You’re working late Thursday evening as a contractor for a powerful government agency. You stumble across classified documents uncovering a surveillance program that invades the privacy of millions of citizens. Your heart races as you decide to expose this to the masses and enlist the help of a few journalists.
But you also know the organization you work for monitors emails (and other forms of communication). If your emails hit the wrong eyes, you could face severe penalties. When you contact the journalists, how will you know your emails only reach their intended audience?
This is where tools like PGP come in, offering a way to encrypt and protect communications. In this blog, we’ll explore what is PGP encryption, how it works to protect your communications, its evolution and current usage, the pros and cons of using PGP, and best practices for securely implementing this encryption tool.
What is PGP Encryption?
PGP (short for Pretty Good Privacy) is an encryption system used to secure emails and files. The PGP meaning refers to the encryption of sensitive data, ensuring that only the intended recipient can access it. It can describe any encryption program or application that implements the OpenPGP encryption standard. GPG (GNU Privacy Guard) is one of the most widespread open-source implementations of OpenPGP. PGP is primarily used to encrypt sensitive information (files, emails, etc.) such that it can only be decrypted by the intended recipient. Another use is for authentication. When someone signs a file or email, the receiver can authenticate the digital signature to ensure the sender is who they say they are.
Historical Background
PGP was introduced in 1991 by Philip R. Zimmermann as freeware and was later offered as a low-cost commercial product. During this time, PGP gained popularity among computer professionals and organizations as they tried to find an affordable way to add extra security to their emails. Since then, while the original product no longer exists, PGP has become a de facto standard for encrypting and digitally signing messages with tools like ProtonMail and Thunderbird, gaining popularity among privacy-conscious individuals partially thanks to the built-in PGP encryption.
Evolution and Current Usage
Since 1991, PGP has grown from a niche encryption tool into a widely recognized secure communication standard. Today, PGP is integrated into many modern email clients. While still heavily used by privacy-conscious users, journalists, and activists, PGP’s adoption has expanded to businesses and individuals who prioritize secure communication in a world increasingly concerned with data breaches and privacy threats.
How does PGP Encryption Work?
Encryption Process
PGP combines symmetric key encryption and public key encryption. Let’s break down what these two things are and how they come together to form the basis of PGP.
Symmetric Key Encryption
Symmetric encryption relies on one shared key between the sender and the receiver (known as the session key). When the sender sends their message, they generate a random key and “lock” or encrypt the message using this key. Then, when the receiver is ready to open the message, they use the same key to “unlock” or decrypt the message.
The issue here is how can the sender securely share the key with the receiver? Sharing the key in plaintext exposes the communication to security risk.
Public-Key Encryption
Public-key encryption, also known as asymmetric encryption, in contrast uses two different keys for the encryption and decryption process as follows:
- Public key
- Private key
A user’s public key is shared openly. When the sender sends a message, it is encrypted using the receiver’s public key. The message can then only be decrypted using the receiver’s private key. Since the public key is not used for decryption, it is safe to share with others, in plaintext, eliminating the risk associated with symmetric key encryption.
While this method is more secure, it is computationally intensive. As the size of the data being encrypted increases, the time and computational resources required also increase.
Combining Symmetric and Public-Key Encryption
If the issue with symmetric key encryption is sending the key in plaintext, it would be great if we could encrypt the key itself. The session key is small, so it is a great candidate for public-key encryption. Enter PGP.
When the sender sends their message, it is encrypted using symmetric key encryption with a session key. The session key is encrypted using the receiver’s public key. When the receiver is ready to open the message, they decrypt the session key with their private key. Then, they use the session key to decrypt the message.
Using this combination, we address the risk with symmetric key encryption (not having a secure way to share keys) and the limitations of public-key encryption (being limited on the size of data to encrypt within reasonable computational overhead).
Key Uses of PGP Encryption
Following are the key uses of PGP Encryption:
- Sending Encrypted Emails
- Encrypting Files
Sending Encrypted Emails
Email encryption is by far the most prominent use case of PGP, protecting messages with sensitive data in industries ranging from journalism to healthcare to corporate communication. People are always looking for ways to protect their privacy, and many use the standard to secure their private information.
