Complete PGP Encryption Guide: GPG Setup & Key Management

PGP (Pretty Good Privacy) is the gold standard for securing digital communications and files. Using public key cryptography, PGP enables you to encrypt messages that only intended recipients can read, digitally sign documents to prove authenticity, and establish trust through a decentralized web of trust model. This comprehensive CyberWiki guide covers everything from key generation to advanced operational security in 2026.

  • 4096 bits (RSA standard)
  • RSA/ECC algorithm support
  • E2E: end-to-end encryption
  • 1991: year created

Understanding Public Key Cryptography

"PGP is the closest thing to magic that cryptography offers to ordinary users—the ability to communicate securely with anyone, anywhere, without ever meeting to exchange a secret." CyberWiki considers PGP knowledge essential for anyone who values secure communication.

PGP is built on asymmetric cryptography, a system in which two mathematically linked keys work together. Understanding these core concepts is important before diving into practical implementation. Unlike symmetric encryption, where both parties share a single secret, asymmetric cryptography solves the key distribution problem that plagued secure communications for centuries.

Public Key

Your public identity shared freely with the world. Others use it to encrypt messages to you and verify your signatures. Cannot decrypt or sign—only encrypt and verify.

Private Key

Your secret key that must never be shared. Used to decrypt messages encrypted to you and create digital signatures proving your identity.

Key Signing

The act of cryptographically vouching for another person's key authenticity. Creates a chain of trust between verified identities.

Web of Trust

Decentralized trust model where users validate each other's keys. No central authority—trust spreads through personal verification and key signing.

The Fundamental Security Property

What's encrypted with a public key can ONLY be decrypted by the corresponding private key. What's signed with a private key can be verified by ANYONE with the public key. This mathematical relationship is computationally infeasible to reverse, forming the foundation of modern cryptographic security.

How PGP Encryption Works

PGP uses a hybrid encryption system that combines the best properties of symmetric and asymmetric cryptography. Understanding this process helps you appreciate both PGP's strengths and its practical requirements.

The Encryption Process

When you encrypt a message to someone, PGP generates a random symmetric key (the session key), encrypts your message with a fast symmetric cipher under that key, then encrypts the session key with the recipient's public key. The recipient uses their private key to decrypt the session key, then uses the session key to decrypt the message. This hybrid approach provides the security of asymmetric encryption with the speed of symmetric encryption.

Digital Signatures

Signing works in reverse: you create a cryptographic hash of your message, then encrypt that hash with your private key. Anyone can decrypt the hash using your public key and compare it to a hash of the message they received; if they match, the message is authentic and unaltered. This proves both identity (only you have the private key) and integrity (any change invalidates the signature).

Setting Up GPG

GnuPG (GPG) is the free, open-source implementation of the OpenPGP standard. It's available for all major platforms and is CyberWiki's recommended way to use PGP encryption.

Which Software to Use

On Linux, GPG is typically pre-installed. Windows users should download Gpg4win (includes Kleopatra GUI). macOS users can use GPG Suite or Homebrew: brew install gnupg. All implementations are interoperable following the OpenPGP standard.

1. Generate Your Key Pair

Run gpg --full-generate-key and select RSA and RSA (option 1). Choose 4096 bits for maximum security. Set expiration to 1-2 years (can be extended later). Enter your name and email address carefully—this becomes your cryptographic identity.

2. Create a Strong Passphrase

Your passphrase protects the private key at rest. Use a passphrase of 5+ random words (e.g., "correct horse battery staple violet"). This passphrase is your last line of defense if your private key file is stolen.

3. Generate Revocation Certificate

Immediately create a revocation certificate: gpg --gen-revoke [email protected] > revoke.asc. Store this offline on separate media. If your key is ever compromised, this certificate allows you to invalidate it publicly.

4. Backup Your Private Key

Export your private key: gpg --export-secret-keys --armor [email protected] > private-key.asc. Store this encrypted backup offline in a secure location. Losing your private key means losing access to all encrypted data.

5. Export and Share Public Key

Export your public key: gpg --export --armor [email protected] > public-key.asc. Share this freely via keyservers, your website, or directly with contacts. Get your fingerprint with gpg --fingerprint [email protected].

Key Algorithm Comparison

Modern GPG supports multiple cryptographic algorithms. Choose based on your security requirements and compatibility needs. CyberWiki provides this comparison to help you make informed decisions.

Algorithm  | Key Size                       | Security Level         | Speed     | Compatibility
RSA 4096   | 4096 bits                      | Excellent              | Slower    | Universal
RSA 2048   | 2048 bits                      | Good (min recommended) | Fast      | Universal
Ed25519    | 256 bits (equiv. 3072 RSA)     | Excellent              | Very Fast | Modern clients
Curve25519 | 256 bits                       | Excellent              | Very Fast | Modern clients
DSA        | 2048 bits                      | Deprecated             | Fast      | Legacy only

Modern Recommendation

For new keys, use Ed25519 for signing and Curve25519 for encryption if all your contacts use modern GPG (2.1+). For maximum compatibility with older systems, RSA 4096 remains the safe choice. Never use keys smaller than 2048 bits—they're no longer considered secure.

Encrypting Messages and Files

Importing Recipient Keys

Before encrypting to someone, you need their public key in your keyring. Verify every key before trusting it.

# Import from file
gpg --import recipient-public-key.asc

# Import from keyserver
gpg --keyserver keys.openpgp.org --search-keys [email protected]

# Verify fingerprint through separate channel before trusting
gpg --fingerprint [email protected]

Always Verify Key Fingerprints

Never trust a public key without verifying its fingerprint through a separate, trusted channel (phone call, in person, verified social media with established history). Attackers can create fake keys with any email address. Verify before encrypting sensitive information—this step is crucial for security.
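The fingerprint check described above can be scripted against GPG's machine-readable listing. The following is an added example, not part of the original guide: the function names, the address and every fingerprint in the sample are constructed, and it assumes 40-hex (v4) fingerprints.

```shell
#!/bin/sh
# Added example (not from the guide). Real use, with a fingerprint obtained out of band:
#   gpg --with-colons --fingerprint alice@example.org | check_fingerprint "$EXPECTED"

# Constructed sample of `gpg --with-colons --fingerprint` output: two different
# keys claim the same address (all key IDs and fingerprints are made up).
sample_listing() {
cat <<'EOF'
pub:-:4096:1:1122334455667788:1700000000:1763000000::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1122334455667788:
uid:-::::1700000000::0000000000000000000000000000000000000000::Alice <alice@example.org>::::::::::0:
sub:-:4096:1:99AABBCCDDEEFF00:1700000000:1763000000:::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
pub:-:255:22:A1B2C3D4E5F60718:1710000000:::-:::scESC:::::ed25519:::0:
fpr:::::::::FFFF0000FFFF0000FFFF0000A1B2C3D4E5F60718:
uid:-::::1710000000::1111111111111111111111111111111111111111::Alice <alice@example.org>::::::::::0:
EOF
}

# Strip the spaces people type when reading a fingerprint aloud; uppercase it.
normalize_fpr() { printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'; }

# Reads a colon listing on stdin. Succeeds only if EXPECTED is a full 40-hex
# fingerprint equal to the fingerprint of a primary key (the fpr after a pub).
check_fingerprint() {
    want=$(normalize_fpr "$1")
    case "$want" in
        *[!0-9A-F]*|"") echo "fingerprint must be hexadecimal" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || { echo "need the full fingerprint, not a key ID" >&2; return 2; }
    awk -F: -v want="$want" '
        $1 == "pub" { primary = 1; keys++; next }
        $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary { if ($10 == want) hit = 1; primary = 0 }
        END { printf "%d key(s) listed, match=%d\n", keys, hit; exit(hit ? 0 : 1) }
    '
}

sample_listing | check_fingerprint "AAAA BBBB CCCC DDDD EEEE FFFF 1122 3344 5566 7788"
```

More than one key listed for a single address means several keys claim that identity; only the full fingerprint tells them apart.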

Encryption Commands

# Encrypt message to recipient (ASCII armored output)
gpg --encrypt --armor --recipient [email protected] message.txt

# Encrypt to multiple recipients
gpg --encrypt --armor -r [email protected] -r [email protected] document.pdf

# Encrypt and sign (recommended - proves sender identity)
gpg --encrypt --sign --armor --recipient [email protected] message.txt

# Symmetric encryption (password-based, no keys needed)
gpg --symmetric --cipher-algo AES256 sensitive-file.zip

Decryption

# Decrypt file (will prompt for passphrase)
gpg --decrypt message.txt.asc > message.txt

# Decrypt and verify signature
gpg --decrypt signed-encrypted-message.asc

Digital Signatures

Digital signatures prove that a message or file came from you and hasn't been modified. Anyone with your public key can verify the signature, providing non-repudiation and integrity verification.

Detached Signatures

Separate .sig file alongside original. Best for binaries and archives where you can't embed the signature in the content.

Clearsigned Messages

Human-readable text with embedded ASCII signature. Perfect for emails and text documents that need to remain readable.

# Create detached signature
gpg --detach-sign document.pdf
# Creates document.pdf.sig

# Clearsign text (readable with embedded signature)
gpg --clearsign message.txt
# Creates message.txt.asc

# Verify detached signature
gpg --verify document.pdf.sig document.pdf

# Verify clearsigned message
gpg --verify message.txt.asc

When to Verify Signatures

  • Security software downloads (Tor Browser, Tails, GPG itself)
  • Cryptocurrency wallet software—always verify before installing
  • Communications from known contacts—verifies sender identity
  • Any file where integrity and authenticity matter
  • Software updates from open-source projects
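When verifying a download in a script, a "good signature" only means that some key in your keyring signed the file. The added example below (not from the original guide) parses GPG's --status-fd output and accepts the file only if the signer's primary key matches a pinned fingerprint; the function names, fingerprints and status lines are constructed samples.

```shell
#!/bin/sh
# Added example (not from the guide). Real use:
#   gpg --status-fd 1 --verify tool.tar.gz.sig tool.tar.gz 2>/dev/null | signed_by_pinned_key "$PINNED"

PINNED="AAAA BBBB CCCC DDDD EEEE FFFF 1122 3344 5566 7788"   # constructed fingerprint

# Constructed status output: good signature made by a signing subkey of PINNED.
good_status() {
cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 99AABBCCDDEEFF00 Release Signing <release@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-01-15 1736942400 0 4 0 1 10 00 AAAABBBBCCCCDDDDEEEEFFFF1122334455667788
EOF
}

# Constructed: cryptographically good, but made by a different key in the keyring.
other_key_status() {
cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG A1B2C3D4E5F60718 Release Signing <release@example.org>
[GNUPG:] VALIDSIG FFFF0000FFFF0000FFFF0000A1B2C3D4E5F60718 2025-01-15 1736942400 0 4 0 22 10 00 FFFF0000FFFF0000FFFF0000A1B2C3D4E5F60718
EOF
}

# Constructed: signature from the pinned key, but that key has expired.
expired_key_status() {
cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 99AABBCCDDEEFF00 Release Signing <release@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-01-15 1736942400 0 4 0 1 10 00 AAAABBBBCCCCDDDDEEEEFFFF1122334455667788
EOF
}

# Succeeds only for exactly one good signature whose primary-key fingerprint
# (last VALIDSIG field) equals the pinned one, with no expired/revoked/bad status.
signed_by_pinned_key() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        $2 == "VALIDSIG" { valid++; if ($NF == want) pinned++ }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad++ }
        END { exit !(good == 1 && valid == 1 && pinned == 1 && bad == 0) }
    '
}

good_status | signed_by_pinned_key "$PINNED" && echo "signature accepted"
```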

CyberWiki's Key Management Best Practices

Key Distribution

How you distribute your public key affects how easily others can communicate securely with you. Multiple distribution methods provide redundancy and verification options.

Method                  | Pros                                 | Cons
keys.openpgp.org        | Email verification, search by email  | Requires email confirmation
Personal Website        | Full control, easy to find           | Requires domain verification
WKD (Web Key Directory) | Automatic discovery via email domain | Requires server configuration
Direct Exchange         | Most secure, personal verification   | Doesn't scale

Key Expiration and Rotation

Setting key expiration limits damage from compromised keys and encourages good security hygiene. CyberWiki recommends 1-2 year expiration periods that can be extended before they expire.

Critical Security Items

  • Never share your private key—not with friends, employers, or "tech support"
  • Protect your passphrase—it's the only protection if private key is stolen
  • Store revocation certificate offline—on paper, USB in safe location, NOT on your computer
  • Keep old private keys—you need them to decrypt old messages
  • Set expiration dates—limits damage from undetected compromise

# Extend key expiration (before it expires)
gpg --edit-key [email protected]
gpg> expire
# Select new expiration period
gpg> save

# List your keys with expiration dates
gpg --list-keys --keyid-format long

# Refresh keys from keyserver (update others' keys)
gpg --refresh-keys
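The expiration advice above and the algorithm guidance in the comparison section (no RSA below 2048 bits, DSA deprecated) can be checked across a whole keyring. This is an added example, not part of the original guide: audit_keyring and the sample records are constructed, and it assumes the expiry field of --with-colons output is in epoch seconds, as GnuPG 2.x prints it.

```shell
#!/bin/sh
# Added example (not from the guide). Real use:
#   gpg --list-keys --with-colons | audit_keyring

# Constructed `gpg --list-keys --with-colons` records (key IDs are made up).
# Fields used: 2 validity, 3 key length, 4 algorithm (1 RSA, 17 DSA, 22 EdDSA),
# 5 key ID, 7 expiration time.
sample_keyring() {
cat <<'EOF'
pub:u:4096:1:AAAA000000000001:1700000000:1751000000::u:::scESC::::::23::0:
pub:-:1024:1:BBBB000000000002:1300000000:::-:::scESC::::::23::0:
pub:e:2048:17:CCCC000000000003:1400000000:1600000000::-:::sc::::::23::0:
pub:-:255:22:DDDD000000000004:1740000000:1790000000::-:::scESC:::::ed25519:::0:
EOF
}

# audit_keyring [NOW_EPOCH] [WARN_DAYS]: reads a colon listing on stdin and
# prints one "KEYID FINDING" line per problem found on a primary key.
audit_keyring() {
    awk -F: -v now="${1:-$(date +%s)}" -v days="${2:-30}" '
        $1 != "pub" { next }
        {
            id = $5
            if ($2 == "r") print id, "REVOKED"
            if ($2 == "e" || ($7 != "" && $7 + 0 <= now)) print id, "EXPIRED"
            else if ($7 == "") print id, "NO-EXPIRY"
            else if ($7 - now <= days * 86400) print id, "EXPIRES-SOON"
            if ($4 == 17) print id, "DSA-DEPRECATED"
            if ($4 == 1 && $3 + 0 < 2048) print id, "RSA-UNDER-2048"
        }
    '
}

# Fixed clock so the sample gives the same findings on every run.
sample_keyring | audit_keyring 1750000000 30
```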

Email Encryption Integration

Email is the most common use case for PGP. Modern email clients have improved PGP support, making encrypted email more accessible than ever.

Email Client           | PGP Support             | Setup Difficulty
Thunderbird            | Built-in OpenPGP (v78+) | Easy
ProtonMail             | Native PGP, automatic   | Automatic
Apple Mail + GPG Suite | Via plugin              | Moderate
Outlook + Gpg4win      | Via GpgOL plugin        | Moderate
K-9 Mail (Android)     | Via OpenKeychain        | Moderate

"PGP is not just about hiding messages from prying eyes—it's about establishing digital identity and trust in an era where impersonation is trivial. A verified signature is worth more than a thousand passwords."

— Cryptography Principles

Operational Security Considerations

PGP Metadata Limitations

PGP encrypts content but NOT metadata. Email headers (to, from, subject, timestamps) remain visible. Key creation date and email address in your key reveal information. For sensitive operations, consider these limitations and use additional protection layers like Tor.

Advanced OPSEC Practices

  • Separate identities: Use different keys for different contexts (work, personal, anonymous)
  • Hardware tokens: Store private keys on YubiKey or similar HSM for enhanced protection against malware
  • Air-gapped signing: For high-security operations, sign on an offline computer
  • Subkeys: Use signing and encryption subkeys; keep master key offline
  • Anonymous key creation: Generate keys over Tor if anonymity is required

# Create encryption subkey (keeps master key safer)
gpg --edit-key [email protected]
gpg> addkey
# Select encryption capability
gpg> save

# Export only subkeys for daily use (master stays offline)
gpg --export-secret-subkeys --armor [email protected] > subkeys.asc

Common Issues and Solutions

Troubleshooting Tips

  • "No public key"—Import recipient's key first: gpg --import key.asc
  • "Unusable public key"—Key may be expired or revoked. Check with gpg --list-keys
  • "Bad signature"—File was modified after signing or wrong key used
  • Passphrase forgotten—No recovery possible. Use revocation cert and create new key
  • Key expired—Extend expiration with gpg --edit-key before it expires

Understanding PGP Limitations

While PGP provides strong cryptographic protection, understanding its limitations helps you use it appropriately and avoid false confidence. This CyberWiki guide emphasizes that no tool provides perfect security, and knowing the boundaries enables better decision-making.

Metadata Exposure

PGP encrypts message content but does not hide metadata. Email headers including sender, recipient, subject lines, and timestamps remain visible to network observers and email servers. This metadata can reveal communication patterns, relationships, and timing that may be as sensitive as the content itself. For communications where metadata matters, consider secure messaging apps that minimize metadata collection.

Complexity and Usability Challenges

PGP's complexity leads to frequent user errors that compromise security. Incorrect key verification, accidental plaintext replies, and poor key management are common mistakes even among experienced users. The learning curve is steep, and ongoing discipline is required. For sensitive communications with less technical contacts, easier alternatives like Signal may provide better real-world security despite technically weaker properties.

Forward Secrecy Limitations

Traditional PGP lacks forward secrecy. If your private key is ever compromised, all past encrypted messages can be decrypted. Modern messaging protocols like Signal Protocol generate new keys for each message, so compromise of current keys does not expose historical communications. For ongoing sensitive communications, consider tools with forward secrecy rather than relying solely on PGP.

Conclusion

PGP provides solid cryptographic protection for communications and files when implemented correctly. The key to success lies in proper key management: protect your private key absolutely, verify others' keys before trusting them, and maintain good operational security practices. While PGP has a learning curve, CyberWiki considers it an essential skill for anyone serious about secure communication.

PGP is one tool in a comprehensive security toolkit. Combine it with secure messaging apps for real-time communication, Tor for anonymous browsing, and good OPSEC practices for complete protection. Understand PGP's limitations regarding metadata and forward secrecy, and choose appropriate tools for each communication scenario based on your specific threat model and the capabilities of your contacts.

Key Takeaways

  • Public key = share freely; Private key = protect absolutely
  • Use 4096-bit RSA or Ed25519/Curve25519 for new keys
  • Always verify key fingerprints through trusted, separate channels
  • Generate and store revocation certificate offline immediately
  • Set key expiration (1-2 years) and extend before expiry
  • Remember: PGP encrypts content but not metadata
  • Consider hardware tokens (YubiKey) for enhanced private key security
  • Use subkeys for daily operations, keep master key offline
