PGP in practice: encrypted email and files
What is PGP, how does it work, and when should you use it? An honest guide without hidden complexity — from key pair to encrypted message.
PGP has been around since 1991. It’s one of the few encryption standards that has stood the test of time. At the same time, it’s notorious for its complexity.
This article explains what PGP is, how it works, when it’s useful — and when you’re better off using something else.
What PGP does
PGP stands for Pretty Good Privacy. The modern implementation is called OpenPGP, and the most widely used software is GnuPG (also known as GPG).
PGP does two things:
1. Encrypt: You can encrypt a file or message so that only the recipient can read it — even if it’s intercepted.
2. Sign: You can digitally sign a message so the recipient can verify that it came from you.
How it works: public and private keys
PGP uses asymmetric cryptography — two keys that are mathematically linked:
- Public key — share with everyone. Anyone can use it to encrypt messages to you.
- Private key — keep secret. Only you can decrypt messages encrypted with your public key.
The analogy: your public key is an open padlock. Anyone can lock something with it. Only you have the key to open it.
Encryption works like this:
- You get the recipient’s public key
- You encrypt the message with their public key
- They decrypt it with their private key
- Nobody else — including you — can read the message afterwards
Signing works in reverse:
- You sign a message with your private key
- The recipient verifies the signature with your public key
- They know the message is from you and hasn’t been altered
When do you use PGP?
Honest answer: for most people, PGP is not the right tool.
Use PGP for:
- Encrypted email (when email is truly necessary)
- Encrypting files for long-term storage
- Verifying software downloads (many open-source projects sign releases with PGP)
- Source communication for journalists or activists
Use Signal/Molly instead for:
- Daily encrypted communication
- Real-time messaging
- People without a technical background
Signal’s encryption is stronger than PGP for messages. It offers forward secrecy — if a key is ever compromised, earlier messages remain encrypted. PGP email doesn’t offer this by default.
→ PGP is powerful for files and email. For messaging: use Signal.
Installation
Linux
GnuPG is available on most Linux distros by default:
gpg --version
If not installed:
sudo apt install gnupg # Ubuntu/Debian/Mint
sudo dnf install gnupg2 # Fedora
Windows
Download Gpg4win — includes GnuPG, Kleopatra (GUI), and Outlook integration.
macOS
Download GPG Suite — includes GPG Tools and Mail integration.
Creating your first key pair
gpg --full-generate-key
You’ll be asked:
- Key type: Choose (1) RSA and RSA or (9) ECC (sign and encrypt). ECC (Ed25519/Curve25519) is more modern and faster.
- Key size: For RSA: 4096 bits. For ECC: accept the recommendation.
- Expiry: Set an expiry date — 2 years is sensible. You can extend it later.
- Name and email address: This will be publicly linked to your key.
- Passphrase: Protect your private key with a strong passphrase.
View your keys:
gpg --list-keys # public keys
gpg --list-secret-keys # private keys
Sharing your public key
You can share your public key in several ways:
Export to file:
gpg --export --armor yourname@email.com > my-public-key.asc
The .asc file can be emailed, put on your website, or included in your email signature.
Upload to keyserver:
gpg --keyserver keys.openpgp.org --send-keys YOURKEYID
Others can then look up your key. Note: keyservers are public and permanent — your name and email become visible.
Importing someone’s public key
From a file:
gpg --import their-public-key.asc
From a keyserver:
gpg --keyserver keys.openpgp.org --search-keys name@email.com
Encrypting and decrypting messages
Encrypting
gpg --encrypt --armor --recipient name@email.com message.txt
This creates message.txt.asc — encrypted for the recipient.
To also encrypt for yourself (so you can read it later):
gpg --encrypt --armor --recipient name@email.com --recipient your@email.com message.txt
Decrypting
gpg --decrypt message.txt.asc
GPG asks for your passphrase and displays the content.
Encrypting files
Same principle, but for files:
gpg --encrypt --armor --recipient name@email.com secretfile.pdf
Or symmetrically (with passphrase, no key pair needed):
gpg --symmetric --armor secretfile.pdf
Useful for personal files you want to store or back up without sharing a key pair.
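The commands above, run end to end as an added example (not from the article): it builds a throwaway keyring under a temporary directory so nothing touches your real ~/.gnupg, encrypts for the recipient and the sender, decrypts, and then shows that a keyring holding only the public keys cannot read the message. The names, addresses and empty passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: the article's encrypt/decrypt commands
# run end to end in a throwaway keyring (GNUPGHOME under mktemp), so nothing
# touches ~/.gnupg. The names, addresses and empty passphrase are constructed
# for the demo; a real key should carry a passphrase as the article says.

# roundtrip: create keys for "alice" (sender) and "bob" (recipient), encrypt a
# message for both, decrypt it, then show that a keyring holding only the
# public keys cannot decrypt it. Exit status 0 means every step behaved.
roundtrip() (
    set -e
    work=$(mktemp -d)
    cleanup() {
        for d in "$work/keys" "$work/public-only"; do
            GNUPGHOME="$d" gpgconf --kill gpg-agent 2>/dev/null || true
        done
        rm -rf "$work"
    }
    trap cleanup EXIT
    export GNUPGHOME="$work/keys"; mkdir -m 700 "$GNUPGHOME"

    # Non-interactive stand-in for `gpg --full-generate-key`: default algorithm,
    # signing primary key plus encryption subkey, 2-year expiry.
    for who in alice bob; do
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$who <$who@example.test>" default default 2y
    done
    printf 'meet at noon\n' > "$work/message.txt"

    # Encrypt for the recipient AND the sender, as the article shows, so the
    # sender can re-read the ciphertext later. --trust-model always only skips
    # the "key is not certified" prompt for this throwaway keyring.
    gpg --batch --quiet --trust-model always --encrypt --armor \
        --recipient bob@example.test --recipient alice@example.test \
        --output "$work/message.txt.asc" "$work/message.txt"

    # Decrypt: this keyring holds a matching private key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$work/message.txt.asc" > "$work/plain.txt" 2>/dev/null
    cmp -s "$work/message.txt" "$work/plain.txt"

    # Anyone holding only the public keys (what you publish) gets nothing.
    gpg --batch --export --armor > "$work/public.asc"
    export GNUPGHOME="$work/public-only"; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --import "$work/public.asc" 2>/dev/null
    if gpg --batch --decrypt "$work/message.txt.asc" >/dev/null 2>&1; then exit 1; fi
)

command -v gpg >/dev/null 2>&1 && roundtrip && echo "round trip OK"
```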
Signing
Signing a message
gpg --clearsign message.txt
This creates message.txt.asc — readable text with an attached signature.
Verifying a signature
gpg --verify message.txt.asc
GPG tells you whether the signature is valid and which key it came from.
Verifying software releases
Many open-source projects (Tor Browser, Signal Desktop, Linux distros) sign their releases. To verify:
# Import the project's key (see their website)
gpg --import projectkey.asc
# Verify the downloaded file
gpg --verify software.tar.gz.asc software.tar.gz
This confirms the file genuinely came from the project and hasn’t been modified.
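One caveat a script must handle: `gpg --verify` exits 0 for a good signature from any key you have imported, so automated checks should also confirm which key signed. The following is an added example (not from the article) that reads gpg's machine-readable status output and pins the expected primary-key fingerprint; the file names and fingerprints are placeholders.

```shell
#!/bin/sh
# Added example, not from the article. `gpg --verify` exits 0 for a good
# signature from ANY key you have imported, so a release check must also
# confirm WHICH key signed. gpg's machine-readable --status-fd output gives
# a VALIDSIG line whose last field is the signer's PRIMARY key fingerprint
# (releases are usually signed by a subkey, so compare the primary key, not
# the first field). File names and fingerprints here are placeholders.

# check_status EXPECTED_FPR   (gpg status lines on stdin)
# Returns 0 only if a VALIDSIG line names EXPECTED_FPR as the primary key.
# Spaces and case are ignored so a fingerprint can be pasted from a website.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                primary=${line##* }        # last whitespace-separated field
                [ "$primary" = "$expected" ] && found=0
                ;;
        esac
    done
    return $found
}

# verify_release SIGNATURE FILE EXPECTED_FPR
# Wraps the article's `gpg --verify software.tar.gz.asc software.tar.gz`;
# human-readable output goes to stderr, status lines to stdout for parsing.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Usage (placeholder names and fingerprint):
#   gpg --import projectkey.asc
#   verify_release software.tar.gz.asc software.tar.gz \
#       'AAAA 1111 BBBB 2222 CCCC 3333 DDDD 4444 EEEE 5555' && echo "OK: pinned key"
```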
Setting up encrypted email
Thunderbird (recommended)
Thunderbird has built-in OpenPGP support since version 78.
- Install Thunderbird
- Add your email account
- Go to Account Settings → End-to-End Encryption
- Click Add key → import your existing key or generate a new one
Thunderbird lets you choose per message whether to encrypt and/or sign.
Limitations:
- Only the message body is encrypted
- Metadata (who sends to whom, when, subject line) is visible to your email provider
- Both parties must support OpenPGP
Privacy-friendly email providers
PGP doesn’t solve the metadata problem. Also choose a provider that doesn’t cooperate with surveillance:
- Proton Mail — built-in PGP, Swiss law
- Tutanota — own encryption standard, not compatible with standard PGP
- Posteo — German, paid, no tracking
Key management: the hardest part
Web of Trust
PGP has no central authority. Trust works via a web of trust: when you sign someone’s key, you’re telling others that you’ve verified it.
In practice: if you meet someone in person, you can compare each other’s keys and sign them. This builds trust in the network.
Verifying keys
Never blindly trust a key from a keyserver. Verify the fingerprint — a unique string associated with the key.
gpg --fingerprint name@email.com
Compare this fingerprint with the recipient through a separate channel (phone call, in person).
Back up your private key
Your private key is irreplaceable. If you lose it, you can’t read previously encrypted messages.
Export and store safely:
gpg --export-secret-keys --armor your@email.com > my-private-key-backup.asc
Store this offline — on an encrypted USB or on paper (see KeePassXC for key storage).
Create a revocation certificate
Immediately after creating your key, generate a revocation certificate:
gpg --gen-revoke your@email.com > revocation-cert.asc
If your key is ever compromised or lost, use this certificate to invalidate the key on keyservers.
Store this certificate safely — separately from your private key.
Limitations of PGP
Being honest about what PGP doesn’t do:
No forward secrecy
If your private key is ever compromised, all encrypted messages ever sent to you can be decrypted — if the attacker has been storing them. Signal uses per-message keys that are discarded after use. PGP doesn’t.
Metadata is visible
Your email provider sees who communicates with whom, how often, and when. Only the content is encrypted.
Complexity = mistakes
PGP is hard to use correctly. People forget to encrypt, use the wrong key, or don’t properly secure their private key. One mistake undoes everything.
Few people use it
PGP email only works if both parties support it. In practice, the audience is small.
When PGP is the right choice
Despite the limitations, there are situations where PGP is the best option:
- Long-term encrypted file storage — backups, archives, sensitive documents
- Email when there’s no alternative — contact with organisations that don’t use Signal
- Software verification — confirm what you download
- Journalistic source contact — SecureDrop uses PGP
For everything else: use Signal or Molly.
See also:
- Secure laptop setup
- Two-factor authentication
- WhatsApp vs Signal
- Thunderbird review — email client with PGP
- KeePassXC review — stores PGP passwords securely