator of PGP, has said it's not possible to break the encryption with sheer computing power.
In the U.S., the In re Boucher case is the one to know: in 2007 a magistrate judge, Jerome Niedermeier, ruled that forcing the accused to enter his decryption passphrase would violate the Fifth Amendment.
That ruling was overturned by the district court in 2009, and Boucher was ordered to produce an unencrypted copy of the drive's contents.
And in the U.K., Part III of the Regulation of Investigatory Powers Act (RIPA) can be used to order someone to hand over their keys or the decrypted contents.
Refusing is itself an offence, punishable by up to two years in prison, or up to five in national-security cases.
My other reservation about PGP is that it's accepted to be unbreakable, and is even encouraged by government organizations themselves.
That just seems too convenient. Sure, to public knowledge PGP is unbreakable, but "public knowledge" is barely a fraction of what the government knows, right?
So, the point is: using PGP is only secure as long as nobody can get the keys out of you.
Is online, automated PGP encryption safe?
Not at all.
After reading this PGP guide, most of you would probably go online and search for “Online PGP encryption tool”.
Simply because, the steps above may look slightly complex.
And that will be your undoing.
In fact, one of the most common questions on the internet regarding PGP today is- “Is iGolder safe”?
No, it’s not 100% safe. None of the online PGP encryption tools are.
I don't have anything against iGolder, 8gWifi, or basically any other online PGP encryption tool.
It's just that these tools are "not controlled by you". When you paste a message into a web page, that page has your plaintext; when you paste your private key, it has your private key.
Despite their claims of "not storing logs" and "not monitoring activities", how do you know? The page's code can change on any visit, and you'd never notice.
At the very least, your IP address and browsing habits can be traced, even if the tool doesn't retain your private keys or messages.
Would you really trade security for the "simplicity" these online PGP tools offer?
If so, you might as well send an SMS.
Bottomline? No, online PGP encryption tools aren’t safe.
Spend a few minutes (it doesn't take more than 10), learn PGP (the guide above IS really detailed) and start using it.
Final Words
It's been a long guide on how to use PGP, and I apologize if it took longer than you thought it would.
But I've tried to cover every angle there is to PGP, and there won't be much left for you to wonder about regarding how to use PGP once you've gone through this guide in detail.
You can connect to our Facebook page and leave your doubts and questions there if you still aren't sure how to use PGP; I answer any and all queries I know the answers to.