by Norman Shamas
Back in 2014—about a year after Edward Snowden leaked documents on government spying—Alex Stamos was trying to make email a safer place from mass surveillance by rolling out encrypted emails for all Yahoo! users.1 This feature would move beyond just implementing HTTPS (encrypting traffic between a client computer and the email server) to implement end-to-end encrypted email that would protect users’ emails from even Yahoo!’s servers2 —but it didn’t happen.3 This ended up being a lost opportunity to make encryption and data protection more mainstream: similar to the impact of WhatsApp rolling out end-to-end encryption in 2016.
Without mainstream support for end-to-end encrypted emails, users are stuck using software that has not evolved since the early 90s. The gold standard for encrypted email is OpenPGP (PGP).4 PGP is a good tool for what it does, but it lacks many of features that make up modern secure messaging tools.
What PGP provides is two key critical pieces of security: protection of the email message from unauthorized viewers (data confidentiality) and verification of the sender’s identity (data integrity).
This tutorial will walk us through using GnuPG (GPG), an open source implementation of the PGP standard, for email encryption.5 Since GPG is open source, it is freely available. Throughout the tutorial, I will be using the command line version instead of any of the GUI options.6
Public/Private Key Encryption
GPG is based on public/private key encryption (PPKE), also known as asymmetrical encryption. This is a common type of encryption and is the same kind used for HTTPS.7
The basic premise of PPKE is to separate the items needed to encrypt and decrypt a message. One key, used to encrypt a message for someone, is meant to be public. Anyone can use it to secure the message for the recipient. But in order to decrypt the message the second key, which is meant to be private, is required.
I find one of the easiest examples of this concept in real life is a mail box. Or more accurately, a mail deposit box. Something that looks like this (to the right). With the mail box, anyone can put a letter in (i.e., encrypt it), but only the postal worker has the key to take the letters out (i.e., decrypt it).8
Let’s introduce our friendly conversation partners: Angel and Casey.9 They’re good friends who want to start communicating with each other more securely and they don’t have smartphones—so they can’t use any of the secure messaging apps. All they have that they can use is email, so they decide to try out GPG.
Both Angel and Casey go ahead and generate their public and private key pairs. When the keys are created, they are added to the local GPG keyring, which stores the public and private keys on the local computer. So Casey and Angel each need to export their public key as an ASCII file and upload it to a public location in order to be easily found and used.
Now that both public keys are available, Angel wants to send Casey an email, so they go to one of the online key servers to try and find Casey’s public key. They can search based on name, email address, or the key’s short ID to find and download Casey’s key. Once Angel has Casey’s key, they import it and can use it!
Casey was really excited and had already downloaded Angel’s key to respond when the encrypted email arrived. So when Angel’s email arrives, Casey is able to decrypt it with their private key and encrypt a new message for Angel, with Angel’s public key.
Public/private key encryption isn’t so hard! The key thing to remember is that someone needs to have your public key to encrypt the message to you and only you should have your private key to decrypt those messages.
Basic GPG Commands
Let’s take a quick look at some of the GPG commands Angel and Casey would have used to send an encrypted email. Please note this will be guidance for using GPG as opposed to a full walkthrough/tutorial.
Creating a key pair
When you create a key pair, GPG will walk you through a configuration process. The defaults for this process are based on backward compatibility as opposed to security.
Make sure you use RSA for both keys (option 1) and a keysize of 4096.
Key expiration is up to personal preference. The GPG default is to never expire. I prefer to create my keys to expire within a relatively short amount of time (e.g., 4 years).
Once you have created your key pair, GPG will provide you with some information.
4096R indicates the encryption algorithm used and the keysize (i.e., RSA 4096 bit).
FFF99224 is the short ID, an easy way to identify a public key on the key server. It is the last 8 characters of the key’s fingerprint. I will talk more about the short ID and fingerprint under key management.
Using Key Servers
Public key servers are the main way that PGP keys are shared. They are simply web servers that are compatible with PGP’s key server protocols (called HKP, PKS, and SKS). Often they will have an interface for users to upload, browse, and download public keys; but this is not true of all the key servers. One of the most commonly used and trusted public key servers is MIT’s PGP key server. When using a public key server through the web interface, there is no authentication required to upload or download keys.
