What is PGP?

A graphic of a padlock in a digital blue colour, with effects

Pretty Good Privacy (PGP) is a highly-secure method of encrypting text-based data used by businesses and organisations all over the globe. It combines different cryptographic protocols such as hashing, data compression, symmetric and asymmetric key cryptography to provide users with a fast and easy method of secure communication.

Each user has a 'private key' and a 'public key' and the interaction between the two forms the basis of the method's security. Private keys remain with the user only, forming the only part of the system that can verify a user's true identity. If anyone else has access to a private key, they can decrypt any communication intended to the rightful holder, rendering the communication channel compromised.

You can think of public keys as telephone numbers, something you can freely give out so people know how to contact you. When encrypting a message, a user must do so with the intended recipient's public key, like calling the right phone to reach the right person. You can think of the private key as the phone's password, only the person with the password can answer the phone.

Because the public key is linked to the recipient's private key, only that user can decrypt the message. You encrypt with the public key to ensure it gets to the right person and decrypt with a private key so only the right person can see it.

Pretty Good Privacy was developed by computer scientist Phil Zimmerman in 1991, who wanted to create an open source encryption platform that could be used by anyone across the world, without having to pay huge fees.

It's now owned by security giant Symantec Group, and it is the antivirus developer that now is responsible for updating PGP to ensure it's sufficient to protect email communications. The company has also developed an open source variant - OpenPGP, which is used alongside the licensed version.

What is PGP used for?

Although PGP was initially built to encrypt emails, this technology can be used to safeguard a range of communications from text messages to files. PGP can be applied in many ways, including boosting privacy as well as securing digital certificates.

There are a number of different standards in use, but the most widely-adopted is OpenPGP, an open-source iteration that bypasses the licence arrangements tied to PGP.

It’s predominately used to secure desktop apps and email clients such as Apple Mail and Microsoft Outlook. Google Chrome also offers extensions that allow users to apply the standard to web browsing.

How does PGP work?

This security tool works by adding layers of encryption onto text-based content to safeguard the content, and raise the level of privacy.

PGP relies on strong cryptography that renders encrypted text impossible to decipher without the requisite tool, or key. When applied to email clients, for example, the message content is protected through the use of an encoding algorithm that garbles the text so it’d be impossible to read if intercepted by a third-party.

Anybody hoping to read the text would need the key to unlock the code, but the key itself is often encrypted as well. Both are sent to the recipient of the message, so it can be read as normal once opened. The key and message are deciphered through the recipient’s email application, through the use of a private key, almost instantly once it’s sent.


Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation


Is PGP secure?

There has been some controversy over how secure PGP is. In 2011, researchers discovered that short encryption keys (32-bit or smaller) were unsafe to the extent some claimed they in effect offered no security at all.

This is because, with modern GPUs, it's easy for hackers to come up with a "colliding" (i.e. matching) key ID if the key in question is short. This doesn't mean PGP is fatally flawed, though - it just means a long key (greater than 32-bit) must always be used. If it is, then PGP works as intended and is secure - for now at least.

Most recently, hackers have discovered a hugely significant flaw in OpenPGP, the open-source variant of Symantec's licensed version. The flaw has been known to developers for over a decade and it could mean the end for the technology, according to those who built it. Hackers have found a way to flood keys with a huge amount of unnecessary data which will break the program (GnuPG) needed to use the technology.

"This is a mess, and it's a mess a long time coming," said Daniel Kahn Gillmor, a lead developer of OpenPGP. "The parts of the OpenPGP ecosystem that rely on the naive assumptions of the SKS keyserver can no longer be relied on, because people are deliberately abusing those keyservers. We need significantly more defensive programming, and a better set of protocols for thinking about how and when to retrieve OpenPGP certificates."

Nevertheless, the licensed version of PGP is still a secure method of communications that you can rely on to deliver sensitive information to individuals without having to worry about it being read if it were intercepted.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.