Digital Signature Verification
PGP can also be used for digital signatures, allowing email recipients to verify the identity of the sender and the integrity of the message.
This works by leveraging the sender’s public and private keys. When the email is sent, the message is hashed. The hash is encrypted using the sender’s private key to create the digital signature.
The recipient decrypts the hash with the sender’s public key. The received message is also hashed. If the decrypted hash matches the hash of the message that is received, the digital signature is verified.
Importance of Signature Verification
Once a message is hashed and encrypted, if even one character changes in transit, the recipient will know when they verify the digital signature. This can be a sign that either the sender is not who they say they are or that the message has been tampered. Digital signatures ensure the integrity of emails and add a safeguard against threats like phishing scams or identity theft.
Encrypting Files
With more people moving files to the cloud, you may wonder how to protect those files against unauthorized individuals. PGP-encrypted files can be safely stored on local or cloud storage to protect your information. Similarly, when sharing sensitive documents (including contracts, financial records, and research data), PGP ensures only the intended recipient can view the data.
The process works similarly to encrypting emails: using a symmetric session key to encrypt the files and encrypting the key with a public key. Once the files are ready to be accessed, using a private key to decrypt the file.
Popular PGP File Encryption Solutions
Several solutions can help with encrypting your files. Symantec (now part of Broadcom) is a major vendor of PGP file-encryption software after they acquired PGP Corp. in 2010. Products like Symantec Encryption Desktop and Symantec Encryption Desktop Storage allow you to encrypt your files without having to know all the ins and outs of the encryption/decryption process.
Practical Examples of Using PGP Encryption
PGP in Email Encryption
PGP is widely used to encrypt emails, making sure they are only visible to the intended parties. A popular example is Edward Snowden using PGP to communicate with journalists.
At the time, he reached out to journalist Glen Greenwald urging him to install PGP so that their communications could be secured. Greenwald ignored his persistent requests for months. PGP can be complicated and it’s hard to find time to sit and figure it out (even if government secrets may be on the line). Today, there are several email services that make PGP encryption more accessible to a standard user.
How ProtonMail Implements PGP
Sending PGP messages can be much easier than it seems. Email services, such as ProtonMail, that offer PGP can facilitate the process.
If both parties are using ProtonMail, ProtonMail automatically encrypts emails as well as creates digital signatures, hiding the complexity of key management.
If you’re communicating with someone who is not using ProtonMail, they need to have a PGP plugin installed in their mail client or use some other PGP service (some of these tools will be discussed later).
First, you will share your public keys with each other—this can be done in multiple ways, including sending the key as an email attachment. The public key is saved with the user’s contact, and you can start sending end-to-end encrypted messages, sign messages, and verify the other user’s digital signatures.
Pros and Cons of PGP Encryption
Pros of PGP Encryption
Unbreakable Security | While people have tried to break PGP encryption, it is nearly impossible. The advanced algorithms provide robust security against hackers, nation-states, and even government agencies like the NSA. While PGP itself is highly secure, certain implementations have presented security vulnerabilities, such as the Efail vulnerability. |
Broad Adoption and Versatility | PGP is widely supported for several use cases from securing your emails with tools such as ProtonMail to securing files with vendors such as Symantec. With its open-source implementation, OpenPGP, it can also be integrated into a variety of different software solutions, ensuring all users can benefit from strong encryption. |
Cons of PGP Encryption
Complexity and Usability Challenges | One reason PGP isn’t even more prominent is that it can still be highly complex and not user friendly. Several solutions that we’ve discussed are making it easier, but using PGP can still be a strenuous effort. Improper uses of PGP can introduce additional security holes. Businesses wanting to leverage it would need to provide thorough training to their users |
Potential Alternatives to PGP | There are several alternatives to PGP. For messaging, consider Signal or other similar apps that offer more user-friendly encryption. For storing data, anonymization (or pseudonymization) can be a more resource-effective way to protect data. |
How to Set Up PGP Encryption
Email Client Integration
For most common uses of PGP, the set up involves downloading an add-on for your email program and following the installation instructions.