There are two ways to export and import public keys to a key server: manually and with GPG’s built in functions.
gpg --export -a key-id
gpg --import key
GPG allows you to export and import keys independent of the key servers.
Export requires a key-id parameter to indicate which key to export. Often, this will be the short ID.
By default, GPG will export the file as a binary. However, in order to upload the key to a key server or place it as text on a website, it will need to be exported as plain text (ASCII armor in GPG speak). Using the
--armor option will export as ASCII text.11 12
Import requires the key itself. You can either import the key from a file using
gpg --import file.key or by pasting the text of the key with
echo "-----BEGIN PGP PUBLIC KEY BLOCK-----" | gpg --import
If you want to import and export on a key server, you can manually upload or download the key using these steps.
GPG has a built-in process for sending and receiving keys to a key server as well.13 Using the key I just created, you would export the key with
gpg --send-key FFF99224 and import it with
gpg --recv-key FFF99224.
The primary advantage of using GPG’s built-in functionality is that it simplifies the process.
Encrypting and Decrypting Messages
In practice, most people use GPG through a plugin that integrates with their email client (for some examples, see the list in the Appendix). These plugins will use the email address of the recipients to select the corresponding public key in the local keyring (some plugins will give you the option to search for the public key from key servers based on email).
For me, the advantages of using GPG through the command line are twofold: to provide greater control over public keys used and to ensure only encrypted text is stored in the email server. GPG clients will use the recipient’s email address to create a seamless experience. However, to read the encrypted email, only the private key and passphrase are needed and this does not need to correspond to the email address. By using the command line, you can select the public keys to use even if the email address differs from the key’s associated email.14 Most modern web clients will automatically save draft emails. If the drafts of your sensitive emails are saved, they are often stored with the plain text, not encrypted text. By using the command line, you can ensure that only the encrypted text is saved by email clients.
gpg -e -a -r user-id user-id... message
The command to encrypt a message in GPG is
--encrypt (shortened to
-e). Recipients need to be specified using the
-r option followed by a user-id, which are commonly a name, an email, or a key short ID.
When you encrypt a message using GPG, you might receive this warning
gpg: 13599357: There is no assurance this key belongs to the named user. This is based on GPG’s web of trust, which we will go into more below.
gpg -d message
The command to decrypt a message simply uses the
--decrypt (shortened to
For both encryption and decryption, the message can also be sent to the GPG command via
| (pipe) (i.e.,
echo "message" | gpg)
Key Management and Exchange
The real difficulty of using the PGP protocol comes from key management and exchange.15 PGP is based on a decentralized exchange model.16 This places the responsibilities of key exchange and management entirely on the users. There are a number of advantages of this model: interoperability with different mail providers and clients, trust to be determined by users, discrete methods for key exchange, and others. But it all comes at the cost of usability.
Already, given the simple example above, there are a number of issues that could arise. One of the common mistakes is accidentally uploading or sending your private key instead of your public key.17 If this happens, then all that is preventing someone from reading your encrypted emails (past, present, and future) is your password/passphrase!
In general, a lot of trust is placed in the key servers and it was only recently that they started using HTTPS.18 This leaves people wanting to download a key susceptible to a man-in-the-middle attack.19
Public key servers provide no validation of who uploads keys. Multiple people can create keys with the same email address, which are only identified by looking at the key text or the short ID. Alternatively, someone could have uploaded a public key, lost their private key, and have to upload a new public key.20 More recently, there have been cases of short IDs being the same for two different keys. This issue arises from the combination of the short length of the short ID and the increase in available computational power.21
PGP is designed to address the need for key identity verification by using fingerprints. A fingerprint, essentially a hash of the key, can be generated for each key to verify that it is the same. Even in the case of two keys having the same short ID, looking at the full fingerprints would reveal that they are two different keys. Most key servers will provide a way to view a key’s fingerprint when searching through them.
