
PGP in practice: encrypted email and files

Who this guide is for: Journalists, lawyers, activists, and anyone who needs to encrypt files or use PGP for email. For everyday private messaging, Signal is usually the better choice.

PGP has been around since 1991. It’s one of the few encryption standards that has stood the test of time. At the same time, it’s notorious for its complexity.

This article explains what PGP is, how it works, when it’s useful — and when you’re better off using something else.

What you gain, and what it costs

You gain an open standard for encrypted files, signed software downloads, and email in environments where modern chat tools are not the right fit. PGP remains relevant because a lot of technical, archival, and journalistic workflows still depend on it.

The cost is complexity. Generating keys, verifying fingerprints, exchanging public keys, making backups, and storing revocation certificates is more error-prone than almost anything in modern messaging apps. That makes PGP powerful, but rarely simple.

When this is overkill

For daily messages, family conversations, team chat, and quick coordination, PGP is usually the wrong tool. Use it when you genuinely need email or file encryption inside a PGP-compatible workflow. For ordinary communication, Signal or Molly is almost always the better answer.


What PGP does

PGP stands for Pretty Good Privacy. The format is standardised as OpenPGP (RFC 4880), and the most widely used implementation of that standard is GnuPG (also known as GPG).

PGP does two things:

1. Encrypt You can encrypt a file or message so that only the recipient can read it — even if it’s intercepted.

2. Sign You can digitally sign that a message came from you. The recipient can verify this.


How it works: public and private keys

PGP uses asymmetric cryptography — two keys that are mathematically linked:

  • Public key — share with everyone. Anyone can use it to encrypt messages to you.
  • Private key — keep secret. Only you can decrypt messages encrypted with your public key.

The analogy: your public key is an open padlock. Anyone can lock something with it. Only you have the key to open it.

Encryption works like this:

  1. You get the recipient’s public key
  2. You encrypt the message with their public key
  3. They decrypt it with their private key
  4. Nobody else — including you — can read the message afterwards

Signing works in reverse:

  1. You sign a message with your private key
  2. The recipient verifies the signature with your public key
  3. They know the message is from you and hasn’t been altered

When do you use PGP?

Honest answer: for most people, PGP is not the right tool.

Use PGP for:

  • Encrypted email (when email is truly necessary)
  • Encrypting files for long-term storage
  • Verifying software downloads (many open-source projects sign releases with PGP)
  • Source communication for journalists or activists

Use Signal/Molly instead for:

  • Daily encrypted communication
  • Real-time messaging
  • People without a technical background

Signal is the better fit for messages because its protocol offers forward secrecy: every message is protected with a key that is discarded after use, so a key that is compromised later does not expose earlier messages. PGP email does not offer this. One long-lived key protects every message ever sent to you, and a copy of that key unlocks all of them.

PGP is powerful for files and email. For messaging: use Signal.


Installation

Linux

GnuPG is available on most Linux distros by default:

gpg --version

If not installed:

sudo apt install gnupg    # Ubuntu/Debian/Mint
sudo dnf install gnupg2   # Fedora

Windows

Download Gpg4win — includes GnuPG, Kleopatra (GUI), and Outlook integration.

macOS

Download GPG Suite — includes GPG Tools and Mail integration.


Creating your first key pair

gpg --full-generate-key

You’ll be asked:

  1. Key type: Choose (9) ECC (sign and encrypt) for a modern Ed25519/Curve25519 key, or (1) RSA and RSA. ECC keys are smaller and faster. On GnuPG 2.2 the ECC option is only shown when you run gpg --expert --full-generate-key; from GnuPG 2.3 on it is the default.
  2. Key size or curve: For RSA: 4096 bits. For ECC: choose Curve 25519.
  3. Expiry: Set an expiry date. 2 years is sensible. You can extend it later with gpg --quick-set-expire FINGERPRINT 2y, as long as you still have the private key, so an expiry date is also a safety net in case the key is lost.
  4. Name and email address: This will be publicly linked to your key.
  5. Passphrase: Protect your private key with a strong passphrase.

View your keys:

gpg --list-keys          # public keys
gpg --list-secret-keys   # private keys


Sharing your public key

You can share your public key in several ways:

Export to file (you@example.com stands for the address on your key):

gpg --export --armor you@example.com > my-public-key.asc

The .asc file can be emailed, put on your website, or included in your email signature.

Upload to keyserver:

gpg --keyserver keys.openpgp.org --send-keys YOURKEYID

Others can then look up your key. keys.openpgp.org only publishes your name and email address after you confirm the address through the verification email it sends; until then the key can only be found by fingerprint or key ID, and you can ask for the address to be removed again. The older SKS keyservers are different: anything uploaded there is public and can never be removed.


Importing someone’s public key

From a file:

gpg --import their-public-key.asc

From a keyserver:

gpg --keyserver keys.openpgp.org --search-keys alice@example.com

On keys.openpgp.org this only finds keys whose owner has verified that address. A key found this way is still unverified until you have checked its fingerprint (see Verifying keys below).


Encrypting and decrypting messages

Encrypting

gpg --encrypt --armor --recipient alice@example.com message.txt

This creates message.txt.asc, encrypted for the recipient (alice@example.com stands for the address on their key). Encryption alone says nothing about who wrote the message: anyone holding Alice's public key could have produced it. Add --sign if she needs to know it really came from you.

To also encrypt for yourself (so you can read it later), name your own address as a second recipient:

gpg --encrypt --armor --recipient alice@example.com --recipient you@example.com message.txt

Decrypting

gpg --decrypt message.txt.asc

GPG asks for your passphrase and prints the content to the terminal. Use --output message.txt to write it to a file instead. If the sender also signed the message, gpg reports the signature check at the same time.


Encrypting files

Same principle, but for files:

gpg --encrypt --armor --recipient alice@example.com secretfile.pdf

Or symmetrically (with passphrase, no key pair needed):

gpg --symmetric --armor secretfile.pdf

Useful for personal files you want to store or back up without sharing a key pair. The only secret is the passphrase, so choose a long one. For large binary files drop --armor: the output is then secretfile.pdf.gpg instead of a base64 .asc file that is roughly a third larger.


Signing

Signing a message

gpg --clearsign message.txt

This creates message.txt.asc — readable text with an attached signature.

Verifying a signature

gpg --verify message.txt.asc

GPG tells you whether the signature is valid and which key it came from. This only checks the signature against the keys in your keyring; whether that key really belongs to the person is a separate question, covered under Verifying keys below.

Verifying software releases

Many open-source projects (Tor Browser, Signal Desktop, Linux distros) sign their releases. To verify:

# Import the project's key (see their website)
gpg --import projectkey.asc
# Verify the downloaded file
gpg --verify software.tar.gz.asc software.tar.gz

This confirms that the file was signed with the key you imported and has not been modified since. It proves nothing if that key is not really the project's: gpg prints "Good signature" for any key in your keyring, and exits successfully even when it warns that the key is not certified with a trusted signature. So compare the fingerprint of the imported key (gpg --fingerprint) with the one the project publishes before you rely on the result.
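The check above, written out as a small script. This is an added example, not code from the article or from any project's release tooling. It pins the expected signing key instead of trusting "Good signature", and it reads gpg's machine-readable --status-fd output rather than grepping the human-readable messages, which change with language and version. The fingerprints in the comments and tests are constructed placeholders, not any real project's key.

```shell
#!/bin/sh
# Added example: verify a detached OpenPGP signature AND pin the signing key.
# gpg --verify exits 0 and says "Good signature" for any key you have imported,
# so the exit status alone does not show the file came from the project.

# check_validsig EXPECTED_FINGERPRINT   (gpg status records on stdin)
# Succeeds only when a VALIDSIG record names the expected fingerprint, either
# as the signing subkey (field 3) or as the primary key (last field), and no
# record reports a bad, undecodable, expired-key or revoked-key signature.
# Spaces and lower case in the expected value are tolerated, so the output of
# `gpg --fingerprint` can be pasted in as-is.
check_validsig() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release FILE DETACHED_SIGNATURE EXPECTED_FINGERPRINT
# --status-fd 1 sends the status records to stdout; the human-readable
# messages go to stderr and are discarded. The pipeline's exit status is the
# result of check_validsig.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_validsig "$3"
}

# Typical use, after importing the project's key as shown in the article
# (placeholder fingerprint):
#   verify_release software.tar.gz software.tar.gz.asc \
#       "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567" \
#       && echo "signature good, key pinned" || echo "REJECT"
```

Pinning by fingerprint is what makes the check meaningful: the expected value comes from the project's website or documentation, not from the key you just downloaded. Keep the expected fingerprint in your script or in version control so the check is repeatable on the next release.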


Setting up encrypted email

Thunderbird has built-in OpenPGP support since version 78.

  1. Install Thunderbird
  2. Add your email account
  3. Go to Account Settings → End-to-End Encryption
  4. Click Add key → import your existing key or generate a new one

Thunderbird lets you choose per message whether to encrypt and/or sign.

Limitations:

  • Only the message body is encrypted
  • Metadata (who sends to whom, when, subject line) is visible to your email provider
  • Both parties must support OpenPGP

Privacy-friendly email providers

PGP doesn't solve the metadata problem. Also choose a provider that does not track you and is open about how it handles legal requests for data:

  • Proton Mail — built-in PGP, Swiss law
  • Tutanota — own encryption standard, not compatible with standard PGP
  • Posteo — German, paid, no tracking

Key management: the hardest part

Web of Trust

PGP has no central authority. Trust works via a web of trust: when you sign someone’s key, you’re telling others that you’ve verified it.

In practice: if you meet someone in person, you can compare each other’s keys and sign them. This builds trust in the network.

Verifying keys

Never blindly trust a key from a keyserver. Verify the fingerprint, a 40-character hexadecimal hash of the public key that identifies it uniquely:

gpg --fingerprint alice@example.com

Compare all 40 characters with the owner through a separate channel (phone call, in person, a business card). Do not settle for the 8-character short key ID: it is easy to generate a different key with the same short ID.

Back up your private key

Your private key is irreplaceable. If you lose it, you can neither read anything that was encrypted to you nor sign with it, and without a revocation certificate you cannot even tell others to stop using it.

Export and store safely:

gpg --export-secret-keys --armor you@example.com > my-private-key-backup.asc

The exported file is still protected by your passphrase, so the backup is only as strong as that passphrase. Store it offline, on an encrypted USB stick or on paper (see KeePassXC for key storage), and test once that it imports on another machine.

Create a revocation certificate

Immediately after creating your key, generate a revocation certificate:

gpg --gen-revoke you@example.com > revocation-cert.asc

If your key is ever compromised or lost, import this certificate (gpg --import revocation-cert.asc) and upload the key again with --send-keys; everyone who refreshes the key then sees it as revoked. GnuPG 2.1 and newer already write such a certificate into openpgp-revocs.d/ inside your GnuPG home directory when the key is created; its first line is prefixed with a colon that you must remove before importing it.

Store this certificate safely and separately from your private key: anyone who has it can declare your key invalid.
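The steps under Creating your first key pair together with the backup and revocation-certificate steps above, as one repeatable script. This is an added example, not code from the article or from GnuPG. It builds a certify-only Ed25519 primary key with separate signing (Ed25519) and encryption (Curve25519) subkeys that expire after two years, then writes the public key to hand out, the private-key backup to store offline, and a copy of the revocation certificate to store elsewhere. Assumptions: GnuPG 2.1.17 or newer (for --quick-generate-key and --quick-add-key), a keyring in which the email address matches only this key, and the passphrase supplied in an environment variable named PGP_PASSPHRASE, a name chosen for this script rather than a GnuPG convention.

```shell
#!/bin/sh
# Added example: create a key pair, export it, back it up and keep the
# revocation certificate, all non-interactively and therefore repeatably.
# The passphrase comes from PGP_PASSPHRASE (name chosen here) and is fed to
# gpg over a pipe so it never appears in the process list.

# Run gpg non-interactively with the passphrase read from stdin.
gpg_pw() {
    printf '%s\n' "$PGP_PASSPHRASE" |
        gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 "$@"
}

# Fingerprint of the primary key for a user ID: first "fpr" record of the
# machine-readable listing, field 10.
primary_fingerprint() {
    gpg --batch --with-colons --list-keys "$1" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# pgp_new_identity "Full Name" you@example.com /path/to/outdir
# Prints the fingerprint of the new primary key.
pgp_new_identity() {
    name=$1; email=$2; outdir=$3
    mkdir -p "$outdir"

    # Certify-only primary key; the daily-use keys are subkeys that can be
    # rotated or revoked without touching the primary key.
    gpg_pw --quick-generate-key "$name <$email>" ed25519 cert 2y
    fpr=$(primary_fingerprint "$email")
    gpg_pw --quick-add-key "$fpr" ed25519 sign 2y
    gpg_pw --quick-add-key "$fpr" cv25519 encr 2y

    # Public key: safe to publish anywhere.
    gpg --batch --armor --export "$fpr" > "$outdir/$email.public.asc"
    # Private key backup: still passphrase-protected, but keep it offline.
    gpg_pw --armor --export-secret-keys "$fpr" > "$outdir/$email.private-backup.asc"
    # GnuPG 2.1+ writes a revocation certificate at key creation. Its BEGIN
    # line starts with ':' so it cannot be imported by accident; remove that
    # colon before using it. Store this copy separately from the backup.
    cp "${GNUPGHOME:-$HOME/.gnupg}/openpgp-revocs.d/$fpr.rev" \
       "$outdir/$email.revocation.rev"

    printf '%s\n' "$fpr"
}

# Usage:
#   PGP_PASSPHRASE='a long passphrase' pgp_new_identity "Alice Example" alice@example.com ./keys
```

Run it once per identity, then move the private-backup and revocation files off the machine to two different places. The interactive gpg --gen-revoke command from the article remains the right tool when you need a fresh certificate later, for example with a specific reason recorded in it.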


Limitations of PGP

Being honest about what PGP doesn’t do:

No forward secrecy If your private key is ever compromised, all encrypted messages ever sent to you can be decrypted — if the attacker has been storing them. Signal uses per-message keys that are discarded after use. PGP doesn’t.

Metadata is visible Your email provider sees who communicates with whom, how often, and when. Only the content is encrypted.

Complexity = mistakes PGP is hard to use correctly. People forget to encrypt, use the wrong key, or don’t properly secure their private key. One mistake undoes everything.

Few people use it PGP email only works if both parties support it. In practice, the audience is small.


When PGP is the right choice

Despite the limitations, there are situations where PGP is the best option:

  • Long-term encrypted file storage — backups, archives, sensitive documents
  • Email when there’s no alternative — contact with organisations that don’t use Signal
  • Software verification — confirm what you download
  • Journalistic source contact — SecureDrop uses PGP

For everything else: use Signal or Molly.