Setting Up PGP in Outlook with gpg4o
Gpg4o is popular among users looking to integrate OpenPGP with Outlook 2010-2016. It is one of the most straightforward and easy to install ways to implement PGP for Outlook.
Setting Up PGP in Apple Mail with GPGTools
GPG Tools offers a broad suite of software to encrypt all areas of your Mac system. The package contains an email plugin for Apple Mail. Other tools include a key manager, allowing you to use GPG in almost any application, as well as an engine so you can use GPG with the command line.
Setting Up PGP in Thunderbird with Enigmail
Enigmail is a security add-on that integrates with SeaMonkey, Epyrus, and Postbox. Enigmail was originally developed for Thunderbird, however latest versions of Thunderbird are no longer supported. Enigmail is free and can be used, modified and distributed under the terms of the Mozilla Public License.
Advanced PGP Encryption Concepts
Web of Trust Concept and Implementation
How do you know which public keys actually link back to the user you expect them to? A “web of trust” is used to describe the decentralized way trust is established with public keys. When you communicate with other users using their public keys, determine if that public key can be trusted (i.e. is the owner of the public key the person you think they are). If so, you can add that public key to your “keyring” and sign the key to indicate to others that you have verified this key and that it can be trusted.
The concept can be extended to trusting the people that “the people you trust” trust. A little bit of a mouthful, but basically “Your friends are my friends.” If you know Bob carefully vets the public keys he accepts and trusts, you can choose to expand your list of trusted keys to include the ones that Bob trusts, thus creating a “web.”
Levels of Trust and Certification
Every key can be trusted to a certain extent. There are 5 trust levels:
- Unknown – the default trust level when there is not enough information
- Untrusted – This key is marked such that it should not be trusted. This may happen if the key holder is compromised, making bad signatures, or not verifying keys before signing them.
- Marginal – These keys are just okay. For another key to be marked as trusted, it will need signatures from three keys that you’ve given marginal trust to.
- Full – This is the highest form of trust you can give other users. Keys only need one signature from someone who is fully trusted to be marked as trusted.
- Ultimate – Should only be used with your own keys! You ultimately know who you are. Other well-verified keys should be given full trust.
PGP Fingerprints and Certificates
Importance of Public Key Fingerprints
It is important to be able to trust the keys you’re using. Using the wrong key, could lead to the data falling into the wrong hands if intercepted. A digital certificate serves to establish whether a public key belongs to the correct owner. It will consist of three things:
- A public key
- Certificate information (information about the identity of the user such as name or user ID)
- One or more digital signatures that state that the certificate information has been verified by some other person or entity.
When you want to verify a user’s key, you can check the certificate’s fingerprint. The fingerprint is a hashed version of the certificate and appears in the certificate properties either as a hexadecimal number or a series of words.
Now, you can call the user you want to communicate with and have them verify the fingerprint. Or you can trust that someone else has gone through the process of validating it.
Certificate Management and Revocation
Certificates are created with a validity period (a period of time in which it can be trusted). When the certificate expires, it will no longer be valid.
If a certificate owner terminates employment with the company that issued the certificate, or if somebody suspects that the certificate’s private key can be compromised, the certificate can be revoked.
Anyone who has signed a certificate can revoke their signature on the certificate in these cases (which carries almost the same weight as the certificate itself being revoked).
Only the certificate owner or someone that has been designated with permissions to revoke by the owner can revoke the certificate.
Security Considerations in Choosing PGP Encryption
Potential Vulnerabilities and How to Address them
While PGP encryption itself is very secure, several other factors can introduce risk:
- Key Mismanagement:This includes things like not rotating, securing, or revoking keys which increases the likelihood for a key to be compromised. Attackers may be able to decrypt sensitive messages with compromised keys. Prevent this by implementing strong key management policies to manage regular key rotation/expiration, secure storage, and clear revocation procedures.