When using multiple devices, key management can also be difficult. While it is simple, from the tool perspective, to export your entire keyring (including your private key) and import it on a new device, the user now needs to manage and protect all the locations that the private key is stored.22
By bringing up these issues with key exchange and management I am not trying to discourage anyone from using GPG. It is still a useful tool that has its purposes and some cool features (as we’ll see below). In the future, additional tools and platforms could be available to make this much easier for users.23 At the moment, it is particularly important to be aware of these concerns, especially if you are using PGP in a high risk situation.24
GPG’s Web of Trust
Some of these issues surrounding user identification and key management are addressed by GPG through the web of trust. The basic concept of the web of trust is that users can indicate they know or trust a person’s identity by signing their public key. That signed public key then shows a record of who has trusted the identity of that key. It can be used by a conversation partner to determine whether they believe that the person who has owns the key pair is who they claim to be.25
I realize this sounds somewhat abstract, so let’s introduce three more characters to our conversation: Dakota, who is Casey’s best friend; Riley, who is Angel’s best friend; and Jessie, who only knows Riley and Dakota.
Casey has mentioned Dakota to Angel a couple of times and Angel decides they want to meet Dakota. After asking Casey for Dakota’s public key, Angel imports it to their keyring. Even though Angel received Dakota’s key from Casey, they want to make sure Casey has signed the key.
Angel lists all the keys in their keyring using
gpg --list-sigs. This will list all of the keys and the associated signatures.26
Angel now feels they can trust that the public key Casey sent actually belongs to Dakota.
After emailing with Dakota for a while, Angel keeps hearing about how awesome Jessie is from two people, Dakota and Riley. Angel decides to send Jessie an email to hang out sometime. So they download Jessie’s public key from a key server and checked the signatures. Only Dakota has signed they key.
Because only Dakota has signed Jessie’s key and Angel and Dakota have not met in person yet, Angel decides they don’t trust Jessie’s public key. Angel decides to ask Riley if have Jessie’s public key and goes ahead to verify the signatures. This public key file appears to be the same key for Jessie (verified by the key fingerprint) and has Jessie’s signature. At this point, Angel decides to trust that Jessie owns the key.
There are two important points to bring up based on this brief example. First, verification of keys is done by checking fingerprints (
gpg --fingerprint user-id). Second, signed keys can complicate the key management process. Each time a key is signed, the signature is added to that current public key file. It is up to the key owner to determine whether to upload their signed key to key servers or distribute it another way. It might also end up that a signed key is not sent back to the key owner, so multiple signed key files are needed before trusting the key.
Key signing parties are a common way to meet people and get a public key signed. They are self-organized gatherings for people to meet, verify identities, and sign each other’s public keys. It is also a common occurrence at workshops or trainings.
The main advantage of using the web of trust is that GPG will automatically assign a level of trust for keys based on their associated signatures.27 However, there are risks involved. When a key is signed, that information is available to anyone who has the public key file. It can be used to create a network map of associations, which might be a problem for operational security. There are different philosophies on how to use the web of trust safely or whether to use it at all. It is best to decide what you feel comfortable with before including signatures in key management.
Email encryption is a valuable tool to have for secure messaging. This article wasn’t able to cover all aspects of PGP in depth. One useful feature you can try once you’ve mastered the basics is encrypting an email file with an embedded attachment. This will allow you to ‘hide’ the fact that you have an attachment to your email and protect the content all in plain text!
Despite all the benefits and cool features, there are a number of serious security concerns in its use. Some are directly related to email protocols, like leaky metadata. Others stem from user experience and outdated cryptographic implementations. Beyond the key management issues discussed above, PGP lacks forward secrecy, which means that if a public key is compromised all messages (past, present, and future) are compromised. If the concern is large scale surveillance, use of GPG could flag your email exchanges as suspicious. Combined with metadata analysis, someone can learn a lot about your communication habits and build a case against you without needing to know the content of your messages. For some additional thoughts on concerns with PGP, see cryptographer Matthew Green’s article “What’s the Matter with PGP?” and “GPG and Me” by Moxie Marlinspike, the creator of Signal.
It is important to truly evaluate whether using email encryption is better than other secure messaging options. All things said, I do use GPG on a regular basis and enjoy it (as much as I can).
Appendix: GUI Implementations of GPG and Guides for Learning More
- Enigmail: Add-on for Mozilla Thunderbird
- GPGMail GPGTools: Plugin for Apple Mail
- Free Software Foundation, Email Self-Defense
- The GNU Privacy Handbook
Norman is an activist and educator whose work focuses on human-centered information/digital security and privacy.
