Pretty Good Privacy (PGP) is an encryption standard that uses a combination of symmetric and asymmetric encryption to create a system that is both fast and secure.
PGP is primarily used for securely communicating and storing sensitive data, although it is also commonly used for verifying the identity of the sender and the integrity of the data that is sent. PGP has become the de facto standard for email security since its inception in 1991.
How does PGP Encryption Work?
As mentioned, PGP uses a combination of both symmetric and asymmetric cryptography. Given that sending and receiving data is the most common use for PGP encryption, I will focus on that particular use case. Let’s take a brief look at the difference between symmetric and asymmetric encryption, and how they can work together.
Symmetric Encryption
Symmetric cryptography is where both the sender and receiver share the same “session” key, which allows them to encrypt/decrypt the data they are sending/receiving. The problem with symmetric encryption is that the sender is required to send the key to the receiver in plain text, which is obviously not very secure.
Asymmetric Encryption
Asymmetric encryption is where both the sender and receiver have their own set of keys, which includes a public key and a private key. The sender will encrypt the data using the recipient’s public key, and the receiver will decrypt the data using their private key. It is also possible to encrypt data with a private key and decrypt data with the corresponding public key. The problem with asymmetric encryption is that it consumes a large number of resources.
Symmetric/Asymmetric Encryption
In this scenario, the sender generates a random session key and then uses this key to encrypt the message. They then use the receiver’s public key to encrypt the session key. They can then send both the encrypted message and the encrypted session key securely. The recipient decrypts the encrypted session key using their private key. Then, using the decrypted session key, they can decrypt the actual message. Both parties can now communicate quickly and securely, using only the session key to encrypt/decrypt the messages. To summarise…
- Sender generates session key;
- Sender encrypts message with session key;
- Sender encrypts session key with intended recipient’s public key;
- Sender sends both encrypted message + encrypted session key;
- Receiver decrypts session key with private key;
- Receiver decrypts the message with the session key.
PGP Encryption in Practice
The good news is that you don’t really need to know anything about encryption to use PGP, as there are numerous solutions available that will do the job for you. Perhaps the simplest way of using PGP encryption is to use an online email service provider, like ProtonMail. If you send a message from one ProtonMail address to another, the message will be encrypted by default.
However, if you want to send an email from a ProtonMail address to a non-ProtonMail address, you will need to send the intended recipient your public key. You can do this by selecting the Attach Public Key option. You can also receive encrypted emails from non-ProtonMail accounts, assuming they have attached their public key.
In this instance, you will need to select Trust Key to view the message.
Digital Signature Verification
As mentioned above, PGP Encryption can be used to verify the identity of the sender, as well as the integrity of the data that was sent. For this to work, the sender will generate a unique hash of the message they want to send. This hash is referred to as a digest. The digest is then encrypted (or digitally signed) with the sender’s private key. They then send the plaintext message to the recipient along with the encrypted digest. The receiver decrypts the digest using the sender’s public key. The receiver then generates a unique hash of the plaintext message they received and compares it with the original hash. If the hashes match, the receiver knows that a) the message hasn’t been tampered with, and b) the sender is legitimate. To summarise…
- Sender generates digest by hashing message;
- Sender encrypts digest with private key;
- Sender sends encrypted digest + message;
- Receiver receives encrypted digest + message;
- Receiver decrypts digest with sender’s public key, revealing hash of message;
- Receiver generates a hash of the message and compares it with the original hash.
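Both flows summarised above, the session-key exchange and the signature check, as an added example that is not part of the original article. It runs on the Python standard library alone, so textbook RSA over toy keys built from Mersenne primes and a SHA-256 keystream stand in for the padded RSA and block cipher that a real OpenPGP implementation uses; all function and key names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent

def make_keypair(p, q):
    """Toy textbook-RSA key pair (constructed; no padding, not for real use)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)

# Mersenne primes are known primes, which keeps key setup to one line each.
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)    # sender
BOB_PUB, BOB_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)      # receiver

def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], pad))
    return bytes(out)

def encrypt_for(recipient_pub, message):
    n, e = recipient_pub
    session_key = secrets.token_bytes(32)             # sender generates session key
    ciphertext = keystream_xor(session_key, message)  # message encrypted with it
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # key encrypted to recipient
    return wrapped, ciphertext                        # both parts are sent

def decrypt_with(recipient_priv, wrapped, ciphertext):
    n, d = recipient_priv
    session_key = pow(wrapped, d, n).to_bytes(32, "big")  # recover session key
    return keystream_xor(session_key, ciphertext)

def digest_of(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(sender_priv, message):
    n, d = sender_priv
    return pow(digest_of(message), d, n)    # digest "encrypted" with private key

def verify(sender_pub, message, signature):
    n, e = sender_pub
    return pow(signature, e, n) == digest_of(message)  # compare recovered and fresh hash

if __name__ == "__main__":
    msg = b"Quarterly figures attached."
    wrapped, ct = encrypt_for(BOB_PUB, msg)
    print(decrypt_with(BOB_PRIV, wrapped, ct), verify(ALICE_PUB, msg, sign(ALICE_PRIV, msg)))
```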
Encrypting Files
PGP can be used to encrypt files, usually using the RSA algorithm, which is very secure. Since PGP is essentially owned by Symantec, you will probably need to use either Encryption Desktop or Symantec Encryption Desktop Storage, if you want to encrypt your data. However, it should be noted that there are open-source alternatives to PGP, such as OpenPGP and GnuPG, which might be a better choice if you don’t want to use Symantec products.
What are the Downsides of PGP Encryption?
Firstly, PGP encryption isn’t particularly user-friendly, and those who use the system will need to ensure that they know what they are doing, otherwise they may introduce security holes. As such, companies will probably need to train their staff to use it correctly. When sending an email using PGP encryption, the subject lines are not encrypted, so you will need to ensure that you do not put any sensitive data in the subject line. As mentioned above, PGP is not open source, which limits the number of products available, and makes it more expensive.
How do I set up PGP Encryption?
To use PGP for sending encrypted data you will probably need to install some sort of add-on to your email client. There are add-ons available for Outlook, Apple Mail, Thunderbird, and more. As mentioned above, if you use an online service, such as ProtonMail, then you won’t need to install any additional software. As also mentioned, you can use Symantec File Share Encryption for encrypting files in the cloud, and Symantec Endpoint Encryption for full disk encryption of your device.
Different PGP Solutions
Naturally, you want to ensure that the software you are using is secure. As such, you will need to investigate any reported vulnerabilities in the software you are considering. Since learning PGP can be difficult, it might be an idea to use a solutions provider that provides dedicated support. Alternatively, if you don’t want to install an add-on to your mail client, consider using an online service, such as ProtonMail, Hushmail, or Mailfence. Below is a round-up of the most popular PGP solutions on the market.
Outlook with Gpg4o
Gpg4o is an add-on for Microsoft Outlook, which provides seamless PGP integration. Gpg4o is considered to be the easiest and most user-friendly PGP add-on available for Windows. Even though Gpg4o is based on the OpenPGP standard, which, as mentioned above, is open-source, it is still a proprietary solution. Gpg4o is not particularly cheap, although dedicated support is provided.
Apple Mail with GPGTools
For Mac users, the GPGTools add-on for Apple Mail is probably the way to go. However, using PGP with Apple Mail will make it perform slower than normal.
Thunderbird with Enigmail
Mozilla Thunderbird is a free and open-source cross-platform email client. Enigmail, which is also free and open-source, is a PGP add-on for Thunderbird. Enigmail doesn’t provide dedicated support, although it has a large and active community, with plenty of documentation.
FairEmail for Android
FairEmail is a stand-alone email client that brings PGP encryption to Android phones. As it stands, there isn’t a huge demand for PGP on Android, and so the FairEmail community is still fairly small. This may change as people become more conscientious about data privacy.
To summarise, Pretty Good Privacy (PGP) encryption leverages the security of asymmetric encryption, and the speed of symmetric encryption, to deliver an encryption standard that is pretty much unbreakable.