- Man-in-the-Middle Attacks: These attacks can occur if someone posts a fake public key posing as the intended recipient. If they intercept the message, they will be able to access data that was not meant for them. Mitigate this by verifying keys with methods such as PGP fingerprints.
- User Error and Lack of Training: Some users may be unfamiliar with PGP which leads them to misuse keys or fail to properly verify signatures. Provide regular training for users so that they remain aware of best practices and your organization’s policies.
- Implementation Errors: Vulnerabilities such as Efail can be introduced by improper PGP implementation. Regularly update and patch PGP software and vet the software thoroughly for any known vulnerabilities before deploying it to your organization.
Legal and Compliance Aspects
Organizations should consider the following legal and compliance aspects:
- Data Protection: Regulatory standards such as GDPR and HIPAA require securing sensitive or personally identifiable information with end-to-end encryption for data in motion. Implementing PGP can help meet these privacy requirements.
- Key Management Policies: Regulations like PCI DSS and NIST require thorough key management practices. When implementing PGP, have strong policies around key generation, storage, rotation, and revocation to keep encryption keys up to date and ensure decryption can only be done by authorized users.
- Audit and Reporting Requirements: It may be necessary to provide audit trails and documentation, especially when handling regulated data or cross-border transfers. Evaluate the logging capabilities or procedures needed of your PGP solution.
Best Practices of Using PGP Encryption
When to Use PGP Encryption
PGP is best utilized if the following scenarios apply to you:
- Confidential asynchronous communication: PGP excels in ensuring asynchronous messages, like emails, only hit the eyes of your intended recipient.
- Need to meet legal and compliance requirements: While everyone can benefit from keeping their emails and files secure, organizations handling customer or employee information may face legal and compliance mandates for data encryption. PGP solutions offer an easy starting point.
- Encrypting individual files or smaller amounts of data: PGP is ideal for encrypting emails, individual files, and other smaller amounts of data. If you need to encrypt large amounts of data at rest in bulk, such as databases, consider using AES encryption.
Integrating PGP with Other Security Measures
Integrating PGP encryption with other security measures will further enhance data protection and defend against potential threats:
- Combine with multi-factor authentication: adding this layer of security ensures that only authorized users can access encrypted information.
- Use alongside a data loss prevention tool: combining the two will allow you to have a proactive stance against data exfiltration and sensitive data leaks.
- Secure password management: usingpassword managers to generate and store complex passwords for email accounts and PGP keys help prevent potential compromise due to weak or reused passwords.
- Keep software patched and up to date: as with any software, ensuring your PGP tools are patched and on the latest version will reduce the likelihood that you are impacted by a vulnerability from earlier versions of the product.
Conclusion
Importance of PGP for Secure Communications
As our reliance for digital communications grows, your privacy is still your right. PGP enables you to maintain the confidentiality and integrity of your messages. Over 30 years, PGP continues to be one of the most widely recognized and trusted standards for secure email encryption.
As Philip Zimmermann, the author of PGP, said “PGP empowers people to take their privacy into their own hands. There’s a growing social need for it. That’s why I wrote it.”
Practical Considerations for Implementing PGP
If your organization wants to implement PGP, make sure to vet the software you are considering and make note of things like user training, key management policies, and integration of PGP with existing security frameworks.
Evaluating the specific needs of your users and your organization will help ensure successful adoption.
Recommendations
How to Get Started with PGP
The first step in getting started with PGP is selecting the right software. Consider your specific needs when doing so. Will your users need to integrate with their existing mail clients? Or would it be preferred to use a standalone application?
Research the software before putting it into place to ensure that it is safe, reliable, and that you will have strong support throughout the process.
After selecting the software, setup is often straightforward with several vendors also offering a free trial so you can make the most informed decision possible.
Integrating PGP into a Comprehensive Security Strategy
Email encryption should only be part of your overall cybersecurity strategy.
A comprehensive security strategy should include protecting your users from getting compromised, which could put your keys at risk.
Additionally, monitor your sensitive data before they are emailed out to ensure users are only accessing and sharing the appropriate data.
Adding these additional layers will put you in the best position to protect your data and your privacy.