- Google was also working on end-to-end encrypted emails at this time as well. Alex Stamos was one of the contributors on Google’s git repository for the project. ↩
- End-to-end encryption refers method of encrypting and decrypting data for only the communication recipients (i.e., conversation endpoints). ↩
- Less than a year after this announcement, Stamos left his job as Yahoo!’s Chief Information Security Officer to join Facebook as Chief Security Officer. It appears his resignation came after finding out about efforts to undermine Yahoo! user security by creating a tool to search all incoming emails at the behest the of the US government. ↩
- OpenPGP refers to the ecosystem and open standards RFC 4880 based around Pretty Good Privacy (PGP) created in 1991. PGP is a closed source software and GNU Privacy Guard (GPG) was created as an open source version in 1999. ↩
- Due to space constraints, I won’t be going into signing emails, which is a way to verify who the sender of the email is. ↩
- One of the reasons for using the command line version is that GUIs can obscure the process. ↩
- If you have set up a web server with HTTPS, you might have had two or more files you needed to add to your web server. The file with the .key extension is your private key and the .crt file (s) are public keys. ↩
- Sorry if this type of mailbox is unfamiliar to you. Metaphors and examples are, by nature, culturally specific. I’m hoping this example of the mailbox is universal and simple enough to understand even if you haven’t seen or used one. ↩
- Unlike the typical generically named conversation partners, Alice and Bob, Angel and Casey are really nice gender neutral conversation partners. ↩
To get a list of all full key pairs (i.e., both public and private keys) in your local keyring, use
When encrypting messages, GPG will default to exporting a binary. We will continue to use this
-aflag for all outputs. ↩
GPG will export directly to the command line. If you would like to save it as a file, you can use
gpg export key-id > fileor
gpg export -o file key-id. ↩
GPG should install itself with the keyserver option already set. This is a requirement for sending and receiving keys through GPG. For Mac and Linux machines, the GPG configuration file should be located at
- In the past, I have used the same key pair for different work emails without updating the public key to include those emails. This has caused issues with people who are using non-command line versions of GPG and is not recommended. ↩
- The most recent usability study of PGP (BYU’s 2016 article “Why Jonny Still, Still Can’t Encrypt” demonstrates almost all of the study participants failed to complete the initial key exchange to send an encrypted email. ↩
- HTTPS certificates, on the other hand, are based on centralized, trusted authorities. ↩
- This is one of the ways that users of the BYU study failed to complete the key exchange. ↩
- Not all public key servers use HTTPS (checked on Feb 14, 2017). ↩
- A man-in-the-middle attack is when another party intercepts and/or tampers with data in transit. HTTPS is a way to mitigate this type of attack. ↩
- In the case of a lost or compromised key pair, users can upload a revocation certificate. However, the creation of a revocation certificate requires the private key. If someone lost their private key and didn’t make a revocation certificate, then there will be an obsolete key that appears as valid (until it expires) on the public key servers. ↩
- In 2014, Richard Klafter and Eric Swanson published their work on GPG short keys. Scallion, the tool they created, is able to generate 500 million keys per second with modern (2014-era) GPUs. ↩
- One of the ways modern secure messaging apps have addressed this concern is with forward secrecy. The basic idea is that the keys used are different for each message or set of messages. Then if someone is able to decrypt a single message, they can’t decrypt all your messages. PGP does not have this feature. ↩
- There are a couple promising projects aimed at making the key exchange process simpler for the user. Keybase is a platform in use to help verify identities. It can be thought of as a PGP key server with additional functionality. In addition, there is a command line tool to help users manage PGP keys. LEAP (LEAP Encryption Access Project) is a platform under development with a suite of tools to make email encryption more usable. One aspect of the platform is to try and do key exchange and verification with minimal interaction with the user. ↩
- If you want to practice using GPG in a low-risk situation, Top Secret is an interactive fiction game for that. It is based on the story of the Snowden leaks and requires use of GPG throughout. Disclosure: The author was a backer of the game on Kickstarter. ↩
- PGP has three levels of trust that can be assigned to keys: none, marginal, and trusted. These can also be managed manually (instead of through a chain of signed keys). Because the concept of trust varies for different people and space constraints, I won’t go into specifics in this article. ↩
If you want to just list the keys without seeing signatures, you should use
gpg --list-keys. ↩
- The web of trust is a key aspect of PGP’s distributed nature. Instead of trusting centralized authorities, like HTTPS Certificate Authorities, users trust the identities of keys and people. ↩